# Source: github.com/avenga/couper@v1.12.2/server/testdata/integration/config/03_couper.hcl
#
# Integration-test fixture (it lives under server/testdata/integration/config).
# It exercises how access controls listed on the server, api and endpoint
# levels combine, and how jwt definitions pick up and verify tokens.
#
# Every password and key in this file is a fixed test value. Do not copy them
# into a deployed configuration; load real secrets from the environment or
# from files kept outside version control.

server "acs" {
  # "ba1" is listed at server level. Each api/endpoint block below either
  # keeps it, adds further controls, or names it in disable_access_control.
  access_control = ["ba1"]
  error_file     = "../api_error.json"

  # /v1: ba1 is disabled for the whole api, so nothing guards these routes.
  api {
    base_path              = "/v1"
    disable_access_control = ["ba1"]
    endpoint "/**" {
      # access_control = ["ba1"] # not possible atm TODO: spec
      proxy {
        backend "test" {
          set_request_headers = {
            auth = ["ba1"]
          }
        }
      }
    }
  }

  # /v2: ba2 is listed in addition to the server-level ba1.
  api {
    base_path      = "/v2"
    access_control = ["ba2"]
    endpoint "/**" {
      proxy {
        backend "test" {
          set_request_headers = {
            auth = ["ba1", "ba2"]
            # The client's Authorization header is set again explicitly here;
            # presumably the proxy would otherwise drop it - confirm.
            Authorization = request.headers.authorization # proxy blacklist
          }
        }
      }
    }
  }

  # /v3: the endpoint lists ba3 and then disables ba1, ba2 and ba3, i.e. every
  # control named on the server, api and endpoint levels. Presumably this is
  # the case where the endpoint ends up with no access control at all - confirm
  # against the test that uses it.
  api {
    base_path      = "/v3"
    access_control = ["ba2"]
    endpoint "/**" {
      access_control         = ["ba3"]
      disable_access_control = ["ba1", "ba2", "ba3"]
      proxy {
        backend = "test"
      }
    }
  }

  api {
    base_path      = "/v4"
    access_control = ["ba2"]
    endpoint "/**" {
      error_file = "../server_error.html" # error_file in endpoint
      proxy {
        backend = "test"
      }
    }
  }

  # /v5: CORS allows any origin. Acceptable in a fixture; a wildcard origin on
  # an authenticated api deserves a review in a real configuration.
  api {
    base_path      = "/v5"
    access_control = ["ba2"]
    cors {
      allowed_origins = ["*"]
    }
    endpoint "/exists" {
      response {
        body = "exists"
      }
    }
  }

  endpoint "/status" {
    disable_access_control = ["ba1"]
    proxy {
      backend = "test"
    }
  }

  endpoint "/superadmin" {
    access_control = ["ba4"]
    proxy {
      backend "test" {
        set_request_headers = {
          auth          = ["ba1", "ba4"]
          Authorization = request.headers.authorization # proxy blacklist
        }
      }
    }
  }

  # /ba5: the authenticated basic-auth user name is copied into a request
  # header towards the backend and into a response header towards the client.
  endpoint "/ba5" {
    access_control         = ["ba5"]
    disable_access_control = ["ba1"]
    proxy {
      backend "test" {
        set_request_headers = {
          X-Ba-User     = request.context.ba5.user
          Authorization = request.headers.authorization # proxy blacklist
        }
        set_response_headers = {
          X-BA-User = request.context.ba5.user
        }
      }
    }
  }

  # --- JWT endpoints ---------------------------------------------------------
  # Each endpoint below swaps ba1 for exactly one jwt definition. Where a
  # response sets x-jwt-sub or x-granted-permissions, values taken from the
  # verified token are echoed back so that a test can observe them.

  endpoint "/jwt" {
    disable_access_control = ["ba1"]
    access_control         = ["JWTToken"]
    response {
      headers = {
        x-jwt-sub             = request.context.JWTToken.sub
        x-granted-permissions = json_encode(request.context.granted_permissions)
      }
    }
  }

  endpoint "/jwt/cookie" {
    disable_access_control = ["ba1"]
    access_control         = ["JWTTokenCookie"]
    response {}
  }

  endpoint "/jwt/header" {
    disable_access_control = ["ba1"]
    access_control         = ["JWTTokenHeader"]
    response {}
  }

  endpoint "/jwt/header/auth" {
    disable_access_control = ["ba1"]
    access_control         = ["JWTTokenHeaderAuth"]
    response {}
  }

  endpoint "/jwt/tokenValue" {
    disable_access_control = ["ba1"]
    access_control         = ["JWTTokenTokenValue"]
    response {}
  }

  endpoint "/jwt/token_value_query" {
    disable_access_control = ["ba1"]
    access_control         = ["JWT_token_value_query"]
    response {
      headers = {
        x-jwt-sub             = request.context.JWT_token_value_query.sub
        x-granted-permissions = json_encode(request.context.granted_permissions)
      }
    }
  }

  endpoint "/jwt/token_value_body" {
    disable_access_control = ["ba1"]
    access_control         = ["JWT_token_value_body"]
    response {
      headers = {
        x-jwt-sub             = request.context.JWT_token_value_body.sub
        x-granted-permissions = json_encode(request.context.granted_permissions)
      }
    }
  }

  endpoint "/jwt/rsa" {
    disable_access_control = ["ba1"]
    access_control         = ["RSAToken"]
    response {
      headers = {
        x-jwt-sub = request.context.RSAToken.sub
      }
    }
  }

  endpoint "/jwt/rsa/pkcs1" {
    disable_access_control = ["ba1"]
    access_control         = ["RSAToken1"]
    response {
      headers = {
        x-jwt-sub = request.context.RSAToken1.sub
      }
    }
  }

  endpoint "/jwt/rsa/pkcs8" {
    disable_access_control = ["ba1"]
    access_control         = ["RSAToken8"]
    response {
      headers = {
        x-jwt-sub = request.context.RSAToken8.sub
      }
    }
  }

  # Guarded by a definition whose signature_algorithm (RS384) differs from the
  # RS256 used by RSAToken on the same key file - presumably the rejection path.
  endpoint "/jwt/rsa/bad" {
    disable_access_control = ["ba1"]
    access_control         = ["RSATokenWrongAlgorithm"]
    response {
      headers = {
        x-jwt-sub = request.context.RSATokenWrongAlgorithm.sub
      }
    }
  }

  endpoint "/jwt/ecdsa" {
    disable_access_control = ["ba1"]
    access_control         = ["ECDSAToken"]
    response {
      headers = {
        x-jwt-sub = request.context.ECDSAToken.sub
      }
    }
  }

  endpoint "/jwt/ecdsa8" {
    disable_access_control = ["ba1"]
    access_control         = ["ECDSAToken8"]
    response {
      headers = {
        x-jwt-sub = request.context.ECDSAToken8.sub
      }
    }
  }

  # Same idea as /jwt/rsa/bad: ES384 configured against the ES256 key file.
  endpoint "/jwt/ecdsa/bad" {
    disable_access_control = ["ba1"]
    access_control         = ["ECDSATokenWrongAlgorithm"]
    response {
      headers = {
        x-jwt-sub = request.context.ECDSATokenWrongAlgorithm.sub
      }
    }
  }

  # --- JWKS endpoints --------------------------------------------------------

  endpoint "/jwks/rsa" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKS"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKS.sub
      }
    }
  }

  endpoint "/jwks/ecdsa" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKS"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKS.sub
      }
    }
  }

  endpoint "/jwks/rsa/scope" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKS_scope"]
    response {
      headers = {
        x-jwt-sub             = request.context.JWKS_scope.sub
        x-granted-permissions = json_encode(request.context.granted_permissions)
      }
    }
  }

  # The key set URL of JWKS_not_found points at "/not.found" - presumably the
  # case where the key set cannot be loaded and the request must be denied.
  endpoint "/jwks/rsa/not_found" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKS_not_found"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKS_not_found.sub
      }
    }
  }

  endpoint "/jwks/rsa/remote" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKSRemote"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKSRemote.sub
      }
    }
  }
  endpoint "/jwks/rsa/backend" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKSBackend"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKSBackend.sub
      }
    }
  }
  endpoint "/jwks/rsa/backendref" {
    disable_access_control = ["ba1"]
    access_control         = ["JWKSBackendRef"]
    response {
      headers = {
        x-jwt-sub = request.context.JWKSBackendRef.sub
      }
    }
  }

  # Token-minting helper for the tests: ba1 is disabled and no other control is
  # listed, and the signing profile name comes straight from the "type" query
  # parameter. Among the definitions in this file only ECDSAToken carries
  # signing_ttl / signing_key_file. An unauthenticated signing endpoint like
  # this belongs in test fixtures only.
  endpoint "/jwt/create" {
    disable_access_control = ["ba1"]
    response {
      body = jwt_sign(request.query.type[0], {"sub":1234567890})
    }
  }
}

definitions {
  # ba1..ba4 set a password only (no user) and all share the same value.
  basic_auth "ba1" {
    password = "asdf"
  }
  basic_auth "ba2" {
    password = "asdf"
  }
  basic_auth "ba3" {
    password = "asdf"
  }
  basic_auth "ba4" {
    password = "asdf"
  }
  basic_auth "ba5" {
    user     = "USR"
    password = "PWD"
  }

  # The HS256 definitions all use the same inline shared secret and differ in
  # where the token is read from (cookie, header, query, JSON body; JWTToken
  # names no source of its own) and in whether permissions_claim is set.
  # HS256 is symmetric: whoever holds this key can also mint tokens, which is
  # one more reason to keep such a key out of a committed configuration.
  jwt "JWTToken" {
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    permissions_claim   = "scope"
  }
  jwt "JWTTokenCookie" {
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    cookie              = "tok"
  }
  jwt "JWTTokenHeader" {
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    header              = "x-token"
  }
  # Mixed-case header name - presumably checks case-insensitive matching.
  jwt "JWTTokenHeaderAuth" {
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    header              = "aUtHoRiZaTiOn"
  }
  # Token read from the query string. Tokens carried in URLs tend to end up in
  # access logs and Referer headers; fine for a fixture, worth avoiding in
  # production.
  jwt "JWTTokenTokenValue" {
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    token_value         = request.query.tok[0]
  }

  # Asymmetric definitions: only public key material appears inline below.
  jwt "RSAToken" {
    signature_algorithm = "RS256"
    key_file            = "../files/certificate.pem"
  }
  # Public key with the PKCS#1 PEM label ("RSA PUBLIC KEY").
  jwt "RSAToken1" {
    signature_algorithm = "RS256"
    key = <<-EOF
      -----BEGIN RSA PUBLIC KEY-----
      MIIBCgKCAQEAxOubq8QN8gBVEwINCfVNvmZAhO+ZLeKZapT38OyZkqm+8BUs98cB
      FmzUCiuN2cFrjuhoRAXj2YV/3lu0Sy/G3knLFbGSfuJ+oZuwYNDA3lasGJNZonRE
      sAUJde1hI0uJbceJzcJDifUx2zGR5eCRQKlxxiV/irEy+wZ+/fN9xrue18BykLz6
      HQBXu4mhc17q9qAZtx3hLBRxQwkZGbxumgYGdPXuh2YV82adw18wiZIXgVOvawgX
      QvlVDnjSaLqE3RE/bkVmWkE4TRQuFYhqoEFV50RBILEWlwUHqNggL9zUw2/RdW1u
      TyQJtEMRiz6WgiWaq0l9SkmlrSFA2SDA5wIDAQAB
      -----END RSA PUBLIC KEY-----
    EOF
  }
  # Public key with the generic "PUBLIC KEY" PEM label (served on the
  # /jwt/rsa/pkcs8 endpoint).
  jwt "RSAToken8" {
    header              = "Authorization"
    signature_algorithm = "RS256"
    key = <<-EOF
      -----BEGIN PUBLIC KEY-----
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxOubq8QN8gBVEwINCfVN
      vmZAhO+ZLeKZapT38OyZkqm+8BUs98cBFmzUCiuN2cFrjuhoRAXj2YV/3lu0Sy/G
      3knLFbGSfuJ+oZuwYNDA3lasGJNZonREsAUJde1hI0uJbceJzcJDifUx2zGR5eCR
      QKlxxiV/irEy+wZ+/fN9xrue18BykLz6HQBXu4mhc17q9qAZtx3hLBRxQwkZGbxu
      mgYGdPXuh2YV82adw18wiZIXgVOvawgXQvlVDnjSaLqE3RE/bkVmWkE4TRQuFYhq
      oEFV50RBILEWlwUHqNggL9zUw2/RdW1uTyQJtEMRiz6WgiWaq0l9SkmlrSFA2SDA
      5wIDAQAB
      -----END PUBLIC KEY-----
    EOF
  }
  jwt "RSATokenWrongAlgorithm" {
    signature_algorithm = "RS384"
    key_file            = "../files/certificate.pem"
  }
  # The only definition here with signing settings; signing_key_file refers to
  # a private key stored with the other test files.
  jwt "ECDSAToken" {
    signature_algorithm = "ES256"
    key_file            = "../files/certificate-ecdsa.pem"
    signing_ttl         = "10s"
    signing_key_file    = "../files/ecdsa.key"
  }
  jwt "ECDSAToken8" {
    signature_algorithm = "ES256"
    key = <<-EOF
      -----BEGIN PUBLIC KEY-----
      MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgPxsi3Y2J1FWrjXjacAWmbB+GIuz
      KPLrW5KikaxLtwuoDE61oaWMM4H99mGPN7k4Bmamle8ne9Pr7rQhXuk8Iw==
      -----END PUBLIC KEY-----
    EOF
  }

  jwt "ECDSATokenWrongAlgorithm" {
    signature_algorithm = "ES384"
    key_file            = "../files/certificate-ecdsa.pem"
  }

  # Key sets: a local file, and the test backend reached in three ways
  # (plain URL, inline backend block, reference to the named backend "jwks").
  jwt "JWKS" {
    jwks_url = "file:../files/jwks.json"
  }

  jwt "JWKS_scope" {
    jwks_url          = "file:../files/jwks.json"
    permissions_claim = "scope"
  }

  jwt "JWKSRemote" {
    jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
  }

  jwt "JWKS_not_found" {
    header   = "Authorization"
    jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/not.found"
  }

  jwt "JWKSBackend" {
    jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
    backend {
      origin = env.COUPER_TEST_BACKEND_ADDR
    }
  }

  jwt "JWKSBackendRef" {
    jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
    backend  = "jwks"
  }

  jwt "JWT_token_value_query" {
    token_value         = request.query.token[0]
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    permissions_claim   = "scope"
  }

  jwt "JWT_token_value_body" {
    token_value         = request.json_body.token
    signature_algorithm = "HS256"
    key                 = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
    permissions_claim   = "scope"
  }

  backend "jwks" {
    origin = env.COUPER_TEST_BACKEND_ADDR
  }

  # Shared upstream for the proxy blocks. It passes the client's Authorization
  # header on to the origin, so the upstream sees the caller's credentials.
  backend "test" {
    origin = env.COUPER_TEST_BACKEND_ADDR
    path   = "/anything"
    set_request_headers = {
      Authorization = request.headers.authorization
    }
  }
}

settings {
  # Presumably keeps proxy settings from the process environment out of the
  # connections to the test backend - confirm against the settings reference.
  no_proxy_from_env = true
}