zuplo 6.67.32 → 6.68.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -0
- package/docs/_index.md +44 -0
- package/docs/ai-gateway/apps.mdx +28 -0
- package/docs/ai-gateway/custom-providers.mdx +54 -0
- package/docs/ai-gateway/getting-started.mdx +224 -0
- package/docs/ai-gateway/guardrails.mdx +65 -0
- package/docs/ai-gateway/integrations/ai-sdk.mdx +109 -0
- package/docs/ai-gateway/integrations/claude-code.mdx +49 -0
- package/docs/ai-gateway/integrations/codex.mdx +78 -0
- package/docs/ai-gateway/integrations/goose.mdx +104 -0
- package/docs/ai-gateway/integrations/langchain.mdx +66 -0
- package/docs/ai-gateway/integrations/openai.mdx +99 -0
- package/docs/ai-gateway/introduction.mdx +85 -0
- package/docs/ai-gateway/managing-apps.mdx +46 -0
- package/docs/ai-gateway/managing-providers.mdx +66 -0
- package/docs/ai-gateway/managing-teams.mdx +63 -0
- package/docs/ai-gateway/policies/akamai-ai-firewall.mdx +125 -0
- package/docs/ai-gateway/policies/comet-opik-tracing.mdx +139 -0
- package/docs/ai-gateway/policies/galileo-tracing.mdx +147 -0
- package/docs/ai-gateway/providers.mdx +32 -0
- package/docs/ai-gateway/teams.mdx +38 -0
- package/docs/ai-gateway/universal-api.mdx +43 -0
- package/docs/ai-gateway/usage-limits.mdx +89 -0
- package/docs/api-management/introduction.md +127 -0
- package/docs/articles/accounts/audit-logs.mdx +227 -0
- package/docs/articles/accounts/billing.mdx +25 -0
- package/docs/articles/accounts/default-api-key.mdx +30 -0
- package/docs/articles/accounts/delete-account.mdx +36 -0
- package/docs/articles/accounts/enterprise-sso.mdx +116 -0
- package/docs/articles/accounts/managing-account-members.mdx +45 -0
- package/docs/articles/accounts/managing-project-members.mdx +37 -0
- package/docs/articles/accounts/members-and-roles.mdx +21 -0
- package/docs/articles/accounts/roles-and-permissions.mdx +115 -0
- package/docs/articles/accounts/zuplo-api-keys.mdx +94 -0
- package/docs/articles/add-api-to-backstage.mdx +216 -0
- package/docs/articles/advanced-path-matching.mdx +139 -0
- package/docs/articles/api-key-administration.mdx +47 -0
- package/docs/articles/api-key-api.mdx +220 -0
- package/docs/articles/api-key-authentication.mdx +195 -0
- package/docs/articles/api-key-buckets.mdx +61 -0
- package/docs/articles/api-key-end-users.mdx +52 -0
- package/docs/articles/api-key-leak-detection.mdx +75 -0
- package/docs/articles/api-key-management.mdx +100 -0
- package/docs/articles/api-key-react-component.mdx +90 -0
- package/docs/articles/api-key-service-limits.mdx +14 -0
- package/docs/articles/archiving-requests-to-storage.mdx +119 -0
- package/docs/articles/branch-based-deployments.mdx +184 -0
- package/docs/articles/bypass-policy-for-testing.mdx +117 -0
- package/docs/articles/check-ip-address.mdx +17 -0
- package/docs/articles/ci-cd-azure/basic-deployment.mdx +49 -0
- package/docs/articles/ci-cd-azure/deploy-and-test.mdx +47 -0
- package/docs/articles/ci-cd-azure/local-testing.mdx +59 -0
- package/docs/articles/ci-cd-azure/multi-stage-deployment.mdx +88 -0
- package/docs/articles/ci-cd-azure/pr-preview-environments.mdx +50 -0
- package/docs/articles/ci-cd-azure/tag-based-releases.mdx +37 -0
- package/docs/articles/ci-cd-bitbucket/basic-deployment.mdx +27 -0
- package/docs/articles/ci-cd-bitbucket/deploy-and-test.mdx +41 -0
- package/docs/articles/ci-cd-bitbucket/local-testing.mdx +34 -0
- package/docs/articles/ci-cd-bitbucket/multi-stage-deployment.mdx +52 -0
- package/docs/articles/ci-cd-bitbucket/pr-preview-environments.mdx +46 -0
- package/docs/articles/ci-cd-bitbucket/tag-based-releases.mdx +27 -0
- package/docs/articles/ci-cd-circleci/basic-deployment.mdx +34 -0
- package/docs/articles/ci-cd-circleci/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-circleci/local-testing.mdx +50 -0
- package/docs/articles/ci-cd-circleci/multi-stage-deployment.mdx +82 -0
- package/docs/articles/ci-cd-circleci/pr-preview-environments.mdx +47 -0
- package/docs/articles/ci-cd-circleci/tag-based-releases.mdx +38 -0
- package/docs/articles/ci-cd-github/basic-deployment.mdx +48 -0
- package/docs/articles/ci-cd-github/cleanup-on-branch-delete.mdx +123 -0
- package/docs/articles/ci-cd-github/deploy-and-test.mdx +82 -0
- package/docs/articles/ci-cd-github/local-testing.mdx +102 -0
- package/docs/articles/ci-cd-github/multi-stage-deployment.mdx +136 -0
- package/docs/articles/ci-cd-github/pr-preview-environments.mdx +106 -0
- package/docs/articles/ci-cd-github/tag-based-releases.mdx +99 -0
- package/docs/articles/ci-cd-gitlab/basic-deployment.mdx +28 -0
- package/docs/articles/ci-cd-gitlab/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-gitlab/local-testing.mdx +39 -0
- package/docs/articles/ci-cd-gitlab/mr-preview-environments.mdx +52 -0
- package/docs/articles/ci-cd-gitlab/multi-stage-deployment.mdx +64 -0
- package/docs/articles/ci-cd-gitlab/tag-based-releases.mdx +28 -0
- package/docs/articles/composite-policy-reference.mdx +284 -0
- package/docs/articles/configuring-auth0-for-mcp-auth.mdx +186 -0
- package/docs/articles/configuring-okta-for-mcp-auth.mdx +208 -0
- package/docs/articles/convert-urls-to-openapi.mdx +62 -0
- package/docs/articles/cors.mdx +447 -0
- package/docs/articles/custom-audit-log-policy.mdx +95 -0
- package/docs/articles/custom-ci-cd-azure.mdx +81 -0
- package/docs/articles/custom-ci-cd-bitbucket.mdx +80 -0
- package/docs/articles/custom-ci-cd-circleci.mdx +78 -0
- package/docs/articles/custom-ci-cd-github.mdx +99 -0
- package/docs/articles/custom-ci-cd-gitlab.mdx +79 -0
- package/docs/articles/custom-ci-cd.mdx +82 -0
- package/docs/articles/custom-code-patterns.md +418 -0
- package/docs/articles/custom-domains.mdx +258 -0
- package/docs/articles/custom-logging-example.mdx +139 -0
- package/docs/articles/ddos-protection.mdx +138 -0
- package/docs/articles/development-options.mdx +49 -0
- package/docs/articles/environment-variables.mdx +134 -0
- package/docs/articles/environments.mdx +143 -0
- package/docs/articles/fastly-zuplo-host-setup.mdx +41 -0
- package/docs/articles/github-deployment-testing.mdx +101 -0
- package/docs/articles/gke-with-upstream-auth-policy.mdx +192 -0
- package/docs/articles/graphql-security.mdx +180 -0
- package/docs/articles/handling-form-data.mdx +61 -0
- package/docs/articles/health-checks.mdx +109 -0
- package/docs/articles/hosting-options.mdx +70 -0
- package/docs/articles/lazy-load-configuration-into-cache.mdx +92 -0
- package/docs/articles/limits.mdx +98 -0
- package/docs/articles/local-development-debugging.mdx +44 -0
- package/docs/articles/local-development-env-variables.mdx +23 -0
- package/docs/articles/local-development-installing-packages.mdx +23 -0
- package/docs/articles/local-development-routes-designer.mdx +27 -0
- package/docs/articles/local-development-services.mdx +40 -0
- package/docs/articles/local-development-troubleshooting.mdx +56 -0
- package/docs/articles/local-development.mdx +81 -0
- package/docs/articles/log-plugin-aws-cloudwatch.mdx +83 -0
- package/docs/articles/log-plugin-datadog.mdx +84 -0
- package/docs/articles/log-plugin-dynatrace.mdx +75 -0
- package/docs/articles/log-plugin-gcp.mdx +75 -0
- package/docs/articles/log-plugin-loki.mdx +136 -0
- package/docs/articles/log-plugin-new-relic.mdx +84 -0
- package/docs/articles/log-plugin-splunk.mdx +104 -0
- package/docs/articles/log-plugin-sumo.mdx +73 -0
- package/docs/articles/log-plugin-vmware-log-insight.mdx +154 -0
- package/docs/articles/log-request-response-data.mdx +398 -0
- package/docs/articles/logging.mdx +115 -0
- package/docs/articles/manual-mcp-oauth-testing.mdx +193 -0
- package/docs/articles/mcp-quickstart.mdx +135 -0
- package/docs/articles/metrics-plugins.mdx +371 -0
- package/docs/articles/migrate-from-apigee.md +408 -0
- package/docs/articles/migrate-from-aws-api-gateway.md +248 -0
- package/docs/articles/migrate-from-azure-apim.md +292 -0
- package/docs/articles/migrate-from-kong.md +300 -0
- package/docs/articles/migration-overview.md +81 -0
- package/docs/articles/monetization/api-access.mdx +69 -0
- package/docs/articles/monetization/billing-models.md +520 -0
- package/docs/articles/monetization/developer-portal.md +167 -0
- package/docs/articles/monetization/features.mdx +98 -0
- package/docs/articles/monetization/index.mdx +113 -0
- package/docs/articles/monetization/meters.mdx +135 -0
- package/docs/articles/monetization/monetization-policy.md +314 -0
- package/docs/articles/monetization/plan-examples.mdx +366 -0
- package/docs/articles/monetization/plans.mdx +266 -0
- package/docs/articles/monetization/pricing-models.mdx +225 -0
- package/docs/articles/monetization/private-plans.md +154 -0
- package/docs/articles/monetization/quickstart.md +355 -0
- package/docs/articles/monetization/rate-cards.mdx +171 -0
- package/docs/articles/monetization/stripe-integration.md +195 -0
- package/docs/articles/monetization/subscription-lifecycle.md +298 -0
- package/docs/articles/monetization/tax-collection.md +166 -0
- package/docs/articles/monetization/troubleshooting.md +272 -0
- package/docs/articles/monetization-custom.mdx +71 -0
- package/docs/articles/monetization-integrations.mdx +104 -0
- package/docs/articles/monitoring-your-gateway.mdx +53 -0
- package/docs/articles/monorepo-deployment.mdx +350 -0
- package/docs/articles/multiple-auth-policies.mdx +81 -0
- package/docs/articles/non-standard-ports.mdx +30 -0
- package/docs/articles/oauth-authentication.mdx +54 -0
- package/docs/articles/openapi-server-urls.mdx +60 -0
- package/docs/articles/openapi.mdx +130 -0
- package/docs/articles/opentelemetry.mdx +250 -0
- package/docs/articles/per-user-rate-limits-using-db.mdx +112 -0
- package/docs/articles/performance-testing.mdx +304 -0
- package/docs/articles/plugin-akamai-api-security.mdx +76 -0
- package/docs/articles/plugin-azure-blob.mdx +73 -0
- package/docs/articles/plugin-azure-event-hubs.mdx +64 -0
- package/docs/articles/plugin-hydrolix-traffic-peak.mdx +147 -0
- package/docs/articles/policies.mdx +33 -0
- package/docs/articles/rename-or-move-project.mdx +39 -0
- package/docs/articles/rick-and-morty-api-developer-portal-example.mdx +23 -0
- package/docs/articles/routing.mdx +193 -0
- package/docs/articles/s3-signed-url-uploads.mdx +521 -0
- package/docs/articles/secure-tunnel.mdx +84 -0
- package/docs/articles/securing-backend-mtls.mdx +268 -0
- package/docs/articles/securing-your-backend.mdx +148 -0
- package/docs/articles/security.mdx +105 -0
- package/docs/articles/sharing-code-across-projects.mdx +412 -0
- package/docs/articles/source-control-setup-azure.mdx +13 -0
- package/docs/articles/source-control-setup-bitbucket.mdx +43 -0
- package/docs/articles/source-control-setup-github.mdx +172 -0
- package/docs/articles/source-control-setup-gitlab.mdx +12 -0
- package/docs/articles/source-control.mdx +80 -0
- package/docs/articles/step-1-setup-basic-gateway-local.mdx +136 -0
- package/docs/articles/step-1-setup-basic-gateway.mdx +118 -0
- package/docs/articles/step-2-add-rate-limiting-local.mdx +126 -0
- package/docs/articles/step-2-add-rate-limiting.mdx +82 -0
- package/docs/articles/step-3-add-api-key-auth-local.mdx +199 -0
- package/docs/articles/step-3-add-api-key-auth.mdx +166 -0
- package/docs/articles/step-4-deploying-to-the-edge.mdx +220 -0
- package/docs/articles/step-5-dynamic-rate-limiting.mdx +167 -0
- package/docs/articles/support.mdx +144 -0
- package/docs/articles/terraform.mdx +114 -0
- package/docs/articles/testing-graphql.mdx +34 -0
- package/docs/articles/testing.mdx +522 -0
- package/docs/articles/troubleshooting-slow-responses.mdx +301 -0
- package/docs/articles/troubleshooting.md +302 -0
- package/docs/articles/tsconfig.mdx +105 -0
- package/docs/articles/tunnel-setup.mdx +195 -0
- package/docs/articles/tunnel-troubleshooting.mdx +50 -0
- package/docs/articles/update-zup-in-github-action.mdx +110 -0
- package/docs/articles/use-openapi-extension-data.mdx +79 -0
- package/docs/articles/users/multifactor-authentication.mdx +64 -0
- package/docs/articles/users/profile.mdx +13 -0
- package/docs/articles/versioning-on-zuplo.mdx +89 -0
- package/docs/articles/waf-ddos-akamai.md +133 -0
- package/docs/articles/waf-ddos-aws-waf-shield.mdx +85 -0
- package/docs/articles/waf-ddos-fastly.mdx +251 -0
- package/docs/articles/waf-ddos.mdx +140 -0
- package/docs/articles/zuplo-waf.mdx +156 -0
- package/docs/ask.mdx +3 -0
- package/docs/cli/authentication.mdx +56 -0
- package/docs/cli/connectivity.mdx +38 -0
- package/docs/cli/create-zuplo-api.mdx +80 -0
- package/docs/cli/delete.mdx +79 -0
- package/docs/cli/deploy.mdx +156 -0
- package/docs/cli/deploy.partial.mdx +46 -0
- package/docs/cli/dev.mdx +115 -0
- package/docs/cli/docs.mdx +66 -0
- package/docs/cli/editor.mdx +50 -0
- package/docs/cli/global-options.mdx +19 -0
- package/docs/cli/init.mdx +74 -0
- package/docs/cli/link.mdx +74 -0
- package/docs/cli/list.mdx +55 -0
- package/docs/cli/mtls-certificate-create.mdx +94 -0
- package/docs/cli/mtls-certificate-delete.mdx +55 -0
- package/docs/cli/mtls-certificate-describe.mdx +55 -0
- package/docs/cli/mtls-certificate-disable.mdx +55 -0
- package/docs/cli/mtls-certificate-list.mdx +47 -0
- package/docs/cli/mtls-certificate-update.mdx +72 -0
- package/docs/cli/openapi-convert.mdx +111 -0
- package/docs/cli/openapi-merge.mdx +138 -0
- package/docs/cli/openapi-merge.partial.mdx +29 -0
- package/docs/cli/openapi-overlay.mdx +123 -0
- package/docs/cli/overview.mdx +78 -0
- package/docs/cli/project-create.mdx +43 -0
- package/docs/cli/source-migrate.mdx +18 -0
- package/docs/cli/source-upgrade.mdx +41 -0
- package/docs/cli/test.mdx +70 -0
- package/docs/cli/test.partial.mdx +7 -0
- package/docs/cli/tunnel-create.mdx +53 -0
- package/docs/cli/tunnel-create.partial.mdx +9 -0
- package/docs/cli/tunnel-delete.mdx +35 -0
- package/docs/cli/tunnel-delete.partial.mdx +9 -0
- package/docs/cli/tunnel-describe.mdx +45 -0
- package/docs/cli/tunnel-describe.partial.mdx +5 -0
- package/docs/cli/tunnel-list.mdx +35 -0
- package/docs/cli/tunnel-list.partial.mdx +9 -0
- package/docs/cli/tunnel-rate-token.partial.mdx +9 -0
- package/docs/cli/tunnel-rotate-token.mdx +39 -0
- package/docs/cli/tunnel-services-describe.mdx +45 -0
- package/docs/cli/tunnel-services-describe.partial.mdx +9 -0
- package/docs/cli/tunnel-services-update.mdx +48 -0
- package/docs/cli/variable-create.mdx +91 -0
- package/docs/cli/variable-create.partial.mdx +5 -0
- package/docs/cli/variable-update.mdx +75 -0
- package/docs/cli/variable-update.partial.mdx +5 -0
- package/docs/concepts/api-keys.md +146 -0
- package/docs/concepts/authentication.mdx +109 -0
- package/docs/concepts/how-zuplo-works.mdx +120 -0
- package/docs/concepts/project-structure.mdx +174 -0
- package/docs/concepts/rate-limiting.md +246 -0
- package/docs/concepts/request-lifecycle.mdx +56 -0
- package/docs/concepts/source-control-and-deployment.mdx +229 -0
- package/docs/conferences/conference-prize-terms.mdx +80 -0
- package/docs/dedicated/akamai/ai-powered-applications.mdx +223 -0
- package/docs/dedicated/akamai/architecture.mdx +280 -0
- package/docs/dedicated/akamai/caching.mdx +212 -0
- package/docs/dedicated/akamai/cdn.mdx +156 -0
- package/docs/dedicated/architecture.mdx +208 -0
- package/docs/dedicated/custom-domains.mdx +31 -0
- package/docs/dedicated/federated-gateways.mdx +80 -0
- package/docs/dedicated/networking.mdx +69 -0
- package/docs/dedicated/overview.mdx +80 -0
- package/docs/dedicated/source-control.mdx +63 -0
- package/docs/dev-portal/dev-portal-create-consumer-on-auth.mdx +134 -0
- package/docs/dev-portal/introduction.mdx +65 -0
- package/docs/dev-portal/local-development.mdx +72 -0
- package/docs/dev-portal/migration.mdx +526 -0
- package/docs/dev-portal/node-modules.mdx +45 -0
- package/docs/dev-portal/updating.mdx +28 -0
- package/docs/dev-portal/zudoku/components/alert.mdx +130 -0
- package/docs/dev-portal/zudoku/components/badge.mdx +70 -0
- package/docs/dev-portal/zudoku/components/button.mdx +132 -0
- package/docs/dev-portal/zudoku/components/callout.mdx +112 -0
- package/docs/dev-portal/zudoku/components/card.mdx +104 -0
- package/docs/dev-portal/zudoku/components/checkbox.mdx +72 -0
- package/docs/dev-portal/zudoku/components/client-only.mdx +79 -0
- package/docs/dev-portal/zudoku/components/code-tabs.mdx +179 -0
- package/docs/dev-portal/zudoku/components/dialog.mdx +167 -0
- package/docs/dev-portal/zudoku/components/head.mdx +199 -0
- package/docs/dev-portal/zudoku/components/icons.mdx +27 -0
- package/docs/dev-portal/zudoku/components/input.mdx +96 -0
- package/docs/dev-portal/zudoku/components/label.mdx +86 -0
- package/docs/dev-portal/zudoku/components/link.mdx +242 -0
- package/docs/dev-portal/zudoku/components/markdown.mdx +151 -0
- package/docs/dev-portal/zudoku/components/mermaid.mdx +81 -0
- package/docs/dev-portal/zudoku/components/playground.mdx +87 -0
- package/docs/dev-portal/zudoku/components/secret.mdx +78 -0
- package/docs/dev-portal/zudoku/components/select.mdx +176 -0
- package/docs/dev-portal/zudoku/components/shadcn.mdx +73 -0
- package/docs/dev-portal/zudoku/components/slider.mdx +108 -0
- package/docs/dev-portal/zudoku/components/slot.mdx +119 -0
- package/docs/dev-portal/zudoku/components/stepper.mdx +138 -0
- package/docs/dev-portal/zudoku/components/switch.mdx +96 -0
- package/docs/dev-portal/zudoku/components/syntax-highlight.mdx +602 -0
- package/docs/dev-portal/zudoku/components/textarea.mdx +78 -0
- package/docs/dev-portal/zudoku/components/tooltip.mdx +195 -0
- package/docs/dev-portal/zudoku/components/typography.mdx +61 -0
- package/docs/dev-portal/zudoku/configuration/ai-assistants.md +64 -0
- package/docs/dev-portal/zudoku/configuration/api-catalog.md +108 -0
- package/docs/dev-portal/zudoku/configuration/api-reference.md +397 -0
- package/docs/dev-portal/zudoku/configuration/authentication-auth0.md +173 -0
- package/docs/dev-portal/zudoku/configuration/authentication-azure-ad.md +238 -0
- package/docs/dev-portal/zudoku/configuration/authentication-clerk.md +110 -0
- package/docs/dev-portal/zudoku/configuration/authentication-firebase.md +61 -0
- package/docs/dev-portal/zudoku/configuration/authentication-pingfederate.md +136 -0
- package/docs/dev-portal/zudoku/configuration/authentication-supabase.md +225 -0
- package/docs/dev-portal/zudoku/configuration/authentication.md +199 -0
- package/docs/dev-portal/zudoku/configuration/build-configuration.mdx +147 -0
- package/docs/dev-portal/zudoku/configuration/docs.md +282 -0
- package/docs/dev-portal/zudoku/configuration/footer.mdx +214 -0
- package/docs/dev-portal/zudoku/configuration/llms.md +89 -0
- package/docs/dev-portal/zudoku/configuration/navigation.mdx +408 -0
- package/docs/dev-portal/zudoku/configuration/overview.md +380 -0
- package/docs/dev-portal/zudoku/configuration/protected-routes.md +149 -0
- package/docs/dev-portal/zudoku/configuration/search.md +169 -0
- package/docs/dev-portal/zudoku/configuration/sentry.mdx +44 -0
- package/docs/dev-portal/zudoku/configuration/site.md +124 -0
- package/docs/dev-portal/zudoku/configuration/slots.mdx +124 -0
- package/docs/dev-portal/zudoku/configuration/vite-config.md +18 -0
- package/docs/dev-portal/zudoku/custom-plugins.md +287 -0
- package/docs/dev-portal/zudoku/customization/colors-theme.mdx +275 -0
- package/docs/dev-portal/zudoku/customization/fonts.md +110 -0
- package/docs/dev-portal/zudoku/extending/events.md +124 -0
- package/docs/dev-portal/zudoku/guides/custom-pages.md +106 -0
- package/docs/dev-portal/zudoku/guides/environment-variables.md +99 -0
- package/docs/dev-portal/zudoku/guides/mermaid.mdx +70 -0
- package/docs/dev-portal/zudoku/guides/navigation-migration.md +87 -0
- package/docs/dev-portal/zudoku/guides/navigation-rules.mdx +197 -0
- package/docs/dev-portal/zudoku/guides/processors.mdx +234 -0
- package/docs/dev-portal/zudoku/guides/static-files.md +55 -0
- package/docs/dev-portal/zudoku/guides/transforming-examples.md +156 -0
- package/docs/dev-portal/zudoku/guides/using-multiple-apis.md +87 -0
- package/docs/dev-portal/zudoku/markdown/admonitions.md +128 -0
- package/docs/dev-portal/zudoku/markdown/code-blocks.md +196 -0
- package/docs/dev-portal/zudoku/markdown/frontmatter.md +172 -0
- package/docs/dev-portal/zudoku/markdown/mdx.md +68 -0
- package/docs/dev-portal/zudoku/markdown/overview.md +275 -0
- package/docs/dev-portal/zudoku/plugins.md +5 -0
- package/docs/dev-portal/zudoku/writing.mdx +72 -0
- package/docs/errors/bad-request.mdx +39 -0
- package/docs/errors/build-error.mdx +45 -0
- package/docs/errors/fatal-project-error.mdx +39 -0
- package/docs/errors/gateway-timeout.mdx +33 -0
- package/docs/errors/get-head-body-error.mdx +41 -0
- package/docs/errors/main-mod-error.mdx +40 -0
- package/docs/errors/no-project-set.mdx +41 -0
- package/docs/errors/not-found.mdx +43 -0
- package/docs/errors/rate-limit-exceeded.mdx +31 -0
- package/docs/errors/schema-validation-failed.mdx +51 -0
- package/docs/errors/system-configuration-error.mdx +44 -0
- package/docs/errors/unauthorized.mdx +50 -0
- package/docs/errors/unknown-error.mdx +42 -0
- package/docs/errors.mdx +14 -0
- package/docs/guides/canary-routing-for-employees.mdx +385 -0
- package/docs/guides/geolocation-backend-routing.mdx +404 -0
- package/docs/guides/modify-openapi-paths.mdx +371 -0
- package/docs/guides/openapi-overlays.mdx +492 -0
- package/docs/guides/overview.mdx +12 -0
- package/docs/guides/user-based-backend-routing.mdx +437 -0
- package/docs/handlers/aws-lambda.mdx +201 -0
- package/docs/handlers/custom-handler.mdx +112 -0
- package/docs/handlers/legacy-dev-portal-handler.mdx +135 -0
- package/docs/handlers/mcp-server.mdx +730 -0
- package/docs/handlers/openapi.mdx +78 -0
- package/docs/handlers/redirect.mdx +115 -0
- package/docs/handlers/system-handlers.mdx +41 -0
- package/docs/handlers/url-forward.mdx +204 -0
- package/docs/handlers/url-rewrite.mdx +224 -0
- package/docs/handlers/websocket-handler.mdx +154 -0
- package/docs/home.mdx +6 -0
- package/docs/managed-edge/overview.md +78 -0
- package/docs/mcp-server/configuration-migration-guide.mdx +344 -0
- package/docs/mcp-server/custom-tools.mdx +487 -0
- package/docs/mcp-server/graphql.mdx +241 -0
- package/docs/mcp-server/introduction.mdx +122 -0
- package/docs/mcp-server/openai-apps-sdk.mdx +160 -0
- package/docs/mcp-server/prompts.mdx +283 -0
- package/docs/mcp-server/resources.mdx +288 -0
- package/docs/mcp-server/testing.mdx +53 -0
- package/docs/mcp-server/tools.mdx +306 -0
- package/docs/policies/_index.md +92 -0
- package/docs/policies/ab-test-inbound/intro.md +8 -0
- package/docs/policies/ab-test-inbound/policy.ts +14 -0
- package/docs/policies/ab-test-inbound/schema.json +27 -0
- package/docs/policies/ab-test-outbound/intro.md +8 -0
- package/docs/policies/ab-test-outbound/policy.ts +26 -0
- package/docs/policies/ab-test-outbound/schema.json +27 -0
- package/docs/policies/acl-policy-inbound/intro.md +5 -0
- package/docs/policies/acl-policy-inbound/policy.ts +32 -0
- package/docs/policies/acl-policy-inbound/schema.json +52 -0
- package/docs/policies/akamai-ai-firewall/schema.json +98 -0
- package/docs/policies/amberflo-metering-inbound/doc.md +183 -0
- package/docs/policies/amberflo-metering-inbound/intro.md +20 -0
- package/docs/policies/amberflo-metering-inbound/schema.json +108 -0
- package/docs/policies/api-key-inbound/doc.md +77 -0
- package/docs/policies/api-key-inbound/intro.md +30 -0
- package/docs/policies/api-key-inbound/schema.json +84 -0
- package/docs/policies/archive-request-aws-s3-inbound/intro.md +4 -0
- package/docs/policies/archive-request-aws-s3-inbound/policy.ts +58 -0
- package/docs/policies/archive-request-aws-s3-inbound/schema.json +68 -0
- package/docs/policies/archive-request-azure-storage-inbound/doc.md +31 -0
- package/docs/policies/archive-request-azure-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-azure-storage-inbound/policy.ts +54 -0
- package/docs/policies/archive-request-azure-storage-inbound/schema.json +53 -0
- package/docs/policies/archive-request-gcp-storage-inbound/doc.md +63 -0
- package/docs/policies/archive-request-gcp-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-gcp-storage-inbound/policy.ts +68 -0
- package/docs/policies/archive-request-gcp-storage-inbound/schema.json +47 -0
- package/docs/policies/archive-response-aws-s3-outbound/intro.md +2 -0
- package/docs/policies/archive-response-aws-s3-outbound/policy.ts +59 -0
- package/docs/policies/archive-response-aws-s3-outbound/schema.json +68 -0
- package/docs/policies/archive-response-azure-storage-outbound/doc.md +31 -0
- package/docs/policies/archive-response-azure-storage-outbound/intro.md +3 -0
- package/docs/policies/archive-response-azure-storage-outbound/policy.ts +54 -0
- package/docs/policies/archive-response-azure-storage-outbound/schema.json +53 -0
- package/docs/policies/audit-log-inbound/doc.md +78 -0
- package/docs/policies/audit-log-inbound/intro.md +10 -0
- package/docs/policies/audit-log-inbound/schema.json +81 -0
- package/docs/policies/auth0-jwt-auth-inbound/doc.md +125 -0
- package/docs/policies/auth0-jwt-auth-inbound/intro.md +17 -0
- package/docs/policies/auth0-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/authzen-inbound/doc.md +24 -0
- package/docs/policies/authzen-inbound/intro.md +31 -0
- package/docs/policies/authzen-inbound/schema.json +126 -0
- package/docs/policies/axiomatics-authz-inbound/doc.md +144 -0
- package/docs/policies/axiomatics-authz-inbound/intro.md +11 -0
- package/docs/policies/axiomatics-authz-inbound/schema.json +161 -0
- package/docs/policies/basic-auth-inbound/intro.md +9 -0
- package/docs/policies/basic-auth-inbound/schema.json +99 -0
- package/docs/policies/bot-detection-inbound/intro.md +4 -0
- package/docs/policies/bot-detection-inbound/schema.json +56 -0
- package/docs/policies/brownout-inbound/doc.md +55 -0
- package/docs/policies/brownout-inbound/intro.md +12 -0
- package/docs/policies/brownout-inbound/schema.json +115 -0
- package/docs/policies/caching-inbound/doc.md +209 -0
- package/docs/policies/caching-inbound/intro.md +23 -0
- package/docs/policies/caching-inbound/schema.json +98 -0
- package/docs/policies/change-method-inbound/schema.json +56 -0
- package/docs/policies/clear-headers-inbound/schema.json +59 -0
- package/docs/policies/clear-headers-outbound/schema.json +59 -0
- package/docs/policies/clerk-jwt-auth-inbound/doc.md +85 -0
- package/docs/policies/clerk-jwt-auth-inbound/intro.md +4 -0
- package/docs/policies/clerk-jwt-auth-inbound/schema.json +68 -0
- package/docs/policies/cognito-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/cognito-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/comet-opik-tracing-inbound/schema.json +65 -0
- package/docs/policies/complex-rate-limit-inbound/doc.md +20 -0
- package/docs/policies/complex-rate-limit-inbound/intro.md +23 -0
- package/docs/policies/complex-rate-limit-inbound/schema.json +142 -0
- package/docs/policies/composite-inbound/doc.md +69 -0
- package/docs/policies/composite-inbound/intro.md +15 -0
- package/docs/policies/composite-inbound/schema.json +59 -0
- package/docs/policies/composite-outbound/intro.md +6 -0
- package/docs/policies/composite-outbound/schema.json +59 -0
- package/docs/policies/curity-phantom-token-inbound/doc.md +109 -0
- package/docs/policies/curity-phantom-token-inbound/intro.md +3 -0
- package/docs/policies/curity-phantom-token-inbound/schema.json +68 -0
- package/docs/policies/custom-code-inbound/doc.md +267 -0
- package/docs/policies/custom-code-inbound/intro.md +2 -0
- package/docs/policies/custom-code-inbound/schema.json +48 -0
- package/docs/policies/custom-code-outbound/doc.md +235 -0
- package/docs/policies/custom-code-outbound/intro.md +2 -0
- package/docs/policies/custom-code-outbound/schema.json +43 -0
- package/docs/policies/firebase-jwt-inbound/intro.md +6 -0
- package/docs/policies/firebase-jwt-inbound/schema.json +68 -0
- package/docs/policies/formdata-to-json-inbound/schema.json +60 -0
- package/docs/policies/galileo-tracing-inbound/schema.json +65 -0
- package/docs/policies/geo-filter-inbound/doc.md +33 -0
- package/docs/policies/geo-filter-inbound/schema.json +108 -0
- package/docs/policies/graphql-complexity-limit-inbound/doc.md +48 -0
- package/docs/policies/graphql-complexity-limit-inbound/intro.md +2 -0
- package/docs/policies/graphql-complexity-limit-inbound/schema.json +90 -0
- package/docs/policies/graphql-disable-introspection-inbound/doc.md +66 -0
- package/docs/policies/graphql-disable-introspection-inbound/intro.md +15 -0
- package/docs/policies/graphql-disable-introspection-inbound/schema.json +48 -0
- package/docs/policies/graphql-introspection-filter-outbound/doc.md +148 -0
- package/docs/policies/graphql-introspection-filter-outbound/schema.json +79 -0
- package/docs/policies/hmac-auth-inbound/doc.md +30 -0
- package/docs/policies/hmac-auth-inbound/intro.md +10 -0
- package/docs/policies/hmac-auth-inbound/policy.ts +70 -0
- package/docs/policies/hmac-auth-inbound/schema.json +53 -0
- package/docs/policies/http-deprecation-outbound/doc.md +73 -0
- package/docs/policies/http-deprecation-outbound/schema.json +83 -0
- package/docs/policies/ip-restriction-inbound/intro.md +8 -0
- package/docs/policies/ip-restriction-inbound/policy.ts +40 -0
- package/docs/policies/ip-restriction-inbound/schema.json +58 -0
- package/docs/policies/jwt-scopes-inbound/schema.json +59 -0
- package/docs/policies/ldap-auth-inbound/schema.json +56 -0
- package/docs/policies/mock-api-inbound/schema.json +72 -0
- package/docs/policies/moesif-inbound/doc.md +44 -0
- package/docs/policies/moesif-inbound/intro.md +6 -0
- package/docs/policies/moesif-inbound/schema.json +68 -0
- package/docs/policies/monetization-inbound/doc.md +87 -0
- package/docs/policies/monetization-inbound/intro.md +6 -0
- package/docs/policies/monetization-inbound/schema.json +102 -0
- package/docs/policies/mtls-auth-inbound/intro.md +6 -0
- package/docs/policies/mtls-auth-inbound/schema.json +68 -0
- package/docs/policies/okta-fga-authz-inbound/doc.md +181 -0
- package/docs/policies/okta-fga-authz-inbound/intro.md +20 -0
- package/docs/policies/okta-fga-authz-inbound/schema.json +104 -0
- package/docs/policies/okta-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/okta-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/open-id-jwt-auth-inbound/doc.md +58 -0
- package/docs/policies/open-id-jwt-auth-inbound/intro.md +30 -0
- package/docs/policies/open-id-jwt-auth-inbound/schema.json +128 -0
- package/docs/policies/openfga-authz-inbound/doc.md +207 -0
- package/docs/policies/openfga-authz-inbound/intro.md +17 -0
- package/docs/policies/openfga-authz-inbound/schema.json +191 -0
- package/docs/policies/openmeter-inbound/doc.md +163 -0
- package/docs/policies/openmeter-inbound/intro.md +18 -0
- package/docs/policies/openmeter-inbound/schema.json +183 -0
- package/docs/policies/prompt-injection-outbound/doc.md +106 -0
- package/docs/policies/prompt-injection-outbound/intro.md +4 -0
- package/docs/policies/prompt-injection-outbound/schema.json +74 -0
- package/docs/policies/propel-auth-jwt-inbound/doc.md +88 -0
- package/docs/policies/propel-auth-jwt-inbound/intro.md +4 -0
- package/docs/policies/propel-auth-jwt-inbound/schema.json +74 -0
- package/docs/policies/query-param-to-header-inbound/doc.md +70 -0
- package/docs/policies/query-param-to-header-inbound/intro.md +5 -0
- package/docs/policies/query-param-to-header-inbound/schema.json +74 -0
- package/docs/policies/quota-inbound/doc.md +235 -0
- package/docs/policies/quota-inbound/intro.md +7 -0
- package/docs/policies/quota-inbound/schema.json +133 -0
- package/docs/policies/rate-limit-inbound/doc.md +78 -0
- package/docs/policies/rate-limit-inbound/intro.md +30 -0
- package/docs/policies/rate-limit-inbound/schema.json +134 -0
- package/docs/policies/rbac-policy-inbound/intro.md +3 -0
- package/docs/policies/rbac-policy-inbound/policy.ts +42 -0
- package/docs/policies/rbac-policy-inbound/schema.json +52 -0
- package/docs/policies/readme-metrics-inbound/doc.md +1 -0
- package/docs/policies/readme-metrics-inbound/intro.md +3 -0
- package/docs/policies/readme-metrics-inbound/schema.json +84 -0
- package/docs/policies/remove-headers-inbound/schema.json +59 -0
- package/docs/policies/remove-headers-outbound/schema.json +59 -0
- package/docs/policies/remove-query-params-inbound/schema.json +59 -0
- package/docs/policies/replace-string-outbound/schema.json +69 -0
- package/docs/policies/request-size-limit-inbound/schema.json +60 -0
- package/docs/policies/request-validation-inbound/doc.md +72 -0
- package/docs/policies/request-validation-inbound/intro.md +24 -0
- package/docs/policies/request-validation-inbound/schema.json +98 -0
- package/docs/policies/require-origin-inbound/intro.md +12 -0
- package/docs/policies/require-origin-inbound/schema.json +65 -0
- package/docs/policies/secret-masking-outbound/doc.md +41 -0
- package/docs/policies/secret-masking-outbound/intro.md +13 -0
- package/docs/policies/secret-masking-outbound/schema.json +65 -0
- package/docs/policies/semantic-cache-inbound/doc.md +63 -0
- package/docs/policies/semantic-cache-inbound/intro.md +4 -0
- package/docs/policies/semantic-cache-inbound/schema.json +179 -0
- package/docs/policies/set-body-inbound/intro.md +7 -0
- package/docs/policies/set-body-inbound/schema.json +56 -0
- package/docs/policies/set-headers-inbound/doc.md +41 -0
- package/docs/policies/set-headers-inbound/intro.md +2 -0
- package/docs/policies/set-headers-inbound/schema.json +83 -0
- package/docs/policies/set-headers-outbound/schema.json +83 -0
- package/docs/policies/set-query-params-inbound/schema.json +83 -0
- package/docs/policies/set-status-outbound/schema.json +62 -0
- package/docs/policies/sleep-inbound/schema.json +56 -0
- package/docs/policies/stripe-webhook-verification-inbound/intro.md +2 -0
- package/docs/policies/stripe-webhook-verification-inbound/schema.json +60 -0
- package/docs/policies/supabase-jwt-auth-inbound/doc.md +29 -0
- package/docs/policies/supabase-jwt-auth-inbound/intro.md +12 -0
- package/docs/policies/supabase-jwt-auth-inbound/schema.json +86 -0
- package/docs/policies/transform-body-inbound/intro.md +8 -0
- package/docs/policies/transform-body-inbound/policy.ts +16 -0
- package/docs/policies/transform-body-inbound/schema.json +27 -0
- package/docs/policies/transform-body-outbound/intro.md +8 -0
- package/docs/policies/transform-body-outbound/policy.ts +19 -0
- package/docs/policies/transform-body-outbound/schema.json +27 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/doc.md +82 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/intro.md +20 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +84 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/intro.md +10 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/schema.json +68 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/intro.md +2 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/schema.json +113 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +139 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/intro.md +21 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +96 -0
- package/docs/policies/upstream-gcp-jwt-inbound/intro.md +10 -0
- package/docs/policies/upstream-gcp-jwt-inbound/schema.json +62 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +132 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/intro.md +25 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +95 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/doc.md +213 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/intro.md +16 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +101 -0
- package/docs/policies/validate-json-schema-inbound/doc.md +129 -0
- package/docs/policies/validate-json-schema-inbound/intro.md +7 -0
- package/docs/policies/validate-json-schema-inbound/schema.json +56 -0
- package/docs/policies/web-bot-auth-inbound/doc.md +104 -0
- package/docs/policies/web-bot-auth-inbound/intro.md +16 -0
- package/docs/policies/web-bot-auth-inbound/schema.json +76 -0
- package/docs/policies/xml-to-json-outbound/doc.md +71 -0
- package/docs/policies/xml-to-json-outbound/intro.md +4 -0
- package/docs/policies/xml-to-json-outbound/schema.json +117 -0
- package/docs/programmable-api/audit-log.mdx +74 -0
- package/docs/programmable-api/background-dispatcher.mdx +124 -0
- package/docs/programmable-api/background-loader.mdx +104 -0
- package/docs/programmable-api/cache.mdx +186 -0
- package/docs/programmable-api/compatibility-dates.mdx +201 -0
- package/docs/programmable-api/console-logging.mdx +48 -0
- package/docs/programmable-api/context-data.mdx +127 -0
- package/docs/programmable-api/custom-cors-policy.mdx +64 -0
- package/docs/programmable-api/environment.mdx +328 -0
- package/docs/programmable-api/hooks.mdx +569 -0
- package/docs/programmable-api/http-problems.mdx +385 -0
- package/docs/programmable-api/jwt-service-plugin.mdx +420 -0
- package/docs/programmable-api/logger.mdx +223 -0
- package/docs/programmable-api/memory-zone-read-through-cache.mdx +96 -0
- package/docs/programmable-api/node-modules.mdx +67 -0
- package/docs/programmable-api/not-found-handler.mdx +47 -0
- package/docs/programmable-api/oauth-protected-resource-plugin.mdx +46 -0
- package/docs/programmable-api/overview.mdx +213 -0
- package/docs/programmable-api/problem-response-formatter.mdx +183 -0
- package/docs/programmable-api/request-user.mdx +289 -0
- package/docs/programmable-api/reusing-code.mdx +26 -0
- package/docs/programmable-api/route-raw.mdx +55 -0
- package/docs/programmable-api/runtime-behaviors.mdx +25 -0
- package/docs/programmable-api/runtime-errors.mdx +246 -0
- package/docs/programmable-api/runtime-extensions.mdx +340 -0
- package/docs/programmable-api/safely-clone-a-request-or-response.mdx +57 -0
- package/docs/programmable-api/streaming-zone-cache.mdx +155 -0
- package/docs/programmable-api/web-crypto-apis.mdx +219 -0
- package/docs/programmable-api/web-standard-apis.mdx +109 -0
- package/docs/programmable-api/zone-cache.mdx +131 -0
- package/docs/programmable-api/zp-body-removed.mdx +32 -0
- package/docs/programmable-api/zuplo-context.mdx +414 -0
- package/docs/programmable-api/zuplo-id-token.mdx +90 -0
- package/docs/programmable-api/zuplo-json.mdx +91 -0
- package/docs/programmable-api/zuplo-request.mdx +200 -0
- package/docs/sample-apis.mdx +78 -0
- package/docs/self-hosted/overview.md +60 -0
- package/package.json +6 -5
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
|
|
2
|
+
|
|
3
|
+
export default async function (request: ZuploRequest, context: ZuploContext) {
|
|
4
|
+
// Get the incoming body as an Object
|
|
5
|
+
const obj = await request.json();
|
|
6
|
+
|
|
7
|
+
// Modify the object as required
|
|
8
|
+
obj.myNewProperty = "Hello World";
|
|
9
|
+
|
|
10
|
+
// Stringify the object
|
|
11
|
+
const body = JSON.stringify(obj);
|
|
12
|
+
|
|
13
|
+
// Return a new request based on the
|
|
14
|
+
// original but with the new body
|
|
15
|
+
return new ZuploRequest(request, { body });
|
|
16
|
+
}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/transform-body-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Transform Request Body",
|
|
6
|
+
"isCustom": true,
|
|
7
|
+
"products": ["api-gateway"],
|
|
8
|
+
"description": "Transform the body of an incoming request.",
|
|
9
|
+
"required": ["handler"],
|
|
10
|
+
"properties": {
|
|
11
|
+
"handler": {
|
|
12
|
+
"type": "object",
|
|
13
|
+
"default": {},
|
|
14
|
+
"required": ["export", "module"],
|
|
15
|
+
"properties": {
|
|
16
|
+
"export": {
|
|
17
|
+
"const": "default",
|
|
18
|
+
"description": "The export from the custom policy"
|
|
19
|
+
},
|
|
20
|
+
"module": {
|
|
21
|
+
"const": "$import(./modules/YOUR_MODULE)",
|
|
22
|
+
"description": "The module containing the policy"
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
This example policy shows how to use `response.json()` to read the outgoing
|
|
2
|
+
response as a JSON object. The object can then be modified as appropriate. It's
|
|
3
|
+
then converted back to a string and a new `Response` is returned in the policy
|
|
4
|
+
with the new body.
|
|
5
|
+
|
|
6
|
+
If the incoming response body isn't JSON, you can use `response.text()` or
|
|
7
|
+
`response.blob()` to access the contents as raw text or a
|
|
8
|
+
[blob](https://developer.mozilla.org/en-US/docs/Web/API/Response/blob).
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
|
|
2
|
+
|
|
3
|
+
export default async function (
|
|
4
|
+
response: Response,
|
|
5
|
+
request: ZuploRequest,
|
|
6
|
+
context: ZuploContext,
|
|
7
|
+
) {
|
|
8
|
+
// Get the outgoing body as an Object
|
|
9
|
+
const obj = await response.json();
|
|
10
|
+
|
|
11
|
+
// Modify the object as required
|
|
12
|
+
obj.myNewProperty = "Hello World";
|
|
13
|
+
|
|
14
|
+
// Stringify the object
|
|
15
|
+
const body = JSON.stringify(obj);
|
|
16
|
+
|
|
17
|
+
// Return a new response with the new body
|
|
18
|
+
return new Response(body, request);
|
|
19
|
+
}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/transform-body-outbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Transform Response Body",
|
|
6
|
+
"isCustom": true,
|
|
7
|
+
"products": ["api-gateway"],
|
|
8
|
+
"description": "Transform the body of an outgoing response.",
|
|
9
|
+
"required": ["handler"],
|
|
10
|
+
"properties": {
|
|
11
|
+
"handler": {
|
|
12
|
+
"type": "object",
|
|
13
|
+
"default": {},
|
|
14
|
+
"required": ["export", "module"],
|
|
15
|
+
"properties": {
|
|
16
|
+
"export": {
|
|
17
|
+
"const": "default",
|
|
18
|
+
"description": "The export from the custom policy"
|
|
19
|
+
},
|
|
20
|
+
"module": {
|
|
21
|
+
"const": "$import(./modules/YOUR_MODULE)",
|
|
22
|
+
"description": "The module containing the policy"
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
This policy authenticates your Zuplo gateway to Azure AD-protected backend
|
|
2
|
+
services by automatically adding an OAuth 2.0 Bearer token to the
|
|
3
|
+
`Authorization` header of upstream requests. It uses the Azure AD client
|
|
4
|
+
credentials flow to obtain access tokens.
|
|
5
|
+
|
|
6
|
+
### How It Works
|
|
7
|
+
|
|
8
|
+
The policy performs the following operations:
|
|
9
|
+
|
|
10
|
+
1. Requests an access token from Azure AD using the configured client
|
|
11
|
+
credentials
|
|
12
|
+
2. Caches the token for subsequent requests until it nears expiration
|
|
13
|
+
3. Adds the token to the `Authorization` header as a Bearer token
|
|
14
|
+
4. Automatically handles token renewal when needed
|
|
15
|
+
|
|
16
|
+
### Policy Configuration
|
|
17
|
+
|
|
18
|
+
Configure the policy with your Azure AD application credentials:
|
|
19
|
+
|
|
20
|
+
```json
|
|
21
|
+
{
|
|
22
|
+
"name": "azure-ad-service-auth",
|
|
23
|
+
"export": "UpstreamAzureAdServiceAuthInboundPolicy",
|
|
24
|
+
"module": "$import(@zuplo/runtime)",
|
|
25
|
+
"options": {
|
|
26
|
+
"activeDirectoryTenantId": "YOUR_TENANT_ID",
|
|
27
|
+
"activeDirectoryClientId": "YOUR_CLIENT_ID",
|
|
28
|
+
"activeDirectoryClientSecret": "$env(AZURE_CLIENT_SECRET)",
|
|
29
|
+
"tokenRetries": 3,
|
|
30
|
+
"expirationOffsetSeconds": 300
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
```
|
|
34
|
+
|
|
35
|
+
### Usage Example
|
|
36
|
+
|
|
37
|
+
#### Securing Azure Function App Access
|
|
38
|
+
|
|
39
|
+
Apply the policy to routes that need to access your Azure Function App:
|
|
40
|
+
|
|
41
|
+
```json
|
|
42
|
+
{
|
|
43
|
+
"paths": {
|
|
44
|
+
"/api/data": {
|
|
45
|
+
"get": {
|
|
46
|
+
"x-zuplo-route": {
|
|
47
|
+
"policies": {
|
|
48
|
+
"inbound": ["jwt-auth", "azure-ad-service-auth"]
|
|
49
|
+
},
|
|
50
|
+
"handler": {
|
|
51
|
+
"export": "forwardToOrigin",
|
|
52
|
+
"module": "$import(@zuplo/runtime)",
|
|
53
|
+
"options": {
|
|
54
|
+
"baseUrl": "https://your-function-app.azurewebsites.net"
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
}
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
### Azure AD Configuration
|
|
65
|
+
|
|
66
|
+
To use this policy, you need to:
|
|
67
|
+
|
|
68
|
+
1. Create an Azure AD app registration for your Zuplo gateway
|
|
69
|
+
2. Generate a client secret for the app registration
|
|
70
|
+
3. Configure your backend service (e.g., Azure Functions, App Service) to use
|
|
71
|
+
Azure AD authentication
|
|
72
|
+
4. Grant the necessary permissions for your app registration to access your
|
|
73
|
+
backend service
|
|
74
|
+
|
|
75
|
+
### Security Considerations
|
|
76
|
+
|
|
77
|
+
- Store the client secret as an environment variable using `$env(VARIABLE_NAME)`
|
|
78
|
+
syntax
|
|
79
|
+
- Ensure your Azure AD app has the minimum required permissions to access your
|
|
80
|
+
backend services
|
|
81
|
+
- Consider using managed identities for Azure resources when possible
|
|
82
|
+
- Regularly rotate your client secrets according to your security policies
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Secure your origin server with Azure Active Directory authentication by
|
|
2
|
+
automatically adding an `Authorization` header to upstream requests. This policy
|
|
3
|
+
enables your Zuplo gateway to authenticate with Azure AD-protected services
|
|
4
|
+
using client credentials flow.
|
|
5
|
+
|
|
6
|
+
With this policy, you'll benefit from:
|
|
7
|
+
|
|
8
|
+
- **Enhanced Backend Security**: Restrict access to your origin servers to only
|
|
9
|
+
your Zuplo gateway
|
|
10
|
+
- **Simplified Authentication**: Delegate authentication and authorization to
|
|
11
|
+
your gateway without backend code changes
|
|
12
|
+
- **Automatic Token Management**: Handle token acquisition, caching, and renewal
|
|
13
|
+
automatically
|
|
14
|
+
- **Azure Integration**: Seamlessly connect with Azure App Services, Functions,
|
|
15
|
+
and other Azure AD-protected resources
|
|
16
|
+
- **Credential Security**: Store sensitive Azure AD credentials securely in your
|
|
17
|
+
Zuplo environment
|
|
18
|
+
|
|
19
|
+
For instructions on configuring Azure AD authentication, see
|
|
20
|
+
[Configure your App Service or Azure Functions app to use Azure AD login](https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad).
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream Azure AD Service Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": false,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Uses Azure Active Directory to add an Authorization header to the request in order to authenticate requests using Azure identity.",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamAzureAdServiceAuthInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamAzureAdServiceAuthInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": [
|
|
36
|
+
"activeDirectoryTenantId",
|
|
37
|
+
"activeDirectoryClientId",
|
|
38
|
+
"activeDirectoryClientSecret"
|
|
39
|
+
],
|
|
40
|
+
"properties": {
|
|
41
|
+
"activeDirectoryTenantId": {
|
|
42
|
+
"type": "string",
|
|
43
|
+
"examples": ["b8e4141e-31f4-43e3-9a96-f97f3eba1eea"],
|
|
44
|
+
"description": "Azure Active Directory Tenant ID."
|
|
45
|
+
},
|
|
46
|
+
"activeDirectoryClientId": {
|
|
47
|
+
"type": "string",
|
|
48
|
+
"examples": ["20edbb34-13e9-42d0-a63c-1b6a0a20d02d"],
|
|
49
|
+
"description": "The Application (client) ID of the Azure AD App Registration."
|
|
50
|
+
},
|
|
51
|
+
"activeDirectoryClientSecret": {
|
|
52
|
+
"type": "string",
|
|
53
|
+
"examples": ["$env(ACTIVE_DIRECTORY_CLIENT_SECRET)"],
|
|
54
|
+
"description": "The client secret of the Azure AD App Registration."
|
|
55
|
+
},
|
|
56
|
+
"tokenRetries": {
|
|
57
|
+
"type": "number",
|
|
58
|
+
"default": 3,
|
|
59
|
+
"description": "The number of times to retry fetching the token in the event of a failure.."
|
|
60
|
+
},
|
|
61
|
+
"expirationOffsetSeconds": {
|
|
62
|
+
"type": "number",
|
|
63
|
+
"default": 300,
|
|
64
|
+
"description": "The number of seconds less than the token expiration to cache the token."
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
},
|
|
69
|
+
"examples": [
|
|
70
|
+
{
|
|
71
|
+
"export": "UpstreamAzureAdServiceAuthInboundPolicy",
|
|
72
|
+
"module": "$import(@zuplo/runtime)",
|
|
73
|
+
"options": {
|
|
74
|
+
"activeDirectoryClientId": "20edbb34-13e9-42d0-a63c-1b6a0a20d02d",
|
|
75
|
+
"activeDirectoryClientSecret": "$env(ACTIVE_DIRECTORY_CLIENT_SECRET)",
|
|
76
|
+
"activeDirectoryTenantId": "b8e4141e-31f4-43e3-9a96-f97f3eba1eea",
|
|
77
|
+
"expirationOffsetSeconds": 300,
|
|
78
|
+
"tokenRetries": 3
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
]
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
This policy adds a Firebase Admin token to the outgoing `Authentication` header
|
|
2
|
+
allowing requests to Firebase using Service Account admin permissions. This can
|
|
3
|
+
be useful for calling Firebase services such as Firestore through a Zuplo
|
|
4
|
+
endpoint that is secured with other means of Authentication such as API keys.
|
|
5
|
+
Additionally, this policy can be useful for service content to all API users
|
|
6
|
+
(for example serving a specific Firestore document containing configuration
|
|
7
|
+
data)
|
|
8
|
+
|
|
9
|
+
We recommend reading the `serviceAccountJson` from environment variables (so it
|
|
10
|
+
is not checked in to source control) using the `$env(ENV_VAR)` syntax.
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream Firebase Admin Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": false,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": false,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Creates a Firebase Admin token and attaches it to the outgoing request. Useful when calling Firebase services as an administrator.",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamFirebaseAdminAuthInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamFirebaseAdminAuthInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": ["serviceAccountJson"],
|
|
36
|
+
"properties": {
|
|
37
|
+
"serviceAccountJson": {
|
|
38
|
+
"type": "string",
|
|
39
|
+
"examples": ["$env(SERVICE_ACCOUNT_JSON)"],
|
|
40
|
+
"description": "The Google Service Account key in JSON format. Note you can load this from environment variables using the $env(ENV\\_VAR) syntax."
|
|
41
|
+
},
|
|
42
|
+
"tokenRetries": {
|
|
43
|
+
"type": "number",
|
|
44
|
+
"default": 3,
|
|
45
|
+
"description": "The number of times to retry fetching the token in the event of a failure."
|
|
46
|
+
},
|
|
47
|
+
"expirationOffsetSeconds": {
|
|
48
|
+
"type": "number",
|
|
49
|
+
"default": 300,
|
|
50
|
+
"description": "The number of seconds less than the token expiration to cache the token."
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
},
|
|
55
|
+
"examples": [
|
|
56
|
+
{
|
|
57
|
+
"export": "UpstreamFirebaseAdminAuthInboundPolicy",
|
|
58
|
+
"module": "$import(@zuplo/runtime)",
|
|
59
|
+
"options": {
|
|
60
|
+
"expirationOffsetSeconds": 300,
|
|
61
|
+
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)",
|
|
62
|
+
"tokenRetries": 3
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
]
|
|
66
|
+
}
|
|
67
|
+
}
|
|
68
|
+
}
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream Firebase User Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": false,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": false,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Creates a Firebase custom user token and attaches it to the outgoing request. Useful when calling Firebase services as user.",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamFirebaseUserAuthInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamFirebaseUserAuthInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": ["serviceAccountJson", "webApiKey"],
|
|
36
|
+
"properties": {
|
|
37
|
+
"serviceAccountJson": {
|
|
38
|
+
"type": "string",
|
|
39
|
+
"examples": ["$env(SERVICE_ACCOUNT_JSON)"],
|
|
40
|
+
"description": "The Google Service Account key in JSON format. Note you can load this from environment variables using the $env(ENV\\_VAR) syntax."
|
|
41
|
+
},
|
|
42
|
+
"userId": {
|
|
43
|
+
"type": "string",
|
|
44
|
+
"examples": ["1234"],
|
|
45
|
+
"description": "The userId to use as the custom token's subject."
|
|
46
|
+
},
|
|
47
|
+
"userIdPropertyPath": {
|
|
48
|
+
"type": "string",
|
|
49
|
+
"description": "The property on the incoming request.user object to retrieve the value of the userId."
|
|
50
|
+
},
|
|
51
|
+
"developerClaims": {
|
|
52
|
+
"type": "object",
|
|
53
|
+
"tsType": "Record<string, string | number | boolean | null>",
|
|
54
|
+
"additionalItems": {
|
|
55
|
+
"oneOf": [
|
|
56
|
+
{
|
|
57
|
+
"type": "string"
|
|
58
|
+
},
|
|
59
|
+
{
|
|
60
|
+
"type": "number"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"type": "boolean"
|
|
64
|
+
},
|
|
65
|
+
{
|
|
66
|
+
"type": "null"
|
|
67
|
+
}
|
|
68
|
+
]
|
|
69
|
+
},
|
|
70
|
+
"examples": [
|
|
71
|
+
{
|
|
72
|
+
"premium": true
|
|
73
|
+
}
|
|
74
|
+
],
|
|
75
|
+
"description": "Additional claims to include in the custom token's payload."
|
|
76
|
+
},
|
|
77
|
+
"webApiKey": {
|
|
78
|
+
"type": "string",
|
|
79
|
+
"examples": ["$env(WEB_API_KEY)"],
|
|
80
|
+
"description": "The Firebase Web API Key (found in project settings)"
|
|
81
|
+
},
|
|
82
|
+
"tokenRetries": {
|
|
83
|
+
"type": "number",
|
|
84
|
+
"default": 3,
|
|
85
|
+
"description": "The number of times to retry fetching the token in the event of a failure."
|
|
86
|
+
},
|
|
87
|
+
"expirationOffsetSeconds": {
|
|
88
|
+
"type": "number",
|
|
89
|
+
"default": 300,
|
|
90
|
+
"description": "The number of seconds less than the token expiration to cache the token."
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
},
|
|
95
|
+
"examples": [
|
|
96
|
+
{
|
|
97
|
+
"export": "UpstreamFirebaseUserAuthInboundPolicy",
|
|
98
|
+
"module": "$import(@zuplo/runtime)",
|
|
99
|
+
"options": {
|
|
100
|
+
"developerClaims": {
|
|
101
|
+
"premium": true
|
|
102
|
+
},
|
|
103
|
+
"expirationOffsetSeconds": 300,
|
|
104
|
+
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)",
|
|
105
|
+
"tokenRetries": 3,
|
|
106
|
+
"userId": "1234",
|
|
107
|
+
"webApiKey": "$env(WEB_API_KEY)"
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
]
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
}
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
Before you can use this policy, you will need to have configured the following:
|
|
2
|
+
|
|
3
|
+
- Setup Workload Identity Federation in your GCP project
|
|
4
|
+
- Create a GCP service account with the appropriate permissions.
|
|
5
|
+
|
|
6
|
+
### Setup GCP Workload Identity Federation
|
|
7
|
+
|
|
8
|
+
Setting up Workload Identity Federation for Zuplo follows the instructions for
|
|
9
|
+
setting up a standard OIDC Identity Provider. Refer to
|
|
10
|
+
[Google's Documentation for additional details](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure).
|
|
11
|
+
|
|
12
|
+
To begin, navigate to the
|
|
13
|
+
[Workload Identity page of Google Cloud Console](https://console.cloud.google.com/iam-admin/workload-identity-pools).
|
|
14
|
+
You will find this in the **IAM** section on the menu.
|
|
15
|
+
|
|
16
|
+
If you don't already have one, create a new Workload Identity Pool. Then create
|
|
17
|
+
a new provider and select **OpenID Connect** as the provider type.
|
|
18
|
+
|
|
19
|
+
Complete the following values in the form:
|
|
20
|
+
|
|
21
|
+
- **Provider name**: Any Value
|
|
22
|
+
- **Provider ID**: Any Value
|
|
23
|
+
- **Issuer (URL)**:
|
|
24
|
+
`https://dev.zuplo.com/v1/client-auth/auth_o8PUdhKxSTOiB794GWPwLQCD`
|
|
25
|
+
- **JWK File**: Do not set this value, GCP will perform automatic discovery of
|
|
26
|
+
the OAuth configuration.
|
|
27
|
+
- **Audiences**: Select "Default Audience"
|
|
28
|
+
|
|
29
|
+
Copy the URL value for the **Default Audience** and record it for later use.
|
|
30
|
+
|
|
31
|
+
Click **Continue** and set the follow provider attribute mappings.
|
|
32
|
+
|
|
33
|
+
- `google.subject` =>
|
|
34
|
+
`"zuplo::" + assertion.account + "::" + assertion.project + "::" + assertion.deployment`
|
|
35
|
+
- `attributes.account` => `assertion.account`
|
|
36
|
+
- `attributes.project` => `assertion.project`
|
|
37
|
+
- `attributes.deployment` => `assertion.deployment`
|
|
38
|
+
|
|
39
|
+
You can read about all the claims in the
|
|
40
|
+
[Zuplo Identity Token](https://zuplo.com/docs/articles/zuplo-id-token)
|
|
41
|
+
documentation.
|
|
42
|
+
|
|
43
|
+
Set **Attribute Conditions**
|
|
44
|
+
|
|
45
|
+
:::caution Important Security Step
|
|
46
|
+
|
|
47
|
+
It is critical that you set at minimum the `attribute.account == "my-account"`
|
|
48
|
+
attribute condition. Without this restriction ANY Zuplo API would be able to
|
|
49
|
+
call your resources.
|
|
50
|
+
|
|
51
|
+
:::
|
|
52
|
+
|
|
53
|
+
Set the attribute conditions you want to use to restrict access to this Workload
|
|
54
|
+
Identity Pool. Generally, you only need to set this to restrict the account. You
|
|
55
|
+
will use IAM bindings to grant specific permissions in later steps.
|
|
56
|
+
|
|
57
|
+
To set the account condition set the following value.
|
|
58
|
+
|
|
59
|
+
```
|
|
60
|
+
attribute.account == "my-account"
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
If you want to set further conditions, you can do so as desired, for example to
|
|
64
|
+
restrict access to all environments in a project set the following.
|
|
65
|
+
|
|
66
|
+
```txt
|
|
67
|
+
attribute.account == "my-account" && attribute.project == "my-project"
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
### Create a Service Account
|
|
71
|
+
|
|
72
|
+
You Zuplo Identity Token will be granted access to act as if it where a service
|
|
73
|
+
account in your Google project. As such, you will need to create a service
|
|
74
|
+
account.
|
|
75
|
+
|
|
76
|
+
You can do so in the Google console or using the Google CLI:
|
|
77
|
+
|
|
78
|
+
```shell
|
|
79
|
+
gcloud iam service-accounts create zuplo-api \
|
|
80
|
+
–-description="zuplo api sa" \
|
|
81
|
+
–-display-name="zuplo-api"
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
Next you need to create role binding for the Zuplo principal to impersonate the
|
|
85
|
+
service account:
|
|
86
|
+
|
|
87
|
+
- `SERVICE_ACCOUNT_EMAIL` is the email address of the service account.
|
|
88
|
+
- `PROJECT_NUMBER` is your numeric Google project number.
|
|
89
|
+
- `POOL_ID` is the id of the Workload Identity Pool you created earlier, for
|
|
90
|
+
example `zuplo-pool`.
|
|
91
|
+
- `SUBJECT` is the same the concatenated value we set to the value of
|
|
92
|
+
`google.subject` earlier. For example,
|
|
93
|
+
`zuplo::my-account::my-project::my-deployment-1235`
|
|
94
|
+
|
|
95
|
+
```shell
|
|
96
|
+
gcloud iam service-accounts add-iam-policy-binding $SERVICE_ACCOUNT_EMAIL \
|
|
97
|
+
--role roles/iam.workloadIdentityUser \
|
|
98
|
+
--member "principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/$SUBJECT
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
Finally, grant your service account the permissions desired. For example, to
|
|
102
|
+
invoke Cloud Run services grant the `roles/run.invoker`
|
|
103
|
+
|
|
104
|
+
- `SERVICE_ACCOUNT_EMAIL` is the email address of the service account.
|
|
105
|
+
- `SERVICE_NAME` is the name of your Cloud Run service.
|
|
106
|
+
|
|
107
|
+
```shell
|
|
108
|
+
gcloud run services add-iam-policy-binding $SERVICE_NAME
|
|
109
|
+
--member-"serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
|
|
110
|
+
--role="roles/run.invoker"
|
|
111
|
+
```
|
|
112
|
+
|
|
113
|
+
### Set the Policy Options
|
|
114
|
+
|
|
115
|
+
With GCP Workload Federation setup, you can add the policy to your Zuplo API.
|
|
116
|
+
|
|
117
|
+
- `audience`: Set this to the resource you are planning to call, for example,
|
|
118
|
+
the Cloud Run URL.
|
|
119
|
+
- `serviceAccountEmail` - Set this value to the email address of the service
|
|
120
|
+
account previously created.
|
|
121
|
+
- `workloadIdentityProvider` - Set this to the value that was copied when
|
|
122
|
+
setting up your Workload Identity Pool (called **Default Audience**). Remove
|
|
123
|
+
the beginning `https://iam.googleapis.com/` part of the string.
|
|
124
|
+
|
|
125
|
+
```json
|
|
126
|
+
{
|
|
127
|
+
"name": "gcp-federated-auth",
|
|
128
|
+
"policyType": "upstream-gcp-federated-auth-inbound-policy",
|
|
129
|
+
"handler": {
|
|
130
|
+
"module": "$import(@zuplo/runtime)",
|
|
131
|
+
"export": "UpstreamGcpFederatedAuthInboundPolicy",
|
|
132
|
+
"options": {
|
|
133
|
+
"audience": "https://test-basic-vhpkl3cvtq-uc.a.run.app",
|
|
134
|
+
"serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
|
|
135
|
+
"workloadIdentityProvider": "projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
```
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
This policy allows you to delegate authentication and authorization to your
|
|
2
|
+
gateway without writing any code on your origin service by adding an
|
|
3
|
+
authentication token to outgoing header allowing the service to be secured with
|
|
4
|
+
GCP IAM.
|
|
5
|
+
|
|
6
|
+
The tokens are issued using Zuplo's internal OAuth services and exchanged with
|
|
7
|
+
GCP using
|
|
8
|
+
[Workflow Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation).
|
|
9
|
+
This allows you to authenticate your Zuplo API to your origin without saving any
|
|
10
|
+
secrets in Zuplo.
|
|
11
|
+
|
|
12
|
+
This is a useful means of securing your origin server so that only your Zuplo
|
|
13
|
+
gateway can make requests against it.
|
|
14
|
+
|
|
15
|
+
This policy works with
|
|
16
|
+
[GCP Identity Aware Proxy](https://zuplo.com/docs/articles/gke-with-upstream-auth-policy)
|
|
17
|
+
or services like [Cloud Run](https://cloud.google.com/iap/docs/managing-access)
|
|
18
|
+
that natively support IAM authorization.
|
|
19
|
+
|
|
20
|
+
For information on how Google's service based auth works see
|
|
21
|
+
[Authenticating for invocation](https://cloud.google.com/functions/docs/securing/authenticating)
|