github.com/avenga/couper@v1.12.2/server/testdata/integration/config/03_couper.hcl (about)

     1  server "acs" {
          # Integration-test fixture (path is under server/testdata/): exercises how access_control
          # and disable_access_control combine at server, api and endpoint level.
          # "ba1" is required server-wide; a block opts out by naming it in disable_access_control.
          # NOTE(review): several endpoints below end up with no access control at all, or rely on
          # the weak fixture credentials in `definitions`. Fine for tests, not a template for a
          # deployed gateway.
     2    access_control = ["ba1"]
     3    error_file = "../api_error.json"
     4    api {
     5      base_path = "/v1"
            # Drops the server-wide ba1 and sets no api-level control, so as far as this file
            # shows, /v1/** is proxied without authentication.
     6      disable_access_control = ["ba1"]
     7      endpoint "/**" {
     8        # access_control = ["ba1"] # not possible atm TODO: spec
     9        proxy {
    10          backend "test" {
    11            set_request_headers = {
                    # presumably a marker header the test inspects upstream - verify against the test
    12              auth = ["ba1"]
    13            }
    14          }
    15        }
    16      }
    17    }
    18  
    19    api {
    20      base_path = "/v2"
    21      access_control = ["ba2"]
    22      endpoint "/**" {
    23        proxy {
    24          backend "test" {
    25            set_request_headers = {
    26              auth = ["ba1", "ba2"]
                    # Copies the client's Authorization header onto the upstream request. The existing
                    # "proxy blacklist" remark suggests the proxy would otherwise withhold it - confirm.
                    # Outside tests this hands the gateway credential to the backend.
    27              Authorization = request.headers.authorization # proxy blacklist
    28            }
    29          }
    30        }
    31      }
    32    }
    33  
    34    api {
    35      base_path = "/v3"
    36      access_control = ["ba2"]
    37      endpoint "/**" {
              # ba3 is enabled and disabled in the same block, and ba1/ba2 are disabled too.
              # Presumably the test asserts that disable_access_control wins and the endpoint
              # is reachable without credentials - confirm against the test.
    38        access_control = ["ba3"]
    39        disable_access_control = ["ba1", "ba2", "ba3"]
    40        proxy {
    41          backend = "test"
    42        }
    43      }
    44    }
    45  
    46    api {
    47      base_path = "/v4"
    48      access_control = ["ba2"]
    49      endpoint "/**" {
    50        error_file = "../server_error.html" # error_file in endpoint
    51        proxy {
    52          backend = "test"
    53        }
    54      }
    55    }
    56  
    57    api {
    58      base_path = "/v5"
    59      access_control = ["ba2"]
    60      cors {
              # Wildcard origin on an API that requires basic auth. NOTE(review): acceptable in a
              # fixture; a real config should list explicit origins, above all if credentialed
              # cross-origin requests are ever allowed.
    61        allowed_origins = ["*"]
    62      }
    63      endpoint "/exists" {
    64        response {
    65          body = "exists"
    66        }
    67      }
    68    }
    69  
    70    endpoint "/status" {
            # Only ba1 applied here and it is disabled: no access control is left on /status.
    71      disable_access_control = ["ba1"]
    72      proxy {
    73        backend = "test"
    74      }
    75    }
    76  
    77    endpoint "/superadmin" {
            # ba4 is added at endpoint level; ba1 is not disabled, and the auth marker below
            # lists both, so presumably both controls must pass - confirm.
    78      access_control = ["ba4"]
    79      proxy {
    80        backend "test" {
    81          set_request_headers = {
    82            auth = ["ba1", "ba4"]
    83            Authorization = request.headers.authorization # proxy blacklist
    84          }
    85        }
    86      }
    87    }
    88  
    89    endpoint "/ba5" {
    90      access_control = ["ba5"]
    91      disable_access_control = ["ba1"]
    92      proxy {
    93        backend "test" {
    94          set_request_headers = {
                  # Passes the authenticated basic-auth user name upstream. A backend that trusts
                  # X-Ba-User must only be reachable through this proxy; reached directly, any
                  # caller could supply the header.
    95            X-Ba-User = request.context.ba5.user
    96            Authorization = request.headers.authorization # proxy blacklist
    97          }
    98          set_response_headers = {
                  # Echoes the same user name back to the client in a response header.
    99            X-BA-User = request.context.ba5.user
   100          }
   101        }
   102      }
   103    }
   104  
          # JWT endpoints: each swaps ba1 for one jwt definition and copies selected claims into
          # response headers (presumably so the test can read what was validated).
   105    endpoint "/jwt" {
   106      disable_access_control = ["ba1"]
   107      access_control = ["JWTToken"]
   108      response {
   109        headers = {
   110          x-jwt-sub = request.context.JWTToken.sub
   111          x-granted-permissions = json_encode(request.context.granted_permissions)
   112        }
   113      }
   114    }
   115  
   116    endpoint "/jwt/cookie" {
   117      disable_access_control = ["ba1"]
   118      access_control = ["JWTTokenCookie"]
   119      response {}
   120    }
   121  
   122    endpoint "/jwt/header" {
   123      disable_access_control = ["ba1"]
   124      access_control = ["JWTTokenHeader"]
   125      response {}
   126    }
   127  
   128    endpoint "/jwt/header/auth" {
   129      disable_access_control = ["ba1"]
   130      access_control = ["JWTTokenHeaderAuth"]
   131      response {}
   132    }
   133  
   134    endpoint "/jwt/tokenValue" {
   135      disable_access_control = ["ba1"]
   136      access_control = ["JWTTokenTokenValue"]
   137      response {}
   138    }
   139  
   140    endpoint "/jwt/token_value_query" {
   141      disable_access_control = ["ba1"]
   142      access_control = ["JWT_token_value_query"]
   143      response {
   144        headers = {
   145          x-jwt-sub = request.context.JWT_token_value_query.sub
   146          x-granted-permissions = json_encode(request.context.granted_permissions)
   147        }
   148      }
   149    }
   150  
   151    endpoint "/jwt/token_value_body" {
   152      disable_access_control = ["ba1"]
   153      access_control = ["JWT_token_value_body"]
   154      response {
   155        headers = {
   156          x-jwt-sub = request.context.JWT_token_value_body.sub
   157          x-granted-permissions = json_encode(request.context.granted_permissions)
   158        }
   159      }
   160    }
   161  
   162    endpoint "/jwt/rsa" {
   163      disable_access_control = ["ba1"]
   164      access_control = ["RSAToken"]
   165      response {
   166        headers = {
   167          x-jwt-sub = request.context.RSAToken.sub
   168        }
   169      }
   170    }
   171  
   172    endpoint "/jwt/rsa/pkcs1" {
   173      disable_access_control = ["ba1"]
   174      access_control = ["RSAToken1"]
   175      response {
   176        headers = {
   177          x-jwt-sub = request.context.RSAToken1.sub
   178        }
   179      }
   180    }
   181  
   182    endpoint "/jwt/rsa/pkcs8" {
   183      disable_access_control = ["ba1"]
   184      access_control = ["RSAToken8"]
   185      response {
   186        headers = {
   187          x-jwt-sub = request.context.RSAToken8.sub
   188        }
   189      }
   190    }
   191  
          # Negative case judging by the path and definition name: RSATokenWrongAlgorithm expects
          # RS384 while RSAToken uses RS256 with the same key_file.
   192    endpoint "/jwt/rsa/bad" {
   193      disable_access_control = ["ba1"]
   194      access_control = ["RSATokenWrongAlgorithm"]
   195      response {
   196        headers = {
   197          x-jwt-sub = request.context.RSATokenWrongAlgorithm.sub
   198        }
   199      }
   200    }
   201  
   202    endpoint "/jwt/ecdsa" {
   203      disable_access_control = ["ba1"]
   204      access_control = ["ECDSAToken"]
   205      response {
   206        headers = {
   207          x-jwt-sub = request.context.ECDSAToken.sub
   208        }
   209      }
   210    }
   211  
   212    endpoint "/jwt/ecdsa8" {
   213      disable_access_control = ["ba1"]
   214      access_control = ["ECDSAToken8"]
   215      response {
   216        headers = {
   217          x-jwt-sub = request.context.ECDSAToken8.sub
   218        }
   219      }
   220    }
   221  
          # ECDSA counterpart of /jwt/rsa/bad: ES384 expected against the key_file that
          # ECDSAToken uses with ES256.
   222    endpoint "/jwt/ecdsa/bad" {
   223      disable_access_control = ["ba1"]
   224      access_control = ["ECDSATokenWrongAlgorithm"]
   225      response {
   226        headers = {
   227          x-jwt-sub = request.context.ECDSATokenWrongAlgorithm.sub
   228        }
   229      }
   230    }
   231  
   232    endpoint "/jwks/rsa" {
   233      disable_access_control = ["ba1"]
   234      access_control = ["JWKS"]
   235      response {
   236        headers = {
   237          x-jwt-sub = request.context.JWKS.sub
   238        }
   239      }
   240    }
   241  
   242    endpoint "/jwks/ecdsa" {
   243      disable_access_control = ["ba1"]
   244      access_control = ["JWKS"]
   245      response {
   246        headers = {
   247          x-jwt-sub = request.context.JWKS.sub
   248        }
   249      }
   250    }
   251  
   252    endpoint "/jwks/rsa/scope" {
   253      disable_access_control = ["ba1"]
   254      access_control = ["JWKS_scope"]
   255      response {
   256        headers = {
   257          x-jwt-sub = request.context.JWKS_scope.sub
   258          x-granted-permissions = json_encode(request.context.granted_permissions)
   259        }
   260      }
   261    }
   262  
          # JWKS_not_found points its jwks_url at a path named "not.found"; presumably the key
          # fetch fails and the test expects the request to be denied (fail closed) - confirm.
   263    endpoint "/jwks/rsa/not_found" {
   264      disable_access_control = ["ba1"]
   265      access_control = ["JWKS_not_found"]
   266      response {
   267        headers = {
   268          x-jwt-sub = request.context.JWKS_not_found.sub
   269        }
   270      }
   271    }
   272  
   273    endpoint "/jwks/rsa/remote" {
   274      disable_access_control = ["ba1"]
   275      access_control = ["JWKSRemote"]
   276      response {
   277        headers = {
   278          x-jwt-sub = request.context.JWKSRemote.sub
   279        }
   280      }
   281    }
   282    endpoint "/jwks/rsa/backend" {
   283      disable_access_control = ["ba1"]
   284      access_control = ["JWKSBackend"]
   285      response {
   286        headers = {
   287          x-jwt-sub = request.context.JWKSBackend.sub
   288        }
   289      }
   290    }
   291    endpoint "/jwks/rsa/backendref" {
   292      disable_access_control = ["ba1"]
   293      access_control = ["JWKSBackendRef"]
   294      response {
   295        headers = {
   296          x-jwt-sub = request.context.JWKSBackendRef.sub
   297        }
   298      }
   299    }
          # Token-minting helper for the tests. With ba1 disabled and nothing else enabled, no
          # access control is left, and the first argument to jwt_sign comes straight from the
          # query string, so any caller gets a signed token for the fixed sub below.
          # NOTE(review): test-only pattern; a token-issuing endpoint needs authentication and a
          # server-chosen signing profile rather than one taken from the request.
   300    endpoint "/jwt/create" {
   301      disable_access_control = ["ba1"]
   302      response {
   303        body = jwt_sign(request.query.type[0], {"sub":1234567890})
   304      }
   305    }
   306  }
   307  
   308  definitions {
          # Access-control and backend definitions referenced by the server block.
          # Every password and HMAC key here is a literal fixture value committed with the tests;
          # none should be reused elsewhere. A real config should take secrets from the
          # environment or from files kept out of version control.
          # ba1-ba4 set only a password. NOTE(review): presumably they match an empty user name
          # - confirm against the basic_auth reference.
   309    basic_auth "ba1" {
   310      password = "asdf"
   311    }
   312    basic_auth "ba2" {
   313      password = "asdf"
   314    }
   315    basic_auth "ba3" {
   316      password = "asdf"
   317    }
   318    basic_auth "ba4" {
   319      password = "asdf"
   320    }
   321    basic_auth "ba5" {
   322      user     = "USR"
   323      password = "PWD"
   324    }
          # HS256 definitions: the same inline symmetric key is repeated in every HS256 block of
          # this file; they differ only in where the token is read from.
   325    jwt "JWTToken" {
   326      signature_algorithm = "HS256"
   327      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   328      permissions_claim = "scope"
   329    }
   330    jwt "JWTTokenCookie" {
   331      signature_algorithm = "HS256"
   332      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   333  	cookie = "tok"
   334    }
   335    jwt "JWTTokenHeader" {
   336      signature_algorithm = "HS256"
   337      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   338  	header = "x-token"
   339    }
   340    jwt "JWTTokenHeaderAuth" {
   341      signature_algorithm = "HS256"
   342      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
            # Mixed-case spelling; presumably checks that header-name lookup is case-insensitive
            # - confirm against the test.
   343  	header = "aUtHoRiZaTiOn"
   344    }
   345    jwt "JWTTokenTokenValue" {
   346      signature_algorithm = "HS256"
   347      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
            # Token is read from the query string. Query strings commonly end up in access logs,
            # browser history and Referer headers, so prefer a header or cookie outside tests.
   348  	token_value = request.query.tok[0]
   349    }
   350    jwt "RSAToken" {
   351      signature_algorithm = "RS256"
   352      key_file = "../files/certificate.pem"
   353    }
   354    jwt "RSAToken1" {
   355      signature_algorithm = "RS256"
            # Inline PEM with the "RSA PUBLIC KEY" (PKCS#1) label; public key material only.
   356      key =<<-EOF
   357          -----BEGIN RSA PUBLIC KEY-----
   358          MIIBCgKCAQEAxOubq8QN8gBVEwINCfVNvmZAhO+ZLeKZapT38OyZkqm+8BUs98cB
   359          FmzUCiuN2cFrjuhoRAXj2YV/3lu0Sy/G3knLFbGSfuJ+oZuwYNDA3lasGJNZonRE
   360          sAUJde1hI0uJbceJzcJDifUx2zGR5eCRQKlxxiV/irEy+wZ+/fN9xrue18BykLz6
   361          HQBXu4mhc17q9qAZtx3hLBRxQwkZGbxumgYGdPXuh2YV82adw18wiZIXgVOvawgX
   362          QvlVDnjSaLqE3RE/bkVmWkE4TRQuFYhqoEFV50RBILEWlwUHqNggL9zUw2/RdW1u
   363          TyQJtEMRiz6WgiWaq0l9SkmlrSFA2SDA5wIDAQAB
   364          -----END RSA PUBLIC KEY-----
   365      EOF
   366    }
   367    jwt "RSAToken8" {
   368      header = "Authorization"
   369      signature_algorithm = "RS256"
            # Inline PEM with the generic "PUBLIC KEY" label; appears to carry the same RSA
            # modulus as RSAToken1 in a different encoding - confirm.
   370      key =<<-EOF
   371          -----BEGIN PUBLIC KEY-----
   372          MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxOubq8QN8gBVEwINCfVN
   373          vmZAhO+ZLeKZapT38OyZkqm+8BUs98cBFmzUCiuN2cFrjuhoRAXj2YV/3lu0Sy/G
   374          3knLFbGSfuJ+oZuwYNDA3lasGJNZonREsAUJde1hI0uJbceJzcJDifUx2zGR5eCR
   375          QKlxxiV/irEy+wZ+/fN9xrue18BykLz6HQBXu4mhc17q9qAZtx3hLBRxQwkZGbxu
   376          mgYGdPXuh2YV82adw18wiZIXgVOvawgXQvlVDnjSaLqE3RE/bkVmWkE4TRQuFYhq
   377          oEFV50RBILEWlwUHqNggL9zUw2/RdW1uTyQJtEMRiz6WgiWaq0l9SkmlrSFA2SDA
   378          5wIDAQAB
   379          -----END PUBLIC KEY-----
   380      EOF
   381    }
          # Same key_file as RSAToken but RS384 instead of RS256. Judging by the name, this is the
          # negative case where a token signed with another algorithm must be rejected - confirm.
   382    jwt "RSATokenWrongAlgorithm" {
   383      signature_algorithm = "RS384"
   384      key_file = "../files/certificate.pem"
   385    }
   386    jwt "ECDSAToken" {
   387      signature_algorithm = "ES256"
   388      key_file = "../files/certificate-ecdsa.pem"
            # The only definition here with signing settings. signing_key_file points at a key
            # stored next to the test data (presumably the ES256 private key - confirm); a key
            # committed like this must be treated as public and used for tests only.
   389      signing_ttl = "10s"
   390      signing_key_file = "../files/ecdsa.key"
   391    }
   392    jwt "ECDSAToken8" {
   393      signature_algorithm = "ES256"
   394      key =<<-EOF
   395          -----BEGIN PUBLIC KEY-----
   396          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgPxsi3Y2J1FWrjXjacAWmbB+GIuz
   397          KPLrW5KikaxLtwuoDE61oaWMM4H99mGPN7k4Bmamle8ne9Pr7rQhXuk8Iw==
   398          -----END PUBLIC KEY-----
   399      EOF
   400    }
   401  
   402    jwt "ECDSATokenWrongAlgorithm" {
   403      signature_algorithm = "ES384"
   404      key_file = "../files/certificate-ecdsa.pem"
   405    }
   406  
          # JWKS-based definitions: no signature_algorithm or key is given, only a key-set location.
   407    jwt "JWKS" {
   408      jwks_url = "file:../files/jwks.json"
   409    }
   410  
   411    jwt "JWKS_scope" {
   412      jwks_url = "file:../files/jwks.json"
   413      permissions_claim = "scope"
   414    }
   415  
          # The key set is fetched from the address in COUPER_TEST_BACKEND_ADDR, so whoever controls
          # that address decides which signing keys are trusted. NOTE(review): the URL scheme is
          # not visible here; outside tests a remote JWKS should be fetched over https.
   416    jwt "JWKSRemote" {
   417      jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
   418    }
   419  
          # Path is named "not.found"; presumably the fetch fails and validation must fail closed
          # - confirm against the test.
   420    jwt "JWKS_not_found" {
   421      header = "Authorization"
   422      jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/not.found"
   423    }
   424  
   425    jwt "JWKSBackend" {
   426      jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
   427      backend {
   428        origin = env.COUPER_TEST_BACKEND_ADDR
   429      }
   430    }
   431  
   432    jwt "JWKSBackendRef" {
   433      jwks_url = "${env.COUPER_TEST_BACKEND_ADDR}/jwks.json"
   434      backend = "jwks"
   435    }
   436  
   437    jwt "JWT_token_value_query" {
            # Token taken from the query string; the logging/Referer exposure noted on
            # JWTTokenTokenValue applies here too.
   438      token_value = request.query.token[0]
   439      signature_algorithm = "HS256"
   440      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   441      permissions_claim = "scope"
   442    }
   443  
   444    jwt "JWT_token_value_body" {
            # Token taken from the "token" property of a JSON request body.
   445      token_value = request.json_body.token
   446      signature_algorithm = "HS256"
   447      key = "y0urS3cretT08eU5edF0rC0uPerInThe3xamp1e"
   448      permissions_claim = "scope"
   449    }
   450  
   451    backend "jwks" {
   452      origin = env.COUPER_TEST_BACKEND_ADDR
   453    }
   454  
   455    backend "test" {
   456      origin = env.COUPER_TEST_BACKEND_ADDR
   457      path = "/anything"
   458      set_request_headers = {
              # Sets the upstream Authorization header from the client's, for every proxy that uses
              # this backend. Outside tests, forward client credentials only to a backend that
              # needs them and is trusted with them.
   459        Authorization = request.headers.authorization
   460      }
   461    }
   462  }
   463  
   464  settings {
          # Presumably keeps outbound requests from picking up proxy settings from environment
          # variables, so the tests reach the backend directly - confirm against the settings
          # reference.
   465    no_proxy_from_env = true
   466  }