IAG v23.04 release updates

config-ui/react.skeleton/src/content/landingPage/landingPage.js

@@ -15,14 +15,14 @@ import yaml from 'js-yaml';
 
 const DOC_URL = "https://docs.verify.ibm.com/gateway/docs/";
 
-const SAMPLE_EMPTY_YAML = "version: 22.07";
+const SAMPLE_EMPTY_YAML = "version: 23.04";
 
 const SAMPLE_EMPTY = {
     "yaml": SAMPLE_EMPTY_YAML,
     "link": "#"
 }
 
-const SAML_AUTHZ_YAML = "version: \"22.07\"\n" +
+const SAML_AUTHZ_YAML = "version: \"23.04\"\n" +
                         "#\n" +
                         "# Configure an IAG container to proxy a single Web application, and define \n" +
                         "# an authorization policy for the Web application.  This configuration will \n" +
@@ -132,7 +132,7 @@ const SAMPLE_AUTHZ = {
     "link": DOC_URL + "examples-authorization-yaml"
 }
 
-const SAMPLE_BASIC_YAML = "version: \"22.07\"\n" +
+const SAMPLE_BASIC_YAML = "version: \"23.04\"\n" +
                           "\n" +
                           "#\n" +
                           "# Configure an IAG container with a very basic configuration.  This \n" +
@@ -191,7 +191,7 @@ const SAMPLE_BASIC = {
     "link": DOC_URL + "examples-oidc-verify-yaml"
 }                          
 
-const SAMPLE_ISVA_YAML =  "version: \"22.07\"\n" +
+const SAMPLE_ISVA_YAML =  "version: \"23.04\"\n" +
                           "\n" +
                           "#\n" +
                           "# Configure an IAG container with a very basic configuration.  This \n" +
@@ -257,7 +257,7 @@ const SAMPLE_ISVA = {
     "link": DOC_URL + "examples-oidc-verify-access-yaml"
 } 
 
-const SAMPLE_CREDVIEWER_YAML = "version: \"22.07\"\n" +
+const SAMPLE_CREDVIEWER_YAML = "version: \"23.04\"\n" +
                                "\n" +
                                "#\n" +
                                "# Configure an IAG container with a very basic configuration.  This \n" +
@@ -330,7 +330,7 @@ const SAMPLE_CREDVIEWER = {
     "link": DOC_URL + "examples-cred-viewer-yaml"
 }
 
-const SAMPLE_LWP_YAML = "version: \"22.07\"\n" +
+const SAMPLE_LWP_YAML = "version: \"23.04\"\n" +
                         "\n" +
                         "#\n" +
                         "# Configure an IAG container with a very basic configuration.  This \n" +
@@ -397,7 +397,7 @@ const SAMPLE_LWP = {
     "link": DOC_URL + "examples-local-webpages-yaml"
 }
 
-const SAMPLE_RL_YAML = "version: \"22.07\"\n" +
+const SAMPLE_RL_YAML = "version: \"23.04\"\n" +
                       "\n" +
                       "#\n" +
                       "# Configure an IAG container to proxy a single Web application.  This \n" +
@@ -494,7 +494,7 @@ const SAMPLE_RL = {
     "link": DOC_URL + "examples-rate-limiting-yaml" 
 };
 
-const SAMPLE_STDAPP_YAML = "version: \"22.07\"\n" +
+const SAMPLE_STDAPP_YAML = "version: \"23.04\"\n" +
                           "\n" +
                           "#\n" +
                           "# Configure an IAG container to proxy a single Web application.  This \n" +
@@ -563,7 +563,7 @@ const SAMPLE_STDAPP = {
     "link": DOC_URL + "examples-standard-application-yaml"
 };
 
-const SAMPLE_TRACING_YAML = "version: \"22.07\"\n" +
+const SAMPLE_TRACING_YAML = "version: \"23.04\"\n" +
                             "\n" +
                             "#\n" +
                             "# Configure an IAG container to proxy a single Web application, and activate\n" +
@@ -647,7 +647,7 @@ const SAMPLE_TRACING = {
     "link": DOC_URL + "examples-tracing-yaml"
 };
 
-const SAMPLE_UNAUTH_YAML = "version: \"22.07\"\n" +
+const SAMPLE_UNAUTH_YAML = "version: \"23.04\"\n" +
                            "\n" +
                           "#\n" +
                           "# Configure an IAG container to proxy a single Web application.  Due to the\n" + 
@@ -671,7 +671,7 @@ const SAMPLE_UNAUTH = {
     "link": DOC_URL + "examples-unauth-application-yaml"
 };      
 
-const SAMPLE_ISV_2FA_YAML = "version: \"22.07\"\n" +
+const SAMPLE_ISV_2FA_YAML = "version: \"23.04\"\n" +
                              "\n" +
                             "#\n" +
                             "# Configure an IAG container to proxy a single Web application, and define\n" +
@@ -756,7 +756,7 @@ const SAMPLE_ISV_2FA = {
     "link": DOC_URL + "examples-2fa-verify-yaml"
 };
 
-const SAMPLE_VH_YAML = "version: \"22.07\"\n" +
+const SAMPLE_VH_YAML = "version: \"23.04\"\n" +
                        "\n" +
                       "#\n" +
                       "# Configure an IAG container to proxy a single virtual host Web application.  \n" +
@@ -825,7 +825,7 @@ const SAMPLE_VH = {
     "link": DOC_URL + "examples-virtualhost-application-yaml"
 };
 
-const SAMPLE_HTTPTRAN_YAML = "version: \"22.07\"\n" +
+const SAMPLE_HTTPTRAN_YAML = "version: \"23.04\"\n" +
                              "\n" +
                             "#\n" +
                             "# Configure an IAG container to proxy a single Web application.  This \n" +
@@ -925,7 +925,7 @@ const SAMPLE_HTTPTRAN = {
     "link": DOC_URL + "examples-transformation-yaml"
 };
 
-const SAMPLE_OAUTH_ISVA_YAML = "version: \"22.07\"\n" +
+const SAMPLE_OAUTH_ISVA_YAML = "version: \"23.04\"\n" +
                                "\n" +
                               "#\n" +
                               "# Configure an IAG container with a very basic configuration.  This \n" +
@@ -981,7 +981,7 @@ const SAMPLE_OAUTH_ISVA = {
     "link": DOC_URL + "examples-oauth-verify-access-yaml"
 };
 
-const SAMPLE_OAUTH_ISV_YAML = "version: \"22.07\"\n" +
+const SAMPLE_OAUTH_ISV_YAML = "version: \"23.04\"\n" +
                               "\n" +
                               "#\n" +
                               "# Configure an IAG container with a very basic configuration.  This \n" +

openapi/openapi.yaml

@@ -1,7 +1,7 @@
 # Copyright contributors to the Application Gateway project
 openapi: '3.0'
 info:
-  version: 22.07
+  version: 23.04
   title: IBM Application Gateway Configuration Specification (OpenAPI)
 components:
   schemas:
@@ -20,6 +20,7 @@ components:
         - 21.09
         - 21.12
         - 22.07
+        - 23.04
     secrets:
       $ref: "secrets.yaml#/secrets"
     server:

openapi/resource_server.yaml

@@ -26,18 +26,26 @@ resource_server:
 
     virtual_host:
       description: >
-        The virtual host, as defined by the host header in the request, at
-        which the resource server will be made available. Port information may
-        also be specified if the virtual host is on a non-default port for the
-        intended protocol. This entry is required if the `path` entry has not
-        been specified. It is not valid to have both `path` and `virtual_host`
-        entries specified.
+        The virtual host, as defined by the host header in the request, at 
+        which the resource server will be made available. This will be the 
+        hostname and port number specified in the web browser when it makes 
+        the request. The port number should always be specified, whether the 
+        default port is being used (443 for SSL), or if the virtual host is 
+        using a non-default port for the intended protocol. If your docker 
+        or container host is mapping an incoming port number such as 443 to 
+        some other port inside the container (i.e. 8443), then specify here 
+        the incoming port number (i.e. 443).
+
+        This entry is required if the `path` entry has not been specified. 
+
+        It is not valid to have both `path` and `virtual_host` entries 
+        specified.
 
 
         Example:
 
         resource_servers:
-          - virtual_host: "application.ibm.com:9443"
+          - virtual_host: "application.ibm.com:443"
             # ...
       type: string
       x-uuid: true
@@ -814,6 +822,7 @@ resource_server:
                   form_action:   /login.jsp
                   service:       testCredentialService
                   resource_name: jspApp
+                  form_response_pattern: "*login_prompt*"
                   fields:
                     - name:   username
                       source: service
@@ -871,6 +880,16 @@ resource_server:
                   matching is performed based on the `action` attribute of
                   the HTML `<form>` node.
                 type: string
+              form_response_pattern:
+                description: >
+                  This optional entry specifies a pattern which is used to
+                  determine if the page contains the login form or not. If
+                  the page content does not include this pattern, it will be
+                  returned to the client. By default, the gateway will only
+                  examine the first 32,768 bytes of the response for the
+                  pattern. Because the pattern is checked against the entire
+                  cached response it will usually start and end with a '*'.
+                type: string
               service:
                 description: >
                   The name of the credential service which is used to store

openapi/server.yaml

@@ -1290,16 +1290,24 @@ server:
               type: string
 
     rate_limiting:
-      description: >
-        Specifies the global configuration related to rate limiting. Rate 
-        limiting policies are defined using the policies/rate_limiting[] entry.
+      description: |
+        Specifies the global configuration related to rate limiting. Rate limiting policies are defined using the policies/rate_limiting[] entry.
+
+        Additional rate limiting headers can also be enabled. The rate limiting response headers include:
+
+        header | value 
+        -------|-------
+        X-Rate-Limit-Policy    | The name of the rate limiting policy which is closest to being hit.
+        X-Rate-Limit-Remaining | The number of requests left for the rate limiting policy in the current rate limit window.
+        X-Rate-Limit-Reset     | The time (UTC Epoch time) at which the rate limiting policy resets.
 
 
         Example:
 
         server:
           rate_limiting:
             cache_size: 16384
+            response_headers: false
             redis:
               collection_name: test-collection
               sync_window: 10
@@ -1342,6 +1350,14 @@ server:
               maximum: unlimited
               default: 5
 
+        response_headers:
+          description: >
+            Specifies whether or not the gateway will insert the rate limiting headers into responses.
+
+            By default, the rate limiting response headers are disabled.
+          type: boolean
+          default: false
+
     content_security_policy:
       description: |
         Specifies whether or not the gateway will use the default content security policy.

openshift/build-sample/Dockerfile

@@ -1,7 +1,7 @@
 # Copyright contributors to the Application Gateway project
 
 # The container is based on the IAG container.
-FROM ibmcom/ibm-application-gateway:22.07
+FROM ibmcom/ibm-application-gateway:23.04
 
 # Copy the configuration files from the config directory
 # to the docker image.

openshift/build-sample/config/identity.yml

@@ -1,7 +1,7 @@
 # Copyright contributors to the Application Gateway project
 
 ---
-version: 22.07
+version: 23.04
 
 identity:
   oidc:

python/doc/ResourceServer.md

@@ -10,7 +10,7 @@ The definition for a single resource server which provides content for the gatew
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **path** | **str** | The path at which the resource server will be made available. This entry is required if the `virtual\_host` entry has not been specified. It is not valid to have both `path` and `virtual\_host` entries specified.  | [optional] 
-**virtual\_host** | **str** | The virtual host, as defined by the host header in the request, at which the resource server will be made available. Port information may also be specified if the virtual host is on a non-default port for the intended protocol. This entry is required if the `path` entry has not been specified. It is not valid to have both `path` and `virtual\_host` entries specified.  | [optional] 
+**virtual\_host** | **str** | The virtual host, as defined by the host header in the request, at  which the resource server will be made available. This will be the  hostname and port number specified in the web browser when it makes  the request. The port number should always be specified, whether the  default port is being used (443 for SSL), or if the virtual host is  using a non-default port for the intended protocol. If your docker  or container host is mapping an incoming port number such as 443 to  some other port inside the container (i.e. 8443), then specify here  the incoming port number (i.e. 443). This entry is required if the `path` entry has not been specified.  It is not valid to have both `path` and `virtual\_host` entries  specified.  | [optional] 
 **connection\_type** | **str** | The connection type the reverse proxy will make for this resource server.  | [optional] [default to 'tcp']
 **transparent\_path** | **bool** | A boolean flag indicating whether or not this resource server uses a transparent path. For path type resource servers, setting this entry to true will result in the passing of the entire URL as observed by the reverse proxy to the resource server, including the value given in \"path\". If set to false the reverse proxy will filter the path from the URL and pass only the remainder of the URL to the resource server.  | [optional] [default to False]
 **stateful** | **bool** | A boolean flag indicating whether or not user requests, for the lifetime of a session, are always processed by the same resource server.  | [optional] [default to False]

python/doc/ResourceServerFormsLogin.md

@@ -51,6 +51,7 @@ resource_servers:
           form_action:   /login.jsp
           service:       testCredentialService
           resource_name: jspApp
+          form_response_pattern: "*login_prompt*"
           fields:
             - name:   username
               source: service

python/doc/ResourceServerFormsLoginLoginResources.md

@@ -7,6 +7,7 @@ Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **resource** | **str** | This entry specifies a pattern that uniquely identifies requests for an application's login page. The page will then be intercepted to begin the forms-login sign-on process. The pattern provided is compared to the request URI.  | [optional] 
 **form\_action** | **str** | This entry specifies a pattern that identifies which form contained in the intercepted page is the login form. The matching is performed based on the `action` attribute of the HTML `<form>` node.  | [optional] 
+**form\_response\_pattern** | **str** | This optional entry specifies a pattern which is used to determine if the page contains the login form or not. If the page content does not include this pattern, it will be returned to the client. By default, the gateway will only examine the first 32,768 bytes of the response for the pattern. Because the pattern is checked against the entire cached response it will usually start and end with a '*'.  | [optional] 
 **service** | **str** | The name of the credential service which is used to store and retrieve credentials for this resource.  | [optional] 
 **resource\_name** | **str** | The resource name which will be used when making requests to the configured credential service.  | [optional] 
 **fields** | [**list[ResourceServerFormsLoginFields]**](ResourceServerFormsLoginFields.md) | This entry is a list of the form fields which are need to complete the form-based login.  | [optional] 

python/doc/ServerRateLimiting.md

@@ -2,12 +2,23 @@
 
 ## Description
 
-Specifies the global configuration related to rate limiting. Rate  limiting policies are defined using the policies/rate_limiting[] entry.
+Specifies the global configuration related to rate limiting. Rate limiting policies are defined using the policies/rate_limiting[] entry.
+
+Additional rate limiting headers can also be enabled. The rate limiting response headers include:
+
+header | value 
+-------|-------
+X-Rate-Limit-Policy    | The name of the rate limiting policy which is closest to being hit.
+X-Rate-Limit-Remaining | The number of requests left for the rate limiting policy in the current rate limit window.
+X-Rate-Limit-Reset     | The time (UTC Epoch time) at which the rate limiting policy resets.
+
 
 Example:
+
 server:
   rate_limiting:
     cache_size: 16384
+    response_headers: false
     redis:
       collection_name: test-collection
       sync_window: 10
@@ -19,6 +30,7 @@ Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
 **cache\_size** | **float** | The number of unique records to cache locally for the rate limiting capability. When this cache is exhausted, the oldest  cached records are ejected. This effectively resets the rate limiting counters for this client(s). This number needs to be  higher than the number of requests being rate limited across a  refresh interval.  | [optional] [default to 16384]
 **redis** | [**ServerRateLimitingRedis**](ServerRateLimitingRedis.md) |  | [optional] 
+**response\_headers** | **bool** | Specifies whether or not the gateway will insert the rate limiting headers into responses. By default, the rate limiting response headers are disabled.  | [optional] [default to False]
 
 [[Back to README]](../README.md)
 

python/packages/ibm_application_gateway/config/advanced.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/advanced_configuration.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/authorization.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/authorization_rules.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/ci_oidc.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/eai.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """
 

python/packages/ibm_application_gateway/config/identity.py

@@ -5,7 +5,7 @@
 
     No description provided (generated by Openapi Generator https://github.com/openapitools/openapi-generator)  # noqa: E501
 
-    The version of the OpenAPI document: 22.07
+    The version of the OpenAPI document: 23.04
     Generated by: https://openapi-generator.tech
 """