/
accessapplication.go
2521 lines (2282 loc) · 112 KB
/
accessapplication.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
package zero_trust
import (
"context"
"fmt"
"net/http"
"reflect"
"time"
"github.com/cloudflare/cloudflare-go/v2/internal/apijson"
"github.com/cloudflare/cloudflare-go/v2/internal/pagination"
"github.com/cloudflare/cloudflare-go/v2/internal/param"
"github.com/cloudflare/cloudflare-go/v2/internal/requestconfig"
"github.com/cloudflare/cloudflare-go/v2/internal/shared"
"github.com/cloudflare/cloudflare-go/v2/option"
"github.com/tidwall/gjson"
)
// AccessApplicationService contains methods and other services that help with
// interacting with the cloudflare API. Note, unlike clients, this service does not
// read variables from the environment automatically. You should not instantiate
// this service directly, and instead use the [NewAccessApplicationService] method
// instead.
type AccessApplicationService struct {
Options []option.RequestOption
CAs *AccessApplicationCAService
UserPolicyChecks *AccessApplicationUserPolicyCheckService
Policies *AccessApplicationPolicyService
}
// NewAccessApplicationService generates a new service that applies the given
// options to each request. These options are applied after the parent client's
// options (if there is one), and before any request-specific options.
func NewAccessApplicationService(opts ...option.RequestOption) (r *AccessApplicationService) {
r = &AccessApplicationService{}
r.Options = opts
r.CAs = NewAccessApplicationCAService(opts...)
r.UserPolicyChecks = NewAccessApplicationUserPolicyCheckService(opts...)
r.Policies = NewAccessApplicationPolicyService(opts...)
return
}
// Adds a new application to Access.
func (r *AccessApplicationService) New(ctx context.Context, params AccessApplicationNewParams, opts ...option.RequestOption) (res *Application, err error) {
opts = append(r.Options[:], opts...)
var env AccessApplicationNewResponseEnvelope
var accountOrZone string
var accountOrZoneID param.Field[string]
if params.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = params.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = params.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps", accountOrZone, accountOrZoneID)
err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, params, &env, opts...)
if err != nil {
return
}
res = &env.Result
return
}
// Updates an Access application.
func (r *AccessApplicationService) Update(ctx context.Context, appID AppIDUnionParam, params AccessApplicationUpdateParams, opts ...option.RequestOption) (res *Application, err error) {
opts = append(r.Options[:], opts...)
var env AccessApplicationUpdateResponseEnvelope
var accountOrZone string
var accountOrZoneID param.Field[string]
if params.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = params.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = params.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps/%v", accountOrZone, accountOrZoneID, appID)
err = requestconfig.ExecuteNewRequest(ctx, http.MethodPut, path, params, &env, opts...)
if err != nil {
return
}
res = &env.Result
return
}
// Lists all Access applications in an account or zone.
func (r *AccessApplicationService) List(ctx context.Context, query AccessApplicationListParams, opts ...option.RequestOption) (res *pagination.SinglePage[Application], err error) {
var raw *http.Response
opts = append(r.Options, opts...)
opts = append([]option.RequestOption{option.WithResponseInto(&raw)}, opts...)
var accountOrZone string
var accountOrZoneID param.Field[string]
if query.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = query.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = query.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps", accountOrZone, accountOrZoneID)
cfg, err := requestconfig.NewRequestConfig(ctx, http.MethodGet, path, query, &res, opts...)
if err != nil {
return nil, err
}
err = cfg.Execute()
if err != nil {
return nil, err
}
res.SetPageConfig(cfg, raw)
return res, nil
}
// Lists all Access applications in an account or zone.
func (r *AccessApplicationService) ListAutoPaging(ctx context.Context, query AccessApplicationListParams, opts ...option.RequestOption) *pagination.SinglePageAutoPager[Application] {
return pagination.NewSinglePageAutoPager(r.List(ctx, query, opts...))
}
// Deletes an application from Access.
func (r *AccessApplicationService) Delete(ctx context.Context, appID AppIDUnionParam, body AccessApplicationDeleteParams, opts ...option.RequestOption) (res *AccessApplicationDeleteResponse, err error) {
opts = append(r.Options[:], opts...)
var env AccessApplicationDeleteResponseEnvelope
var accountOrZone string
var accountOrZoneID param.Field[string]
if body.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = body.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = body.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps/%v", accountOrZone, accountOrZoneID, appID)
err = requestconfig.ExecuteNewRequest(ctx, http.MethodDelete, path, nil, &env, opts...)
if err != nil {
return
}
res = &env.Result
return
}
// Fetches information about an Access application.
func (r *AccessApplicationService) Get(ctx context.Context, appID AppIDUnionParam, query AccessApplicationGetParams, opts ...option.RequestOption) (res *Application, err error) {
opts = append(r.Options[:], opts...)
var env AccessApplicationGetResponseEnvelope
var accountOrZone string
var accountOrZoneID param.Field[string]
if query.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = query.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = query.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps/%v", accountOrZone, accountOrZoneID, appID)
err = requestconfig.ExecuteNewRequest(ctx, http.MethodGet, path, nil, &env, opts...)
if err != nil {
return
}
res = &env.Result
return
}
// Revokes all tokens issued for an application.
func (r *AccessApplicationService) RevokeTokens(ctx context.Context, appID AppIDUnionParam, body AccessApplicationRevokeTokensParams, opts ...option.RequestOption) (res *AccessApplicationRevokeTokensResponse, err error) {
opts = append(r.Options[:], opts...)
var env AccessApplicationRevokeTokensResponseEnvelope
var accountOrZone string
var accountOrZoneID param.Field[string]
if body.AccountID.Present {
accountOrZone = "accounts"
accountOrZoneID = body.AccountID
} else {
accountOrZone = "zones"
accountOrZoneID = body.ZoneID
}
path := fmt.Sprintf("%s/%s/access/apps/%v/revoke_tokens", accountOrZone, accountOrZoneID, appID)
err = requestconfig.ExecuteNewRequest(ctx, http.MethodPost, path, nil, &env, opts...)
if err != nil {
return
}
res = &env.Result
return
}
type AllowedHeadersh = string
type AllowedHeadershParam = string
type AllowedIdpsh = string
type AllowedIdpshParam = string
type AllowedMethodsh string
const (
AllowedMethodshGet AllowedMethodsh = "GET"
AllowedMethodshPost AllowedMethodsh = "POST"
AllowedMethodshHead AllowedMethodsh = "HEAD"
AllowedMethodshPut AllowedMethodsh = "PUT"
AllowedMethodshDelete AllowedMethodsh = "DELETE"
AllowedMethodshConnect AllowedMethodsh = "CONNECT"
AllowedMethodshOptions AllowedMethodsh = "OPTIONS"
AllowedMethodshTrace AllowedMethodsh = "TRACE"
AllowedMethodshPatch AllowedMethodsh = "PATCH"
)
func (r AllowedMethodsh) IsKnown() bool {
switch r {
case AllowedMethodshGet, AllowedMethodshPost, AllowedMethodshHead, AllowedMethodshPut, AllowedMethodshDelete, AllowedMethodshConnect, AllowedMethodshOptions, AllowedMethodshTrace, AllowedMethodshPatch:
return true
}
return false
}
type AllowedOriginsh = string
type AllowedOriginshParam = string
// Identifier
//
// Satisfied by [shared.UnionString], [shared.UnionString].
type AppIDUnionParam interface {
ImplementsZeroTrustAppIDUnionParam()
}
type Application struct {
// Audience tag.
AUD string `json:"aud"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
// UUID
ID string `json:"id"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
// When set to true, users can authenticate to this application using their WARP
// session. When set to false this application will always require direct IdP
// authentication. This setting always overrides the organization setting for WARP
// authentication.
AllowAuthenticateViaWARP bool `json:"allow_authenticate_via_warp"`
AllowedIdps interface{} `json:"allowed_idps,required"`
// Displays the application in the App Launcher.
AppLauncherVisible bool `json:"app_launcher_visible"`
// When set to `true`, users skip the identity provider selection step during
// login. You must specify only one identity provider in allowed_idps.
AutoRedirectToIdentity bool `json:"auto_redirect_to_identity"`
CORSHeaders CORSHeaders `json:"cors_headers"`
// The custom error message shown to a user when they are denied access to the
// application.
CustomDenyMessage string `json:"custom_deny_message"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing identity-based rules.
CustomDenyURL string `json:"custom_deny_url"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing non-identity rules.
CustomNonIdentityDenyURL string `json:"custom_non_identity_deny_url"`
CustomPages interface{} `json:"custom_pages,required"`
// The primary hostname and path that Access will secure. If the app is visible in
// the App Launcher dashboard, this is the domain that will be displayed.
Domain string `json:"domain"`
// Enables the binding cookie, which increases security against compromised
// authorization tokens and CSRF attacks.
EnableBindingCookie bool `json:"enable_binding_cookie"`
// Enables the HttpOnly cookie attribute, which increases security against XSS
// attacks.
HTTPOnlyCookieAttribute bool `json:"http_only_cookie_attribute"`
// The image URL for the logo shown in the App Launcher dashboard.
LogoURL string `json:"logo_url"`
// The name of the application.
Name string `json:"name"`
// Allows options preflight requests to bypass Access authentication and go
// directly to the origin. Cannot turn on if cors_headers is set.
OptionsPreflightBypass bool `json:"options_preflight_bypass"`
// Enables cookie paths to scope an application's JWT to the application path. If
// disabled, the JWT will scope to the hostname by default
PathCookieAttribute bool `json:"path_cookie_attribute"`
// Sets the SameSite cookie setting, which provides increased security against CSRF
// attacks.
SameSiteCookieAttribute string `json:"same_site_cookie_attribute"`
SelfHostedDomains interface{} `json:"self_hosted_domains,required"`
// Returns a 401 status code when the request is blocked by a Service Auth policy.
ServiceAuth401Redirect bool `json:"service_auth_401_redirect"`
// The amount of time that tokens issued for this application will be valid. Must
// be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
// s, m, h.
SessionDuration string `json:"session_duration"`
// Enables automatic authentication through cloudflared.
SkipInterstitial bool `json:"skip_interstitial"`
Tags interface{} `json:"tags,required"`
// The application type.
Type string `json:"type"`
SaaSApp interface{} `json:"saas_app,required"`
JSON applicationJSON `json:"-"`
union ApplicationUnion
}
// applicationJSON contains the JSON metadata for the struct [Application]
type applicationJSON struct {
AUD apijson.Field
CreatedAt apijson.Field
ID apijson.Field
UpdatedAt apijson.Field
AllowAuthenticateViaWARP apijson.Field
AllowedIdps apijson.Field
AppLauncherVisible apijson.Field
AutoRedirectToIdentity apijson.Field
CORSHeaders apijson.Field
CustomDenyMessage apijson.Field
CustomDenyURL apijson.Field
CustomNonIdentityDenyURL apijson.Field
CustomPages apijson.Field
Domain apijson.Field
EnableBindingCookie apijson.Field
HTTPOnlyCookieAttribute apijson.Field
LogoURL apijson.Field
Name apijson.Field
OptionsPreflightBypass apijson.Field
PathCookieAttribute apijson.Field
SameSiteCookieAttribute apijson.Field
SelfHostedDomains apijson.Field
ServiceAuth401Redirect apijson.Field
SessionDuration apijson.Field
SkipInterstitial apijson.Field
Tags apijson.Field
Type apijson.Field
SaaSApp apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r applicationJSON) RawJSON() string {
return r.raw
}
func (r *Application) UnmarshalJSON(data []byte) (err error) {
err = apijson.UnmarshalRoot(data, &r.union)
if err != nil {
return err
}
return apijson.Port(r.union, &r)
}
func (r Application) AsUnion() ApplicationUnion {
return r.union
}
// Union satisfied by [zero_trust.ApplicationSelfHostedApplication],
// [zero_trust.ApplicationSaaSApplication],
// [zero_trust.ApplicationBrowserSSHApplication],
// [zero_trust.ApplicationBrowserVncApplication],
// [zero_trust.ApplicationAppLauncherApplication],
// [zero_trust.ApplicationDeviceEnrollmentPermissionsApplication],
// [zero_trust.ApplicationBrowserIsolationPermissionsApplication] or
// [zero_trust.ApplicationBookmarkApplication].
type ApplicationUnion interface {
implementsZeroTrustApplication()
}
func init() {
apijson.RegisterUnion(
reflect.TypeOf((*ApplicationUnion)(nil)).Elem(),
"",
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationSelfHostedApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationSaaSApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationBrowserSSHApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationBrowserVncApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationAppLauncherApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationDeviceEnrollmentPermissionsApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationBrowserIsolationPermissionsApplication{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationBookmarkApplication{}),
},
)
}
type ApplicationSelfHostedApplication struct {
// The primary hostname and path that Access will secure. If the app is visible in
// the App Launcher dashboard, this is the domain that will be displayed.
Domain string `json:"domain,required"`
// The application type.
Type string `json:"type,required"`
// UUID
ID string `json:"id"`
// When set to true, users can authenticate to this application using their WARP
// session. When set to false this application will always require direct IdP
// authentication. This setting always overrides the organization setting for WARP
// authentication.
AllowAuthenticateViaWARP bool `json:"allow_authenticate_via_warp"`
// The identity providers your users can select when connecting to this
// application. Defaults to all IdPs configured in your account.
AllowedIdps []AllowedIdpsh `json:"allowed_idps"`
// Displays the application in the App Launcher.
AppLauncherVisible bool `json:"app_launcher_visible"`
// Audience tag.
AUD string `json:"aud"`
// When set to `true`, users skip the identity provider selection step during
// login. You must specify only one identity provider in allowed_idps.
AutoRedirectToIdentity bool `json:"auto_redirect_to_identity"`
CORSHeaders CORSHeaders `json:"cors_headers"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
// The custom error message shown to a user when they are denied access to the
// application.
CustomDenyMessage string `json:"custom_deny_message"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing identity-based rules.
CustomDenyURL string `json:"custom_deny_url"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing non-identity rules.
CustomNonIdentityDenyURL string `json:"custom_non_identity_deny_url"`
// The custom pages that will be displayed when applicable for this application
CustomPages []CustomPagesh `json:"custom_pages"`
// Enables the binding cookie, which increases security against compromised
// authorization tokens and CSRF attacks.
EnableBindingCookie bool `json:"enable_binding_cookie"`
// Enables the HttpOnly cookie attribute, which increases security against XSS
// attacks.
HTTPOnlyCookieAttribute bool `json:"http_only_cookie_attribute"`
// The image URL for the logo shown in the App Launcher dashboard.
LogoURL string `json:"logo_url"`
// The name of the application.
Name string `json:"name"`
// Allows options preflight requests to bypass Access authentication and go
// directly to the origin. Cannot turn on if cors_headers is set.
OptionsPreflightBypass bool `json:"options_preflight_bypass"`
// Enables cookie paths to scope an application's JWT to the application path. If
// disabled, the JWT will scope to the hostname by default
PathCookieAttribute bool `json:"path_cookie_attribute"`
// Sets the SameSite cookie setting, which provides increased security against CSRF
// attacks.
SameSiteCookieAttribute string `json:"same_site_cookie_attribute"`
// List of domains that Access will secure.
SelfHostedDomains []SelfHostedDomainsh `json:"self_hosted_domains"`
// Returns a 401 status code when the request is blocked by a Service Auth policy.
ServiceAuth401Redirect bool `json:"service_auth_401_redirect"`
// The amount of time that tokens issued for this application will be valid. Must
// be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
// s, m, h.
SessionDuration string `json:"session_duration"`
// Enables automatic authentication through cloudflared.
SkipInterstitial bool `json:"skip_interstitial"`
// The tags you want assigned to an application. Tags are used to filter
// applications in the App Launcher dashboard.
Tags []string `json:"tags"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
JSON applicationSelfHostedApplicationJSON `json:"-"`
}
// applicationSelfHostedApplicationJSON contains the JSON metadata for the struct
// [ApplicationSelfHostedApplication]
type applicationSelfHostedApplicationJSON struct {
Domain apijson.Field
Type apijson.Field
ID apijson.Field
AllowAuthenticateViaWARP apijson.Field
AllowedIdps apijson.Field
AppLauncherVisible apijson.Field
AUD apijson.Field
AutoRedirectToIdentity apijson.Field
CORSHeaders apijson.Field
CreatedAt apijson.Field
CustomDenyMessage apijson.Field
CustomDenyURL apijson.Field
CustomNonIdentityDenyURL apijson.Field
CustomPages apijson.Field
EnableBindingCookie apijson.Field
HTTPOnlyCookieAttribute apijson.Field
LogoURL apijson.Field
Name apijson.Field
OptionsPreflightBypass apijson.Field
PathCookieAttribute apijson.Field
SameSiteCookieAttribute apijson.Field
SelfHostedDomains apijson.Field
ServiceAuth401Redirect apijson.Field
SessionDuration apijson.Field
SkipInterstitial apijson.Field
Tags apijson.Field
UpdatedAt apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationSelfHostedApplication) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationSelfHostedApplicationJSON) RawJSON() string {
return r.raw
}
func (r ApplicationSelfHostedApplication) implementsZeroTrustApplication() {}
type ApplicationSaaSApplication struct {
// UUID
ID string `json:"id"`
// The identity providers your users can select when connecting to this
// application. Defaults to all IdPs configured in your account.
AllowedIdps []AllowedIdpsh `json:"allowed_idps"`
// Displays the application in the App Launcher.
AppLauncherVisible bool `json:"app_launcher_visible"`
// Audience tag.
AUD string `json:"aud"`
// When set to `true`, users skip the identity provider selection step during
// login. You must specify only one identity provider in allowed_idps.
AutoRedirectToIdentity bool `json:"auto_redirect_to_identity"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
// The custom pages that will be displayed when applicable for this application
CustomPages []CustomPagesh `json:"custom_pages"`
// The image URL for the logo shown in the App Launcher dashboard.
LogoURL string `json:"logo_url"`
// The name of the application.
Name string `json:"name"`
SaaSApp ApplicationSaaSApplicationSaaSApp `json:"saas_app"`
// The tags you want assigned to an application. Tags are used to filter
// applications in the App Launcher dashboard.
Tags []string `json:"tags"`
// The application type.
Type string `json:"type"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
JSON applicationSaaSApplicationJSON `json:"-"`
}
// applicationSaaSApplicationJSON contains the JSON metadata for the struct
// [ApplicationSaaSApplication]
type applicationSaaSApplicationJSON struct {
ID apijson.Field
AllowedIdps apijson.Field
AppLauncherVisible apijson.Field
AUD apijson.Field
AutoRedirectToIdentity apijson.Field
CreatedAt apijson.Field
CustomPages apijson.Field
LogoURL apijson.Field
Name apijson.Field
SaaSApp apijson.Field
Tags apijson.Field
Type apijson.Field
UpdatedAt apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationSaaSApplication) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationSaaSApplicationJSON) RawJSON() string {
return r.raw
}
func (r ApplicationSaaSApplication) implementsZeroTrustApplication() {}
type ApplicationSaaSApplicationSaaSApp struct {
// Optional identifier indicating the authentication protocol used for the saas
// app. Required for OIDC. Default if unset is "saml"
AuthType ApplicationSaaSApplicationSaaSAppAuthType `json:"auth_type"`
// The service provider's endpoint that is responsible for receiving and parsing a
// SAML assertion.
ConsumerServiceURL string `json:"consumer_service_url"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
CustomAttributes interface{} `json:"custom_attributes,required"`
// The URL that the user will be redirected to after a successful login for IDP
// initiated logins.
DefaultRelayState string `json:"default_relay_state"`
// The unique identifier for your SaaS application.
IdPEntityID string `json:"idp_entity_id"`
// The format of the name identifier sent to the SaaS application.
NameIDFormat SaaSAppNameIDFormat `json:"name_id_format"`
// A [JSONata](https://jsonata.org/) expression that transforms an application's
// user identities into a NameID value for its SAML assertion. This expression
// should evaluate to a singular string. The output of this expression can override
// the `name_id_format` setting.
NameIDTransformJsonata string `json:"name_id_transform_jsonata"`
// The Access public certificate that will be used to verify your identity.
PublicKey string `json:"public_key"`
// A [JSONata] (https://jsonata.org/) expression that transforms an application's
// user identities into attribute assertions in the SAML response. The expression
// can transform id, email, name, and groups values. It can also transform fields
// listed in the saml_attributes or oidc_fields of the identity provider used to
// authenticate. The output of this expression must be a JSON object.
SAMLAttributeTransformJsonata string `json:"saml_attribute_transform_jsonata"`
// A globally unique name for an identity or service provider.
SPEntityID string `json:"sp_entity_id"`
// The endpoint where your SaaS application will send login requests.
SSOEndpoint string `json:"sso_endpoint"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
// The URL where this applications tile redirects users
AppLauncherURL string `json:"app_launcher_url"`
// The application client id
ClientID string `json:"client_id"`
// The application client secret, only returned on POST request.
ClientSecret string `json:"client_secret"`
CustomClaims interface{} `json:"custom_claims,required"`
GrantTypes interface{} `json:"grant_types,required"`
// A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
GroupFilterRegex string `json:"group_filter_regex"`
RedirectURIs interface{} `json:"redirect_uris,required"`
Scopes interface{} `json:"scopes,required"`
JSON applicationSaaSApplicationSaaSAppJSON `json:"-"`
union ApplicationSaaSApplicationSaaSAppUnion
}
// applicationSaaSApplicationSaaSAppJSON contains the JSON metadata for the struct
// [ApplicationSaaSApplicationSaaSApp]
type applicationSaaSApplicationSaaSAppJSON struct {
AuthType apijson.Field
ConsumerServiceURL apijson.Field
CreatedAt apijson.Field
CustomAttributes apijson.Field
DefaultRelayState apijson.Field
IdPEntityID apijson.Field
NameIDFormat apijson.Field
NameIDTransformJsonata apijson.Field
PublicKey apijson.Field
SAMLAttributeTransformJsonata apijson.Field
SPEntityID apijson.Field
SSOEndpoint apijson.Field
UpdatedAt apijson.Field
AppLauncherURL apijson.Field
ClientID apijson.Field
ClientSecret apijson.Field
CustomClaims apijson.Field
GrantTypes apijson.Field
GroupFilterRegex apijson.Field
RedirectURIs apijson.Field
Scopes apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r applicationSaaSApplicationSaaSAppJSON) RawJSON() string {
return r.raw
}
func (r *ApplicationSaaSApplicationSaaSApp) UnmarshalJSON(data []byte) (err error) {
err = apijson.UnmarshalRoot(data, &r.union)
if err != nil {
return err
}
return apijson.Port(r.union, &r)
}
func (r ApplicationSaaSApplicationSaaSApp) AsUnion() ApplicationSaaSApplicationSaaSAppUnion {
return r.union
}
// Union satisfied by [zero_trust.SAMLSaaSApp] or
// [zero_trust.ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp].
type ApplicationSaaSApplicationSaaSAppUnion interface {
implementsZeroTrustApplicationSaaSApplicationSaaSApp()
}
func init() {
apijson.RegisterUnion(
reflect.TypeOf((*ApplicationSaaSApplicationSaaSAppUnion)(nil)).Elem(),
"",
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(SAMLSaaSApp{}),
},
apijson.UnionVariant{
TypeFilter: gjson.JSON,
Type: reflect.TypeOf(ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp{}),
},
)
}
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp struct {
// The URL where this applications tile redirects users
AppLauncherURL string `json:"app_launcher_url"`
// Identifier of the authentication protocol used for the saas app. Required for
// OIDC.
AuthType ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthType `json:"auth_type"`
// The application client id
ClientID string `json:"client_id"`
// The application client secret, only returned on POST request.
ClientSecret string `json:"client_secret"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
CustomClaims ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaims `json:"custom_claims"`
// The OIDC flows supported by this application
GrantTypes []ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantType `json:"grant_types"`
// A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
GroupFilterRegex string `json:"group_filter_regex"`
// The Access public certificate that will be used to verify your identity.
PublicKey string `json:"public_key"`
// The permitted URL's for Cloudflare to return Authorization codes and Access/ID
// tokens
RedirectURIs []string `json:"redirect_uris"`
// Define the user information shared with access
Scopes []ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope `json:"scopes"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
JSON applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppJSON `json:"-"`
}
// applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppJSON contains the JSON
// metadata for the struct [ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp]
type applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppJSON struct {
AppLauncherURL apijson.Field
AuthType apijson.Field
ClientID apijson.Field
ClientSecret apijson.Field
CreatedAt apijson.Field
CustomClaims apijson.Field
GrantTypes apijson.Field
GroupFilterRegex apijson.Field
PublicKey apijson.Field
RedirectURIs apijson.Field
Scopes apijson.Field
UpdatedAt apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppJSON) RawJSON() string {
return r.raw
}
func (r ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSApp) implementsZeroTrustApplicationSaaSApplicationSaaSApp() {
}
// Identifier of the authentication protocol used for the saas app. Required for
// OIDC.
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthType string
const (
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthType = "saml"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthType = "oidc"
)
func (r ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthType) IsKnown() bool {
switch r {
case ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthTypeSAML, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppAuthTypeOIDC:
return true
}
return false
}
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaims struct {
// The name of the claim.
Name string `json:"name"`
// A mapping from IdP ID to claim name.
NameByIdP map[string]string `json:"name_by_idp"`
// If the claim is required when building an OIDC token.
Required bool `json:"required"`
// The scope of the claim.
Scope ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope `json:"scope"`
Source ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSource `json:"source"`
JSON applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsJSON `json:"-"`
}
// applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsJSON contains the
// JSON metadata for the struct
// [ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaims]
type applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsJSON struct {
Name apijson.Field
NameByIdP apijson.Field
Required apijson.Field
Scope apijson.Field
Source apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaims) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsJSON) RawJSON() string {
return r.raw
}
// The scope of the claim.
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope string
const (
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeGroups ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope = "groups"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeProfile ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope = "profile"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeEmail ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope = "email"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeOpenid ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope = "openid"
)
func (r ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScope) IsKnown() bool {
switch r {
case ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeGroups, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeProfile, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeEmail, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsScopeOpenid:
return true
}
return false
}
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSource struct {
// The name of the IdP claim.
Name string `json:"name"`
JSON applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSourceJSON `json:"-"`
}
// applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSourceJSON
// contains the JSON metadata for the struct
// [ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSource]
type applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSourceJSON struct {
Name apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSource) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationSaaSApplicationSaaSAppAccessOIDCSaaSAppCustomClaimsSourceJSON) RawJSON() string {
return r.raw
}
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantType string
const (
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantTypeAuthorizationCode ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantType = "authorization_code"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantTypeAuthorizationCodeWithPkce ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantType = "authorization_code_with_pkce"
)
func (r ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantType) IsKnown() bool {
switch r {
case ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantTypeAuthorizationCode, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppGrantTypeAuthorizationCodeWithPkce:
return true
}
return false
}
type ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope string
const (
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeOpenid ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope = "openid"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeGroups ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope = "groups"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeEmail ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope = "email"
ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeProfile ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope = "profile"
)
func (r ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScope) IsKnown() bool {
switch r {
case ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeOpenid, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeGroups, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeEmail, ApplicationSaaSApplicationSaaSAppAccessOIDCSaaSAppScopeProfile:
return true
}
return false
}
// Optional identifier indicating the authentication protocol used for the saas
// app. Required for OIDC. Default if unset is "saml"
type ApplicationSaaSApplicationSaaSAppAuthType string
const (
ApplicationSaaSApplicationSaaSAppAuthTypeSAML ApplicationSaaSApplicationSaaSAppAuthType = "saml"
ApplicationSaaSApplicationSaaSAppAuthTypeOIDC ApplicationSaaSApplicationSaaSAppAuthType = "oidc"
)
func (r ApplicationSaaSApplicationSaaSAppAuthType) IsKnown() bool {
switch r {
case ApplicationSaaSApplicationSaaSAppAuthTypeSAML, ApplicationSaaSApplicationSaaSAppAuthTypeOIDC:
return true
}
return false
}
type ApplicationBrowserSSHApplication struct {
// The primary hostname and path that Access will secure. If the app is visible in
// the App Launcher dashboard, this is the domain that will be displayed.
Domain string `json:"domain,required"`
// The application type.
Type string `json:"type,required"`
// UUID
ID string `json:"id"`
// When set to true, users can authenticate to this application using their WARP
// session. When set to false this application will always require direct IdP
// authentication. This setting always overrides the organization setting for WARP
// authentication.
AllowAuthenticateViaWARP bool `json:"allow_authenticate_via_warp"`
// The identity providers your users can select when connecting to this
// application. Defaults to all IdPs configured in your account.
AllowedIdps []AllowedIdpsh `json:"allowed_idps"`
// Displays the application in the App Launcher.
AppLauncherVisible bool `json:"app_launcher_visible"`
// Audience tag.
AUD string `json:"aud"`
// When set to `true`, users skip the identity provider selection step during
// login. You must specify only one identity provider in allowed_idps.
AutoRedirectToIdentity bool `json:"auto_redirect_to_identity"`
CORSHeaders CORSHeaders `json:"cors_headers"`
CreatedAt time.Time `json:"created_at" format:"date-time"`
// The custom error message shown to a user when they are denied access to the
// application.
CustomDenyMessage string `json:"custom_deny_message"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing identity-based rules.
CustomDenyURL string `json:"custom_deny_url"`
// The custom URL a user is redirected to when they are denied access to the
// application when failing non-identity rules.
CustomNonIdentityDenyURL string `json:"custom_non_identity_deny_url"`
// The custom pages that will be displayed when applicable for this application
CustomPages []CustomPagesh `json:"custom_pages"`
// Enables the binding cookie, which increases security against compromised
// authorization tokens and CSRF attacks.
EnableBindingCookie bool `json:"enable_binding_cookie"`
// Enables the HttpOnly cookie attribute, which increases security against XSS
// attacks.
HTTPOnlyCookieAttribute bool `json:"http_only_cookie_attribute"`
// The image URL for the logo shown in the App Launcher dashboard.
LogoURL string `json:"logo_url"`
// The name of the application.
Name string `json:"name"`
// Allows options preflight requests to bypass Access authentication and go
// directly to the origin. Cannot turn on if cors_headers is set.
OptionsPreflightBypass bool `json:"options_preflight_bypass"`
// Enables cookie paths to scope an application's JWT to the application path. If
// disabled, the JWT will scope to the hostname by default
PathCookieAttribute bool `json:"path_cookie_attribute"`
// Sets the SameSite cookie setting, which provides increased security against CSRF
// attacks.
SameSiteCookieAttribute string `json:"same_site_cookie_attribute"`
// List of domains that Access will secure.
SelfHostedDomains []SelfHostedDomainsh `json:"self_hosted_domains"`
// Returns a 401 status code when the request is blocked by a Service Auth policy.
ServiceAuth401Redirect bool `json:"service_auth_401_redirect"`
// The amount of time that tokens issued for this application will be valid. Must
// be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
// s, m, h.
SessionDuration string `json:"session_duration"`
// Enables automatic authentication through cloudflared.
SkipInterstitial bool `json:"skip_interstitial"`
// The tags you want assigned to an application. Tags are used to filter
// applications in the App Launcher dashboard.
Tags []string `json:"tags"`
UpdatedAt time.Time `json:"updated_at" format:"date-time"`
JSON applicationBrowserSSHApplicationJSON `json:"-"`
}
// applicationBrowserSSHApplicationJSON contains the JSON metadata for the struct
// [ApplicationBrowserSSHApplication]
type applicationBrowserSSHApplicationJSON struct {
Domain apijson.Field
Type apijson.Field
ID apijson.Field
AllowAuthenticateViaWARP apijson.Field
AllowedIdps apijson.Field
AppLauncherVisible apijson.Field
AUD apijson.Field
AutoRedirectToIdentity apijson.Field
CORSHeaders apijson.Field
CreatedAt apijson.Field
CustomDenyMessage apijson.Field
CustomDenyURL apijson.Field
CustomNonIdentityDenyURL apijson.Field
CustomPages apijson.Field
EnableBindingCookie apijson.Field
HTTPOnlyCookieAttribute apijson.Field
LogoURL apijson.Field
Name apijson.Field
OptionsPreflightBypass apijson.Field
PathCookieAttribute apijson.Field
SameSiteCookieAttribute apijson.Field
SelfHostedDomains apijson.Field
ServiceAuth401Redirect apijson.Field
SessionDuration apijson.Field
SkipInterstitial apijson.Field
Tags apijson.Field
UpdatedAt apijson.Field
raw string
ExtraFields map[string]apijson.Field
}
func (r *ApplicationBrowserSSHApplication) UnmarshalJSON(data []byte) (err error) {
return apijson.UnmarshalRoot(data, r)
}
func (r applicationBrowserSSHApplicationJSON) RawJSON() string {
return r.raw
}
func (r ApplicationBrowserSSHApplication) implementsZeroTrustApplication() {}