oathkeeper: github.com/ory/oathkeeper/rule Index | Files

package rule

import "github.com/ory/oathkeeper/rule"

Package rule implements management capabilities for rules

A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server. A rule must define the HTTP methods and the URL under which it will apply. A URL may not have more than one rule. If a URL has no rule applied, the proxy server will return a 404 not found error.

ORY Oathkeeper stores as many rules as required and iterates through them on every request. Rules are essential to the way ORY Oathkeeper works.

Index

Package Files

doc.go fetcher.go fetcher_default.go matcher.go registry.go repository.go repository_memory.go rule.go rule_migrator.go validator.go

type Fetcher Uses

type Fetcher interface {
    Watch(ctx context.Context) error
}

type FetcherDefault Uses

type FetcherDefault struct {
    // contains filtered or unexported fields
}

func NewFetcherDefault Uses

func NewFetcherDefault(
    c configuration.Provider,
    r fetcherRegistry,
) *FetcherDefault

func (*FetcherDefault) Watch Uses

func (f *FetcherDefault) Watch(ctx context.Context) error

type Matcher Uses

type Matcher interface {
    Match(ctx context.Context, method string, u *url.URL) (*Rule, error)
}

type Registry Uses

type Registry interface {
    RuleValidator() Validator
    RuleFetcher() Fetcher
    RuleRepository() Repository
    RuleMatcher() Matcher
}

type Repository Uses

type Repository interface {
    List(ctx context.Context, limit, offset int) ([]Rule, error)
    Set(context.Context, []Rule) error
    Get(context.Context, string) (*Rule, error)
    Count(context.Context) (int, error)
}

type RepositoryMemory Uses

type RepositoryMemory struct {
    sync.RWMutex
    // contains filtered or unexported fields
}

func NewRepositoryMemory Uses

func NewRepositoryMemory(r repositoryMemoryRegistry) *RepositoryMemory

func (*RepositoryMemory) Count Uses

func (m *RepositoryMemory) Count(ctx context.Context) (int, error)

func (*RepositoryMemory) Get Uses

func (m *RepositoryMemory) Get(ctx context.Context, id string) (*Rule, error)

func (*RepositoryMemory) List Uses

func (m *RepositoryMemory) List(ctx context.Context, limit, offset int) ([]Rule, error)

func (*RepositoryMemory) Match Uses

func (m *RepositoryMemory) Match(ctx context.Context, method string, u *url.URL) (*Rule, error)

func (*RepositoryMemory) Set Uses

func (m *RepositoryMemory) Set(ctx context.Context, rules []Rule) error

func (*RepositoryMemory) WithRules Uses

func (m *RepositoryMemory) WithRules(rules []Rule)

WithRules sets rules without validation. For testing only.

type Rule Uses

type Rule struct {
    // ID is the unique id of the rule. It can be at most 190 characters long, but the layout of the ID is up to you.
    // You will need this ID later on to update or delete the rule.
    ID  string `json:"id"`

    // Version represents the access rule version. Should match one of ORY Oathkeepers release versions. Supported since
    // v0.20.0-beta.1+oryOS.14.
    Version string `json:"version"`

    // Description is a human readable description of this rule.
    Description string `json:"description"`

    // Match defines the URL that this rule should match.
    Match RuleMatch `json:"match"`

    // Authenticators is a list of authentication handlers that will try and authenticate the provided credentials.
    // Authenticators are checked iteratively from index 0 to n and if the first authenticator to return a positive
    // result will be the one used.
    //
    // If you want the rule to first check a specific authenticator  before "falling back" to others, have that authenticator
    // as the first item in the array.
    Authenticators []RuleHandler `json:"authenticators"`

    // Authorizer is the authorization handler which will try to authorize the subject (authenticated using an Authenticator)
    // making the request.
    Authorizer RuleHandler `json:"authorizer"`

    // Mutators is a list of mutation handlers that transform the HTTP request. A common use case is generating a new set
    // of credentials (e.g. JWT) which then will be forwarded to the upstream server.
    //
    // Mutations are performed iteratively from index 0 to n and should all succeed in order for the HTTP request to be forwarded.
    Mutators []RuleHandler `json:"mutators"`

    // Upstream is the location of the server where requests matching this rule should be forwarded to.
    Upstream Upstream `json:"upstream"`
}

Rule is a single rule that will get checked on every HTTP request.

func NewRule Uses

func NewRule() *Rule

func (*Rule) CompileURL Uses

func (r *Rule) CompileURL() (*regexp.Regexp, error)

func (*Rule) GetID Uses

func (r *Rule) GetID() string

GetID returns the rule's ID.

func (*Rule) IsMatching Uses

func (r *Rule) IsMatching(method string, u *url.URL) error

IsMatching returns an error if the provided method and URL do not match the rule.

func (*Rule) UnmarshalJSON Uses

func (r *Rule) UnmarshalJSON(raw []byte) error

type RuleHandler Uses

type RuleHandler struct {
    // Handler identifies the implementation which will be used to handle this specific request. Please read the user
    // guide for a complete list of available handlers.
    Handler string `json:"handler"`

    // Config contains the configuration for the handler. Please read the user
    // guide for a complete list of each handler's available settings.
    Config json.RawMessage `json:"config"`
}

type RuleMatch Uses

type RuleMatch struct {
    // An array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). When ORY Oathkeeper searches for rules
    // to decide what to do with an incoming request to the proxy server, it compares the HTTP method of the incoming
    // request with the HTTP methods of each rules. If a match is found, the rule is considered a partial match.
    // If the matchesUrl field is satisfied as well, the rule is considered a full match.
    Methods []string `json:"methods"`

    // This field represents the URL pattern this rule matches. When ORY Oathkeeper searches for rules
    // to decide what to do with an incoming request to the proxy server, it compares the full request URL
    // (e.g. https://mydomain.com/api/resource) without query parameters of the incoming
    // request with this field. If a match is found, the rule is considered a partial match.
    // If the matchesMethods field is satisfied as well, the rule is considered a full match.
    //
    // You can use regular expressions in this field to match more than one url. Regular expressions are encapsulated in
    // brackets < and >. The following example matches all paths of the domain `mydomain.com`: `https://mydomain.com/<.*>`.
    URL string `json:"url"`
    // contains filtered or unexported fields
}

type Upstream Uses

type Upstream struct {
    // PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
    // hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
    PreserveHost bool `json:"preserve_host"`

    // StripPath if set, replaces the provided path prefix when forwarding the requested URL to the upstream URL.
    StripPath string `json:"strip_path"`

    // URL is the URL the request will be proxied to.
    URL string `json:"url"`
}

type Validator Uses

type Validator interface {
    Validate(r *Rule) error
}

type ValidatorDefault Uses

type ValidatorDefault struct {
    // contains filtered or unexported fields
}

func NewValidatorDefault Uses

func NewValidatorDefault(r validatorRegistry) *ValidatorDefault

func (*ValidatorDefault) Validate Uses

func (v *ValidatorDefault) Validate(r *Rule) error

Package rule imports 39 packages (graph) and is imported by 3 packages. Updated 2019-11-06. Refresh now. Tools for package owners.