zuplo 6.72.2 → 6.72.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/docs/analytics/access-and-entitlements.md +27 -34
- package/docs/analytics/overview.md +7 -6
- package/docs/analytics/reference/url-parameters.md +2 -10
- package/docs/analytics/shared-controls.md +3 -10
- package/docs/analytics/tabs/agents.md +3 -3
- package/docs/analytics/tabs/requests.md +2 -4
- package/docs/articles/accounts/audit-logs.mdx +4 -4
- package/docs/articles/audit-logging.mdx +65 -0
- package/docs/articles/audit-logs.mdx +222 -0
- package/docs/articles/connect-to-aws-alb-with-mtls.mdx +89 -13
- package/docs/articles/{custom-audit-log-policy.mdx → custom-audit-logs.mdx} +26 -22
- package/docs/articles/graphql-security.mdx +2 -1
- package/docs/articles/graphql.mdx +8 -0
- package/docs/articles/opentelemetry.mdx +7 -5
- package/docs/articles/securing-backend-mtls.mdx +92 -3
- package/docs/articles/troubleshooting-slow-responses.mdx +4 -3
- package/docs/articles/troubleshooting.md +3 -1
- package/docs/policies/_index.md +3 -0
- package/docs/policies/audit-log-inbound/doc.md +16 -11
- package/docs/policies/authzen-inbound/schema.json +1 -1
- package/docs/policies/axiomatics-authz-inbound/schema.json +1 -1
- package/docs/policies/clerk-jwt-auth-inbound/schema.json +3 -3
- package/docs/policies/mcp-auth0-oauth-inbound/schema.json +8 -5
- package/docs/policies/mcp-clerk-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-cognito-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-entra-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-google-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-keycloak-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-logto-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-oauth-inbound/schema.json +8 -5
- package/docs/policies/mcp-okta-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-onelogin-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-ping-oauth-inbound/schema.json +78 -0
- package/docs/policies/mcp-token-exchange-inbound/doc.md +72 -4
- package/docs/policies/mcp-token-exchange-inbound/intro.md +5 -4
- package/docs/policies/mcp-token-exchange-inbound/schema.json +277 -2
- package/docs/policies/mcp-workos-oauth-inbound/schema.json +78 -0
- package/docs/policies/mtls-auth-inbound/intro.md +52 -5
- package/docs/policies/okta-fga-authz-inbound/schema.json +1 -1
- package/docs/policies/open-id-jwt-auth-inbound/schema.json +3 -3
- package/docs/policies/openfga-authz-inbound/schema.json +1 -1
- package/docs/policies/propel-auth-jwt-inbound/schema.json +3 -3
- package/docs/policies/require-user-claims-inbound/doc.md +120 -0
- package/docs/policies/require-user-claims-inbound/intro.md +9 -0
- package/docs/policies/require-user-claims-inbound/schema.json +1323 -0
- package/docs/policies/semantic-cache-inbound/schema.json +1 -1
- package/docs/policies/upstream-aws-federated-auth-inbound/doc.md +78 -0
- package/docs/policies/upstream-aws-federated-auth-inbound/intro.md +20 -0
- package/docs/policies/upstream-aws-federated-auth-inbound/schema.json +98 -0
- package/docs/policies/upstream-aws-service-auth-inbound/doc.md +89 -0
- package/docs/policies/upstream-aws-service-auth-inbound/intro.md +19 -0
- package/docs/policies/upstream-aws-service-auth-inbound/schema.json +113 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +4 -4
- package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +2 -2
- package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +5 -5
- package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +3 -3
- package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +3 -3
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +19 -0
- package/docs/programmable-api/overview.mdx +0 -7
- package/package.json +4 -4
- package/docs/programmable-api/audit-log.mdx +0 -74
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
## Overview
|
|
2
|
+
|
|
3
|
+
The `require-user-claims-inbound` policy authorizes requests by evaluating a
|
|
4
|
+
rule against the claims of the authenticated user (`request.user`). It
|
|
5
|
+
separates authentication from authorization: an authentication policy — a JWT
|
|
6
|
+
policy such as `open-id-jwt-auth-inbound`, API key auth, mTLS, or any other —
|
|
7
|
+
proves _who_ the caller is; this policy then decides _what_ they may call.
|
|
8
|
+
|
|
9
|
+
Typical uses:
|
|
10
|
+
|
|
11
|
+
- Pin a route to specific caller identities — service accounts, OAuth clients,
|
|
12
|
+
or workload identities — by allowlisting the `sub` and/or `email` claims.
|
|
13
|
+
- Require an exact value on any claim, including nested claims (for example an
|
|
14
|
+
AWS STS token's `lambda_source_function_arn` under the
|
|
15
|
+
`https://sts.amazonaws.com/` namespace).
|
|
16
|
+
- Match prefixes with `startsWith`, for example AWS assumed-role subjects like
|
|
17
|
+
`arn:aws:sts::123456789012:assumed-role/my-role/<session>` where the session
|
|
18
|
+
name varies.
|
|
19
|
+
- Require membership in a group or role carried in an array-valued claim.
|
|
20
|
+
|
|
21
|
+
## Configuration
|
|
22
|
+
|
|
23
|
+
```json
|
|
24
|
+
{
|
|
25
|
+
"name": "require-known-agents",
|
|
26
|
+
"policyType": "require-user-claims-inbound",
|
|
27
|
+
"handler": {
|
|
28
|
+
"module": "$import(@zuplo/runtime)",
|
|
29
|
+
"export": "RequireUserClaimsInboundPolicy",
|
|
30
|
+
"options": {
|
|
31
|
+
"rule": {
|
|
32
|
+
"or": [
|
|
33
|
+
{
|
|
34
|
+
"claim": "sub",
|
|
35
|
+
"in": [
|
|
36
|
+
"ci-deployer@my-project.iam.gserviceaccount.com",
|
|
37
|
+
"112233445566778899000"
|
|
38
|
+
]
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
"claim": "email",
|
|
42
|
+
"eq": "ci-deployer@my-project.iam.gserviceaccount.com"
|
|
43
|
+
}
|
|
44
|
+
]
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
This policy must run **after** an authentication policy that populates
|
|
52
|
+
`request.user`. If no authenticated user is present on the request, the policy
|
|
53
|
+
returns `401 Unauthorized`. If the rule evaluates to false, it returns
|
|
54
|
+
`403 Forbidden`.
|
|
55
|
+
|
|
56
|
+
## Rules
|
|
57
|
+
|
|
58
|
+
A rule is either a single claim check or an `and`/`or` combination of nested
|
|
59
|
+
rules (`and`/`or` may nest up to three levels deep; a claim check may appear at
|
|
60
|
+
any level):
|
|
61
|
+
|
|
62
|
+
- `{ "and": [rule, ...] }` — every nested rule must pass.
|
|
63
|
+
- `{ "or": [rule, ...] }` — at least one nested rule must pass.
|
|
64
|
+
- `{ "claim": <claim>, "eq": value }` — the claim equals the value.
|
|
65
|
+
- `{ "claim": <claim>, "in": [value, ...] }` — the claim equals any listed
|
|
66
|
+
value.
|
|
67
|
+
- `{ "claim": <claim>, "startsWith": "prefix" }` — the claim is a string
|
|
68
|
+
starting with the prefix.
|
|
69
|
+
|
|
70
|
+
Each claim check uses exactly one operator. To combine operators on the same
|
|
71
|
+
claim, use `and`/`or` with one check per operator.
|
|
72
|
+
|
|
73
|
+
### Selecting claims
|
|
74
|
+
|
|
75
|
+
Claims are read from the authenticated user's data (`request.user.data`), which
|
|
76
|
+
is set by whichever authentication policy ran before this one. For a JWT auth
|
|
77
|
+
policy this is the full decoded token payload; for API key auth it is the key's
|
|
78
|
+
metadata.
|
|
79
|
+
|
|
80
|
+
`claim` is a light JSON-path selector:
|
|
81
|
+
|
|
82
|
+
- **Dot notation** addresses top-level and nested claims — `email`,
|
|
83
|
+
`address.country`.
|
|
84
|
+
- **Bracket notation** with quotes addresses claim names that contain dots or
|
|
85
|
+
slashes (namespaced claims), which dot notation cannot express —
|
|
86
|
+
`['https://example.com/roles']`, or nested:
|
|
87
|
+
`['https://sts.amazonaws.com/']['lambda_source_function_arn']`. Single or
|
|
88
|
+
double quotes both work; single quotes avoid backslash-escaping when the
|
|
89
|
+
selector is written in a JSON `policies.json`. The two notations may be
|
|
90
|
+
mixed, e.g. `realm_access['some.key']`.
|
|
91
|
+
- `sub` falls back to `request.user.sub` when the user data has no `sub`
|
|
92
|
+
property, so subject checks also work with authentication policies that only
|
|
93
|
+
set the subject (for example API key authentication).
|
|
94
|
+
|
|
95
|
+
### Evaluation semantics
|
|
96
|
+
|
|
97
|
+
Every check fails closed:
|
|
98
|
+
|
|
99
|
+
- A missing claim never matches.
|
|
100
|
+
- Object-valued claims never match.
|
|
101
|
+
- Comparisons are strict and type-sensitive: the string `"42"` does not equal
|
|
102
|
+
the number `42`. Note that Google-issued tokens carry `sub` as a string of
|
|
103
|
+
digits, and `$env(...)` substitution always produces strings — quote numeric
|
|
104
|
+
values accordingly.
|
|
105
|
+
- `startsWith` only matches string claim values, and an empty prefix is
|
|
106
|
+
rejected as a configuration error.
|
|
107
|
+
- When a claim value is an **array** (for example `groups` or `roles`), a check
|
|
108
|
+
passes if **any element** satisfies the operator.
|
|
109
|
+
|
|
110
|
+
Denied responses never echo claim values or expected values. The failing claim
|
|
111
|
+
checks and the caller's `sub` are written to the request log instead.
|
|
112
|
+
|
|
113
|
+
## Related policies
|
|
114
|
+
|
|
115
|
+
- [Open ID JWT Auth](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) —
|
|
116
|
+
verifies token signature, issuer, and audience, and populates
|
|
117
|
+
`request.user`.
|
|
118
|
+
- [JWT Scope Validation](https://zuplo.com/docs/policies/jwt-scopes-inbound) —
|
|
119
|
+
requires that the space-delimited `scope` claim contains **all** configured
|
|
120
|
+
scopes; use it for OAuth scope enforcement.
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
Authorize requests by validating claims on the authenticated user against a
|
|
2
|
+
configurable rule — allowlists (`in`), exact values (`eq`), and prefixes
|
|
3
|
+
(`startsWith`), combined with `and`/`or`.
|
|
4
|
+
|
|
5
|
+
Run this policy after any authentication policy (for example Open ID JWT Auth
|
|
6
|
+
or one of its provider-specific variants): the authentication policy proves
|
|
7
|
+
_who_ the caller is, and this policy decides _what_ they may call — for
|
|
8
|
+
example, pinning a route to specific service accounts, OAuth clients, tenants,
|
|
9
|
+
or groups without writing custom code.
|