From 15bf8727981dd37f6598dc5cfcc52befcb918dd2 Mon Sep 17 00:00:00 2001
From: Aynur Zulkarnaev
Date: Wed, 15 Jan 2020 16:35:52 +0100
Subject: [PATCH 1/2] oathkeeper: document matching strategy

This commit complements pull request https://github.com/ory/oathkeeper/pull/334.

Signed-off-by: Aynur Zulkarnaev
---
 docs/oathkeeper/api-access-rules.md | 39 ++++++++++++++++++-----------
 docs/oathkeeper/configuration.md | 13 ++++++++++
 2 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/docs/oathkeeper/api-access-rules.md b/docs/oathkeeper/api-access-rules.md
index 508cc8704..3ff8bfdde 100644
--- a/docs/oathkeeper/api-access-rules.md
+++ b/docs/oathkeeper/api-access-rules.md
@@ -23,6 +23,8 @@ access_rules:
 # If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be
 # fetched from the provided HTTP(s) location.
 - https://path-to-my-rules/rules.json
+ # Determines a matching strategy for the access rules . Currently supported values are `glob` and `regexp`. Empy string defaults to regexp.
+ matching_strategy: glob
 ```
 or by setting the equivalent environment variable:
@@ -75,20 +77,29 @@ Access Rules have four principal keys: - `match` (object): Defines the URL(s) this Access Rule should match. - `methods` (string[]): Array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). - - `url` (string): The URL that should be matched. Currently supports `regex` - templates and will support glob matching in the future: - - `regex`: Matches the URL against the string. You can use regular - expressions in this field to match more than one url. This matcher ignores - query parameters. Regular expressions are encapsulated in brackets `<` and - `>`: _ `https://mydomain.com/` _ matches: `https://mydomain.com/`. _ does - not match: `https://mydomain.com/foo`. _ does not match: - `https://mydomain.com`. _ - `://mydomain.com/<._>`* matches:`https://mydomain.com/`. _ - matches: `http://mydomain.com/`. _ matches: `http://mydomain.com/foo`. _ - does not match: `https://other-domain.com/`. _ does not match: - `https://mydomain.com`. - - `glob` (NOT YET AVAILABLE): Matches the URL against the string and - supports glob matching. + - `url` (string): The URL that should be matched. You can use regular + expressions or glob patterns in this field to match more than one url. + The matching strategy (glob or regexp) is defined in the global configuration + file as `access_rules.matching_strategy`. This matcher ignores query parameters. + Regular expressions (or glob patterns) are encapsulated in brackets `<` and `>`. + + Regular expressions examples: + - `https://mydomain.com/` matches `https://mydomain.com/` and does not match + `https://mydomain.com/foo` or `https://mydomain.com`. + - `://mydomain.com/<.*>` matches:`https://mydomain.com/` or + `http://mydomain.com/foo`. Does not match: + `https://other-domain.com/` or `https://mydomain.com`. + - `http://mydomain.com/<[[:digit:]]+>` matches `http://mydomain.com/123` and + does not match `http://mydomain/abc`. 
+ - `http://mydomain.com/<(?!protected).*>` matches `http://mydomain.com/resource` + and does not match `http://mydomain.com/protected` + + [Glop](http://tldp.org/LDP/GNU-Linux-Tools-Summary/html/x11655.htm) patterns examples: + - `https://mydomain.com/` matches `https://mydomain.com/man` and does not + match `http://mydomain.com/foo`. + - `https://mydomain.com/<{foo*,bar*}>` matches `https://mydomain.com/foo` or + `https://mydomain.com/bar` and does not match `https://mydomain.com/any`. + - `authenticators`: A list of authentication handlers that authenticate the provided credentials. Authenticators are checked iteratively from index `0` to `n` and the first authenticator to return a positive result will be the one diff --git a/docs/oathkeeper/configuration.md b/docs/oathkeeper/configuration.md index efdb75b2d..046b71bef 100644 --- a/docs/oathkeeper/configuration.md +++ b/docs/oathkeeper/configuration.md @@ -532,6 +532,19 @@ access_rules: # > set ACCESS_RULES_REPOSITORIES= # repositories: '["file://path/to/rules.json","inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d","https://path-to-my-rules/rules.json"]' + + ## Matching Strategy ## + # Determines a matching strategy for the access rules. Currently supported values are `glob` and `regexp`. + # + # Default value: "regexp" + # + # Set this value using enrinment variables on + # - Linux/macOS: + # $ export ACCESS_RULES_MATCHING_STRATEGY= + # - Windows Command Line (CMD): + # > set ACCESS_RULES_MATCHING_STRATEGY= + matching_strategy: glob + ## Authenticators ## # From 7f341fb71caa11784e3b131b756a8d4bca561971 Mon Sep 17 00:00:00 2001 From: Aynur Zulkarnaev Date: Sun, 2 Feb 2020 22:07:59 +0100 Subject: [PATCH 2/2] oathkeeper: document matching 
Signed-off-by: Aynur Zulkarnaev --- .gitignore | 1 + docs/hydra/sdk/api.md | 66 ++-- docs/keto/sdk/api.md | 558 +--------------------------- docs/kratos/sdk/api.md | 36 +- docs/oathkeeper/api-access-rules.md | 46 +-- docs/oathkeeper/configuration.md | 7 +- website/package-lock.json | 2 +- 7 files changed, 98 insertions(+), 618 deletions(-) diff --git a/.gitignore b/.gitignore index ea189a449..b9b9e3b18 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ node_modules/ build/ _book/ .DS_Store +.idea/ node_modules diff --git a/docs/hydra/sdk/api.md b/docs/hydra/sdk/api.md index 07f50b94b..7abf14c7a 100644 --- a/docs/hydra/sdk/api.md +++ b/docs/hydra/sdk/api.md @@ -1689,7 +1689,7 @@ Status Code **200** "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -1731,7 +1731,7 @@ Status Code **200** "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" } ] @@ -1911,7 +1911,7 @@ and only callable by first-party components. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -1953,7 +1953,7 @@ and only callable by first-party components. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" } ``` 
@@ -1995,7 +1995,7 @@ and only callable by first-party components. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -2037,7 +2037,7 @@ and only callable by first-party components. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" } ``` @@ -2118,7 +2118,7 @@ const input = '{ "contacts": [ "string" ], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": [ @@ -2172,7 +2172,7 @@ const input = '{ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" }'; const headers = { @@ -2311,7 +2311,7 @@ and only callable by first-party components. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -2353,7 +2353,7 @@ and only callable by first-party components. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" } ``` 
@@ -2531,7 +2531,7 @@ and only callable by first-party components. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -2573,7 +2573,7 @@ and only callable by first-party components. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" } ``` @@ -2614,7 +2614,7 @@ and only callable by first-party components. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -2656,7 +2656,7 @@ and only callable by first-party components. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" } ``` @@ -2737,7 +2737,7 @@ const input = '{ "contacts": [ "string" ], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:16Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": [ @@ -2791,7 +2791,7 @@ const input = '{ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:16Z", "userinfo_signed_response_alg": "string" }'; const headers = { 
@@ -5012,7 +5012,7 @@ the subject accepted or rejected the request. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -5054,7 +5054,7 @@ the subject accepted or rejected the request. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "context": { @@ -5760,7 +5760,7 @@ the requested authentication process. "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -5802,7 +5802,7 @@ the requested authentication process. "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "oidc_context": { @@ -7162,7 +7162,7 @@ Status Code **200** "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -7204,7 +7204,7 @@ Status Code **200** "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "context": { @@ -7790,7 +7790,7 @@ deleted automatically when performing the refresh flow. ```json { - "notAfter": "2020-01-31T17:58:39Z" + "notAfter": "2020-02-02T21:00:17Z" } ``` 
@@ -7888,7 +7888,7 @@ func main() { ```nodejs const fetch = require('node-fetch'); const input = '{ - "notAfter": "2020-01-31T17:58:39Z" + "notAfter": "2020-02-02T21:00:17Z" }'; const headers = { 'Content-Type': 'application/json', 'Accept': 'application/json' @@ -8491,7 +8491,7 @@ _JSONWebKeySet JSON web key set_ "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -8533,7 +8533,7 @@ _JSONWebKeySet JSON web key set_ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "context": { @@ -8707,7 +8707,7 @@ request._ "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -8749,7 +8749,7 @@ request._ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "context": { @@ -8835,7 +8835,7 @@ consent request._ ```json { - "notAfter": "2020-01-31T17:58:39Z" + "notAfter": "2020-02-02T21:00:17Z" } ``` @@ -8957,7 +8957,7 @@ _JSONWebKeySetGeneratorRequest json web key set generator request_ "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], 
@@ -8999,7 +8999,7 @@ _JSONWebKeySetGeneratorRequest json web key set generator request_ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" }, "oidc_context": { @@ -9081,7 +9081,7 @@ _Contains information about an ongoing logout request._ "client_secret_expires_at": 0, "client_uri": "string", "contacts": ["string"], - "created_at": "2020-01-31T17:58:39Z", + "created_at": "2020-02-02T21:00:17Z", "frontchannel_logout_session_required": true, "frontchannel_logout_uri": "string", "grant_types": ["string"], @@ -9123,7 +9123,7 @@ _Contains information about an ongoing logout request._ "subject_type": "string", "token_endpoint_auth_method": "string", "tos_uri": "string", - "updated_at": "2020-01-31T17:58:39Z", + "updated_at": "2020-02-02T21:00:17Z", "userinfo_signed_response_alg": "string" } ``` diff --git a/docs/keto/sdk/api.md b/docs/keto/sdk/api.md index 371bc7070..399408d3c 100644 --- a/docs/keto/sdk/api.md +++ b/docs/keto/sdk/api.md 
@@ -291,18 +291,18 @@ List ORY Access Control Policies Status Code **200** -| Name | Type | Required | Restrictions | Description | -| ----------------------------------------------------------------- | --------------------------------------------------------- | -------- | ------------ | -------------------------------------------------------------------------------------------------------------------- | -| _anonymous_ | [[oryAccessControlPolicy](#schemaoryaccesscontrolpolicy)] | false | none | none | -| » oryAccessControlPolicy specifies an ORY Access Policy document. | [oryAccessControlPolicy](#schemaoryaccesscontrolpolicy) | false | none | none | -| »» actions | [string] | false | none | Actions is an array representing all the actions this ORY Access Policy applies to. | -| »» conditions | object | false | none | Conditions represents a keyed object of conditions under which this ORY Access Policy is active. | -| »»» **additionalProperties** | object | false | none | none | -| »» description | string | false | none | Description is an optional, human-readable description. | -| »» effect | string | false | none | Effect is the effect of this ORY Access Policy. It can be "allow" or "deny". | -| »» id | string | false | none | ID is the unique identifier of the ORY Access Policy. It is used to query, update, and remove the ORY Access Policy. | -| »» resources | [string] | false | none | Resources is an array representing all the resources this ORY Access Policy applies to. | -| »» subjects | [string] | false | none | Subjects is an array representing all the subjects this ORY Access Policy applies to. 
| +| Name | Type | Required | Restrictions | Description | +| ---------------------------------------------------------------------------------------- | --------------------------------------------------------- | -------- | ------------ | -------------------------------------------------------------------------------------------------------------------- | +| _anonymous_ | [[oryAccessControlPolicy](#schemaoryaccesscontrolpolicy)] | false | none | none | +| » OryAccessControlPolicy oryAccessControlPolicy specifies an ORY Access Policy document. | [oryAccessControlPolicy](#schemaoryaccesscontrolpolicy) | false | none | none | +| »» actions | [string] | false | none | Actions is an array representing all the actions this ORY Access Policy applies to. | +| »» conditions | object | false | none | Conditions represents a keyed object of conditions under which this ORY Access Policy is active. | +| »»» **additionalProperties** | object | false | none | none | +| »» description | string | false | none | Description is an optional, human-readable description. | +| »» effect | string | false | none | Effect is the effect of this ORY Access Policy. It can be "allow" or "deny". | +| »» id | string | false | none | ID is the unique identifier of the ORY Access Policy. It is used to query, update, and remove the ORY Access Policy. | +| »» resources | [string] | false | none | Resources is an array representing all the resources this ORY Access Policy applies to. | +| »» subjects | [string] | false | none | Subjects is an array representing all the subjects this ORY Access Policy applies to. | Status Code **500** 
@@ -2972,524 +2972,6 @@ p JSON.parse(result) ## Schemas -AddOryAccessControlPolicyRoleMembersInternalServerErrorBody - -#### AddOryAccessControlPolicyRoleMembersInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_AddOryAccessControlPolicyRoleMembersInternalServerErrorBody add ory access -control policy role members internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -DeleteOryAccessControlPolicyInternalServerErrorBody - -#### DeleteOryAccessControlPolicyInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_DeleteOryAccessControlPolicyInternalServerErrorBody delete ory access control -policy internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - 
-DeleteOryAccessControlPolicyRoleInternalServerErrorBody - -#### DeleteOryAccessControlPolicyRoleInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_DeleteOryAccessControlPolicyRoleInternalServerErrorBody delete ory access -control policy role internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -DoOryAccessControlPoliciesAllowInternalServerErrorBody - -#### DoOryAccessControlPoliciesAllowInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_DoOryAccessControlPoliciesAllowInternalServerErrorBody do ory access control -policies allow internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -GetOryAccessControlPolicyInternalServerErrorBody - -#### 
GetOryAccessControlPolicyInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_GetOryAccessControlPolicyInternalServerErrorBody get ory access control policy -internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -GetOryAccessControlPolicyNotFoundBody - -#### GetOryAccessControlPolicyNotFoundBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_GetOryAccessControlPolicyNotFoundBody get ory access control policy not found -body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -GetOryAccessControlPolicyRoleInternalServerErrorBody - -#### GetOryAccessControlPolicyRoleInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": 
"string", - "request": "string", - "status": "string" -} -``` - -_GetOryAccessControlPolicyRoleInternalServerErrorBody get ory access control -policy role internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -GetOryAccessControlPolicyRoleNotFoundBody - -#### GetOryAccessControlPolicyRoleNotFoundBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_GetOryAccessControlPolicyRoleNotFoundBody get ory access control policy role -not found body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -IsInstanceAliveInternalServerErrorBody - -#### IsInstanceAliveInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_IsInstanceAliveInternalServerErrorBody is instance alive internal server error -body_ - -#### Properties - -| Name | 
Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -ListOryAccessControlPoliciesInternalServerErrorBody - -#### ListOryAccessControlPoliciesInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_ListOryAccessControlPoliciesInternalServerErrorBody list ory access control -policies internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -ListOryAccessControlPolicyRolesInternalServerErrorBody - -#### ListOryAccessControlPolicyRolesInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_ListOryAccessControlPolicyRolesInternalServerErrorBody list ory access control -policy roles internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | 
------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -RemoveOryAccessControlPolicyRoleMembersInternalServerErrorBody - -#### RemoveOryAccessControlPolicyRoleMembersInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_RemoveOryAccessControlPolicyRoleMembersInternalServerErrorBody remove ory -access control policy role members internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -UpsertOryAccessControlPolicyInternalServerErrorBody - -#### UpsertOryAccessControlPolicyInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_UpsertOryAccessControlPolicyInternalServerErrorBody upsert ory access control -policy internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | 
-| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - -UpsertOryAccessControlPolicyRoleInternalServerErrorBody - -#### UpsertOryAccessControlPolicyRoleInternalServerErrorBody - - - -```json -{ - "code": 0, - "details": [ - { - "property1": {}, - "property2": {} - } - ], - "message": "string", - "reason": "string", - "request": "string", - "status": "string" -} -``` - -_UpsertOryAccessControlPolicyRoleInternalServerErrorBody upsert ory access -control policy role internal server error body_ - -#### Properties - -| Name | Type | Required | Restrictions | Description | -| -------------------------- | -------------- | -------- | ------------ | ----------- | -| code | integer(int64) | false | none | code | -| details | [object] | false | none | details | -| » **additionalProperties** | object | false | none | none | -| message | string | false | none | message | -| reason | string | false | none | reason | -| request | string | false | none | request | -| status | string | false | none | status | - addOryAccessControlPolicyRoleMembersBody #### addOryAccessControlPolicyRoleMembersBody @@ -3520,8 +3002,8 @@ control policy role internal server error body_ } ``` -_AuthorizationResult is the result of an access control decision. It contains -the decision outcome._ +_AuthorizationResult AuthorizationResult AuthorizationResult AuthorizationResult +is the result of an access control decision. It contains the decision outcome._ #### Properties @@ -3544,6 +3026,8 @@ the decision outcome._ } ``` +_HealthNotReadyStatus health not ready status_ + #### Properties | Name | Type | Required | Restrictions | Description | 
@@ -3563,8 +3047,6 @@ the decision outcome._ } ``` -_HealthStatus health status_ - #### Properties | Name | Type | Required | Restrictions | Description | @@ -3592,7 +3074,8 @@ _HealthStatus health status_ } ``` -_oryAccessControlPolicy specifies an ORY Access Policy document._ +_OryAccessControlPolicy oryAccessControlPolicy specifies an ORY Access Policy +document._ #### Properties @@ -3625,8 +3108,7 @@ _oryAccessControlPolicy specifies an ORY Access Policy document._ } ``` -_OryAccessControlPolicyAllowedInput Input for checking if a request is allowed -or not._ +_Input for checking if a request is allowed or not._ #### Properties @@ -3674,8 +3156,6 @@ other sort of role._ } ``` -_Version Version version_ - #### Properties | Name | Type | Required | Restrictions | Description | diff --git a/docs/kratos/sdk/api.md b/docs/kratos/sdk/api.md index aa09d1f72..f88448aa1 100644 --- a/docs/kratos/sdk/api.md +++ b/docs/kratos/sdk/api.md @@ -2432,15 +2432,15 @@ This endpoint is useful for reverse proxies and API Gateways. ```json { - "authenticated_at": "2020-01-31T17:58:40Z", - "expires_at": "2020-01-31T17:58:40Z", + "authenticated_at": "2020-02-02T21:00:20Z", + "expires_at": "2020-02-02T21:00:20Z", "identity": { "id": "string", "traits": {}, "traits_schema_id": "string", "traits_schema_url": "string" }, - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "sid": "string" } ``` @@ -2643,9 +2643,9 @@ your application (e.g. `/login?request=abcde`). ```json { "active": "string", - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "id": "string", - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "methods": { "property1": { "config": {}, @@ -2852,7 +2852,7 @@ your application (e.g. `/login?request=abcde`). ```json { - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "form": { "action": "string", "errors": [ 
@@ -2884,7 +2884,7 @@ your application (e.g. `/login?request=abcde`). "traits_schema_id": "string", "traits_schema_url": "string" }, - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "request_url": "string", "update_successful": true } @@ -3086,9 +3086,9 @@ your application (e.g. `/registration?request=abcde`). ```json { "active": "string", - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "id": "string", - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "methods": { "property1": { "config": {}, @@ -3768,9 +3768,9 @@ _nolint:deadcode,unused_ ```json { "active": "string", - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "id": "string", - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "methods": { "property1": { "config": {}, @@ -3861,7 +3861,7 @@ _and_ ```json { - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "form": { "action": "string", "errors": [ @@ -3893,7 +3893,7 @@ _and_ "traits_schema_id": "string", "traits_schema_url": "string" }, - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "request_url": "string", "update_successful": true } @@ -3922,9 +3922,9 @@ _Request presents a profile management request_ ```json { "active": "string", - "expires_at": "2020-01-31T17:58:40Z", + "expires_at": "2020-02-02T21:00:20Z", "id": "string", - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "methods": { "property1": { "config": {}, @@ -4027,15 +4027,15 @@ _and_ ```json { - "authenticated_at": "2020-01-31T17:58:40Z", - "expires_at": "2020-01-31T17:58:40Z", + "authenticated_at": "2020-02-02T21:00:20Z", + "expires_at": "2020-02-02T21:00:20Z", "identity": { "id": "string", "traits": {}, "traits_schema_id": "string", "traits_schema_url": "string" }, - "issued_at": "2020-01-31T17:58:40Z", + "issued_at": "2020-02-02T21:00:20Z", "sid": "string" } ``` 
diff --git a/docs/oathkeeper/api-access-rules.md b/docs/oathkeeper/api-access-rules.md
index 3ff8bfdde..5c1be5234 100644
--- a/docs/oathkeeper/api-access-rules.md
+++ b/docs/oathkeeper/api-access-rules.md
@@ -23,7 +23,7 @@ access_rules:
 # If the URL Scheme is `http://` or `https://`, the access rules (an array of access rules is expected) will be
 # fetched from the provided HTTP(s) location.
 - https://path-to-my-rules/rules.json
- # Determines a matching strategy for the access rules . Currently supported values are `glob` and `regexp`. Empy string defaults to regexp.
+ # Determines a matching strategy for the access rules . Currently supported values are `glob` and `regexp`. Empty string defaults to regexp.
 matching_strategy: glob
 ```
 
@@ -78,28 +78,28 @@ Access Rules have four principal keys: - `methods` (string[]): Array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). - `url` (string): The URL that should be matched. You can use regular - expressions or glob patterns in this field to match more than one url. - The matching strategy (glob or regexp) is defined in the global configuration - file as `access_rules.matching_strategy`. This matcher ignores query parameters. - Regular expressions (or glob patterns) are encapsulated in brackets `<` and `>`. - - Regular expressions examples: - - `https://mydomain.com/` matches `https://mydomain.com/` and does not match - `https://mydomain.com/foo` or `https://mydomain.com`. - - `://mydomain.com/<.*>` matches:`https://mydomain.com/` or - `http://mydomain.com/foo`. Does not match: - `https://other-domain.com/` or `https://mydomain.com`. - - `http://mydomain.com/<[[:digit:]]+>` matches `http://mydomain.com/123` and - does not match `http://mydomain/abc`. - - `http://mydomain.com/<(?!protected).*>` matches `http://mydomain.com/resource` - and does not match `http://mydomain.com/protected` - - [Glop](http://tldp.org/LDP/GNU-Linux-Tools-Summary/html/x11655.htm) patterns examples: - - `https://mydomain.com/` matches `https://mydomain.com/man` and does not - match `http://mydomain.com/foo`. - - `https://mydomain.com/<{foo*,bar*}>` matches `https://mydomain.com/foo` or - `https://mydomain.com/bar` and does not match `https://mydomain.com/any`. - + expressions or glob patterns in this field to match more than one url. The + matching strategy (glob or regexp) is defined in the global configuration + file as `access_rules.matching_strategy`. This matcher ignores query + parameters. Regular expressions (or glob patterns) are encapsulated in + brackets `<` and `>`. + Regular expressions examples: + - `https://mydomain.com/` matches `https://mydomain.com/` and does not match + `https://mydomain.com/foo` or `https://mydomain.com`. 
+ - `://mydomain.com/<.*>` matches:`https://mydomain.com/` or + `http://mydomain.com/foo`. Does not match: `https://other-domain.com/` or + `https://mydomain.com`. + - `http://mydomain.com/<[[:digit:]]+>` matches `http://mydomain.com/123` and + does not match `http://mydomain/abc`. + - `http://mydomain.com/<(?!protected).*>` matches + `http://mydomain.com/resource` and does not match + `http://mydomain.com/protected` + [Glop](http://tldp.org/LDP/GNU-Linux-Tools-Summary/html/x11655.htm) patterns + examples: + - `https://mydomain.com/` matches `https://mydomain.com/man` and does + not match `http://mydomain.com/foo`. + - `https://mydomain.com/<{foo*,bar*}>` matches `https://mydomain.com/foo` or + `https://mydomain.com/bar` and does not match `https://mydomain.com/any`. - `authenticators`: A list of authentication handlers that authenticate the provided credentials. Authenticators are checked iteratively from index `0` to `n` and the first authenticator to return a positive result will be the one diff --git a/docs/oathkeeper/configuration.md b/docs/oathkeeper/configuration.md index 046b71bef..1f2b706f8 100644 --- a/docs/oathkeeper/configuration.md +++ b/docs/oathkeeper/configuration.md @@ -532,10 +532,10 @@ access_rules: # > set ACCESS_RULES_REPOSITORIES= # repositories: '["file://path/to/rules.json","inline://W3siaWQiOiJmb28tcnVsZSIsImF1dGhlbnRpY2F0b3JzIjpbXX1d","https://path-to-my-rules/rules.json"]' - + ## Matching Strategy ## - # Determines a matching strategy for the access rules. Currently supported values are `glob` and `regexp`. - # + # Determines a matching strategy for the access rules. Currently supported values are `glob` and `regexp`. + # # Default value: "regexp" # # Set this value using enrinment variables on @@ -544,7 +544,6 @@ access_rules: # - Windows Command Line (CMD): # > set ACCESS_RULES_MATCHING_STRATEGY= matching_strategy: glob - ## Authenticators ## # 
diff --git a/website/package-lock.json b/website/package-lock.json index f28699f39..230e11218 100644 --- a/website/package-lock.json +++ b/website/package-lock.json @@ -6189,7 +6189,7 @@ "dev": true, "requires": { "json-schema-ref-parser": "^6.1.0", - "jsonpath-plus": "^1.0.0", + "jsonpath-plus": "^2.0.0", "randexp": "^0.5.3" } },