301 lines
8.8 KiB
Lua
301 lines
8.8 KiB
Lua
local typedefs = require "kong.db.schema.typedefs"
|
|
local Schema = require "kong.db.schema"
|
|
local get_rand_bytes = require("kong.tools.rand").get_rand_bytes
|
|
|
|
|
|
local char = string.char
|
|
local rand = math.random
|
|
local encode_base64 = ngx.encode_base64
|
|
|
|
|
|
local same_site = Schema.define {
|
|
type = "string",
|
|
description = "Determines whether and how a cookie may be sent with cross-site requests.",
|
|
default = "Strict",
|
|
one_of = {
|
|
"Strict",
|
|
"Lax",
|
|
"None",
|
|
"Default",
|
|
},
|
|
}
|
|
|
|
|
|
local headers = Schema.define({
|
|
type = "set",
|
|
description = "List of information to include, as headers, in the response to the downstream.",
|
|
elements = {
|
|
type = "string",
|
|
one_of = {
|
|
"id",
|
|
"audience",
|
|
"subject",
|
|
"timeout",
|
|
"idling-timeout",
|
|
"rolling-timeout",
|
|
"absolute-timeout",
|
|
},
|
|
},
|
|
})
|
|
|
|
|
|
local logout_methods = Schema.define({
|
|
type = "set",
|
|
description = "A set of HTTP methods that the plugin will respond to.",
|
|
elements = {
|
|
type = "string",
|
|
one_of = { "GET", "POST", "DELETE" },
|
|
},
|
|
default = { "POST", "DELETE" },
|
|
})
|
|
|
|
|
|
--- kong.rand.random_string with 32 bytes instead
|
|
-- @returns random string of length 44
|
|
local function random_string()
|
|
return encode_base64(get_rand_bytes(32, true))
|
|
:gsub("/", char(rand(48, 57))) -- 0 - 10
|
|
:gsub("+", char(rand(65, 90))) -- A - Z
|
|
:gsub("=", char(rand(97, 122))) -- a - z
|
|
end
|
|
|
|
|
|
return {
|
|
name = "session",
|
|
fields = {
|
|
{ consumer = typedefs.no_consumer },
|
|
{ protocols = typedefs.protocols },
|
|
{
|
|
config = {
|
|
type = "record",
|
|
fields = {
|
|
{
|
|
secret = {
|
|
description = "The secret that is used in keyed HMAC generation.",
|
|
type = "string",
|
|
required = false,
|
|
default = random_string(),
|
|
encrypted = true, -- Kong Enterprise Exclusive. This does nothing in Kong CE
|
|
referenceable = true,
|
|
},
|
|
},
|
|
{
|
|
storage = {
|
|
description =
|
|
"Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.",
|
|
type = "string",
|
|
one_of = { "cookie", "kong" },
|
|
default = "cookie"
|
|
}
|
|
},
|
|
{
|
|
audience = {
|
|
description =
|
|
"The session audience, which is the intended target application. For example `\"my-application\"`.",
|
|
type = "string",
|
|
default = "default"
|
|
}
|
|
},
|
|
{
|
|
idling_timeout = {
|
|
description = "The session cookie idle time, in seconds.",
|
|
type = "number",
|
|
default = 900
|
|
}
|
|
},
|
|
{
|
|
rolling_timeout = {
|
|
description =
|
|
"The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.",
|
|
type = "number",
|
|
default = 3600
|
|
}
|
|
},
|
|
{
|
|
absolute_timeout = {
|
|
description =
|
|
"The session cookie absolute timeout, in seconds. Specifies how long the session can be used until it is no longer valid.",
|
|
type = "number",
|
|
default = 86400
|
|
}
|
|
},
|
|
{
|
|
stale_ttl = {
|
|
description =
|
|
"The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.",
|
|
type = "number",
|
|
default = 10
|
|
}
|
|
},
|
|
{
|
|
cookie_name = {
|
|
description = "The name of the cookie.",
|
|
type = "string",
|
|
default = "session"
|
|
}
|
|
},
|
|
{
|
|
cookie_path = {
|
|
description = "The resource in the host where the cookie is available.",
|
|
type = "string",
|
|
default = "/"
|
|
}
|
|
},
|
|
{
|
|
cookie_domain = {
|
|
description = "The domain with which the cookie is intended to be exchanged.",
|
|
type = "string"
|
|
}
|
|
},
|
|
{
|
|
cookie_same_site = same_site,
|
|
},
|
|
{
|
|
cookie_http_only = {
|
|
description =
|
|
"Applies the `HttpOnly` tag so that the cookie is sent only to a server.",
|
|
type = "boolean",
|
|
default = true
|
|
}
|
|
},
|
|
{
|
|
cookie_secure = {
|
|
description =
|
|
"Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.",
|
|
type = "boolean",
|
|
default = true
|
|
}
|
|
},
|
|
{
|
|
remember = {
|
|
description = "Enables or disables persistent sessions.",
|
|
type = "boolean",
|
|
default = false
|
|
}
|
|
},
|
|
{
|
|
remember_cookie_name = {
|
|
description = "Persistent session cookie name. Use with the `remember` configuration parameter.",
|
|
type = "string",
|
|
default = "remember"
|
|
}
|
|
},
|
|
{
|
|
remember_rolling_timeout = {
|
|
description = "The persistent session rolling timeout window, in seconds.",
|
|
type = "number",
|
|
default = 604800
|
|
}
|
|
},
|
|
{
|
|
remember_absolute_timeout = {
|
|
description = "The persistent session absolute timeout limit, in seconds.",
|
|
type = "number",
|
|
default = 2592000
|
|
}
|
|
},
|
|
{ response_headers = headers },
|
|
{ request_headers = headers },
|
|
{ read_body_for_logout = { type = "boolean", default = false } },
|
|
{ logout_methods = logout_methods },
|
|
{
|
|
logout_query_arg = {
|
|
description = "The query argument passed to logout requests.",
|
|
type = "string",
|
|
default = "session_logout"
|
|
}
|
|
},
|
|
{
|
|
logout_post_arg = {
|
|
description = "The POST argument passed to logout requests. Do not change this property.",
|
|
type = "string",
|
|
default = "session_logout"
|
|
}
|
|
},
|
|
{
|
|
hash_subject = {
|
|
description = "Whether to hash or not the subject when store_metadata is enabled.",
|
|
type = "boolean",
|
|
default = false
|
|
}
|
|
},
|
|
{
|
|
store_metadata = {
|
|
description =
|
|
"Whether to also store metadata of sessions, such as collecting data of sessions for a specific audience belonging to a specific subject.",
|
|
type = "boolean",
|
|
default = false
|
|
}
|
|
},
|
|
},
|
|
shorthand_fields = {
|
|
-- TODO: deprecated forms, to be removed in Kong 4.0
|
|
{
|
|
cookie_lifetime = {
|
|
type = "number",
|
|
func = function(value)
|
|
return { rolling_timeout = value }
|
|
end,
|
|
},
|
|
},
|
|
{
|
|
cookie_idletime = {
|
|
type = "number",
|
|
func = function(value)
|
|
if value == nil or value == ngx.null then
|
|
value = 0
|
|
end
|
|
return { idling_timeout = value }
|
|
end,
|
|
},
|
|
},
|
|
{
|
|
cookie_renew = {
|
|
type = "number",
|
|
func = function()
|
|
-- session library 4.0.0 calculates this
|
|
ngx.log(ngx.INFO, "[session] cookie_renew option does not exists anymore")
|
|
end,
|
|
},
|
|
},
|
|
{
|
|
cookie_discard = {
|
|
type = "number",
|
|
func = function(value)
|
|
return { stale_ttl = value }
|
|
end,
|
|
}
|
|
},
|
|
{
|
|
cookie_samesite = {
|
|
type = "string",
|
|
func = function(value)
|
|
if value == "off" then
|
|
value = "Lax"
|
|
end
|
|
return { cookie_same_site = value }
|
|
end,
|
|
},
|
|
},
|
|
{
|
|
cookie_httponly = {
|
|
type = "boolean",
|
|
func = function(value)
|
|
return { cookie_http_only = value }
|
|
end,
|
|
},
|
|
},
|
|
{
|
|
cookie_persistent = {
|
|
type = "boolean",
|
|
func = function(value)
|
|
return { remember = value }
|
|
end,
|
|
}
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|