zuplo 6.72.2 → 6.72.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (61) hide show
  1. package/docs/analytics/access-and-entitlements.md +27 -34
  2. package/docs/analytics/overview.md +7 -6
  3. package/docs/analytics/reference/url-parameters.md +2 -10
  4. package/docs/analytics/shared-controls.md +3 -10
  5. package/docs/analytics/tabs/agents.md +3 -3
  6. package/docs/analytics/tabs/requests.md +2 -4
  7. package/docs/articles/accounts/audit-logs.mdx +4 -4
  8. package/docs/articles/audit-logging.mdx +65 -0
  9. package/docs/articles/audit-logs.mdx +222 -0
  10. package/docs/articles/connect-to-aws-alb-with-mtls.mdx +89 -13
  11. package/docs/articles/{custom-audit-log-policy.mdx → custom-audit-logs.mdx} +26 -22
  12. package/docs/articles/graphql-security.mdx +2 -1
  13. package/docs/articles/graphql.mdx +8 -0
  14. package/docs/articles/opentelemetry.mdx +7 -5
  15. package/docs/articles/securing-backend-mtls.mdx +92 -3
  16. package/docs/articles/troubleshooting-slow-responses.mdx +4 -3
  17. package/docs/articles/troubleshooting.md +3 -1
  18. package/docs/policies/_index.md +3 -0
  19. package/docs/policies/audit-log-inbound/doc.md +16 -11
  20. package/docs/policies/authzen-inbound/schema.json +1 -1
  21. package/docs/policies/axiomatics-authz-inbound/schema.json +1 -1
  22. package/docs/policies/clerk-jwt-auth-inbound/schema.json +3 -3
  23. package/docs/policies/mcp-auth0-oauth-inbound/schema.json +8 -5
  24. package/docs/policies/mcp-clerk-oauth-inbound/schema.json +78 -0
  25. package/docs/policies/mcp-cognito-oauth-inbound/schema.json +78 -0
  26. package/docs/policies/mcp-entra-oauth-inbound/schema.json +78 -0
  27. package/docs/policies/mcp-google-oauth-inbound/schema.json +78 -0
  28. package/docs/policies/mcp-keycloak-oauth-inbound/schema.json +78 -0
  29. package/docs/policies/mcp-logto-oauth-inbound/schema.json +78 -0
  30. package/docs/policies/mcp-oauth-inbound/schema.json +8 -5
  31. package/docs/policies/mcp-okta-oauth-inbound/schema.json +78 -0
  32. package/docs/policies/mcp-onelogin-oauth-inbound/schema.json +78 -0
  33. package/docs/policies/mcp-ping-oauth-inbound/schema.json +78 -0
  34. package/docs/policies/mcp-token-exchange-inbound/doc.md +72 -4
  35. package/docs/policies/mcp-token-exchange-inbound/intro.md +5 -4
  36. package/docs/policies/mcp-token-exchange-inbound/schema.json +277 -2
  37. package/docs/policies/mcp-workos-oauth-inbound/schema.json +78 -0
  38. package/docs/policies/mtls-auth-inbound/intro.md +52 -5
  39. package/docs/policies/okta-fga-authz-inbound/schema.json +1 -1
  40. package/docs/policies/open-id-jwt-auth-inbound/schema.json +3 -3
  41. package/docs/policies/openfga-authz-inbound/schema.json +1 -1
  42. package/docs/policies/propel-auth-jwt-inbound/schema.json +3 -3
  43. package/docs/policies/require-user-claims-inbound/doc.md +120 -0
  44. package/docs/policies/require-user-claims-inbound/intro.md +9 -0
  45. package/docs/policies/require-user-claims-inbound/schema.json +1323 -0
  46. package/docs/policies/semantic-cache-inbound/schema.json +1 -1
  47. package/docs/policies/upstream-aws-federated-auth-inbound/doc.md +78 -0
  48. package/docs/policies/upstream-aws-federated-auth-inbound/intro.md +20 -0
  49. package/docs/policies/upstream-aws-federated-auth-inbound/schema.json +98 -0
  50. package/docs/policies/upstream-aws-service-auth-inbound/doc.md +89 -0
  51. package/docs/policies/upstream-aws-service-auth-inbound/intro.md +19 -0
  52. package/docs/policies/upstream-aws-service-auth-inbound/schema.json +113 -0
  53. package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +4 -4
  54. package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +2 -2
  55. package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +5 -5
  56. package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +3 -3
  57. package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +3 -3
  58. package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +19 -0
  59. package/docs/programmable-api/overview.mdx +0 -7
  60. package/package.json +4 -4
  61. package/docs/programmable-api/audit-log.mdx +0 -74
@@ -0,0 +1,120 @@
1
+ ## Overview
2
+
3
+ The `require-user-claims-inbound` policy authorizes requests by evaluating a
4
+ rule against the claims of the authenticated user (`request.user`). It
5
+ separates authentication from authorization: an authentication policy — a JWT
6
+ policy such as `open-id-jwt-auth-inbound`, API key auth, mTLS, or any other —
7
+ proves _who_ the caller is; this policy then decides _what_ they may call.
8
+
9
+ Typical uses:
10
+
11
+ - Pin a route to specific caller identities — service accounts, OAuth clients,
12
+ or workload identities — by allowlisting the `sub` and/or `email` claims.
13
+ - Require an exact value on any claim, including nested claims (for example an
14
+ AWS STS token's `lambda_source_function_arn` under the
15
+ `https://sts.amazonaws.com/` namespace).
16
+ - Match prefixes with `startsWith`, for example AWS assumed-role subjects like
17
+ `arn:aws:sts::123456789012:assumed-role/my-role/<session>` where the session
18
+ name varies.
19
+ - Require membership in a group or role carried in an array-valued claim.
20
+
21
+ ## Configuration
22
+
23
+ ```json
24
+ {
25
+ "name": "require-known-agents",
26
+ "policyType": "require-user-claims-inbound",
27
+ "handler": {
28
+ "module": "$import(@zuplo/runtime)",
29
+ "export": "RequireUserClaimsInboundPolicy",
30
+ "options": {
31
+ "rule": {
32
+ "or": [
33
+ {
34
+ "claim": "sub",
35
+ "in": [
36
+ "ci-deployer@my-project.iam.gserviceaccount.com",
37
+ "112233445566778899000"
38
+ ]
39
+ },
40
+ {
41
+ "claim": "email",
42
+ "eq": "ci-deployer@my-project.iam.gserviceaccount.com"
43
+ }
44
+ ]
45
+ }
46
+ }
47
+ }
48
+ }
49
+ ```
50
+
51
+ This policy must run **after** an authentication policy that populates
52
+ `request.user`. If no authenticated user is present on the request, the policy
53
+ returns `401 Unauthorized`. If the rule evaluates to false, it returns
54
+ `403 Forbidden`.
55
+
56
+ ## Rules
57
+
58
+ A rule is either a single claim check or an `and`/`or` combination of nested
59
+ rules (`and`/`or` may nest up to three levels deep; a claim check may appear at
60
+ any level):
61
+
62
+ - `{ "and": [rule, ...] }` — every nested rule must pass.
63
+ - `{ "or": [rule, ...] }` — at least one nested rule must pass.
64
+ - `{ "claim": <claim>, "eq": value }` — the claim equals the value.
65
+ - `{ "claim": <claim>, "in": [value, ...] }` — the claim equals any listed
66
+ value.
67
+ - `{ "claim": <claim>, "startsWith": "prefix" }` — the claim is a string
68
+ starting with the prefix.
69
+
70
+ Each claim check uses exactly one operator. To combine operators on the same
71
+ claim, use `and`/`or` with one check per operator.
72
+
73
+ ### Selecting claims
74
+
75
+ Claims are read from the authenticated user's data (`request.user.data`), which
76
+ is set by whichever authentication policy ran before this one. For a JWT auth
77
+ policy this is the full decoded token payload; for API key auth it is the key's
78
+ metadata.
79
+
80
+ `claim` is a light JSON-path selector:
81
+
82
+ - **Dot notation** addresses top-level and nested claims — `email`,
83
+ `address.country`.
84
+ - **Bracket notation** with quotes addresses claim names that contain dots or
85
+ slashes (namespaced claims), which dot notation cannot express —
86
+ `['https://example.com/roles']`, or nested:
87
+ `['https://sts.amazonaws.com/']['lambda_source_function_arn']`. Single or
88
+ double quotes both work; single quotes avoid backslash-escaping when the
89
+ selector is written in a JSON `policies.json`. The two notations may be
90
+ mixed, e.g. `realm_access['some.key']`.
91
+ - `sub` falls back to `request.user.sub` when the user data has no `sub`
92
+ property, so subject checks also work with authentication policies that only
93
+ set the subject (for example API key authentication).
94
+
95
+ ### Evaluation semantics
96
+
97
+ Every check fails closed:
98
+
99
+ - A missing claim never matches.
100
+ - Object-valued claims never match.
101
+ - Comparisons are strict and type-sensitive: the string `"42"` does not equal
102
+ the number `42`. Note that Google-issued tokens carry `sub` as a string of
103
+ digits, and `$env(...)` substitution always produces strings — quote numeric
104
+ values accordingly.
105
+ - `startsWith` only matches string claim values, and an empty prefix is
106
+ rejected as a configuration error.
107
+ - When a claim value is an **array** (for example `groups` or `roles`), a check
108
+ passes if **any element** satisfies the operator.
109
+
110
+ Denied responses never echo claim values or expected values. The failing claim
111
+ checks and the caller's `sub` are written to the request log instead.
112
+
113
+ ## Related policies
114
+
115
+ - [Open ID JWT Auth](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) —
116
+ verifies token signature, issuer, and audience, and populates
117
+ `request.user`.
118
+ - [JWT Scope Validation](https://zuplo.com/docs/policies/jwt-scopes-inbound) —
119
+ requires that the space-delimited `scope` claim contains **all** configured
120
+ scopes; use it for OAuth scope enforcement.
@@ -0,0 +1,9 @@
1
+ Authorize requests by validating claims on the authenticated user against a
2
+ configurable rule — allowlists (`in`), exact values (`eq`), and prefixes
3
+ (`startsWith`), combined with `and`/`or`.
4
+
5
+ Run this policy after any authentication policy (for example Open ID JWT Auth
6
+ or one of its provider-specific variants): the authentication policy proves
7
+ _who_ the caller is, and this policy decides _what_ they may call — for
8
+ example, pinning a route to specific service accounts, OAuth clients, tenants,
9
+ or groups without writing custom code.