[DX-1423] Update TYK_GW_SECRETS definition #6360

Open
wants to merge 3 commits into
base: master

@dcs3spp dcs3spp commented Jun 19, 2024

User description

Description

This PR updates the config.go godoc comments in response to a ticket raised by @oluwaseyeayinla. It updates the description for TYK_GW_SECRETS with an example and explains what can be updated using the secrets://key notation.

Related Issue

https://tyktech.atlassian.net/browse/DX-1423


PR Type

Documentation


Description

  • Updated the godoc comments for the TYK_GW_SECRETS environment variable in config/config.go.
  • Added a detailed explanation of the syntax and usage of TYK_GW_SECRETS.
  • Included an example to illustrate how the secrets can be used in the Tyk Gateway configuration.

Changes walkthrough 📝

Relevant files
Documentation
config.go
Update godoc comments for `TYK_GW_SECRETS` environment variable

config/config.go

  • +12/-1   


    PR Reviewer Guide 🔍

    ⏱️ Estimated effort to review [1-5] 2
    🧪 Relevant tests No
    🔒 Security concerns No
    ⚡ Key issues to review None


    github-actions bot commented Jun 19, 2024

    API Changes

    --- prev.txt	2024-07-09 15:01:53.458792536 +0000
    +++ current.txt	2024-07-09 15:01:50.234777388 +0000
    @@ -2596,12 +2596,10 @@
     TYPES
     
     type APIDef struct {
    -	// OAS contains the OAS API definition.
    -	OAS *OAS
    -	// Classic contains the Classic API definition.
    +	OAS     *OAS
     	Classic *apidef.APIDefinition
     }
    -    APIDef holds both OAS and Classic forms of an API definition.
    +    APIDef is struct to hold both OAS and Classic forms of an API definition.
     
     type Allowance struct {
     	// Enabled is a boolean flag, if set to `true`, then individual allowances (allow, block, ignore) will be enforced.
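
Review bot: The field comments on OAS and Classic are dropped from APIDef and the type comment becomes "APIDef is struct to hold ...", which is ungrammatical. The PR is described as touching only config/config.go (+12/-1), so these removals look unintended. Restore the field comments and the original sentence "APIDef holds both OAS and Classic forms of an API definition.", or bring the branch up to date with master so that this report shows only the TYK_GW_SECRETS change.
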
    @@ -2746,8 +2744,7 @@
     type Basic struct {
     	// Enabled activates the basic authentication mode.
     	// Tyk classic API definition: `use_basic_auth`
    -	Enabled bool `bson:"enabled" json:"enabled"` // required
    -	// AuthSources contains the source for HTTP Basic Auth credentials.
    +	Enabled     bool `bson:"enabled" json:"enabled"` // required
     	AuthSources `bson:",inline" json:",inline"`
     	// DisableCaching disables the caching of basic authentication key.
     	// Tyk classic API definition: `basic_auth.disable_caching`
    @@ -3099,8 +3096,6 @@
         that were previously used to represent the same data.
     
     type EndpointPostPlugins []EndpointPostPlugin
    -    EndpointPostPlugins is a list of EndpointPostPlugins. It's used where
    -    multiple plugins can be run.
     
     func (e EndpointPostPlugins) ExtractTo(meta *apidef.GoPluginMeta)
         ExtractTo extracts *EndpointPostPlugin to *apidef.GoPluginMeta.
    @@ -3132,10 +3127,9 @@
     	Kind Kind `json:"type" bson:"type"` // json tag is changed as per contract
     	// ID is the ID of event handler in storage.
     	ID string `json:"id,omitempty" bson:"id,omitempty"`
    -	// Name is the name of event handler.
    +	// Name is the name of event handler
     	Name string `json:"name,omitempty" bson:"name,omitempty"`
     
    -	// Webhook contains WebhookEvent configs. Encoding and decoding is handled by the custom marshaller.
     	Webhook WebhookEvent `bson:"-" json:"-"`
     }
         EventHandler holds information about individual event to be configured on
    @@ -3161,16 +3155,10 @@
         events are supported.
     
     type ExternalOAuth struct {
    -	// Enabled activates external oauth functionality.
    -	Enabled bool `bson:"enabled" json:"enabled"` // required
    -
    -	// AuthSources configures the source for the authentication token.
    +	Enabled     bool `bson:"enabled" json:"enabled"` // required
     	AuthSources `bson:",inline" json:",inline"`
    -
    -	// Providers is used to configure OAuth providers.
    -	Providers []OAuthProvider `bson:"providers" json:"providers"` // required
    +	Providers   []OAuthProvider `bson:"providers" json:"providers"` // required
     }
    -    ExternalOAuth holds configuration for an external OAuth provider.
     
     type ExtractCredentialsFromBody struct {
     	// Enabled activates extracting credentials from body.
    @@ -3209,7 +3197,7 @@
     type GatewayTags struct {
     	// Enabled activates use of segment tags.
     	Enabled bool `bson:"enabled" json:"enabled"`
    -	// Tags contains a list of segment tags.
    +	// Tags is a list of segment tags
     	Tags []string `bson:"tags" json:"tags"`
     }
         GatewayTags holds a list of segment tags that should apply for a gateway.
    @@ -3240,7 +3228,7 @@
     	// Deprecated: Use PostAuthenticationPlugins instead.
     	PostAuthenticationPlugin *PostAuthenticationPlugin `bson:"postAuthenticationPlugin,omitempty" json:"postAuthenticationPlugin,omitempty"`
     
    -	// PostAuthenticationPlugins contains configuration related to the custom plugin that is run immediately after authentication.
    +	// PostAuthenticationPlugin contains configuration related to the custom plugin that is run immediately after authentication.
     	// Tyk classic API definition: `custom_middleware.post_key_auth`.
     	PostAuthenticationPlugins CustomPlugins `bson:"postAuthenticationPlugins,omitempty" json:"postAuthenticationPlugins,omitempty"`
     
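
Review bot: The comment above PostAuthenticationPlugins now starts with "PostAuthenticationPlugin contains ...", which names the deprecated singular field declared two lines earlier rather than the field it documents. Keep the comment as "PostAuthenticationPlugins contains configuration related to the custom plugin ..." so the godoc matches the field name.
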
    @@ -3252,7 +3240,7 @@
     	// Tyk classic API definition: `custom_middleware.post`.
     	PostPlugins CustomPlugins `bson:"postPlugins,omitempty" json:"postPlugins,omitempty"`
     
    -	// ResponsePlugin contains configuration related to the custom plugin that is run during processing of the response from the upstream service.
    +	// Deprecated: ResponsePlugin contains configuration related to the custom plugin that is run during processing of the response from the upstream service.
     	// Deprecated: Use ResponsePlugins instead.
     	ResponsePlugin *ResponsePlugin `bson:"responsePlugin,omitempty" json:"responsePlugin,omitempty"`
     
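
Review bot: The ResponsePlugin comment now carries "Deprecated:" twice, once prefixed to the description and once on the following line "Deprecated: Use ResponsePlugins instead.". Keep the first line as the plain description ("ResponsePlugin contains configuration ...") and leave the single "Deprecated:" line after it, so tooling reads one deprecation notice with the replacement named.
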
    @@ -3441,7 +3429,6 @@
     	// Cache is the caching mechanism for introspection responses.
     	Cache *IntrospectionCache `bson:"cache,omitempty" json:"cache,omitempty"`
     }
    -    Introspection holds configuration for OAuth token introspection.
     
     func (i *Introspection) ExtractTo(intros *apidef.Introspection)
     
    @@ -3454,73 +3441,25 @@
     	// For introspection caching, it is suggested to use a short interval.
     	Timeout int64 `bson:"timeout" json:"timeout"`
     }
    -    IntrospectionCache holds configuration for caching introspection requests.
     
     func (c *IntrospectionCache) ExtractTo(cache *apidef.IntrospectionCache)
     
     func (c *IntrospectionCache) Fill(cache apidef.IntrospectionCache)
     
     type JWT struct {
    -	// Enabled activates the basic authentication mode.
    -	//
    -	// Tyk classic API definition: `enable_jwt`
    -	Enabled bool `bson:"enabled" json:"enabled"` // required
    -
    -	// AuthSources configures the source for the JWT.
    -	AuthSources `bson:",inline" json:",inline"`
    -
    -	// Source contains the source for the JWT.
    -	//
    -	// Tyk classic API definition: `jwt_source`
    -	Source string `bson:"source,omitempty" json:"source,omitempty"`
    -
    -	// SigningMethod contains the signing method to use for the JWT.
    -	//
    -	// Tyk classic API definition: `jwt_signing_method`
    -	SigningMethod string `bson:"signingMethod,omitempty" json:"signingMethod,omitempty"`
    -
    -	// IdentityBaseField specifies the claim name uniquely identifying the subject of the JWT.
    -	// The identity fields that are checked in order are: `kid`, IdentityBaseField, `sub`.
    -	//
    -	// Tyk classic API definition: `jwt_identity_base_field`
    -	IdentityBaseField string `bson:"identityBaseField,omitempty" json:"identityBaseField,omitempty"`
    -
    -	// SkipKid controls skipping using the `kid` claim from a JWT (default behaviour).
    -	// When this is true, the field configured in IdentityBaseField is checked first.
    -	//
    -	// Tyk classic API definition: `jwt_skip_kid`
    -	SkipKid bool `bson:"skipKid,omitempty" json:"skipKid,omitempty"`
    -
    -	// PolicyFieldName is a configurable claim name from which a policy ID is extracted.
    -	// The policy is applied to the session as a base policy.
    -	//
    -	// Tyk classic API definition: `jwt_policy_field_name`
    -	PolicyFieldName string `bson:"policyFieldName,omitempty" json:"policyFieldName,omitempty"`
    -
    -	// ClientBaseField is used when PolicyFieldName is not provided. It will get
    -	// a session key and use the policies from that. The field ensures that requests
    -	// use the same session.
    -	//
    -	// Tyk classic API definition: `jwt_client_base_field`
    -	ClientBaseField string `bson:"clientBaseField,omitempty" json:"clientBaseField,omitempty"`
    -
    -	// Scopes holds the scope to policy mappings for a claim name.
    -	Scopes *Scopes `bson:"scopes,omitempty" json:"scopes,omitempty"`
    -
    -	// DefaultPolicies is a list of policy IDs that apply to the session.
    -	//
    -	// Tyk classic API definition: `jwt_default_policies`
    -	DefaultPolicies []string `bson:"defaultPolicies,omitempty" json:"defaultPolicies,omitempty"`
    -
    -	// IssuedAtValidationSkew contains the duration in seconds for which token issuance can predate the current time during the request.
    -	IssuedAtValidationSkew uint64 `bson:"issuedAtValidationSkew,omitempty" json:"issuedAtValidationSkew,omitempty"`
    -
    -	// NotBeforeValidationSkew contains the duration in seconds for which token validity can predate the current time during the request.
    -	NotBeforeValidationSkew uint64 `bson:"notBeforeValidationSkew,omitempty" json:"notBeforeValidationSkew,omitempty"`
    -
    -	// ExpiresAtValidationSkew contains the duration in seconds for which the token can be expired before we consider it expired.
    -	ExpiresAtValidationSkew uint64 `bson:"expiresAtValidationSkew,omitempty" json:"expiresAtValidationSkew,omitempty"`
    -
    +	Enabled                 bool `bson:"enabled" json:"enabled"` // required
    +	AuthSources             `bson:",inline" json:",inline"`
    +	Source                  string   `bson:"source,omitempty" json:"source,omitempty"`
    +	SigningMethod           string   `bson:"signingMethod,omitempty" json:"signingMethod,omitempty"`
    +	IdentityBaseField       string   `bson:"identityBaseField,omitempty" json:"identityBaseField,omitempty"`
    +	SkipKid                 bool     `bson:"skipKid,omitempty" json:"skipKid,omitempty"`
    +	PolicyFieldName         string   `bson:"policyFieldName,omitempty" json:"policyFieldName,omitempty"`
    +	ClientBaseField         string   `bson:"clientBaseField,omitempty" json:"clientBaseField,omitempty"`
    +	Scopes                  *Scopes  `bson:"scopes,omitempty" json:"scopes,omitempty"`
    +	DefaultPolicies         []string `bson:"defaultPolicies,omitempty" json:"defaultPolicies,omitempty"`
    +	IssuedAtValidationSkew  uint64   `bson:"issuedAtValidationSkew,omitempty" json:"issuedAtValidationSkew,omitempty"`
    +	NotBeforeValidationSkew uint64   `bson:"notBeforeValidationSkew,omitempty" json:"notBeforeValidationSkew,omitempty"`
    +	ExpiresAtValidationSkew uint64   `bson:"expiresAtValidationSkew,omitempty" json:"expiresAtValidationSkew,omitempty"`
     	// IDPClientIDMappingDisabled prevents Tyk from automatically detecting the use of certain IDPs based on standard claims
     	// that they include in the JWT: `client_id`, `cid`, `clientId`. Setting this flag to `true` disables the mapping and avoids
     	// accidentally misidentifying the use of one of these IDPs if one of their standard values is configured in your JWT.
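
Review bot: Every field comment on the JWT struct from Enabled down to ExpiresAtValidationSkew is removed, including the ones that carry behaviour an operator needs: the identity lookup order (`kid`, IdentityBaseField, `sub`), what SkipKid changes, and that the three validation skew values are in seconds. None of this relates to TYK_GW_SECRETS, so restore these comments along with their "Tyk classic API definition" mappings.
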
    @@ -3532,7 +3471,7 @@
         Import populates *JWT based on arguments.
     
     type JWTValidation struct {
    -	// Enabled activates OAuth access token validation.
    +	// Enabled activates OAuth access token validation by introspection to a third party.
     	Enabled bool `bson:"enabled" json:"enabled"`
     
     	// SigningMethod to verify signing method used in jwt - allowed values HMAC/RSA/ECDSA.
    @@ -3557,8 +3496,6 @@
     	// ExpiresAtValidationSkew is the clock skew to be considered while validating the exp claim.
     	ExpiresAtValidationSkew uint64 `bson:"expiresAtValidationSkew,omitempty" json:"expiresAtValidationSkew,omitempty"`
     }
    -    JWTValidation holds configuration for validating access tokens by inspecing
    -    them against a third party API, usually one provided by the IDP.
     
     func (j *JWTValidation) ExtractTo(jwt *apidef.JWTValidation)
     
    @@ -3701,23 +3638,12 @@
         UpdateServers sets or updates the first servers URL if it matches oldAPIURL.
     
     type OAuth struct {
    -	// Enabled activates the OAuth middleware.
    -	Enabled bool `bson:"enabled" json:"enabled"` // required
    -
    -	// AuthSources configures the sources for OAuth credentials.
    -	AuthSources `bson:",inline" json:",inline"`
    -
    -	// AllowedAuthorizeTypes is an array of OAuth authorization types.
    +	Enabled               bool `bson:"enabled" json:"enabled"` // required
    +	AuthSources           `bson:",inline" json:",inline"`
     	AllowedAuthorizeTypes []osin.AuthorizeRequestType `bson:"allowedAuthorizeTypes,omitempty" json:"allowedAuthorizeTypes,omitempty"`
    -
    -	// RefreshToken enables clients using a refresh token to get a new bearer access token.
    -	RefreshToken bool `bson:"refreshToken,omitempty" json:"refreshToken,omitempty"`
    -
    -	// AuthLoginRedirect configures a URL to redirect to after a successful login.
    -	AuthLoginRedirect string `bson:"authLoginRedirect,omitempty" json:"authLoginRedirect,omitempty"`
    -
    -	// Notifications configures a URL trigger on key changes.
    -	Notifications *Notifications `bson:"notifications,omitempty" json:"notifications,omitempty"`
    +	RefreshToken          bool                        `bson:"refreshToken,omitempty" json:"refreshToken,omitempty"`
    +	AuthLoginRedirect     string                      `bson:"authLoginRedirect,omitempty" json:"authLoginRedirect,omitempty"`
    +	Notifications         *Notifications              `bson:"notifications,omitempty" json:"notifications,omitempty"`
     }
         OAuth configures the OAuth middleware.
     
    @@ -3725,13 +3651,9 @@
         Import populates *OAuth from it's arguments.
     
     type OAuthProvider struct {
    -	// JWT configures JWT validation.
    -	JWT *JWTValidation `bson:"jwt,omitempty" json:"jwt,omitempty"`
    -	// Introspection configures token introspection.
    +	JWT           *JWTValidation `bson:"jwt,omitempty" json:"jwt,omitempty"`
     	Introspection *Introspection `bson:"introspection,omitempty" json:"introspection,omitempty"`
     }
    -    OAuthProvider holds the configuration for validation and introspection of
    -    OAuth tokens.
     
     type OIDC struct {
     	// Enabled activates the OIDC authentication mode.
    @@ -3747,7 +3669,7 @@
     	// Tyk classic API definition: `openid_options.segregate_by_client`.
     	SegregateByClientId bool `bson:"segregateByClientId,omitempty" json:"segregateByClientId,omitempty"`
     
    -	// Providers contains a list of authorized providers, their Client IDs and matched policies.
    +	// Providers contains a list of authorised providers, their Client IDs and matched policies.
     	//
     	// Tyk classic API definition: `openid_options.providers`.
     	Providers []Provider `bson:"providers,omitempty" json:"providers,omitempty"`
    @@ -3766,7 +3688,6 @@
     type OldOAS struct {
     	openapifork.T
     }
    -    OldOAS serves for data model migration/conversion purposes (gorm).
     
     func (o *OldOAS) ConvertToNewerOAS() (*OAS, error)
         ConvertToNewerOAS converts a deprecated OldOAS object to the newer OAS
    @@ -3845,23 +3766,14 @@
         Operations holds Operation definitions.
     
     type Path struct {
    -	// Delete holds plugin configuration for DELETE requests.
    -	Delete *Plugins `bson:"DELETE,omitempty" json:"DELETE,omitempty"`
    -	// Get holds plugin configuration for GET requests.
    -	Get *Plugins `bson:"GET,omitempty" json:"GET,omitempty"`
    -	// Head holds plugin configuration for HEAD requests.
    -	Head *Plugins `bson:"HEAD,omitempty" json:"HEAD,omitempty"`
    -	// Options holds plugin configuration for OPTIONS requests.
    +	Delete  *Plugins `bson:"DELETE,omitempty" json:"DELETE,omitempty"`
    +	Get     *Plugins `bson:"GET,omitempty" json:"GET,omitempty"`
    +	Head    *Plugins `bson:"HEAD,omitempty" json:"HEAD,omitempty"`
     	Options *Plugins `bson:"OPTIONS,omitempty" json:"OPTIONS,omitempty"`
    -	// Patch holds plugin configuration for PATCH requests.
    -	Patch *Plugins `bson:"PATCH,omitempty" json:"PATCH,omitempty"`
    -	// Post holds plugin configuration for POST requests.
    -	Post *Plugins `bson:"POST,omitempty" json:"POST,omitempty"`
    -	// Put holds plugin configuration for PUT requests.
    -	Put *Plugins `bson:"PUT,omitempty" json:"PUT,omitempty"`
    -	// Trace holds plugin configuration for TRACE requests.
    -	Trace *Plugins `bson:"TRACE,omitempty" json:"TRACE,omitempty"`
    -	// Connect holds plugin configuration for CONNECT requests.
    +	Patch   *Plugins `bson:"PATCH,omitempty" json:"PATCH,omitempty"`
    +	Post    *Plugins `bson:"POST,omitempty" json:"POST,omitempty"`
    +	Put     *Plugins `bson:"PUT,omitempty" json:"PUT,omitempty"`
    +	Trace   *Plugins `bson:"TRACE,omitempty" json:"TRACE,omitempty"`
     	Connect *Plugins `bson:"CONNECT,omitempty" json:"CONNECT,omitempty"`
     }
         Path holds plugin configurations for HTTP method verbs.
    @@ -3963,7 +3875,7 @@
     	// Block request by allowance.
     	Block *Allowance `bson:"block,omitempty" json:"block,omitempty"`
     
    -	// IgnoreAuthentication ignores authentication on request by allowance.
    +	// Ignore authentication on request by allowance.
     	IgnoreAuthentication *Allowance `bson:"ignoreAuthentication,omitempty" json:"ignoreAuthentication,omitempty"`
     
     	// TransformRequestMethod allows you to transform the method of a request.
    @@ -4183,7 +4095,7 @@
     	// Tyk classic API definition: `detailed_tracing`
     	DetailedTracing *DetailedTracing `bson:"detailedTracing,omitempty" json:"detailedTracing,omitempty"`
     
    -	// EventHandlers contains the configuration related to Tyk Events.
    +	// Events contains the configuration related to Tyk Events.
     	//
     	// Tyk classic API definition: `event_handlers`
     	EventHandlers EventHandlers `bson:"eventHandlers,omitempty" json:"eventHandlers,omitempty"`
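
Review bot: The comment on the EventHandlers field now begins "Events contains ...", so the godoc no longer starts with the name of the field it documents. Keep "EventHandlers contains the configuration related to Tyk Events."
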
    @@ -4326,32 +4238,14 @@
         ServiceDiscoveryCache holds configuration for caching ServiceDiscovery data.
     
     type Signature struct {
    -	// Enabled activates signature validation.
    -	// Tyk classic API definition: `auth_configs[X].validate_signature`.
    -	Enabled bool `bson:"enabled" json:"enabled"` // required
    -	// Algorithm is the signature method to use.
    -	// Tyk classic API definition: `auth_configs[X].signature.algorithm`.
    -	Algorithm string `bson:"algorithm,omitempty" json:"algorithm,omitempty"`
    -	// Header is the name of the header to consume.
    -	// Tyk classic API definition: `auth_configs[X].signature.header`.
    -	Header string `bson:"header,omitempty" json:"header,omitempty"`
    -	// Query is the name of the query parameter to consume.
    -	// Tyk classic API definition: `auth_configs[X].signature.use_param/param_name`.
    -	Query AuthSource `bson:"query,omitempty" json:"query,omitempty"`
    -	// Secret is the signing secret used for signature validation.
    -	// Tyk classic API definition: `auth_configs[X].signature.secret`.
    -	Secret string `bson:"secret,omitempty" json:"secret,omitempty"`
    -	// AllowedClockSkew configures a grace period in seconds during which an expired token is still valid.
    -	// Tyk classic API definition: `auth_configs[X].signature.allowed_clock_skew`.
    -	AllowedClockSkew int64 `bson:"allowedClockSkew,omitempty" json:"allowedClockSkew,omitempty"`
    -	// ErrorCode configures the HTTP response code for a validation failure.
    -	// If unconfigured, a HTTP 401 Unauthorized status code will be emitted.
    -	// Tyk classic API definition: `auth_configs[X].signature.error_code`.
    -	ErrorCode int `bson:"errorCode,omitempty" json:"errorCode,omitempty"`
    -	// ErrorMessage configures the error message that is emitted on validation failure.
    -	// A default error message is emitted if unset.
    -	// Tyk classic API definition: `auth_configs[X].signature.error_message`.
    -	ErrorMessage string `bson:"errorMessage,omitempty" json:"errorMessage,omitempty"`
    +	Enabled          bool       `bson:"enabled" json:"enabled"` // required
    +	Algorithm        string     `bson:"algorithm,omitempty" json:"algorithm,omitempty"`
    +	Header           string     `bson:"header,omitempty" json:"header,omitempty"`
    +	Query            AuthSource `bson:"query,omitempty" json:"query,omitempty"`
    +	Secret           string     `bson:"secret,omitempty" json:"secret,omitempty"`
    +	AllowedClockSkew int64      `bson:"allowedClockSkew,omitempty" json:"allowedClockSkew,omitempty"`
    +	ErrorCode        int        `bson:"errorCode,omitempty" json:"errorCode,omitempty"`
    +	ErrorMessage     string     `bson:"errorMessage,omitempty" json:"errorMessage,omitempty"`
     }
         Signature holds the configuration for signature validation.
     
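
Review bot: The Signature struct loses all of its field documentation, including the statement that a missing ErrorCode results in HTTP 401 Unauthorized, the meaning of AllowedClockSkew (grace period in seconds), and the description of Secret as the signing secret. These are the details a reader needs to configure signature validation correctly, and they are unrelated to this PR's stated scope; restore the comments and their `auth_configs[X].signature.*` mappings.
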
    @@ -4495,23 +4389,14 @@
         Fill fills *TransformRequestMethod from apidef.MethodTransformMeta.
     
     type TykExtensionConfigParams struct {
    -	// UpstreamURL configures the upstream URL.
    -	UpstreamURL string
    -	// ListenPath configures the listen path.
    -	ListenPath string
    -	// CustomDomain configures the domain name.
    -	CustomDomain string
    -	// ApiID is the API ID.
    -	ApiID string
    -
    -	// Authentication is true if the API configures authentication.
    -	Authentication *bool
    -	// AllowList is true if the API configures an allow list.
    -	AllowList *bool
    -	// ValidateRequest is true if the API enables request validation.
    +	UpstreamURL     string
    +	ListenPath      string
    +	CustomDomain    string
    +	ApiID           string
    +	Authentication  *bool
    +	AllowList       *bool
     	ValidateRequest *bool
    -	// MockResponse is true if a mocked response is configured.
    -	MockResponse *bool
    +	MockResponse    *bool
     }
         TykExtensionConfigParams holds the essential configuration required for the
         Tyk Extension schema.
    @@ -4550,8 +4435,8 @@
     type URLRewriteCondition string
         URLRewriteCondition defines the matching mode for an URL rewrite rules.
     
    -    - Value `any` means any of the defined trigger rules may match. - Value
    -    `all` means all the defined trigger rules must match.
    +    - Value `any` means any of the defined trigger rules may match - Value `all`
    +    means all the defined trigger rules must match
     
     type URLRewriteInput string
         URLRewriteInput defines the input for an URL rewrite rule.
    @@ -4565,8 +4450,6 @@
         match pattern against request body - `requestContext`, match pattern against
         request context
     
    -    The default `url` is used as the input source.
    -
     func (i URLRewriteInput) Err() error
         Err returns an error if the type value is invalid, nil otherwise.
     
    @@ -4578,6 +4461,17 @@
     
     type URLRewriteRule struct {
     	// In specifies one of the valid inputs for URL rewriting.
    +	// By default, it uses `url` as the input source.
    +	//
    +	// The following values are valid:
    +	//
    +	// - `url`, match pattern against URL
    +	// - `query`, match pattern against named query parameter value
    +	// - `path`, match pattern against named path parameter value
    +	// - `header`, match pattern against named header value
    +	// - `sessionMetadata`, match pattern against session metadata
    +	// - `requestBody`, match pattern against request body
    +	// - `requestContext`, match pattern against request context
     	In URLRewriteInput `bson:"in" json:"in"`
     
     	// Name is the index in the value declared inside `in`.
    @@ -4600,7 +4494,10 @@
         URLRewriteRule represents a rewrite matching rules.
     
     type URLRewriteTrigger struct {
    -	// Condition indicates the logical combination that will be applied to the rules for an advanced trigger.
    +	// Condition indicates the logical combination that will be applied to the rules for an advanced trigger:
    +	//
    +	// - Value `any` means any of the defined trigger rules may match
    +	// - Value `all` means all the defined trigger rules must match
     	Condition URLRewriteCondition `bson:"condition" json:"condition"`
     
     	// Rules contain individual checks that are combined according to the
    @@ -5650,7 +5547,46 @@
     		Vault  VaultConfig  `json:"vault"`
     	} `json:"kv"`
     
    -	// Secrets are key-value pairs that can be accessed in the dashboard via "secrets://"
    +	// The TYK_GW_SECRETS environment variable allows you to configure the "secrets"
    +	// section in the Tyk Gateway configuration file. These secrets are key-value pairs
    +	// that can be dynamically injected into API Definitions and the tyk.conf configuration
    +	// file using the secrets://KEY notation. For Gateway versions prior to 5.3.0 only the
    +	// listen path and target URL fields can use this notation.
    +	//
    +	// Syntax: TYK_GW_SECRETS=key1:/value1,key2:/value2
    +	// Example: TYK_GW_SECRETS=api-listen-path:/secret,api-auth-key:/another-secret
    +	//
    +	// In this example, api-listen-path is set to /secret and api-auth-key is set to
    +	// /another-secret. If the listen path in an API Definition has value secrets://api-listen-path,
    +	// then Tyk Gateway will replace it with the value of the api-listen-path key, i.e. /secret.
    +	//
    +	// As another example, if you create a Key-Value pair in the secrets section of the tyk.conf file
    +	// with the Key auth_header_name:
    +	//
    +	// {
    +	//   "secrets": {
    +	//   "auth_header_name": "Authorization"
    +	// }
    +	//
    +	// Then within your API definition you could use the Value for the authentication header name as follows:
    +	//
    +	// {
    +	//   "x-tyk-api-gateway": {
    +	//     "components": {
    +	//       "securitySchemes": {
    +	//         "authToken": {
    +	//           "type": "apiKey",
    +	//           "in": "header",
    +	//           "name": "secrets://auth_header_name"
    +	//         }
    +	//       }
    +	//     }
    +	//   }
    +	// }
    +	//
    +	// When the Gateway starts, Tyk will read the Value from the secrets section in the Gateway config file and
    +	// use this to identify the header where Tyk Gateway should look for the Authentication token in requests
    +	// to your Tyk OAS API.
     	Secrets map[string]string `json:"secrets"`
     
     	// Override the default error code and or message returned by middleware.
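
Review bot: The tyk.conf example in the new Secrets comment is not valid JSON: `"secrets": {` is opened but only one `}` follows, so the outer object is never closed. Add the missing closing brace and indent `"auth_header_name": "Authorization"` one level deeper. The Syntax line `TYK_GW_SECRETS=key1:/value1,key2:/value2` also reads as if `/` were part of the separator, while the second example stores `Authorization` with no slash; writing the syntax as `key1:value1,key2:value2` and keeping the slash only in the listen-path example would remove that ambiguity. Finally, the comment says that before 5.3.0 only the listen path and target URL fields accept secrets://KEY but does not say which fields accept it from 5.3.0 onward; state that explicitly, since the PR description says the comment explains what can be updated with this notation.
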
    @@ -5671,7 +5607,7 @@
     	// "override_messages": {
     	//   "oauth.auth_field_missing" : {
     	//    "code": 401,
    -	//    "message": "Token is not authorized"
    +	//    "message": "Token is not authorised"
     	//  }
     	// }
     	// ```
    @@ -6040,7 +5976,7 @@
     	// EnableFixedWindow enables fixed window rate limiting.
     	EnableFixedWindowRateLimiter bool `json:"enable_fixed_window_rate_limiter"`
     
    -	// Redis based rate limiter with sliding log. Provides 100% rate limiting accuracy, but require two additional Redis roundtrips for each request.
    +	// Redis based rate limiter with sliding log. Provides 100% rate limiting accuracy, but require two additional Redis roundtrip for each request.
     	EnableRedisRollingLimiter bool `json:"enable_redis_rolling_limiter"`
     
     	// To enable, set to `true`. The sentinel-based rate limiter delivers a smoother performance curve as rate-limit calculations happen off-thread, but a stricter time-out based cool-down for clients. For example, when a throttling action is triggered, they are required to cool-down for the period of the rate limit.
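
Review bot: The EnableRedisRollingLimiter comment changes "two additional Redis roundtrips" to "two additional Redis roundtrip", which breaks number agreement. Keep the plural "roundtrips".
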
    @@ -6049,7 +5985,7 @@
     	// The standard rate limiter offers similar performance as the sentinel-based limiter. This is disabled by default.
     	EnableSentinelRateLimiter bool `json:"enable_sentinel_rate_limiter"`
     
    -	// EnableRateLimitSmoothing enables or disables rate limit smoothing. The rate smoothing is only supported on the
    +	// EnableRateLimitSmoothing enables or disables rate smoothing. The rate smoothing is only supported on the
     	// Redis Rate Limiter, or the Sentinel Rate Limiter, as both algorithms implement a sliding log.
     	EnableRateLimitSmoothing bool `json:"enable_rate_limit_smoothing"`
     
    @@ -6157,7 +6093,7 @@
     	// Your organisation ID to connect to the MDCB installation.
     	RPCKey string `json:"rpc_key"`
     
    -	// This the API key of a user used to authenticate and authorize the Gateway’s access through MDCB.
    +	// This the API key of a user used to authenticate and authorise the Gateway’s access through MDCB.
     	// The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised.
     	// The suggested security settings are read for Real-time notifications and the remaining options set to deny.
     	APIKey string `json:"api_key"`
    @@ -6403,23 +6339,12 @@
     TYPES
     
     type AccessDefinition struct {
    -
    -	// ApiName is the name of the API that the session request relates to.
    -	ApiName string `protobuf:"bytes,1,opt,name=api_name,json=apiName,proto3" json:"api_name,omitempty"`
    -	// ApiId is the ID of the API that the session request relates to.
    -	ApiId string `protobuf:"bytes,2,opt,name=api_id,json=apiId,proto3" json:"api_id,omitempty"`
    -	// Versions is a list of allowed API versions, e.g.  `"versions": [ "Default" ]`.
    -	Versions []string `protobuf:"bytes,3,rep,name=versions,proto3" json:"versions,omitempty"`
    -	// AllowedUrls is a list of AccessSpec instances. Each instance defines a URL (endpoint)
    -	// with an associated allowed list of methods. If all URLs (endpoints) are allowed then the
    -	// attribute is not set.
    +	ApiName     string        `protobuf:"bytes,1,opt,name=api_name,json=apiName,proto3" json:"api_name,omitempty"`
    +	ApiId       string        `protobuf:"bytes,2,opt,name=api_id,json=apiId,proto3" json:"api_id,omitempty"`
    +	Versions    []string      `protobuf:"bytes,3,rep,name=versions,proto3" json:"versions,omitempty"`
     	AllowedUrls []*AccessSpec `protobuf:"bytes,4,rep,name=allowed_urls,json=allowedUrls,proto3" json:"allowed_urls,omitempty"`
     	// Has unexported fields.
     }
    -    AccessDefinition is defined as an attribute within a SessionState instance.
    -    Contains the allowed versions and URLs (endpoints) for the API that the
    -    session request relates to. Each URL (endpoint) specifies an associated list
    -    of allowed methods. See also AccessSpec.
     
     func (*AccessDefinition) Descriptor() ([]byte, []int)
         Deprecated: Use AccessDefinition.ProtoReflect.Descriptor instead.
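Review bot: missing documentation on AllowedUrls after this hunk: the deleted comment was the only place stating that the attribute is not set when all URLs (endpoints) are allowed, and without it a reader cannot tell an empty list meaning "unrestricted" from one meaning "nothing allowed". The type-level description and the ApiName, ApiId and Versions comments go with it. The fields carry protobuf tags, so if this struct is generated the comments need to be kept in the source it is generated from; otherwise restore them here.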
    @@ -6441,16 +6366,10 @@
     func (x *AccessDefinition) String() string
     
     type AccessSpec struct {
    -
    -	// Url is a URL (endpoint) belonging to the API associated with the request session.
    -	Url string `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
    -	// Methods is a list of allowed methods for the URL (endpoint), e.g. 'methods': [ 'GET'. 'POST', 'PUT', 'PATCH' ]
    -	// The list of methods are case sensitive.
    +	Url     string   `protobuf:"bytes,1,opt,name=url,proto3" json:"url,omitempty"`
     	Methods []string `protobuf:"bytes,2,rep,name=methods,proto3" json:"methods,omitempty"`
     	// Has unexported fields.
     }
    -    AccessSpec defines an API's URL (endpoint) and associated list of allowed
    -    methods.
     
     func (*AccessSpec) Descriptor() ([]byte, []int)
         Deprecated: Use AccessSpec.ProtoReflect.Descriptor instead.
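Review bot: the Methods field loses the note that the list of methods is case sensitive, which matters to anyone writing an allow list for an endpoint, because a lower-case entry would not behave as they expect. Please keep that comment. If it is restored, fix the example at the same time: `[ 'GET'. 'POST', ...` has a full stop where a comma belongs, and "The list of methods are" should read "is".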
    @@ -6468,15 +6387,10 @@
     func (x *AccessSpec) String() string
     
     type BasicAuthData struct {
    -
    -	// Password is a hashed password.
     	Password string `protobuf:"bytes,1,opt,name=password,proto3" json:"password,omitempty"`
    -	// Hash is the name of the hashing algorithm used to hash the password, e.g. bcrypt, Argon2.
    -	Hash string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"`
    +	Hash     string `protobuf:"bytes,2,opt,name=hash,proto3" json:"hash,omitempty"`
     	// Has unexported fields.
     }
    -    BasicAuthData contains a hashed password and the name of the hashing
    -    algorithm used.
     
     func (*BasicAuthData) Descriptor() ([]byte, []int)
         Deprecated: Use BasicAuthData.ProtoReflect.Descriptor instead.
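Review bot: with the comments removed, nothing on BasicAuthData says that Password holds a hashed password rather than the plaintext, or that Hash names the algorithm (bcrypt, Argon2 in the deleted example). That distinction is what a plugin author needs before logging or comparing the field, so the two field comments and the type description should stay.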
    @@ -6516,9 +6430,7 @@
         PythonDispatcher for reference.
     
     type DispatcherClient interface {
    -	// Dispatch is an RPC method that accepts and returns an Object.
     	Dispatch(ctx context.Context, in *Object, opts ...grpc.CallOption) (*Object, error)
    -	// DispatchEvent dispatches an event to the target language.
     	DispatchEvent(ctx context.Context, in *Event, opts ...grpc.CallOption) (*EventReply, error)
     }
         DispatcherClient is the client API for Dispatcher service.
    @@ -6529,22 +6441,17 @@
     func NewDispatcherClient(cc grpc.ClientConnInterface) DispatcherClient
     
     type DispatcherServer interface {
    -	// Dispatch is an RPC method that accepts and returns an Object.
     	Dispatch(context.Context, *Object) (*Object, error)
    -	// DispatchEvent dispatches an event to the target language.
     	DispatchEvent(context.Context, *Event) (*EventReply, error)
     }
         DispatcherServer is the server API for Dispatcher service. All
         implementations should embed UnimplementedDispatcherServer for forward
    -    compatibility.
    +    compatibility
     
     type Event struct {
    -
    -	// Payload represents the JSON payload.
     	Payload string `protobuf:"bytes,1,opt,name=payload,proto3" json:"payload,omitempty"`
     	// Has unexported fields.
     }
    -    Event is represented as a JSON payload.
     
     func (*Event) Descriptor() ([]byte, []int)
         Deprecated: Use Event.ProtoReflect.Descriptor instead.
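Review bot: style point on the DispatcherServer description: "compatibility." becomes "compatibility", dropping the full stop that ends the godoc sentence; keep the period so the text matches the DispatcherClient description above it. The same hunk also removes the only explanation that Event.Payload is a JSON payload, which a caller needs before parsing the string.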
    @@ -6562,7 +6469,6 @@
     type EventReply struct {
     	// Has unexported fields.
     }
    -    EventReply is the response for event.
     
     func (*EventReply) Descriptor() ([]byte, []int)
         Deprecated: Use EventReply.ProtoReflect.Descriptor instead.
    @@ -6576,14 +6482,10 @@
     func (x *EventReply) String() string
     
     type Header struct {
    -
    -	// Key represents the name of the header.
    -	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
    -	// Values is a list of values for a given header content.
    +	Key    string   `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
     	Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"`
     	// Has unexported fields.
     }
    -    Header is a reponse header that contains multiple associated values.
     
     func (*Header) Descriptor() ([]byte, []int)
         Deprecated: Use Header.ProtoReflect.Descriptor instead.
    @@ -6601,33 +6503,14 @@
     func (x *Header) String() string
     
     type HookType int32
    -    HookType is an enumeration that identifies the type of plugin.
     
     const (
    -	// Unknown is used for error checking and handling of an unrecognised hook type.
    -	HookType_Unknown HookType = 0
    -	// Pre is executed before request sent to upstream target and before any
    -	// authentication information is extracted from the header or
    -	// parameter list of the request. Applies to both keyless and protected
    -	// APIs.
    -	HookType_Pre HookType = 1
    -	// Post is executed after authentication, validation, throttling and quota-limiting
    -	// middleware has been executed, just before the request is proxied upstream. Use this
    -	// to post-process a request before sending it to upstream API. This is only called
    -	// when using protected APIs.
    -	HookType_Post HookType = 2
    -	// PostKeyAuth is executed after authentication, validation, throttling, and quota-limiting
    -	// middleware has been executed, just before the request is proxied upstream. Use this
    -	// to post-process a request before sending it to upstream API. This is only called
    -	// when using protected APIs.
    -	HookType_PostKeyAuth HookType = 3
    -	// CustomKeyCheck is executed for performing customised authentication.
    +	HookType_Unknown        HookType = 0
    +	HookType_Pre            HookType = 1
    +	HookType_Post           HookType = 2
    +	HookType_PostKeyAuth    HookType = 3
     	HookType_CustomKeyCheck HookType = 4
    -	// Response is executed after the upstream API replies. The arguments passed to this hook include
    -	// both the request and response data. Use this to modify the HTTP response before it’s
    -	// sent to the client. This hook also receives the request object, the session object,
    -	// the metadata and API definition associated with the request.
    -	HookType_Response HookType = 5
    +	HookType_Response       HookType = 5
     )
     func (HookType) Descriptor() protoreflect.EnumDescriptor
     
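Review bot: the HookType constants lose the comments that say where each hook runs relative to authentication, in particular that Pre executes before any authentication information is extracted and applies to keyless and protected APIs alike. Plugin authors rely on that ordering to decide which hook may trust the session, so the comments should be kept. Note also that the deleted Post and PostKeyAuth comments are word-for-word identical; if they are restored, they need to say how the two hooks differ.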
    @@ -6643,14 +6526,9 @@
     func (HookType) Type() protoreflect.EnumType
     
     type JWTData struct {
    -
    -	// Secret is the shared secret.
     	Secret string `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
     	// Has unexported fields.
     }
    -    JWTData is added to sessions where a Tyk key (embedding a shared secret) is
    -    used as the public key for signing the JWT. This message contains the shared
    -    secret.
     
     func (*JWTData) Descriptor() ([]byte, []int)
         Deprecated: Use JWTData.ProtoReflect.Descriptor instead.
    @@ -6666,39 +6544,22 @@
     func (x *JWTData) String() string
     
     type MiniRequestObject struct {
    -
    -	// Headers is a read-only field for reading headers injected by previous middleware.
    -	Headers map[string]string `protobuf:"bytes,1,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// SetHeaders is a map of header key values to append to the request.
    -	SetHeaders map[string]string `protobuf:"bytes,2,rep,name=set_headers,json=setHeaders,proto3" json:"set_headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// DeleteHeaders is a list of header names to be removed from the request.
    -	DeleteHeaders []string `protobuf:"bytes,3,rep,name=delete_headers,json=deleteHeaders,proto3" json:"delete_headers,omitempty"`
    -	// Body is the request body.
    -	Body string `protobuf:"bytes,4,opt,name=body,proto3" json:"body,omitempty"`
    -	// Url is the request URL.
    -	Url string `protobuf:"bytes,5,opt,name=url,proto3" json:"url,omitempty"`
    -	// Params is a read only map of request params.
    -	Params map[string]string `protobuf:"bytes,6,rep,name=params,proto3" json:"params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// AddParams is a map of parameter keys and values to add to the request.
    -	AddParams map[string]string `protobuf:"bytes,7,rep,name=add_params,json=addParams,proto3" json:"add_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// ExtendedParams allows a parameter to have multiple values, currently unsupported.
    -	ExtendedParams map[string]string `protobuf:"bytes,8,rep,name=extended_params,json=extendedParams,proto3" json:"extended_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// DeleteParams is a list of parameter keys to be removed from the request.
    -	DeleteParams []string `protobuf:"bytes,9,rep,name=delete_params,json=deleteParams,proto3" json:"delete_params,omitempty"`
    -	// ReturnOverrides override the response for the request, see ReturnOverrides.
    -	ReturnOverrides *ReturnOverrides `protobuf:"bytes,10,opt,name=return_overrides,json=returnOverrides,proto3" json:"return_overrides,omitempty"`
    -	// Method is the request method, eg GET, POST, etc.
    -	Method string `protobuf:"bytes,11,opt,name=method,proto3" json:"method,omitempty"`
    -	// RequestUri is the raw unprocessed request URL, including query string and fragments.
    -	RequestUri string `protobuf:"bytes,12,opt,name=request_uri,json=requestUri,proto3" json:"request_uri,omitempty"`
    -	// Scheme is the URL scheme, e.g. http or https.
    -	Scheme string `protobuf:"bytes,13,opt,name=scheme,proto3" json:"scheme,omitempty"`
    -	// RawBody is the raw request body.
    -	RawBody []byte `protobuf:"bytes,14,opt,name=raw_body,json=rawBody,proto3" json:"raw_body,omitempty"`
    +	Headers         map[string]string `protobuf:"bytes,1,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	SetHeaders      map[string]string `protobuf:"bytes,2,rep,name=set_headers,json=setHeaders,proto3" json:"set_headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	DeleteHeaders   []string          `protobuf:"bytes,3,rep,name=delete_headers,json=deleteHeaders,proto3" json:"delete_headers,omitempty"`
    +	Body            string            `protobuf:"bytes,4,opt,name=body,proto3" json:"body,omitempty"`
    +	Url             string            `protobuf:"bytes,5,opt,name=url,proto3" json:"url,omitempty"`
    +	Params          map[string]string `protobuf:"bytes,6,rep,name=params,proto3" json:"params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	AddParams       map[string]string `protobuf:"bytes,7,rep,name=add_params,json=addParams,proto3" json:"add_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	ExtendedParams  map[string]string `protobuf:"bytes,8,rep,name=extended_params,json=extendedParams,proto3" json:"extended_params,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	DeleteParams    []string          `protobuf:"bytes,9,rep,name=delete_params,json=deleteParams,proto3" json:"delete_params,omitempty"`
    +	ReturnOverrides *ReturnOverrides  `protobuf:"bytes,10,opt,name=return_overrides,json=returnOverrides,proto3" json:"return_overrides,omitempty"`
    +	Method          string            `protobuf:"bytes,11,opt,name=method,proto3" json:"method,omitempty"`
    +	RequestUri      string            `protobuf:"bytes,12,opt,name=request_uri,json=requestUri,proto3" json:"request_uri,omitempty"`
    +	Scheme          string            `protobuf:"bytes,13,opt,name=scheme,proto3" json:"scheme,omitempty"`
    +	RawBody         []byte            `protobuf:"bytes,14,opt,name=raw_body,json=rawBody,proto3" json:"raw_body,omitempty"`
     	// Has unexported fields.
     }
    -    MiniRequestObject is used for middleware calls and contains important fields
    -    like headers, parameters, body and URL.
     
     func (*MiniRequestObject) Descriptor() ([]byte, []int)
         Deprecated: Use MiniRequestObject.ProtoReflect.Descriptor instead.
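Review bot: the field comments removed from MiniRequestObject are the only statement of which fields are inputs and which are outputs: Headers and Params are described as read-only, SetHeaders, DeleteHeaders, AddParams and DeleteParams as the way to change the request, and ExtendedParams as currently unsupported. With only the aligned declarations left, a plugin that writes to Headers or relies on ExtendedParams has no warning that it will not take effect. Keep the comments, or at minimum the read-only and unsupported notes.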
    @@ -6740,14 +6601,9 @@
     func (x *MiniRequestObject) String() string
     
     type Monitor struct {
    -
    -	// TriggerLimits is a list of quota percentage limits, defined in descending order.
     	TriggerLimits []float64 `protobuf:"fixed64,1,rep,packed,name=trigger_limits,json=triggerLimits,proto3" json:"trigger_limits,omitempty"`
     	// Has unexported fields.
     }
    -    Monitor allows API endpoint users, stakeholders or an organisation to be
    -    notified by webhook when certain quota limits have been reached for their
    -    session token.
     
     func (*Monitor) Descriptor() ([]byte, []int)
         Deprecated: Use Monitor.ProtoReflect.Descriptor instead.
    @@ -6763,28 +6619,15 @@
     func (x *Monitor) String() string
     
     type Object struct {
    -
    -	// HookType is an enumeration that identifies the plugin hook type.
    -	HookType HookType `protobuf:"varint,1,opt,name=hook_type,json=hookType,proto3,enum=coprocess.HookType" json:"hook_type,omitempty"`
    -	// HookName is the plugin name.
    -	HookName string `protobuf:"bytes,2,opt,name=hook_name,json=hookName,proto3" json:"hook_name,omitempty"`
    -	// Request relates to the main request data structure used by rich plugins. It’s used for middleware calls
    -	// and contains important fields like headers, parameters, body and URL.
    -	Request *MiniRequestObject `protobuf:"bytes,3,opt,name=request,proto3" json:"request,omitempty"`
    -	// Session stores information about the current key/user that’s used for authentication.
    -	Session *SessionState `protobuf:"bytes,4,opt,name=session,proto3" json:"session,omitempty"`
    -	// Metadata is a dynamic filed that contains the metadata.
    -	Metadata map[string]string `protobuf:"bytes,5,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// Spec contains information about API definition, including APIID, OrgID and config_data.
    -	Spec map[string]string `protobuf:"bytes,6,rep,name=spec,proto3" json:"spec,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// Response relates to the ResponseObject used by response hooks. The fields are populated with the upstream HTTP
    -	// response data. All the field contents can be modified.
    -	Response *ResponseObject `protobuf:"bytes,7,opt,name=response,proto3" json:"response,omitempty"`
    -	// Has unexported fields.
    -}
    -    Object wraps a MiniRequestObject and contains additional fields that are
    -    useful for users that implement their own request dispatchers, like the
    -    middleware hook type and name.
    +	HookType HookType           `protobuf:"varint,1,opt,name=hook_type,json=hookType,proto3,enum=coprocess.HookType" json:"hook_type,omitempty"`
    +	HookName string             `protobuf:"bytes,2,opt,name=hook_name,json=hookName,proto3" json:"hook_name,omitempty"`
    +	Request  *MiniRequestObject `protobuf:"bytes,3,opt,name=request,proto3" json:"request,omitempty"`
    +	Session  *SessionState      `protobuf:"bytes,4,opt,name=session,proto3" json:"session,omitempty"`
    +	Metadata map[string]string  `protobuf:"bytes,5,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	Spec     map[string]string  `protobuf:"bytes,6,rep,name=spec,proto3" json:"spec,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	Response *ResponseObject    `protobuf:"bytes,7,opt,name=response,proto3" json:"response,omitempty"`
    +	// Has unexported fields.
    +}
     
     func (*Object) Descriptor() ([]byte, []int)
         Deprecated: Use Object.ProtoReflect.Descriptor instead.
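Review bot: the Spec comment removed here notes that the map carries API definition data including APIID, OrgID and config_data, which tells a plugin author that configuration values reach the plugin process; that is worth keeping visible. If the comments are restored, correct "Metadata is a dynamic filed" to "field".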
    @@ -6812,20 +6655,13 @@
     func (x *Object) String() string
     
     type ResponseObject struct {
    -
    -	// StatusCode is the HTTP status code received from the upstream.
    -	StatusCode int32 `protobuf:"varint,1,opt,name=status_code,json=statusCode,proto3" json:"status_code,omitempty"`
    -	// RawBody represents the raw bytes of HTTP response body.
    -	RawBody []byte `protobuf:"bytes,2,opt,name=raw_body,json=rawBody,proto3" json:"raw_body,omitempty"`
    -	// Body represents the HTTP response body. Excluded when the raw_body contains invalid UTF-8 characters.
    -	Body string `protobuf:"bytes,3,opt,name=body,proto3" json:"body,omitempty"`
    -	// Headers represents the headers received from upstream.
    -	Headers map[string]string `protobuf:"bytes,4,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// MultivalueHeaders is a list of headers. Useful when header has multiple values. See Header.
    -	MultivalueHeaders []*Header `protobuf:"bytes,5,rep,name=multivalue_headers,json=multivalueHeaders,proto3" json:"multivalue_headers,omitempty"`
    +	StatusCode        int32             `protobuf:"varint,1,opt,name=status_code,json=statusCode,proto3" json:"status_code,omitempty"`
    +	RawBody           []byte            `protobuf:"bytes,2,opt,name=raw_body,json=rawBody,proto3" json:"raw_body,omitempty"`
    +	Body              string            `protobuf:"bytes,3,opt,name=body,proto3" json:"body,omitempty"`
    +	Headers           map[string]string `protobuf:"bytes,4,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	MultivalueHeaders []*Header         `protobuf:"bytes,5,rep,name=multivalue_headers,json=multivalueHeaders,proto3" json:"multivalue_headers,omitempty"`
     	// Has unexported fields.
     }
    -    ResponseObject is used by response hooks. All fields are modifiable.
     
     func (*ResponseObject) Descriptor() ([]byte, []int)
         Deprecated: Use ResponseObject.ProtoReflect.Descriptor instead.
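Review bot: the deleted Body comment documents a behaviour that cannot be read from the declaration: Body is excluded when raw_body contains invalid UTF-8 characters. A response hook that inspects only Body would then see an empty string for such a response, so this caveat should remain next to the field, along with the pointer from MultivalueHeaders to Header.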
    @@ -6849,22 +6685,13 @@
     func (x *ResponseObject) String() string
     
     type ReturnOverrides struct {
    -
    -	// ResponseCode overrides the upstream response status code.
    -	ResponseCode int32 `protobuf:"varint,1,opt,name=response_code,json=responseCode,proto3" json:"response_code,omitempty"`
    -	// ResponseError overrides the upstream response error message.
    -	ResponseError string `protobuf:"bytes,2,opt,name=response_error,json=responseError,proto3" json:"response_error,omitempty"`
    -	// Headers overrides the upstream response headers.
    -	Headers map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// OverrideError overrides the upstream error response with response_error when set to true.
    -	OverrideError bool `protobuf:"varint,4,opt,name=override_error,json=overrideError,proto3" json:"override_error,omitempty"`
    -	// ResponseBody is an alias of response_error that contains the response body.
    -	ResponseBody string `protobuf:"bytes,5,opt,name=response_body,json=responseBody,proto3" json:"response_body,omitempty"`
    +	ResponseCode  int32             `protobuf:"varint,1,opt,name=response_code,json=responseCode,proto3" json:"response_code,omitempty"`
    +	ResponseError string            `protobuf:"bytes,2,opt,name=response_error,json=responseError,proto3" json:"response_error,omitempty"`
    +	Headers       map[string]string `protobuf:"bytes,3,rep,name=headers,proto3" json:"headers,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	OverrideError bool              `protobuf:"varint,4,opt,name=override_error,json=overrideError,proto3" json:"override_error,omitempty"`
    +	ResponseBody  string            `protobuf:"bytes,5,opt,name=response_body,json=responseBody,proto3" json:"response_body,omitempty"`
     	// Has unexported fields.
     }
    -    ReturnOverrides is used to override the response for a given HTTP request
    -    When returned within an Object for a given HTTP request, the upstream
    -    reponse is replaced with the fields encapsulated within ReturnOverrides.
     
     func (*ReturnOverrides) Descriptor() ([]byte, []int)
         Deprecated: Use ReturnOverrides.ProtoReflect.Descriptor instead.
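Review bot: ReturnOverrides loses the explanation that OverrideError must be true for response_error to replace the upstream error, and that ResponseBody is an alias of response_error; without these, the relationship between the two string fields is unclear. If the type description is restored, fix "reponse" to "response" and add the missing full stop after "for a given HTTP request".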
    @@ -6888,98 +6715,39 @@
     func (x *ReturnOverrides) String() string
     
     type SessionState struct {
    -
    -	// LastCheck is deprecated.
    -	LastCheck int64 `protobuf:"varint,1,opt,name=last_check,json=lastCheck,proto3" json:"last_check,omitempty"`
    -	// Allowance is deprecated, replaced by rate.
    -	Allowance float64 `protobuf:"fixed64,2,opt,name=allowance,proto3" json:"allowance,omitempty"`
    -	// Rate is the number of requests that are allowed in the specified rate limiting window.
    -	Rate float64 `protobuf:"fixed64,3,opt,name=rate,proto3" json:"rate,omitempty"`
    -	// Per is the duration of the rate window, in seconds.
    -	Per float64 `protobuf:"fixed64,4,opt,name=per,proto3" json:"per,omitempty"`
    -	// Expires is an epoch that defines when the key should expire.
    -	Expires int64 `protobuf:"varint,5,opt,name=expires,proto3" json:"expires,omitempty"`
    -	// QuotaMax is the maximum number of requests allowed during the quota period.
    -	QuotaMax int64 `protobuf:"varint,6,opt,name=quota_max,json=quotaMax,proto3" json:"quota_max,omitempty"`
    -	// QuotaRenews is an epoch that defines when the quota renews.
    -	QuotaRenews int64 `protobuf:"varint,7,opt,name=quota_renews,json=quotaRenews,proto3" json:"quota_renews,omitempty"`
    -	// QuotaRemaining is the number of requests remaining for this user’s quota (unrelated to rate
    -	// limit).
    -	QuotaRemaining int64 `protobuf:"varint,8,opt,name=quota_remaining,json=quotaRemaining,proto3" json:"quota_remaining,omitempty"`
    -	// QuotaRenewalRate is the time in seconds during which the quota is valid.
    -	// So for 1000 requests per hour, this value would be 3600 while quota_max and
    -	// quota_remaining would be 1000.
    -	QuotaRenewalRate int64 `protobuf:"varint,9,opt,name=quota_renewal_rate,json=quotaRenewalRate,proto3" json:"quota_renewal_rate,omitempty"`
    -	// AccessRights maps the session's API ID to an AccessDefinition. The AccessDefinition defines the access rights for the API in terms
    -	// of allowed: versions and URLs(endpoints). Each URL (endpoint) has a list of allowed methods.
    -	AccessRights map[string]*AccessDefinition `protobuf:"bytes,10,rep,name=access_rights,json=accessRights,proto3" json:"access_rights,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// OrgId represents the organisation the session user belongs to. This can be used in conjunction with the org_id
    -	// setting in the API Definition object to have tokens owned by organisations.
    -	OrgId string `protobuf:"bytes,11,opt,name=org_id,json=orgId,proto3" json:"org_id,omitempty"`
    -	// OauthClientId is the OAuth client ID that is set if the token is generated by an OAuth client during an
    -	// OAuth authorisation flow.
    -	OauthClientId string `protobuf:"bytes,12,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
    -	// OauthKeys maps an OAuth client ID with a corresponding access token value. Currently unsupported and under development.
    -	OauthKeys map[string]string `protobuf:"bytes,13,rep,name=oauth_keys,json=oauthKeys,proto3" json:"oauth_keys,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// BasicAuthData contains a hashed password and the name of the hashing algorithm used.
    -	BasicAuthData *BasicAuthData `protobuf:"bytes,14,opt,name=basic_auth_data,json=basicAuthData,proto3" json:"basic_auth_data,omitempty"`
    -	// JwtData is added to sessions where a Tyk key (embedding a shared secret) is used as the public key
    -	// for signing the JWT. The JWT token's KID header value references the ID of a Tyk key.
    -	JwtData *JWTData `protobuf:"bytes,15,opt,name=jwt_data,json=jwtData,proto3" json:"jwt_data,omitempty"`
    -	// HmacEnabled is set to `true` to indicate generation of a HMAC signature using the secret provided in `hmac_secret`.
    -	// If the generated signature matches the signature provided in the Authorizaton header then authentication of
    -	// the request has passed.
    -	HmacEnabled bool `protobuf:"varint,16,opt,name=hmac_enabled,json=hmacEnabled,proto3" json:"hmac_enabled,omitempty"`
    -	// HmacSecret represents the HMAC secret.
    -	HmacSecret string `protobuf:"bytes,17,opt,name=hmac_secret,json=hmacSecret,proto3" json:"hmac_secret,omitempty"`
    -	// IsInactive when set to true, indicates that access is denied.
    -	IsInactive bool `protobuf:"varint,18,opt,name=is_inactive,json=isInactive,proto3" json:"is_inactive,omitempty"`
    -	// ApplyPolicyId represents the policy ID that is bound to the token. Deprecated use apply_policies instead.
    -	ApplyPolicyId string `protobuf:"bytes,19,opt,name=apply_policy_id,json=applyPolicyId,proto3" json:"apply_policy_id,omitempty"`
    -	// DataExpires is a value, in seconds, that defines when data generated by the session token expires in
    -	// the analytics DB (must be using Pro edition and MongoDB).
    -	DataExpires int64 `protobuf:"varint,20,opt,name=data_expires,json=dataExpires,proto3" json:"data_expires,omitempty"`
    -	// Monitor represents the quota monitor settings, currently unsupported in gRPC sessions.
    -	Monitor *Monitor `protobuf:"bytes,21,opt,name=monitor,proto3" json:"monitor,omitempty"`
    -	// EnableDetailedRecording should be set to true to have Tyk store the inbound request and outbound
    -	// response data in HTTP Wire format as part of the analytics data.
    -	EnableDetailedRecording bool `protobuf:"varint,22,opt,name=enable_detailed_recording,json=enableDetailedRecording,proto3" json:"enable_detailed_recording,omitempty"`
    -	// Metadata represents meta-data to be included as part of the session that can be used in other
    -	// middleware such as transforms and header injection to embed user-specific
    -	// data into a request, or alternatively to query the providence of a key.
    -	Metadata map[string]string `protobuf:"bytes,23,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    -	// Tags is a list of tags to embed into analytics data when the request completes. If a policy
    -	// has tags, those tags take precedence and are used instead.
    -	Tags []string `protobuf:"bytes,24,rep,name=tags,proto3" json:"tags,omitempty"`
    -	// Alias is an identifier for the token for use in analytics, to allow easier tracing of hashed
    -	// and unhashed tokens.
    -	Alias string `protobuf:"bytes,25,opt,name=alias,proto3" json:"alias,omitempty"`
    -	// LastUpdated is a timestamp that represents the time the session was last updated.
    -	// With *PostAuth* hooks this is a UNIX timestamp.
    -	LastUpdated string `protobuf:"bytes,26,opt,name=last_updated,json=lastUpdated,proto3" json:"last_updated,omitempty"`
    -	// IdExtractorDeadline is a UNIX timestamp that signifies when a cached key or ID will expire.
    -	// This relates to custom authentication, where authenticated keys can be cached to save repeated requests
    -	// to the gRPC server.
    -	IdExtractorDeadline int64 `protobuf:"varint,27,opt,name=id_extractor_deadline,json=idExtractorDeadline,proto3" json:"id_extractor_deadline,omitempty"`
    -	// SessionLifetime is a UNIX timestamp that denotes when the key will automatically expire.
    -	// Any·subsequent API request made using the key will be rejected.
    -	// Overrides the global session lifetime.
    -	SessionLifetime int64 `protobuf:"varint,28,opt,name=session_lifetime,json=sessionLifetime,proto3" json:"session_lifetime,omitempty"`
    -	// ApplyPolicies is a list of IDs for the policies that are bound to the token.
    -	ApplyPolicies []string `protobuf:"bytes,29,rep,name=apply_policies,json=applyPolicies,proto3" json:"apply_policies,omitempty"`
    -	// Certificate is the client certificate used to authenticate the request. Exists in the session instance if mTLS is configured
    -	// for the API. Currently unsupported.
    -	Certificate string `protobuf:"bytes,30,opt,name=certificate,proto3" json:"certificate,omitempty"`
    -	// MaxQueryDepth relates to graphQL APIs. If the session key has a maximum query depth limit defined then it is included in the
    -	// session instance. Currently unsupported and under development.
    -	MaxQueryDepth int64 `protobuf:"varint,31,opt,name=max_query_depth,json=maxQueryDepth,proto3" json:"max_query_depth,omitempty"`
    -	// Has unexported fields.
    -}
    -    SessionState is created for every authenticated request and stored in Redis.
    -    Used to track the activity of a given key in different ways, mainly by the
    -    built-in Tyk middleware such as the quota middleware or the rate limiter.
    -    A GRPC plugin is able to create a SessionState object and store it in the
    -    same way built-in authentication mechanisms do.
    +	LastCheck               int64                        `protobuf:"varint,1,opt,name=last_check,json=lastCheck,proto3" json:"last_check,omitempty"`
    +	Allowance               float64                      `protobuf:"fixed64,2,opt,name=allowance,proto3" json:"allowance,omitempty"`
    +	Rate                    float64                      `protobuf:"fixed64,3,opt,name=rate,proto3" json:"rate,omitempty"`
    +	Per                     float64                      `protobuf:"fixed64,4,opt,name=per,proto3" json:"per,omitempty"`
    +	Expires                 int64                        `protobuf:"varint,5,opt,name=expires,proto3" json:"expires,omitempty"`
    +	QuotaMax                int64                        `protobuf:"varint,6,opt,name=quota_max,json=quotaMax,proto3" json:"quota_max,omitempty"`
    +	QuotaRenews             int64                        `protobuf:"varint,7,opt,name=quota_renews,json=quotaRenews,proto3" json:"quota_renews,omitempty"`
    +	QuotaRemaining          int64                        `protobuf:"varint,8,opt,name=quota_remaining,json=quotaRemaining,proto3" json:"quota_remaining,omitempty"`
    +	QuotaRenewalRate        int64                        `protobuf:"varint,9,opt,name=quota_renewal_rate,json=quotaRenewalRate,proto3" json:"quota_renewal_rate,omitempty"`
    +	AccessRights            map[string]*AccessDefinition `protobuf:"bytes,10,rep,name=access_rights,json=accessRights,proto3" json:"access_rights,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	OrgId                   string                       `protobuf:"bytes,11,opt,name=org_id,json=orgId,proto3" json:"org_id,omitempty"`
    +	OauthClientId           string                       `protobuf:"bytes,12,opt,name=oauth_client_id,json=oauthClientId,proto3" json:"oauth_client_id,omitempty"`
    +	OauthKeys               map[string]string            `protobuf:"bytes,13,rep,name=oauth_keys,json=oauthKeys,proto3" json:"oauth_keys,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	BasicAuthData           *BasicAuthData               `protobuf:"bytes,14,opt,name=basic_auth_data,json=basicAuthData,proto3" json:"basic_auth_data,omitempty"`
    +	JwtData                 *JWTData                     `protobuf:"bytes,15,opt,name=jwt_data,json=jwtData,proto3" json:"jwt_data,omitempty"`
    +	HmacEnabled             bool                         `protobuf:"varint,16,opt,name=hmac_enabled,json=hmacEnabled,proto3" json:"hmac_enabled,omitempty"`
    +	HmacSecret              string                       `protobuf:"bytes,17,opt,name=hmac_secret,json=hmacSecret,proto3" json:"hmac_secret,omitempty"`
    +	IsInactive              bool                         `protobuf:"varint,18,opt,name=is_inactive,json=isInactive,proto3" json:"is_inactive,omitempty"`
    +	ApplyPolicyId           string                       `protobuf:"bytes,19,opt,name=apply_policy_id,json=applyPolicyId,proto3" json:"apply_policy_id,omitempty"`
    +	DataExpires             int64                        `protobuf:"varint,20,opt,name=data_expires,json=dataExpires,proto3" json:"data_expires,omitempty"`
    +	Monitor                 *Monitor                     `protobuf:"bytes,21,opt,name=monitor,proto3" json:"monitor,omitempty"`
    +	EnableDetailedRecording bool                         `protobuf:"varint,22,opt,name=enable_detailed_recording,json=enableDetailedRecording,proto3" json:"enable_detailed_recording,omitempty"`
    +	Metadata                map[string]string            `protobuf:"bytes,23,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    +	Tags                    []string                     `protobuf:"bytes,24,rep,name=tags,proto3" json:"tags,omitempty"`
    +	Alias                   string                       `protobuf:"bytes,25,opt,name=alias,proto3" json:"alias,omitempty"`
    +	LastUpdated             string                       `protobuf:"bytes,26,opt,name=last_updated,json=lastUpdated,proto3" json:"last_updated,omitempty"`
    +	IdExtractorDeadline     int64                        `protobuf:"varint,27,opt,name=id_extractor_deadline,json=idExtractorDeadline,proto3" json:"id_extractor_deadline,omitempty"`
    +	SessionLifetime         int64                        `protobuf:"varint,28,opt,name=session_lifetime,json=sessionLifetime,proto3" json:"session_lifetime,omitempty"`
    +	ApplyPolicies           []string                     `protobuf:"bytes,29,rep,name=apply_policies,json=applyPolicies,proto3" json:"apply_policies,omitempty"`
    +	Certificate             string                       `protobuf:"bytes,30,opt,name=certificate,proto3" json:"certificate,omitempty"`
    +	MaxQueryDepth           int64                        `protobuf:"varint,31,opt,name=max_query_depth,json=maxQueryDepth,proto3" json:"max_query_depth,omitempty"`
    +	// Has unexported fields.
    +}
     
     func (*SessionState) Descriptor() ([]byte, []int)
         Deprecated: Use SessionState.ProtoReflect.Descriptor instead.
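Review bot: the type-level comment on SessionState and the MaxQueryDepth field comment are deleted here while the fields and their protobuf/json tags stay the same, so the generated API text no longer says that SessionState is created for every authenticated request and stored in Redis. For a PR described as a godoc update to config.go this change looks unrelated; keep the comments, or rebase if the difference only reflects the base branch having moved.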
    @@ -7055,12 +6823,9 @@
     func (x *SessionState) String() string
     
     type StringSlice struct {
    -
    -	// Items is a list of string items.
     	Items []string `protobuf:"bytes,1,rep,name=items,proto3" json:"items,omitempty"`
     	// Has unexported fields.
     }
    -    StringSlice is a list of strings.
     
     func (*StringSlice) Descriptor() ([]byte, []int)
         Deprecated: Use StringSlice.ProtoReflect.Descriptor instead.
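Review bot: the doc comments on StringSlice and on its Items field are removed with no change to the type itself. Exported types should keep a doc comment, so restore "StringSlice is a list of strings." unless the removal is intended and explained in the PR description.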
    @@ -7636,6 +7401,9 @@
         InstrumentationMW will set basic instrumentation events, variables and
         timers on API jobs
     
    +func IsGrpcStreaming(r *http.Request) bool
    +    IsGrpcStreaming determines wether a request represents a grpc streaming req
    +
     func JSONToFormValues(r *http.Request) error
         JSONToFormValues if r has header Content-Type set to application/json this
         will decode request body as json to map[string]string and adds the key/value
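Review bot: the doc line for IsGrpcStreaming has a typo and an unexplained abbreviation: "wether" should be "whether" and "req" should be written out as "request". Since callers will branch on this result, the comment should also say which property of the request decides that it is a gRPC streaming request.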
    @@ -8505,12 +8273,6 @@
     
     func (gw *Gateway) NotifyCurrentServerStatus()
     
    -func (gw *Gateway) PolicyByID(polID string) (user.Policy, bool)
    -
    -func (gw *Gateway) PolicyCount() int
    -
    -func (gw *Gateway) PolicyIDs() []string
    -
     func (gw *Gateway) ProcessOauthClientsOps(clients map[string]string)
         ProcessOauthClientsOps performs the appropriate action for the received
         clients it can be any of the Create,Update and Delete operations
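Review bot: PolicyByID, PolicyCount and PolicyIDs are dropped from the exported method set of Gateway, which is a breaking change for any caller outside the package and is not mentioned in the PR description. Confirm the removal is intentional; if it is only an artefact of the branch being behind its base, rebase so the API diff shows just the config.go comment change.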
    @@ -9799,10 +9561,6 @@
         TickOk triggers a reload and ensures a queue happened and a reload cycle
         happens. This will block until all the cases are met.
     
    -type Repository interface {
    -	policy.Repository
    -}
    -
     type RequestDefinition struct {
     	Method      string            `json:"method"`
     	Headers     map[string]string `json:"headers"`
    @@ -10033,10 +9791,7 @@
     
     func (p *ReverseProxy) HandleResponse(rw http.ResponseWriter, res *http.Response, ses *user.SessionState) error
     
    -func (p *ReverseProxy) IsUpgrade(req *http.Request) (string, bool)
    -    IsUpgrade will return the upgrade header value and true if present for the
    -    request. It requires EnableWebSockets to be enabled in the gateway HTTP
    -    server config.
    +func (p *ReverseProxy) IsUpgrade(req *http.Request) (bool, string)
     
     func (p *ReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) ProxyResponse
     
    @@ -12316,6 +12071,10 @@
     
     func (limit APILimit) IsEmpty() bool
     
    +func (g *APILimit) Less(in APILimit) bool
    +    Less will return true if the receiver has a smaller duration between
    +    requests than `in`.
    +
     type AccessDefinition struct {
     	APIName              string                  `json:"api_name" msg:"api_name"`
     	APIID                string                  `json:"api_id" msg:"api_id"`
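Review bot: Less is declared on a pointer receiver named g, while IsEmpty directly above it uses a value receiver named limit on the same type. Use one receiver kind and name for APILimit, for example func (limit APILimit) Less(in APILimit) bool, and have the comment state the result when both limits have the same duration between requests.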


    PR Code Suggestions ✨

    Category    Suggestion    Score
    Security
    Implement encryption for TYK_GW_SECRETS to enhance data security

    To enhance security, consider encrypting the values stored under TYK_GW_SECRETS or using a
    more secure method to handle sensitive data, rather than storing them in plain text.

    config/config.go [1034-1035]

    -// Syntax: TYK_GW_SECRETS=key1:/value1,key2:/value2
    -// Example: TYK_GW_SECRETS=api-listen-path:/secret,api-auth-key:/another-secret
    +// Syntax: TYK_GW_SECRETS=encrypted_key1:/encrypted_value1,encrypted_key2:/encrypted_value2
    +// Example: TYK_GW_SECRETS=encrypted_api-listen-path:/encrypted_secret,encrypted_api-auth-key:/encrypted_another-secret
    +// Implement encryption here.
     
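Review bot: prefixing the key and value names with encrypted_ in the Syntax and Example lines only changes the documentation, and the added "Implement encryption here." line is a TODO inside a godoc comment that describes no mechanism. Keep the documented syntax as it is, state plainly in the comment that the values are read as plain text from the environment, and track any encryption or external secret storage as a separate code change.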
    Suggestion importance[1-10]: 9

    Why: Encrypting sensitive data is crucial for security. This suggestion significantly enhances the security of the application by ensuring that sensitive configuration values are not stored in plain text.

    9
    Best practice
    Add validation for the TYK_GW_SECRETS format to prevent configuration errors

    Consider validating the format of the TYK_GW_SECRETS values to ensure they adhere to the
    expected key-value pair structure. This can prevent runtime errors due to malformed
    configuration strings.

    config/config.go [1034-1035]

     // Syntax: TYK_GW_SECRETS=key1:/value1,key2:/value2
     // Example: TYK_GW_SECRETS=api-listen-path:/secret,api-auth-key:/another-secret
    +// Add validation logic here to ensure the format is correct before using the values.
     
    Suggestion importance[1-10]: 8

    Why: Adding validation for the TYK_GW_SECRETS format is a good practice to prevent runtime errors due to malformed configuration strings. This suggestion addresses a potential issue that could lead to misconfigurations and application failures.

    8
    Possible bug
    Add error handling for missing keys in TYK_GW_SECRETS

    Add error handling for cases where the secrets://KEY notation does not find a
    corresponding key in the TYK_GW_SECRETS map, to prevent the application from using
    incorrect or default values.

    config/config.go [1039]

     // then Tyk Gateway will replace it with the value of the api-listen-path key, i.e. /secret.
    +// Add error handling here to manage cases where the key is not found.
     
    Suggestion importance[1-10]: 8

    Why: Adding error handling for missing keys in TYK_GW_SECRETS is important to prevent the application from using incorrect or default values, which could lead to unexpected behavior or security issues.

    8
    Compatibility
    Implement a fallback mechanism for older versions of the Gateway

    To maintain backward compatibility and prevent potential issues with older configurations,
    consider adding a fallback mechanism for versions prior to 5.3.0 where only certain fields
    can use the secrets://KEY notation.

    config/config.go [1031-1032]

     // For Gateway versions prior to 5.3.0 only the
     // listen path and target URL fields can use this notation.
    +// Implement a fallback mechanism here for older versions.
     
    Suggestion importance[1-10]: 7

    Why: Implementing a fallback mechanism for older versions ensures backward compatibility and prevents potential issues with configurations that rely on older Gateway versions. This is important for maintaining a smooth upgrade path for users.

    7
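The format validation and missing-key handling suggested in the comment above, sketched as an added example (not code from this PR or from Tyk). It assumes each pair splits at its first ':' so the value keeps its leading '/', and that a key consists of letters, digits, '_', '.' or '-'; ParseSecrets and Resolve are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ParseSecrets parses "key1:/value1,key2:/value2", splitting at the first ':'.
// Errors name the pair's position or key, never its value, so secrets stay out of logs.
func ParseSecrets(raw string) (map[string]string, error) {
	secrets := make(map[string]string)
	for i, pair := range strings.Split(raw, ",") {
		key, value, found := strings.Cut(pair, ":")
		key = strings.TrimSpace(key)
		if !found || key == "" || value == "" {
			return nil, fmt.Errorf("pair %d: want non-empty key:value", i+1)
		}
		if _, dup := secrets[key]; dup {
			return nil, fmt.Errorf("pair %d: duplicate key %q", i+1, key)
		}
		secrets[key] = value
	}
	return secrets, nil
}

var secretRef = regexp.MustCompile(`secrets://([A-Za-z0-9_.-]+)`) // key charset is an assumption

// Resolve substitutes every secrets://KEY in field and fails closed when a
// key is unknown, instead of passing the literal or an empty string through.
func Resolve(field string, secrets map[string]string) (string, error) {
	var missing []string
	out := secretRef.ReplaceAllStringFunc(field, func(ref string) string {
		key := strings.TrimPrefix(ref, "secrets://")
		if _, ok := secrets[key]; !ok {
			missing = append(missing, key)
		}
		return secrets[key]
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unknown secret keys: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

func main() {
	s, _ := ParseSecrets("api-listen-path:/secret,api-auth-key:/another-secret") // the page's example
	fmt.Println(Resolve("secrets://api-listen-path", s))
}
```
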

    @dcs3spp changed the title from "DX-1423] Update TYK_GW_SECRETS definition" to "[DX-1423] Update TYK_GW_SECRETS definition" on Jun 20, 2024
    @oluwaseyeayinla oluwaseyeayinla left a comment

    Looks good 👍

    @dcs3spp dcs3spp requested a review from rewsmith July 4, 2024 15:05
    // Secrets are key-value pairs that can be accessed in the dashboard via "secrets://"
    // The TYK_GW_SECRETS environment variable allows you to configure the "secrets"
    // section in the Tyk Gateway configuration file. These secrets are key-value pairs
    // that can be dynamically injected into API Definitions and the tyk.conf configuration

    Can we provide an example of a secret being used to dynamically inject a value into tyk.conf?

    @rewsmith I have updated with an example

    sonarcloud bot commented Jul 9, 2024

    Quality Gate failed

    Failed conditions
    0.0% Coverage on New Code (required ≥ 80%)

    See analysis details on SonarCloud
