diff --git a/api-catalog-package/build.gradle b/api-catalog-package/build.gradle
index 6588d5aea0..2072b044aa 100644
--- a/api-catalog-package/build.gradle
+++ b/api-catalog-package/build.gradle
@@ -20,7 +20,6 @@ task packageApiCatalog(type: Zip) {
 into('/') {
 from "$buildDir/convert/manifest.yaml"
 from "$resourceDir/pluginDefinition.json"
- from "../schemas/catalog-schema.json"
 }
 into('plugin/') {
@@ -31,6 +30,11 @@ task packageApiCatalog(type: Zip) {
 from "$resourceDir/plugin/web/assets/api-catalog.png"
 }
+ into('schemas/') {
+ from "$resourceDir/schemas/api-catalog-config.json"
+ from "$resourceDir/schemas/zowe-schema.json"
+ }
+
 into('bin/') {
 from configurations.catalogServiceJar
 from "$resourceDir/bin/start.sh"
diff --git a/api-catalog-package/src/main/resources/manifest.yaml b/api-catalog-package/src/main/resources/manifest.yaml
index 0f5c2493f0..765eb87566 100644
--- a/api-catalog-package/src/main/resources/manifest.yaml
+++ b/api-catalog-package/src/main/resources/manifest.yaml
@@ -9,7 +9,9 @@ title: API Catalog
 description: API Catalog service to display service details and API documentation for discovered API services.
 license: EPL-2.0
 schemas:
- configs: catalog-schema.json
+ configs:
+ - schemas/zowe-schema.json
+ - schemas/api-catalog-config.json
 repository:
 type: git
 url: https://github.com/zowe/api-layer.git
diff --git a/api-catalog-package/src/main/resources/schemas/api-catalog-config.json b/api-catalog-package/src/main/resources/schemas/api-catalog-config.json
new file mode 100644
index 0000000000..fca34e5ee4
--- /dev/null
+++ b/api-catalog-package/src/main/resources/schemas/api-catalog-config.json
@@ -0,0 +1,177 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/api-catalog-config", + "title": "api-catalog configuration", + "description": "Configuration properties for API Catalog, as specified within a configuration file such as zowe.yaml", + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7554 + }, + "debug": { + "type": "boolean", + "description": "Enable debug logs in API Catalog", + "default": false + }, + "sslDebug": { + "type": "string", + "description": "Configure attributes fro SSL config, see java property javax.net.debug." + }, + "heap": { + "type": "object", + "description": "Configure JVM parameters for heap size", + "properties": { + "init": { + "type": "integer", + "description": "Initial heap size in MB.", + "default": 32 + }, + "max": { + "type": "integer", + "description": "Maximum heap size in MB.", + "default": 512 + } + } + }, + "apiml": { + "type": "object", + "description": "Zowe API ML specific properties", + "properties": { + "catalog": { + "type": "object", + "description": "API Catalog customization", + "properties": { + "hide": { + "type": "object", + "properties": { + "serviceInfo": { + "type": "boolean", + "description": "Hide the instance URL value of all services registered to the API ML in the API Catalog.", + "default": false + } + } + }, + "customStyle": { + "type": "object", + "description": "Customization of the logotype and selected style options", + "properties": { + "logo": { + "type": "string", + "pattern": "^.*\\.(svg|png|jpe?g)$", + "description": "Location of API Catalog logo" + }, + "titlesColor": { + "type": "string", + "description": "Color of the Catalog title labels" + }, + "fontFamily": { + "type": "string", + "description": "Font family used for the UI" + }, + "headerColor": { + "type": "string", + "description": "Header color" + }, + "backgroundColor": { + "type": "string", + "description": "Background color for 
dashboard and detail page" + }, + "textColor": { + "type": "string", + "description": "Color used for the UI paragraph texts (i.e. service description)" + }, + "docLink": { + "type": "string", + "pattern": "^[^|]+\\|https?:\/\/.+$", + "description": "Custom link that would be displayed in the top right side of the header" + } + } + } + } + }, + "health": { + "type": "object", + "properties": { + "protected": { + "type": "boolean", + "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", + "default": true + } + } + }, + "security": { + "type": "object", + "description": "Security configuration of the API Catalog", + "properties": { + "authorization": { + "type": "object", + "description": "Authorization configuration.", + "properties": { + "provider": { + "type": "string", + "enum": ["endpoint", "native", "dummy"], + "default": "native", + "description": "Specifies security provider to be used by the API Catalog." + } + } + } + } + } + } + }, + "server": { + "type": "object", + "description": "Configure API Catalog server properties.", + "properties": { + "ssl": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable SSL/tls layer.", + "default": true + } + } + } + } + }, + "spring": { + "type": "object", + "description": "Application framework parameters", + "properties": { + "profiles": { + "type": "object", + "description": "Profiles that can hold multiple configuration parameters.", + "properties": { + "active": { + "type": "string", + "description": "List of the active configuration profiles.", + "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" + } + } + } + } + }, + "logging": { + "type": "string", + "description": "Logging configuration for API Catalog service.", + "properties": { + "config": { + "type": "string", + "description": "Path to custom logback configuration file.", + "minLength": 1, + "maxLength": 1024 + } + } + } + }, + "$defs": { + "port": { + 
"type": "integer",
+ "description": "TCP network port",
+ "minimum": 1024,
+ "maximum": 65535
+ }
+ }
+}
diff --git a/api-catalog-package/src/main/resources/schemas/zowe-schema.json b/api-catalog-package/src/main/resources/schemas/zowe-schema.json
new file mode 100644
index 0000000000..b69bdaa6f3
--- /dev/null
+++ b/api-catalog-package/src/main/resources/schemas/zowe-schema.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json-schema.org/draft/2019-09/schema",
+ "$id": "https://zowe.org/schemas/v2/api-catalog",
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base" },
+ { "type": "object",
+ "properties": {
+ "components": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "api-catalog": {
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base#zoweComponent" },
+ { "$ref": "/schemas/v2/api-catalog-config" }
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/apiml-common-lib-package/build.gradle b/apiml-common-lib-package/build.gradle
index e7d6c737ae..7976fda4e8 100644
--- a/apiml-common-lib-package/build.gradle
+++ b/apiml-common-lib-package/build.gradle
@@ -24,7 +24,6 @@ task packageCommonLib(type: Zip) {
 into('/') {
 from "$buildDir/convert/manifest.yaml"
- from "../schemas/apiml-common-lib-schema.json"
 }
 into('bin/') {
diff --git a/apiml-common-lib-package/src/main/resources/manifest.yaml b/apiml-common-lib-package/src/main/resources/manifest.yaml
index 0d7e81a794..e4a6f2d352 100644
--- a/apiml-common-lib-package/src/main/resources/manifest.yaml
+++ b/apiml-common-lib-package/src/main/resources/manifest.yaml
@@ -16,5 +16,3 @@ build:
 number: "{{build.number}}"
 commitHash: "{{build.commitHash}}"
 timestamp: {{build.timestamp}}
-schemas:
- configs: "apiml-common-lib-schema.json"
diff --git a/apiml-package/build.gradle b/apiml-package/build.gradle
index 7d815fb066..035665e965 100644
--- a/apiml-package/build.gradle
+++ b/apiml-package/build.gradle
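Review bot: `logging` near the end of this schema is declared `"type": "string"` but carries a `properties` block, so a `logging:` mapping with `config:` underneath is rejected as not-a-string while the `minLength`/`maxLength` on `config` never apply; it should be `"type": "object"`. The same string-with-properties shape is repeated for `logging` in apiml-config.json in this PR. The `authorization.provider` enum exposes `dummy` with no explanation; if it is a no-authorization stub meant for development (the name suggests so, but nothing here confirms it), the description should say so, e.g. `"description": "Specifies security provider to be used by the API Catalog. 'dummy' is intended for development only."`. Also `fro SSL config` in the `sslDebug` description should read `for SSL config`.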
@@ -20,7 +20,11 @@ task packageApiml(type: Zip) {
 into('/') {
 from "$resourceDir/zosmf-static-definition.yaml.template"
 from "$buildDir/convert/manifest.yaml"
- from "../schemas/apiml-schema.json"
+ }
+
+ into('schemas/') {
+ from "$resourceDir/schemas/apiml-config.json"
+ from "$resourceDir/schemas/zowe-schema.json"
 }
 into('bin/') {
diff --git a/apiml-package/src/main/resources/bin/start.sh b/apiml-package/src/main/resources/bin/start.sh
index 65bcee4716..fb41541db8 100755
--- a/apiml-package/src/main/resources/bin/start.sh
+++ b/apiml-package/src/main/resources/bin/start.sh
@@ -408,7 +408,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${APIML_CODE} ${JAVA_BIN_DIR}java \
 -Dapiml.security.x509.externalMapperUrl=${ZWE_components_gateway_apiml_security_x509_externalMapperUrl:-${ZWE_configs_apiml_security_x509_externalMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/x509/map"}} \
 -Dapiml.security.x509.externalMapperUser=${ZWE_components_gateway_apiml_security_x509_externalMapperUser:-${ZWE_configs_apiml_security_x509_externalMapperUser:-${ZWE_zowe_setup_security_users_zowe:-ZWESVUSR}}} \
 -Dapiml.security.x509.registry.allowedUsers=${ZWE_components_gateway_apiml_security_x509_registry_allowedUsers:-${ZWE_configs_apiml_security_x509_registry_allowedUsers:-}} \
- -Dapiml.security.zosmf.applid=${ZWE_components_gateway_apiml_security_zosmf_applid:-${ZWE_configs_apiml_security_zosmf_applid:-IZUDFLT}} \
+ -Dapiml.security.zosmf.applid=${ZWE_zosmf_applId:-IZUDFLT} \
 -Dapiml.service.allowEncodedSlashes=${ZWE_components_gateway_apiml_service_allowEncodedSlashes:-${ZWE_configs_apiml_service_allowEncodedSlashes:-true}} \
 -Dapiml.service.apimlId=${ZWE_components_gateway_apimlId:-${ZWE_configs_apimlId:-}} \
 -Dapiml.service.corsEnabled=${ZWE_components_gateway_apiml_service_corsEnabled:-${ZWE_configs_apiml_service_corsEnabled:-false}} \
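Review bot: The new `-Dapiml.security.zosmf.applid` line drops the `ZWE_components_gateway_apiml_security_zosmf_applid` and `ZWE_configs_apiml_security_zosmf_applid` fallbacks, so an existing zowe.yaml that sets the APPLID under `components.gateway.apiml.security.zosmf.applid` silently reverts to `IZUDFLT`; since this APPLID is presumably what the Gateway uses when it mints PassTickets for z/OSMF, a wrong value would break z/OSMF authentication rather than fail loudly. Keeping the old chain and adding the new source as the last fallback stays backward compatible: `-Dapiml.security.zosmf.applid=${ZWE_components_gateway_apiml_security_zosmf_applid:-${ZWE_configs_apiml_security_zosmf_applid:-${ZWE_zosmf_applId:-IZUDFLT}}} \`. Please also confirm the casing of `ZWE_zosmf_applId`: if the zowe.yaml section is spelled `zOSMF`, the exported variable would be `ZWE_zOSMF_applId` and the new lookup would never match. The `java` invocation this line belongs to starts and ends outside the hunk.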
diff --git a/apiml-package/src/main/resources/manifest.yaml b/apiml-package/src/main/resources/manifest.yaml
index c6da26c1db..39b00472a5 100644
--- a/apiml-package/src/main/resources/manifest.yaml
+++ b/apiml-package/src/main/resources/manifest.yaml
@@ -9,7 +9,9 @@ title: API Mediation Layer
 description: API Mediation Layer
 license: EPL-2.0
 schemas:
- configs: apiml-schema.json
+ configs:
+ - schemas/zowe-schema.json
+ - schemas/apiml-config.json
 repository:
 type: git
 url: https://github.com/zowe/api-layer.git
diff --git a/apiml-package/src/main/resources/schemas/apiml-config.json b/apiml-package/src/main/resources/schemas/apiml-config.json
new file mode 100644
index 0000000000..e6aeb0e170
--- /dev/null
+++ b/apiml-package/src/main/resources/schemas/apiml-config.json
@@ -0,0 +1,879 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/apiml-config", + "title": "apiml configuration", + "description": "Configuration properties for APIML, as specified within a configuration file such as zowe.yaml", + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7554 + }, + "debug": { + "type": "boolean", + "description": "Enable debug logs in API ML service", + "default": false + }, + "sslDebug": { + "type": "string", + "description": "Configure attributes fro SSL config, see java property javax.net.debug." + }, + "heap": { + "type": "object", + "description": "Configure JVM parameters for heap size", + "properties": { + "init": { + "type": "integer", + "description": "Initial heap size in MB.", + "default": 32 + }, + "max": { + "type": "integer", + "description": "Maximum heap size in MB.", + "default": 512 + } + } + }, + "apiml": { + "type": "object", + "description": "Zowe API ML specific properties", + "properties": { + "catalog": { + "type": "object", + "description": "API Catalog customization", + "properties": { + "hide": { + "type": "object", + "properties": { + "serviceInfo": { + "type": "boolean", + "description": "Hide the instance URL value of all services registered to the API ML in the API Catalog.", + "default": false + } + } + }, + "customStyle": { + "type": "object", + "description": "Customization of the logotype and selected style options", + "properties": { + "logo": { + "type": "string", + "pattern": "^.*\\.(svg|png|jpe?g)$", + "description": "Location of API Catalog logo" + }, + "titlesColor": { + "type": "string", + "description": "Color of the Catalog title labels" + }, + "fontFamily": { + "type": "string", + "description": "Font family used for the UI" + }, + "headerColor": { + "type": "string", + "description": "Header color" + }, + "backgroundColor": { + "type": "string", + "description": "Background color for dashboard and 
detail page" + }, + "textColor": { + "type": "string", + "description": "Color used for the UI paragraph texts (i.e. service description)" + }, + "docLink": { + "type": "string", + "pattern": "^[^|]+\\|https?:\/\/.+$", + "description": "Custom link that would be displayed in the top right side of the header" + } + } + } + } + }, + "connection": { + "type": "object", + "properties": { + "idleConnectionTimeoutSeconds" : { + "type": "integer", + "description": "Specifies a timeout limit for idle client connections, in seconds.", + "default": 5 + }, + "timeout": { + "type": "integer", + "description": "Specifies a timeout limit for a connection, in milliseconds.", + "default": 60000 + }, + "timeToLive": { + "type": "integer", + "description": "Specifies a timeout limit how long to keep open connection to be reused, in milliseconds.", + "default": 10000 + } + } + }, + "discovery": { + "type": "object", + "properties": { + "serviceIdPrefixReplacer": { + "type": "string", + "description": "A comma separated tuple to replace service ID with new one in API ML registry." + } + } + }, + "gateway": { + "type": "object", + "properties": { + "rateLimiterCapacity":{ + "type": "integer", + "description": "Defines the total number of requests that can be allowed at one time.", + "default": 20 + }, + "rateLimiterTokens":{ + "type": "integer", + "description": "Defines the number of requests that are added to the service’s allowance at regular intervals.", + "default": 20 + }, + "rateLimiterRefillDuration":{ + "type": "integer", + "description": "Sets the time interval (in minutes) at which new requests (or tokens) are added.", + "default": 1 + }, + "servicesToLimitRequestRate":{ + "type": "array", + "description": "Array of services which the rate limiter will be applied to.", + "items": { + "type": "string", + "description": "The name of the service." 
+ } + }, + "servicesToDisableRetry":{ + "type": "array", + "description": "Array of services which the retry filter will be disabled for.", + "items": { + "type": "string", + "description": "The name of the service." + } + }, + "registry": { + "type": "object", + "description": "Gateway configuration of a service registry endpoint.", + "properties": { + "cachePeriodSec": { + "type": "integer", + "description": "Specifies time in seconds to expired of cached data about /registry endpoint.", + "default": 120 + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether the /registry endpoint is enabled.", + "default": false + }, + "maxSimultaneousRequests": { + "type": "integer", + "description": "Specifies amount of parallel connection to obtain information from other APIML instances about services to construct response of /registry endpoint.", + "default": 20 + }, + "metadataKeyAllowList": { + "type": "string", + "description": "Specifies what custom metadata are displayed in the /registry endpoint.", + "pattern": "^[^,]+(,[^,]+)*$" + }, + "refreshIntervalMs": { + "type": "integer", + "description": "Specifies time period in milliseconds for how often to update data in /registry endpoint.", + "default": 30000 + } + } + } + } + }, + "internal": { + "type": "object", + "description": "Single-service specific configuration", + "properties": { + "discovery": { + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7553 + } + } + } + } + }, + "health": { + "type": "object", + "properties": { + "protected": { + "type": "boolean", + "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", + "default": true + } + } + }, + "security": { + "type": "object", + "description": "Security configuration of the Gateway", + "properties": { + "useInternalMapper": { + "type": "boolean", + "description": "Enables direct native calls to z/OS to query distributed identity mappings 
and client certificate mappings. Use only if APIML is running on z/OS.", + "default": true + }, + "auth": { + "type": "object", + "description": "Detail configuration of authentication schemes.", + "properties": { + "jwt": { + "type": "object", + "description": "Detail configuration of zoweJwt scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set JWT token in case of zoweJwt scheme." + } + } + }, + "passticket": { + "type": "object", + "description": "Detail configuration of httpBasicPassTicket scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set passticket in case of httpBasicPassTicket scheme." + }, + "customUserHeader": { + "type": "string", + "description": "Additional header to set userId in case of httpBasicPassTicket scheme." + } + } + }, + "provider": { + "type": "string", + "description": "Which provider should be used to verify user credentials.", + "enum": ["zosmf","saf"], + "default": "saf" + }, + "zosmf": { + "type": "object", + "description": "When zosmf is set as authentication provider, this section can be used to provide more details.", + "properties": { + "jwtAutoconfiguration": { + "type": "string", + "description": "Type of the token that is returned from zOSMF after login.", + "enum": ["JWT","jwt","LTPA","ltpa"], + "default": "jwt" + }, + "serviceId": { + "type": "string", + "description": "Service ID of zOSMF from discovery service. Under this ID is zOSMF registered", + "default": "ibmzosmf" + } + } + }, + "uniqueCookie": { + "type": "boolean", + "default": false + } + } + }, + "authorization": { + "type": "object", + "description": "Authorization configuration.", + "properties": { + "endpoint": { + "type": "object", + "description": "Configuration of SAF resource to check authorization via HTTP call.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable provider based on endpoint. 
to verify SAF authorization.", + "default": false + }, + "url": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of endpoint to verify SAF resource. Ie. https://<zss hostname>:<zss port>/saf-auth" + } + }, + "allOf": [ + { + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "required": [ + "url" + ] + } + } + ] + }, + "provider": { + "type": "string", + "enum": ["endpoint", "native", "dummy"], + "default": "native", + "description": "Specifies security provider to be used by the Gateway." + }, + "resourceClass": { + "type": "string", + "description": "zOS resource to verify access.", + "default": "ZOWE" + }, + "resourceNamePrefix": { + "type": "string", + "description": "Prefix of the resource.", + "default": "APIML." + } + }, + "allOf": [ + { + "if": { + "properties": { + "provider": { + "const": "endpoint" + } + } + }, + "then": { + "required": [ + "endpoint" + ] + } + } + ] + }, + "x509": { + "type": "object", + "description": "Client certificate configuration.", + "properties": { + "acceptForwardedCert": { + "type": "boolean", + "description": "To enable accepting client certificate from request header. It is used in domain APIML to accept forwarded client certificate by the caller.", + "default": false + }, + "certificatesUrl": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the trusted caller to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." + }, + "certificatesUrls": { + "type": "string", + "format": "uri", + "pattern": "https?:\/\/[^\\s,]+", + "description": "List of URLs of the trusted callers to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." 
+ }, + "enabled": { + "type": "boolean", + "default": false, + "description": "To enable accepting client certificate in the Gateway." + }, + "externalMapperUrl": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the service where certificate will be mapped to user. ZSS is used if no value is provided." + }, + "externalMapperUser": { + "type": "string", + "description": "User that has permission to do such mapping. Zowe user is used if no value is provided." + }, + "registry": { + "type": "object", + "description": "Security configuration of /registry endpoint.", + "properties": { + "allowedUsers": { + "type": "string", + "pattern": "^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$", + "description": "Specifies the comma-separated list of users that are permitted to use /registry endpoints. The user is obtained from the common name in the provided client certificate." + } + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "acceptForwardedCert": { + "const": true + } + } + }, + "then": { + "anyOf": [ + { "required": [ "certificatesUrl" ] }, + { "required": [ "certificatesUrls" ] } + ] + } + } + ] + }, + "oidc": { + "type": "object", + "description": "OIDC configuration.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable authentication with OIDC token.", + "default": false + }, + "registry": { + "type": "string", + "description": "Registry name." + }, + "identityMapperUrl": { + "type": "string", + "deprecated": true, + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL where the Gateway can query the mapping of the distributed user ID to the mainframe user ID. ZSS is used if no value is provided." + }, + "identityMapperUser": { + "type": "string", + "deprecated": true, + "description": "User with access to external user identity mapper specified in identityMapperUrl. Zowe user is used if no value is provided." 
+ }, + "jwks": { + "type": "object", + "description": "JWKS configuration", + "properties": { + "uri": { + "type": "string", + "description": "JWK set URL for OIDC token validation." + }, + "refreshInternalHours": { + "type": "integer", + "description": "How often are JWKs renewed.", + "default": 1 + } + } + }, + "userIdField": { + "type": "string", + "description": "OIDC token field used for user mapping in SAF.", + "default": "sub" + }, + "userInfo": { + "type": "object", + "description": "OIDC user info endpoint configuration.", + "properties": { + "uri": { + "type": "string", + "description": "OIDC user info endpoint URL." + } + } + }, + "validationType": { + "type": "string", + "description": "How OIDC token is validated.", + "enum": ["JWK","endpoint"], + "default": "JWK" + } + } + }, + "allowtokenrefresh": { + "type": "boolean", + "description": "Allow JWT to refresh.", + "default": false + }, + "jwtInitializerTimeout": { + "type": "integer", + "description": "Timeout for initialization of JWT in minutes.", + "default": 5 + }, + "personalAccessToken": { + "type": "object", + "description": "Personal Access Tokens configuration.", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable Personal Access Tokens.", + "default": false + } + } + }, + "saf": { + "type": "object", + "description": "SAF IDT provider.", + "properties": { + "provider": { + "type": "string", + "description": "Method of communication used by the SAF IDT provider implementation. REST is used if no value is provided.", + "enum": ["rest"], + "default": "rest" + }, + "urls": { + "type": "string", + "description": "URLs of the SAF IDT provider used for the token generation and verification.", + "properties": { + "authenticate": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the SAF IDT provider used to generate the SAF token on behalf of the specified user." 
+ }, + "verify": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the SAF IDT provider used to validate the SAF token." + } + } + } + } + }, + "rauditx": { + "type": "object", + "description": "Configuration for issuing SMF records.", + "properties": { + "onOidcUserIsMapped": { + "type": "boolean", + "description": "To enable cutting SMF record on mapping distributed user from OIDC token to mainframe one.", + "default": false + }, + "oidcSourceUserPaths": { + "type": "string", + "description": "Comma separated JSON paths to find source user in the OIDC token to be cut in the SMF record.", + "default": "sub" + } + } + } + } + }, + "service": { + "type": "object", + "description": "General configuration of the Gateway.", + "properties": { + "allowEncodedSlashes": { + "type": "boolean", + "description": "When this parameter is set to true, the Gateway allows encoded characters to be part of URL requests redirected through the Gateway.", + "default": true + }, + "corsEnabled": { + "type": "boolean", + "description": "Allow CORS on gateway.", + "default": false + }, + "corsAllowedMethods": { + "type": "string", + "description": "List of allowed HTTP methods when CORS is enabled.", + "default": "GET,HEAD,POST,PATCH,DELETE,PUT,OPTIONS" + } + } + }, + "storage": { + "type": "object", + "description": "Storage configuration for Caching service", + "properties": { + "evictionStrategy": { + "type": "string", + "description": "Strategy for caching entries eviction.", + "enum": [ + "reject", + "removeOldest" + ], + "default": "reject" + }, + "mode": { + "type": "string", + "description": "Type of storge in caching service.", + "enum": [ + "inMemory", + "VSAM", + "redis", + "infinispan" + ], + "default": "infinispan" + }, + "size": { + "type": "integer", + "description": "The number of records stored before the eviction strategy is initiated", + "default": 10000 + }, + "infinispan": { + "type": "object", + "description": "Use 
Infinispan as the selected storage solution", + "properties": { + "jgroups": { + "type": "object", + "description": "Data synchronization between Caching instances.", + "properties": { + "port": { + "type": "integer", + "description": "The port number used by Infinispan to synchronize data among caching-service instances.", + "default": 7600 + }, + "host": { + "type": "string", + "description": "The hostname used by Infinispan to synchronize data among caching-service instances.", + "default": "localhost" + }, + "keyExchange": { + "type": "object", + "description": "Data encryption key exchange.", + "properties": { + "port": { + "type": "integer", + "description": "The port number used by Infinispan to exchange encryption key among Caching Service instances.", + "default": 7601 + } + } + }, + "tcp": { + "type": "object", + "description": "TCP stack", + "properties": { + "diag": { + "type": "object", + "description": "Cluster diagnostics", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable diagnostics of infinispan cluster", + "default": false + } + } + } + } + } + } + }, + "initialHosts": { + "type": "string", + "description": "Address of the other Caching services. Consists of jgroups port and host in the form of 'host[port]'.", + "default": "localhost[7600]" + } + } + }, + "vsam": { + "type": "object", + "deprecated": true, + "description": "When storage is selected as VSAM", + "properties": { + "name": { + "type": "string", + "description": "The ZFile filename of created VSAM." 
+ }, + "keyLength": { + "type": "integer", + "description": "The VsamKey length", + "default": 128 + }, + "recordLength": { + "type": "integer", + "description": "The record length.", + "default": 4096 + }, + "encoding": { + "type": "string", + "description": "The character encoding.", + "default": "IBM-1047" + } + } + } + } + } + } + }, + "server": { + "type": "object", + "description": "Configure APIML server properties.", + "properties": { + "maxConnectionsPerRoute": { + "type": "integer", + "description": "How many connections should exist for single route?", + "default": 100 + }, + "maxTotalConnections": { + "type": "integer", + "description": "How many connections should exist in total?", + "default": 1000 + }, + "webSocket": { + "type": "object", + "description": "Customize websocket server parameters", + "properties": { + "maxIdleTimeout": { + "type": "integer", + "description": "The gateway acts as a server and client. This parameters customizes the default idle timeout for its client role.", + "default": 3600000 + }, + "connectTimeout": { + "type": "integer", + "description": "The gateway acts as a server and client. This parameters customizes the default connect timeout for its client role.", + "default": 45000 + }, + "asyncWriteTimeout": { + "type": "integer", + "description": "The gateway acts as a server and client. 
This parameters customizes the default async write timeout for its client role.", + "default": 60000 + }, + "requestBufferSize": { + "type": "integer", + "description": "Specifies the buffer size in bytes to load request headers.", + "default": 8192 + } + } + }, + "ssl": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable SSL/tls layer.", + "default": true + } + } + } + } + }, + "spring": { + "type": "object", + "description": "Application framework parameters", + "properties": { + "profiles": { + "type": "object", + "description": "Profiles that can hold multiple configuration parameters.", + "properties": { + "active": { + "type": "string", + "description": "List of the active configuration profiles.", + "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" + } + } + }, + "security": { + "type": "object", + "description": "Security configuration.", + "properties": { + "oauth2": { + "type": "object", + "description": "OAuth2 configuration values.", + "properties": { + "client": { + "type": "object", + "description": "Configuration of OAuth2 communication.", + "properties": { + "registration": { + "type": "object", + "description": "Provider specific values.", + "patternProperties": { + "^.+$": { + "clientId": { + "type": "string", + "description": "The client identifier." + }, + "clientSecret":{ + "type": "string", + "description": "The client secret." + }, + "redirectUri": { + "type": "string", + "description": "The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client." + }, + "scope": { + "type": "array", + "description": "The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.", + "items": { + "type": "string", + "description": "The scope identifier." 
+ } + } + } + } + }, + "provider": { + "type": "object", + "description": "Provider specific values.", + "patternProperties": { + "^.+$": { + "authorizationUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The Authorization Endpoint URI for the Authorization Server." + }, + "tokenUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The Token Endpoint URI for the Authorization Server." + }, + "userInfoUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The URL of endpoint to obtain details about user by provided token." + }, + "userNameAttribute": { + "type": "string", + "description": "The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user." + }, + "jwkSetUri": { + "type": "string", + "format": "uri", + "pattern": "^(https?)://", + "description": "The URI used to retrieve the JSON Web Key (JWK) Set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the ID Token and optionally the UserInfo Response." + } + } + } + } + } + } + } + } + } + } + } + }, + "apimlId": { + "type": "string", + "pattern": "^[a-z0-9]{1,64}$", + "description": "Specifies identifier of the domain APIML for routing purpose in the central APIML." 
+ },
+ "logging": {
+ "type": "string",
+ "description": "Logging configuration for APIML single-service.",
+ "properties": {
+ "config": {
+ "type": "string",
+ "description": "Path to custom logback configuration file.",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ }
+ }
+ },
+ "$defs": {
+ "port": {
+ "type": "integer",
+ "description": "TCP network port",
+ "minimum": 1024,
+ "maximum": 65535
+ },
+ "routes": {
+ "type": "array",
+ "description": "Routing parameters",
+ "items": {
+ "type": "object",
+ "properties": {
+ "gatewayUrl": {
+ "type": "string",
+ "description": "The portion of the gateway URL which is replaced by the serviceUrl path."
+ },
+ "serviceUrl": {
+ "type": "string",
+ "description": "The portion of the service instance URL path which replaces the gatewayUrl part."
+ }
+ },
+ "required": ["gatewayUrl","serviceUrl"]
+ }
+ }
+ }
+}
diff --git a/apiml-package/src/main/resources/schemas/zowe-schema.json b/apiml-package/src/main/resources/schemas/zowe-schema.json
new file mode 100644
index 0000000000..86498d4b65
--- /dev/null
+++ b/apiml-package/src/main/resources/schemas/zowe-schema.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json-schema.org/draft/2019-09/schema",
+ "$id": "https://zowe.org/schemas/v2/apiml",
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base" },
+ { "type": "object",
+ "properties": {
+ "components": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "apiml": {
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base#zoweComponent" },
+ { "$ref": "/schemas/v2/apiml-config" }
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/apiml-sample-extension-package/build.gradle b/apiml-sample-extension-package/build.gradle
index 5ecfcd7b56..02d231ddc7 100644
--- a/apiml-sample-extension-package/build.gradle
+++ b/apiml-sample-extension-package/build.gradle
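Review bot: The `pattern` on `apiml.security.x509.registry.allowedUsers`, `^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$`, validates nothing: alternation binds looser than the anchors, so the left branch `^[*]?` matches the empty prefix of every string and any value for this allowlist passes. Grouping the alternatives fixes it: `"pattern": "^(\\*|[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$"`. Two properties declare `"type": "string"` while carrying a `properties` block (`apiml.security.saf.urls` with `authenticate`/`verify`, and top-level `logging` with `config`), which rejects the nested mapping outright and never applies the nested constraints; both should be `"type": "object"`. Separately, `x509.certificatesUrls` is described as a list of URLs but has `"format": "uri"`, which a validator enforcing formats would reject for a comma-separated value, and its pattern is unanchored; dropping `format` and using `"pattern": "^https?:\/\/[^\\s,]+(,https?:\/\/[^\\s,]+)*$"` would match the description.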
@@ -28,7 +28,10 @@ task packageSampleExtension(type: Zip) { into('/') { from "$buildDir/convert/manifest.yaml" - from "../schemas/apiml-sample-extension-schema.json" + } + + into('schemas/') { + from "$resourceDir/schemas/zowe-schema.json" } into('bin/') { diff --git a/apiml-sample-extension-package/src/main/resources/manifest.yaml b/apiml-sample-extension-package/src/main/resources/manifest.yaml index e6e8462766..e090b7f160 100644 --- a/apiml-sample-extension-package/src/main/resources/manifest.yaml +++ b/apiml-sample-extension-package/src/main/resources/manifest.yaml @@ -21,4 +21,5 @@ build: gatewaySharedLibs: - bin/apiml-sample-extension.jar schemas: - configs: "apiml-sample-extension-schema.json" + configs: + - schemas/zowe-schema.json diff --git a/apiml-sample-extension-package/src/main/resources/schemas/zowe-schema.json b/apiml-sample-extension-package/src/main/resources/schemas/zowe-schema.json new file mode 100644 index 0000000000..427aeeeb63 --- /dev/null +++ b/apiml-sample-extension-package/src/main/resources/schemas/zowe-schema.json @@ -0,0 +1,22 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/apiml-sample-extension", + "allOf": [ + { "$ref": "/schemas/v2/server-base" }, + { "type": "object", + "properties": { + "components": { + "type": "object", + "additionalProperties": true, + "properties": { + "apiml-sample-extension": { + "allOf": [ + { "$ref": "/schemas/v2/server-base#zoweComponent" } + ] + } + } + } + } + } + ] +} diff --git a/caching-service-package/build.gradle b/caching-service-package/build.gradle index 90e4db2841..e9b53faef0 100644 --- a/caching-service-package/build.gradle +++ b/caching-service-package/build.gradle 
@@ -19,7 +19,11 @@ task packageCachingService(type: Zip) { into('/') { from "$buildDir/convert/manifest.yaml" - from "../schemas/caching-schema.json" + } + + into('schemas/') { + from "$resourceDir/schemas/caching-service-config.json" + from "$resourceDir/schemas/zowe-schema.json" } into('bin/') { diff --git a/caching-service-package/src/main/resources/manifest.yaml b/caching-service-package/src/main/resources/manifest.yaml index 237a6b3c88..7d8c3fddc0 100644 --- a/caching-service-package/src/main/resources/manifest.yaml +++ b/caching-service-package/src/main/resources/manifest.yaml @@ -9,7 +9,9 @@ title: Caching service for internal usage description: Service that provides caching API. license: EPL-2.0 schemas: - configs: caching-schema.json + configs: + - schemas/zowe-schema.json + - schemas/caching-service-config.json repository: type: git url: https://github.com/zowe/api-layer.git diff --git a/caching-service-package/src/main/resources/schemas/caching-service-config.json b/caching-service-package/src/main/resources/schemas/caching-service-config.json new file mode 100644 index 0000000000..824e2f9685 --- /dev/null +++ b/caching-service-package/src/main/resources/schemas/caching-service-config.json 
@@ -0,0 +1,233 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/caching-service-config", + "title": "caching-service configuration", + "description": "Configuration properties for Caching Service, as specified within a configuration file such as zowe.yaml", + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7555 + }, + "debug": { + "type": "boolean", + "description": "Enable debug logs in Caching Service", + "default": false + }, + "sslDebug": { + "type": "string", + "description": "Configure attributes fro SSL config, see java property javax.net.debug." + }, + "heap": { + "type": "object", + "description": "Configure JVM parameters for heap size", + "properties": { + "init": { + "type": "integer", + "description": "Initial heap size in MB.", + "default": 32 + }, + "max": { + "type": "integer", + "description": "Maximum heap size in MB.", + "default": 512 + } + } + }, + "apiml": { + "type": "object", + "description": "Zowe API ML specific properties.", + "properties": { + "health": { + "type": "object", + "properties": { + "protected": { + "type": "boolean", + "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", + "default": true + } + } + } + } + }, + "storage": { + "type": "object", + "description": "Storage configuration for Caching service", + "properties": { + "evictionStrategy": { + "type": "string", + "description": "Strategy for caching entries eviction.", + "enum": [ + "reject", + "removeOldest" + ], + "default": "reject" + }, + "mode": { + "type": "string", + "description": "Type of storge in caching service.", + "enum": [ + "inMemory", + "VSAM", + "redis", + "infinispan" + ], + "default": "inMemory" + }, + "size": { + "type": "integer", + "description": "The number of records stored before the eviction strategy is initiated", + "default": 10000 + }, + "infinispan": { + "type": "object", + 
"description": "Use Infinispan as the selected storage solution", + "properties": { + "jgroups": { + "type": "object", + "description": "Data synchronization between Caching instances.", + "properties": { + "port": { + "type": "integer", + "description": "The port number used by Infinispan to synchronize data among caching-service instances.", + "default": 7600 + }, + "host": { + "type": "string", + "description": "The hostname used by Infinispan to synchronize data among caching-service instances." + }, + "keyExchange": { + "type": "object", + "description": "Data encryption key exchange.", + "properties": { + "port": { + "type": "integer", + "description": "The port number used by Infinispan to exchange encryption key among Caching Service instances.", + "default": 7601 + } + } + }, + "tcp": { + "type": "object", + "description": "TCP stack", + "properties": { + "diag": { + "type": "object", + "description": "Cluster diagnostics", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable diagnostics of infinispan cluster", + "default": false + } + } + } + } + } + } + }, + "persistence": { + "type": "object", + "description": "Where to persistently store caching data.", + "properties": { + "dataLocation": { + "type": "string", + "deprecated": true, + "description": "File location where to store data." + }, + "indexLocation": { + "type": "string", + "deprecated": true, + "description": "File location where to store index." + } + } + }, + "initialHosts": { + "type": "string", + "description": "Address of the other Caching services. Consists of jgroups port and host in the form of 'host[port]'." + } + } + }, + "vsam": { + "type": "object", + "deprecated": true, + "description": "When storage is selected as VSAM", + "properties": { + "name": { + "type": "string", + "description": "The ZFile filename of created VSAM." 
+ }, + "keyLength": { + "type": "integer", + "description": "The VsamKey length", + "default": 128 + }, + "recordLength": { + "type": "integer", + "description": "The record length.", + "default": 4096 + }, + "encoding": { + "type": "string", + "description": "The character encoding.", + "default": "IBM-1047" + } + } + } + } + }, + "server": { + "type": "object", + "description": "Configure Caching service server properties.", + "properties": { + "ssl": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable SSL/tls layer.", + "default": true + } + } + } + } + }, + "spring": { + "type": "object", + "description": "Application framework parameters", + "properties": { + "profiles": { + "type": "object", + "description": "Profiles that can hold multiple configuration parameters.", + "properties": { + "active": { + "type": "string", + "description": "List of the active configuration profiles.", + "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" + } + } + } + } + }, + "logging": { + "type": "string", + "description": "Logging configuration for Caching service.", + "properties": { + "config": { + "type": "string", + "description": "Path to custom logback configuration file.", + "minLength": 1, + "maxLength": 1024 + } + } + } + }, + "$defs": { + "port": { + "type": "integer", + "description": "TCP network port", + "minimum": 1024, + "maximum": 65535 + } + } +} diff --git a/caching-service-package/src/main/resources/schemas/zowe-schema.json b/caching-service-package/src/main/resources/schemas/zowe-schema.json new file mode 100644 index 0000000000..a0c4501bef --- /dev/null +++ b/caching-service-package/src/main/resources/schemas/zowe-schema.json 
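Review bot: `logging` is declared `"type": "string"` but carries a `properties` block with `config`, so the two keywords can never apply together: an object value such as `logging: { config: ... }` fails the type check, while a string value skips the `config` constraints (`minLength`/`maxLength`) entirely. The type should be object, i.e. `"logging": { "type": "object",`. The same `type`/`properties` mismatch appears in discovery-config.json and in the tail of api-catalog-config.json above. Separately, the `sslDebug` description's `fro` should read `for`; it recurs in the other config schemas.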
@@ -0,0 +1,23 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/caching-service", + "allOf": [ + { "$ref": "/schemas/v2/server-base" }, + { "type": "object", + "properties": { + "components": { + "type": "object", + "additionalProperties": true, + "properties": { + "caching-service": { + "allOf": [ + { "$ref": "/schemas/v2/server-base#zoweComponent" }, + { "$ref": "/schemas/v2/caching-service-config" } + ] + } + } + } + } + } + ] +} diff --git a/discovery-package/build.gradle b/discovery-package/build.gradle index 10571ebf6c..3718dd12d7 100644 --- a/discovery-package/build.gradle +++ b/discovery-package/build.gradle @@ -19,7 +19,11 @@ task packageDiscovery(type: Zip) { into('/') { from "$buildDir/convert/manifest.yaml", "$resourceDir/zosmf-static-definition.yaml.template" - from "../schemas/discovery-schema.json" + } + + into('schemas/') { + from "$resourceDir/schemas/discovery-config.json" + from "$resourceDir/schemas/zowe-schema.json" } into('bin/') { diff --git a/discovery-package/src/main/resources/manifest.yaml b/discovery-package/src/main/resources/manifest.yaml index 0d2dbbf70e..98a9bdead7 100644 --- a/discovery-package/src/main/resources/manifest.yaml +++ b/discovery-package/src/main/resources/manifest.yaml @@ -9,7 +9,9 @@ title: API Discovery description: The API Discovery service acts as the registration service broker between the API Gateway and its southbound servers. license: EPL-2.0 schemas: - configs: discovery-schema.json + configs: + - schemas/zowe-schema.json + - schemas/discovery-config.json repository: type: git url: https://github.com/zowe/api-layer.git diff --git a/discovery-package/src/main/resources/schemas/discovery-config.json b/discovery-package/src/main/resources/schemas/discovery-config.json new file mode 100644 index 0000000000..96641a80f3 --- /dev/null +++ b/discovery-package/src/main/resources/schemas/discovery-config.json 
@@ -0,0 +1,116 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/discovery-config", + "title": "discovery configuration", + "description": "Configuration properties for Discovery Service, as specified within a configuration file such as zowe.yaml", + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7552 + }, + "debug": { + "type": "boolean", + "description": "Enable debug logs in Discovery service", + "default": false + }, + "sslDebug": { + "type": "string", + "description": "Configure attributes fro SSL config, see java property javax.net.debug." + }, + "heap": { + "type": "object", + "description": "Configure JVM parameters for heap size", + "properties": { + "init": { + "type": "integer", + "description": "Initial heap size in MB.", + "default": 32 + }, + "max": { + "type": "integer", + "description": "Maximum heap size in MB.", + "default": 512 + } + } + }, + "apiml": { + "type": "object", + "description": "Zowe API ML specific properties.", + "properties": { + "discovery": { + "type": "object", + "properties": { + "serviceIdPrefixReplacer": { + "type": "string", + "description": "A comma separated tuple to replace service ID with new one in API ML registry." 
+ } + } + }, + "health": { + "type": "object", + "properties": { + "protected": { + "type": "boolean", + "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", + "default": true + } + } + } + } + }, + "server": { + "type": "object", + "description": "Configure Discovery server properties.", + "properties": { + "ssl": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable SSL/tls layer.", + "default": true + } + } + } + } + }, + "spring": { + "type": "object", + "description": "Application framework parameters", + "properties": { + "profiles": { + "type": "object", + "description": "Profiles that can hold multiple configuration parameters.", + "properties": { + "active": { + "type": "string", + "description": "List of the active configuration profiles.", + "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" + } + } + } + } + }, + "logging": { + "type": "string", + "description": "Logging configuration for Discovery service.", + "properties": { + "config": { + "type": "string", + "description": "Path to custom logback configuration file.", + "minLength": 1, + "maxLength": 1024 + } + } + } + }, + "$defs": { + "port": { + "type": "integer", + "description": "TCP network port", + "minimum": 1024, + "maximum": 65535 + } + } +} diff --git a/discovery-package/src/main/resources/schemas/zowe-schema.json b/discovery-package/src/main/resources/schemas/zowe-schema.json new file mode 100644 index 0000000000..4a2e43dafb --- /dev/null +++ b/discovery-package/src/main/resources/schemas/zowe-schema.json 
@@ -0,0 +1,23 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/discovery", + "allOf": [ + { "$ref": "/schemas/v2/server-base" }, + { "type": "object", + "properties": { + "components": { + "type": "object", + "additionalProperties": true, + "properties": { + "discovery": { + "allOf": [ + { "$ref": "/schemas/v2/server-base#zoweComponent" }, + { "$ref": "/schemas/v2/discovery-config" } + ] + } + } + } + } + } + ] +} diff --git a/gateway-package/build.gradle b/gateway-package/build.gradle index ed92af999e..26f2fb7047 100644 --- a/gateway-package/build.gradle +++ b/gateway-package/build.gradle @@ -19,7 +19,11 @@ task packageApiGateway(type: Zip) { into('/') { from "$buildDir/convert/manifest.yaml" - from "../schemas/gateway-schema.json" + } + + into('schemas/') { + from "$resourceDir/schemas/gateway-config.json" + from "$resourceDir/schemas/zowe-schema.json" } into('bin/') { diff --git a/gateway-package/src/main/resources/bin/start.sh b/gateway-package/src/main/resources/bin/start.sh index a08c5b5c3a..df414e62e9 100755 --- a/gateway-package/src/main/resources/bin/start.sh +++ b/gateway-package/src/main/resources/bin/start.sh @@ -42,7 +42,6 @@ # - ZWE_configs_apiml_connection_idleConnectionTimeoutSeconds # - ZWE_configs_apiml_connection_timeToLive # - ZWE_configs_apiml_health_protected -# - ZWE_configs_apiml_service_forwardClientCertEnabled # - ZWE_configs_apiml_security_auth_jwt_customAuthHeader # - ZWE_configs_apiml_security_auth_passticket_customUserHeader # - ZWE_configs_apiml_security_auth_passticket_customAuthHeader @@ -55,6 +54,7 @@ # - ZWE_configs_apiml_security_x509_registry_allowedUsers # - ZWE_configs_apiml_service_allowEncodedSlashes # - ZWE_configs_apiml_service_corsEnabled +# - ZWE_configs_apiml_service_corsAllowedMethods # - ZWE_configs_apiml_gateway_registry_enabled # - ZWE_configs_apiml_gateway_registry_cachePeriodSec # - ZWE_configs_apiml_gateway_registry_maxSimultaneousRequests 
@@ -311,13 +311,13 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
 -Dapiml.connection.timeToLive=${ZWE_configs_apiml_connection_timeToLive:-10000} \
 -Dapiml.gateway.cachePeriodSec=${ZWE_configs_apiml_gateway_registry_cachePeriodSec:-120} \
 -Dapiml.gateway.cookieNameForRateLimit=${cookieName:-apimlAuthenticationToken} \
- -Dapiml.gateway.maxSimultaneousRequests=${ZWE_configs_gateway_registry_maxSimultaneousRequests:-20} \
+ -Dapiml.gateway.maxSimultaneousRequests=${ZWE_configs_apiml_gateway_registry_maxSimultaneousRequests:-20} \
 -Dapiml.gateway.rateLimiterCapacity=${ZWE_configs_apiml_gateway_rateLimiterCapacity:-20} \
 -Dapiml.gateway.rateLimiterRefillDuration=${ZWE_configs_apiml_gateway_rateLimiterRefillDuration:-1} \
 -Dapiml.gateway.rateLimiterTokens=${ZWE_configs_apiml_gateway_rateLimiterTokens:-20} \
- -Dapiml.gateway.refresh-interval-ms=${ZWE_configs_gateway_registry_refreshIntervalMs:-30000} \
+ -Dapiml.gateway.refresh-interval-ms=${ZWE_configs_apiml_gateway_registry_refreshIntervalMs:-30000} \
 -Dapiml.gateway.registry.enabled=${ZWE_configs_apiml_gateway_registry_enabled:-false} \
- -Dapiml.gateway.registry.metadata-key-allow-list=${ZWE_configs_gateway_registry_metadataKeyAllowList:-} \
+ -Dapiml.gateway.registry.metadata-key-allow-list=${ZWE_configs_apiml_gateway_registry_metadataKeyAllowList:-} \
 -Dapiml.gateway.servicesToLimitRequestRate=${ZWE_configs_apiml_gateway_servicesToLimitRequestRate:-} \
 -Dapiml.gateway.servicesToDisableRetry=${ZWE_configs_apiml_gateway_servicesToDisableRetry:-} \
 -Dapiml.health.protected=${ZWE_configs_apiml_health_protected:-true} \
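Review bot: The corrected variable on the `metadata-key-allow-list` line is still expanded unquoted, and the pattern the new gateway-config.json applies to `metadataKeyAllowList` (`^[^,]+(,[^,]+)*$`) permits whitespace, so a value like `key1, key2` would be word-split into separate `java` arguments. Quoting the expansion avoids that: `-Dapiml.gateway.registry.metadata-key-allow-list="${ZWE_configs_apiml_gateway_registry_metadataKeyAllowList:-}" \`. The other two renamed lines carry integer values and are less exposed, but the same quoting would keep the block consistent. The `java` command this hunk belongs to starts and ends outside the hunk.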
@@ -328,7 +328,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${GATEWAY_CODE} ${JAVA_BIN_DIR}java \
 -Dapiml.security.auth.passticket.customAuthHeader=${ZWE_configs_apiml_security_auth_passticket_customAuthHeader:-} \
 -Dapiml.security.auth.passticket.customUserHeader=${ZWE_configs_apiml_security_auth_passticket_customUserHeader:-} \
 -Dapiml.security.authorization.endpoint.enabled=${ZWE_configs_apiml_security_authorization_endpoint_enabled:-false} \
- -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-${ZWE_components_gateway_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"}} \
+ -Dapiml.security.authorization.endpoint.url=${ZWE_configs_apiml_security_authorization_endpoint_url:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf-auth"} \
 -Dapiml.security.authorization.provider=${ZWE_configs_apiml_security_authorization_provider:-"native"} \
 -Dapiml.security.forwardHeader.trustedProxies=${ZWE_configs_apiml_security_forwardHeader_trustedProxies:-} \
 -Dapiml.security.ssl.nonStrictVerifySslCertificatesOfServices=${nonStrictVerifySslCertificatesOfServices:-false} \
diff --git a/gateway-package/src/main/resources/manifest.yaml b/gateway-package/src/main/resources/manifest.yaml
index 11a0532702..b7bc951569 100644
--- a/gateway-package/src/main/resources/manifest.yaml
+++ b/gateway-package/src/main/resources/manifest.yaml
@@ -9,7 +9,9 @@ title: Gateway
 description: API Gateway service to route requests to services registered in the API Mediation Layer and provides an API for mainframe security.
 license: EPL-2.0
 schemas:
- configs: gateway-schema.json
+ configs:
+ - schemas/zowe-schema.json
+ - schemas/gateway-config.json
 repository:
 type: git
 url: https://github.com/zowe/api-layer.git
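Review bot: The rewritten `authorization.endpoint.url` line drops the `ZWE_components_gateway_apiml_security_authorization_endpoint_url` fallback, which is a silent behaviour change for any installation that still sets that key: it would now fall through to the constructed default that points at the gateway's own port. If the removal is intentional — the new gateway-config.json models this setting only as `apiml.security.authorization.endpoint.url` under the component's config, which presumably is what `ZWE_configs_...` maps to — it deserves a changelog or migration note; otherwise keep the old key as the second fallback. The enclosing `java` command starts and ends outside the hunk.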
diff --git a/gateway-package/src/main/resources/schemas/gateway-config.json b/gateway-package/src/main/resources/schemas/gateway-config.json new file mode 100644 index 0000000000..5f297593d1 --- /dev/null +++ b/gateway-package/src/main/resources/schemas/gateway-config.json 
@@ -0,0 +1,742 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "$id": "https://zowe.org/schemas/v2/gateway-config", + "title": "gateway configuration", + "description": "Configuration properties for Gateway Service, as specified within a configuration file such as zowe.yaml", + "type": "object", + "properties": { + "port": { + "$ref": "#/$defs/port", + "default": 7553 + }, + "debug": { + "type": "boolean", + "description": "Enable debug logs in Gateway service", + "default": false + }, + "sslDebug": { + "type": "string", + "description": "Configure attributes fro SSL config, see java property javax.net.debug." + }, + "heap": { + "type": "object", + "description": "Configure JVM parameters for heap size", + "properties": { + "init": { + "type": "integer", + "description": "Initial heap size in MB.", + "default": 32 + }, + "max": { + "type": "integer", + "description": "Maximum heap size in MB.", + "default": 512 + } + } + }, + "apimlId": { + "type": "string", + "pattern": "^[a-z0-9]{1,64}$", + "description": "Specifies identifier of the domain gateway for routing purpose in the central Gateway." 
+ }, + "apiml": { + "type": "object", + "description": "Zowe API ML specific properties.", + "properties": { + "connection": { + "type": "object", + "properties": { + "idleConnectionTimeoutSeconds" : { + "type": "integer", + "description": "Specifies a timeout limit for idle client connections, in seconds.", + "default": 5 + }, + "timeout": { + "type": "integer", + "description": "Specifies a timeout limit for a connection, in milliseconds.", + "default": 60000 + }, + "timeToLive": { + "type": "integer", + "description": "Specifies a timeout limit how long to keep open connection to be reused, in milliseconds.", + "default": 10000 + } + } + }, + "gateway": { + "type": "object", + "properties": { + "rateLimiterCapacity":{ + "type": "integer", + "description": "Defines the total number of requests that can be allowed at one time.", + "default": 20 + }, + "rateLimiterTokens":{ + "type": "integer", + "description": "Defines the number of requests that are added to the service’s allowance at regular intervals.", + "default": 20 + }, + "rateLimiterRefillDuration":{ + "type": "integer", + "description": "Sets the time interval (in minutes) at which new requests (or tokens) are added.", + "default": 1 + }, + "servicesToLimitRequestRate":{ + "type": "array", + "description": "Array of services which the rate limiter will be applied to.", + "items": { + "type": "string", + "description": "The name of the service." + } + }, + "servicesToDisableRetry":{ + "type": "array", + "description": "Array of services which the retry filter will be disabled for.", + "items": { + "type": "string", + "description": "The name of the service." 
+ } + }, + "registry": { + "type": "object", + "description": "Gateway configuration of a service registry endpoint.", + "properties": { + "cachePeriodSec": { + "type": "integer", + "description": "Specifies time in seconds to expired of cached data about /registry endpoint.", + "default": 120 + }, + "enabled": { + "type": "boolean", + "description": "Specifies whether the /registry endpoint is enabled.", + "default": false + }, + "maxSimultaneousRequests": { + "type": "integer", + "description": "Specifies amount of parallel connection to obtain information from other APIML instances about services to construct response of /registry endpoint.", + "default": 20 + }, + "metadataKeyAllowList": { + "type": "string", + "description": "Specifies what custom metadata are displayed in the /registry endpoint.", + "pattern": "^[^,]+(,[^,]+)*$" + }, + "refreshIntervalMs": { + "type": "integer", + "description": "Specifies time period in milliseconds for how often to update data in /registry endpoint.", + "default": 30000 + } + } + } + } + }, + "health": { + "type": "object", + "properties": { + "protected": { + "type": "boolean", + "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", + "default": true + } + } + }, + "security": { + "type": "object", + "description": "Security configuration of the Gateway", + "properties": { + "useInternalMapper": { + "type": "boolean", + "description": "Enables direct native calls to z/OS to query distributed identity mappings and client certificate mappings. Use only if APIML is running on z/OS.", + "default": true + }, + "auth": { + "type": "object", + "description": "Detail configuration of authentication schemes.", + "properties": { + "jwt": { + "type": "object", + "description": "Detail configuration of zoweJwt scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set JWT token in case of zoweJwt scheme." 
+ } + } + }, + "passticket": { + "type": "object", + "description": "Detail configuration of httpBasicPassTicket scheme.", + "properties": { + "customAuthHeader": { + "type": "string", + "description": "Additional header to set passticket in case of httpBasicPassTicket scheme." + }, + "customUserHeader": { + "type": "string", + "description": "Additional header to set userId in case of httpBasicPassTicket scheme." + } + } + }, + "provider": { + "type": "string", + "description": "Which provider should be used to verify user credentials.", + "enum": ["zosmf","saf"], + "default": "saf" + }, + "zosmf": { + "type": "object", + "description": "When zosmf is set as authentication provider, this section can be used to provide more details.", + "properties": { + "jwtAutoconfiguration": { + "type": "string", + "description": "Type of the token that is returned from zOSMF after login.", + "enum": ["JWT","jwt","LTPA","ltpa"], + "default": "jwt" + }, + "serviceId": { + "type": "string", + "description": "Service ID of zOSMF from discovery service. Under this ID is zOSMF registered", + "default": "ibmzosmf" + } + } + }, + "uniqueCookie": { + "type": "boolean", + "default": false + } + } + }, + "authorization": { + "type": "object", + "description": "Authorization configuration.", + "properties": { + "endpoint": { + "type": "object", + "description": "Configuration of SAF resource to check authorization via HTTP call.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable provider based on endpoint. to verify SAF authorization.", + "default": false + }, + "url": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of endpoint to verify SAF resource. Ie. 
https://<zss hostname>:<zss port>/saf-auth" + } + }, + "allOf": [ + { + "if": { + "properties": { + "enabled": { + "const": true + } + } + }, + "then": { + "required": [ + "url" + ] + } + } + ] + }, + "provider": { + "type": "string", + "enum": ["endpoint", "native", "dummy"], + "default": "native", + "description": "Specifies security provider to be used by the Gateway." + }, + "resourceClass": { + "type": "string", + "description": "zOS resource to verify access.", + "default": "ZOWE" + }, + "resourceNamePrefix": { + "type": "string", + "description": "Prefix of the resource.", + "default": "APIML." + } + }, + "allOf": [ + { + "if": { + "properties": { + "provider": { + "const": "endpoint" + } + } + }, + "then": { + "required": [ + "endpoint" + ] + } + } + ] + }, + "forwardHeader": { + "type": "object", + "description": "Forward header configuration.", + "properties": { + "trustedProxies": { + "type": "string", + "description": "IP address regular expression pattern used to identify trusted proxies from which X-Forwarded-* headers are accepted and forwarded." + } + } + }, + "x509": { + "type": "object", + "description": "Client certificate configuration.", + "properties": { + "acceptForwardedCert": { + "type": "boolean", + "description": "To enable accepting client certificate from request header. It is used in domain APIML to accept forwarded client certificate by the caller.", + "default": false + }, + "certificatesUrl": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the trusted caller to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." + }, + "certificatesUrls": { + "type": "string", + "format": "uri", + "pattern": "https?:\/\/[^\\s,]+", + "description": "List of URLs of the trusted callers to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." 
+ }, + "enabled": { + "type": "boolean", + "default": false, + "description": "To enable accepting client certificate in the Gateway." + }, + "externalMapperUrl": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the service where certificate will be mapped to user. ZSS is used if no value is provided." + }, + "externalMapperUser": { + "type": "string", + "description": "User that has permission to do such mapping. Zowe user is used if no value is provided." + }, + "registry": { + "type": "object", + "description": "Security configuration of /registry endpoint.", + "properties": { + "allowedUsers": { + "type": "string", + "pattern": "^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$", + "description": "Specifies the comma-separated list of users that are permitted to use /registry endpoints. The user is obtained from the common name in the provided client certificate." + } + } + } + }, + "allOf": [ + { + "if": { + "properties": { + "acceptForwardedCert": { + "const": true + } + } + }, + "then": { + "anyOf": [ + { "required": [ "certificatesUrl" ] }, + { "required": [ "certificatesUrls" ] } + ] + } + } + ] + }, + "oidc": { + "type": "object", + "description": "OIDC configuration.", + "properties": { + "enabled": { + "type": "boolean", + "description": "Enable authentication with OIDC token.", + "default": false + }, + "registry": { + "type": "string", + "description": "Registry name." + }, + "identityMapperUrl": { + "type": "string", + "deprecated": true, + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL where the Gateway can query the mapping of the distributed user ID to the mainframe user ID. ZSS is used if no value is provided." + }, + "identityMapperUser": { + "type": "string", + "deprecated": true, + "description": "User with access to external user identity mapper specified in identityMapperUrl. Zowe user is used if no value is provided." 
+ }, + "jwks": { + "type": "object", + "description": "JWKS configuration", + "properties": { + "uri": { + "type": "string", + "description": "JWK set URL for OIDC token validation." + }, + "refreshInternalHours": { + "type": "integer", + "description": "How often are JWKs renewed.", + "default": 1 + } + } + }, + "userIdField": { + "type": "string", + "description": "OIDC token field used for user mapping in SAF.", + "default": "sub" + }, + "userInfo": { + "type": "object", + "description": "OIDC user info endpoint configuration.", + "properties": { + "uri": { + "type": "string", + "description": "OIDC user info endpoint URL." + } + } + }, + "validationType": { + "type": "string", + "description": "How OIDC token is validated.", + "enum": ["JWK","endpoint"], + "default": "JWK" + } + } + }, + "allowtokenrefresh": { + "type": "boolean", + "description": "Allow JWT to refresh.", + "default": false + }, + "jwtInitializerTimeout": { + "type": "integer", + "description": "Timeout for initialization of JWT in minutes.", + "default": 5 + }, + "personalAccessToken": { + "type": "object", + "description": "Personal Access Tokens configuration.", + "properties": { + "enabled": { + "type": "boolean", + "description": "To enable Personal Access Tokens.", + "default": false + } + } + }, + "saf": { + "type": "object", + "description": "SAF IDT provider.", + "properties": { + "provider": { + "type": "string", + "description": "Method of communication used by the SAF IDT provider implementation. REST is used if no value is provided.", + "enum": ["rest"], + "default": "rest" + }, + "urls": { + "type": "string", + "description": "URLs of the SAF IDT provider used for the token generation and verification.", + "properties": { + "authenticate": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the SAF IDT provider used to generate the SAF token on behalf of the specified user." 
+ }, + "verify": { + "type": "string", + "format": "uri", + "pattern": "^(https?):\/\/", + "description": "URL of the SAF IDT provider used to validate the SAF token." + } + } + } + } + }, + "rauditx": { + "type": "object", + "description": "Configuration for issuing SMF records.", + "properties": { + "onOidcUserIsMapped": { + "type": "boolean", + "description": "To enable cutting SMF record on mapping distributed user from OIDC token to mainframe one.", + "default": false + }, + "oidcSourceUserPaths": { + "type": "string", + "description": "Comma separated JSON paths to find source user in the OIDC token to be cut in the SMF record.", + "default": "sub" + } + } + } + } + }, + "service": { + "type": "object", + "description": "General configuration of the Gateway.", + "properties": { + "additionalRegistration": { + "type": "object", + "description": "List of additional Discovery Services URLs to register with and the routing patterns.", + "patternProperties": { + "^[0-9]+$": { + "type": "object", + "properties": { + "discoveryServiceUrls": { + "type": "string", + "description": "List of Discovery Services URLs in one security domain. You can separate multiple urls by comma or semicolon." 
+ },
+ "routes": {
+ "$ref": "#/$defs/routes"
+ }
+ },
+ "required": ["discoveryServiceUrls","routes"]
+ }
+ }
+ },
+ "allowEncodedSlashes": {
+ "type": "boolean",
+ "description": "When this parameter is set to true, the Gateway allows encoded characters to be part of URL requests redirected through the Gateway.",
+ "default": true
+ },
+ "corsEnabled": {
+ "type": "boolean",
+ "description": "Allow CORS on gateway.",
+ "default": false
+ },
+ "corsAllowedMethods": {
+ "type": "string",
+ "description": "List of allowed HTTP methods when CORS is enabled.",
+ "default": "GET,HEAD,POST,PATCH,DELETE,PUT,OPTIONS"
+ }
+ }
+ },
+ "httpclient" : {
+ "type": "object",
+ "description": "HTTP client network settings",
+ "properties": {
+ "ssl": {
+ "type": "object",
+ "description": "SSL/TLS configuration for HTTP client",
+ "properties": {
+ "enabled": {
+ "type": "object",
+ "properties": {
+ "protocols": {
+ "type": "string",
+ "description": "List of enabled SSL/TLS protocols.",
+ "pattern": "^TLSv\\d+(\\.\\d+)?(,TLSv\\d+(\\.\\d+)?)*$"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "server": {
+ "type": "object",
+ "description": "Configure gateway server properties.",
+ "properties": {
+ "maxConnectionsPerRoute": {
+ "type": "integer",
+ "description": "How many connections should exist for single route?",
+ "default": 100
+ },
+ "maxTotalConnections": {
+ "type": "integer",
+ "description": "How many connections should exist in total?",
+ "default": 1000
+ },
+ "webSocket": {
+ "type": "object",
+ "description": "Customize websocket server parameters",
+ "properties": {
+ "maxIdleTimeout": {
+ "type": "integer",
+ "description": "The gateway acts as a server and client. This parameters customizes the default idle timeout for its client role.",
+ "default": 3600000
+ },
+ "connectTimeout": {
+ "type": "integer",
+ "description": "The gateway acts as a server and client. 
This parameters customizes the default connect timeout for its client role.",
+ "default": 45000
+ },
+ "asyncWriteTimeout": {
+ "type": "integer",
+ "description": "The gateway acts as a server and client. This parameters customizes the default async write timeout for its client role.",
+ "default": 60000
+ },
+ "requestBufferSize": {
+ "type": "integer",
+ "description": "Specifies the buffer size in bytes to load request headers.",
+ "default": 8192
+ }
+ }
+ },
+ "ssl": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "To enable SSL/tls layer.",
+ "default": true
+ }
+ }
+ }
+ }
+ },
+ "spring": {
+ "type": "object",
+ "description": "Application framework parameters",
+ "properties": {
+ "profiles": {
+ "type": "object",
+ "description": "Profiles that can hold multiple configuration parameters.",
+ "properties": {
+ "active": {
+ "type": "string",
+ "description": "List of the active configuration profiles.",
+ "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$"
+ }
+ }
+ },
+ "security": {
+ "type": "object",
+ "description": "Security configuration.",
+ "properties": {
+ "oauth2": {
+ "type": "object",
+ "description": "OAuth2 configuration values.",
+ "properties": {
+ "client": {
+ "type": "object",
+ "description": "Configuration of OAuth2 communication.",
+ "properties": {
+ "registration": {
+ "type": "object",
+ "description": "Provider specific values.",
+ "patternProperties": {
+ "^.+$": {
+ "clientId": {
+ "type": "string",
+ "description": "The client identifier."
+ },
+ "clientSecret":{
+ "type": "string",
+ "description": "The client secret."
+ },
+ "redirectUri": {
+ "type": "string",
+ "description": "The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client."
+ },
+ "scope": {
+ "type": "array",
+ "description": "The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.",
+ "items": {
+ "type": "string",
+ "description": "The scope identifier."
+ }
+ }
+ }
+ }
+ },
+ "provider": {
+ "type": "object",
+ "description": "Provider specific values.",
+ "patternProperties": {
+ "^.+$": {
+ "authorizationUri": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^(https?)://",
+ "description": "The Authorization Endpoint URI for the Authorization Server."
+ },
+ "tokenUri": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^(https?)://",
+ "description": "The Token Endpoint URI for the Authorization Server."
+ },
+ "userInfoUri": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^(https?)://",
+ "description": "The URL of endpoint to obtain details about user by provided token."
+ },
+ "userNameAttribute": {
+ "type": "string",
+ "description": "The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user."
+ },
+ "jwkSetUri": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^(https?)://",
+ "description": "The URI used to retrieve the JSON Web Key (JWK) Set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the ID Token and optionally the UserInfo Response."
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "logging": {
+ "type": "string",
+ "description": "Logging configuration for Gateway service.",
+ "properties": {
+ "config": {
+ "type": "string",
+ "description": "Path to custom logback configuration file.",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ }
+ }
+ },
+ "$defs": {
+ "port": {
+ "type": "integer",
+ "description": "TCP network port",
+ "minimum": 1024,
+ "maximum": 65535
+ },
+ "routes": {
+ "type": "array",
+ "description": "Routing parameters",
+ "items": {
+ "type": "object",
+ "properties": {
+ "gatewayUrl": {
+ "type": "string",
+ "description": "The portion of the gateway URL which is replaced by the serviceUrl path."
+ },
+ "serviceUrl": {
+ "type": "string",
+ "description": "The portion of the service instance URL path which replaces the gatewayUrl part."
+ }
+ },
+ "required": ["gatewayUrl","serviceUrl"]
+ }
+ }
+ }
+}
diff --git a/gateway-package/src/main/resources/schemas/zowe-schema.json b/gateway-package/src/main/resources/schemas/zowe-schema.json
new file mode 100644
index 0000000000..e071e1d1d4
--- /dev/null
+++ b/gateway-package/src/main/resources/schemas/zowe-schema.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json-schema.org/draft/2019-09/schema",
+ "$id": "https://zowe.org/schemas/v2/gateway",
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base" },
+ { "type": "object",
+ "properties": {
+ "components": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "gateway": {
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base#zoweComponent" },
+ { "$ref": "/schemas/v2/gateway-config" }
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/schemas/apiml-common-lib-schema.json b/schemas/apiml-common-lib-schema.json
deleted file mode 100644
index 89907ab6a9..0000000000
--- a/schemas/apiml-common-lib-schema.json
+++ /dev/null
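Review bot: The component reference `{ "$ref": "/schemas/v2/gateway-config" }` in zowe-schema.json resolves (against the `$id` base `https://zowe.org/schemas/v2/gateway`) to `https://zowe.org/schemas/v2/gateway-config`, an id that no file in this change defines: the gateway schema being deleted carried `$id` `https://zowe.org/schema/gateway-config` (singular `schema`, no `v2`), and the only component config schema added here is `api-catalog-config`. Unless a gateway-config schema with the v2 id already exists elsewhere in the repository, validating the `components.gateway` block will fail on an unresolvable reference, and how loudly that fails depends on the validator. The relative `$ref` values for `server-base` also presumably rely on the Zowe schema loader pre-registering that schema under the same base URI rather than fetching it; worth confirming, since the deleted schemas used the absolute `https://zowe.org/schemas/v2/server-base` form. A `"title"` and `"description"` at the top of the file, e.g. `"title": "Zowe Gateway component configuration"`, would match the other schema files in this diff.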
@@ -1,22 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "$id": "https://zowe.org/schemas/v2/apiml-common-lib",
- "allOf": [
- { "$ref": "https://zowe.org/schemas/v2/server-base" },
- {
- "type": "object",
- "properties": {
- "components": {
- "type": "object",
- "additionalProperties": true,
- "properties": {
- "apiml-common-lib": {
- "$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"
- }
- }
- }
- }
- }
- ]
-}
-
diff --git a/schemas/apiml-sample-extension-schema.json b/schemas/apiml-sample-extension-schema.json
deleted file mode 100644
index 8a35bc7869..0000000000
--- a/schemas/apiml-sample-extension-schema.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "$id": "https://zowe.org/schemas/v2/apiml-sample-extension",
- "allOf": [
- { "$ref": "https://zowe.org/schemas/v2/server-base" },
- {
- "type": "object",
- "properties": {
- "components": {
- "type": "object",
- "additionalProperties": true,
- "properties": {
- "apiml-sample-extension": {
- "$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"
- }
- }
- }
- }
- }
- ]
-}
-
diff --git a/schemas/apiml-schema.json b/schemas/apiml-schema.json
deleted file mode 100644
index b196daf2cb..0000000000
--- a/schemas/apiml-schema.json
+++ /dev/null
@@ -1,91 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "$id": "https://zowe.org/schema/apiml-config", - "allOf": [ - { "$ref": "https://zowe.org/schemas/v2/server-base" }, - { - "type": "object", - "properties": { - "components": { - "type": "object", - "additionalProperties": true, - "properties": { - "apiml": { - "allOf": [ - {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"}, - { - "type": "object", - "properties": { - "port": { - "$ref": "#/$defs/port", - "default": 7554 - }, - "debug": { - "type": "boolean", - "description": "Enable debug logs in API ML service" - }, - "heap": { - "type": "object", - "description": "Configure JVM parameters for heap size", - "properties": { - "init": { - "type": "integer", - "description": "Initial heap size in MB." - }, - "max": { - "type": "integer", - "description": "Maximum heap size in MB." - } - } - }, - "server": { - "type": "object", - "description": "Configure API ML server properties.", - "properties": { - "ssl": { - "type": "object", - "description": "Network encryption for API ML service connections.", - "properties": { - "enabled": { - "type": "boolean", - "description": "Should API ML use encrypted communication?", - "default": true - } - } - } - } - }, - "spring": { - "type": "object", - "description": "Application framework parameters", - "properties": { - "profiles": { - "type": "object", - "description": "Profiles that can hold multiple configuration parameters.", - "properties": { - "active": { - "type": "string", - "description": "List of the active configuration profiles." - } - } - } - } - } - } - } - ] - } - } - } - } - } - ], - "$defs": { - "port": { - "type": "integer", - "description": "TCP network port", - "minimum": 1024, - "maximum": 65535 - } - } -} diff --git a/schemas/caching-schema.json b/schemas/caching-schema.json deleted file mode 100644 index 503903a609..0000000000 --- a/schemas/caching-schema.json +++ /dev/null 
@@ -1,167 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "$id": "https://zowe.org/schema/caching-config", - "allOf": [ - { "$ref": "https://zowe.org/schemas/v2/server-base" }, - { - "type": "object", - "properties": { - "components": { - "type": "object", - "additionalProperties": true, - "properties": { - "caching-service": { - "allOf": [ - {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"}, - { - "type": "object", - "properties": { - "port": { - "$ref": "#/$defs/port", - "default": 7555 - }, - "debug": { - "type": "boolean", - "description": "Enable debug logs in discovery service" - }, - "heap": { - "type": "object", - "description": "Configure JVM parameters for heap size", - "properties": { - "init": { - "type": "integer", - "description": "Initial heap size in MB." - }, - "max": { - "type": "integer", - "description": "Maximum heap size in MB." - } - } - }, - "storage": { - "evictionStrategy": { - "type": "string", - "description": "Strategy for caching entries eviction.", - "default": "reject" - }, - "mode": { - "type": "string", - "description": "Type of storge in caching service.", - "enum": ["inMemory","VSAM","redis","infinispan"], - "default": "inMemory" - }, - "size": { - "type": "integer", - "description": "the number of records stored before the eviction strategy is initiated", - "default": 10000 - }, - "infinispan":{ - "type": "object", - "description": "Use Infinispan as the selected storage solution", - "properties": { - "jgroups": { - "type": "object", - "description": "Data synchronization between Caching instances.", - "properties": { - "port": { - "type": "integer", - "description": "TCP port number", - "default": 7600 - }, - "host": { - "type": "string", - "description": "TCP hostname" - }, - "keyExchange": { - "type": "object", - "description": "Data encryption key exchange.", - "properties": { - "port": { - "type": "integer", - "description": "TCP port number", - "default": 7601 - } - } - }, - "tcp": 
{ - "type": "object", - "description": "TCP stack", - "properties": { - "diag": { - "type": "object", - "description": "Cluster diagnostics", - "properties": { - "enabled": { - "type": "boolean", - "description": "Enable diagnostics of infinispan cluster" - } - } - } - } - } - } - }, - "persistence": { - "type": "object", - "description": "Where to persistently store caching data.", - "properties": { - "dataLocation": { - "type": "string", - "description": "File location where to store data." - }, - "indexLocation": { - "type": "string", - "description": "File location where to store index." - } - } - }, - "initialHosts": { - "type": "string", - "description": "Address of the other Caching services. Consists of jgroups port and host in the form of 'host[port]'." - } - } - }, - "vsam": { - "type": "object", - "description": "When storage is selected as VSAM", - "properties": { - "name": { - "type": "string", - "description": "The ZFile filename of created VSAM." - }, - "keyLength": { - "type": "integer", - "description": "The VsamKey length", - "default": 32 - }, - "recordLength": { - "type": "integer", - "description": "The record length.", - "default": 512 - }, - "encoding": { - "type": "string", - "description": "The character encoding.", - "default": "IBM-1047" - } - } - } - } - } - } - ] - } - } - } - } - } - ], - "$defs": { - "port": { - "type": "integer", - "description": "TCP network port", - "minimum": 1024, - "maximum": 65535 - } - } -} diff --git a/schemas/catalog-schema.json b/schemas/catalog-schema.json deleted file mode 100644 index 4aab5b3518..0000000000 --- a/schemas/catalog-schema.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "$id": "https://zowe.org/schema/catalog-config", - "allOf": [ - { "$ref": "https://zowe.org/schemas/v2/server-base" }, - { - "type": "object", - "properties": { - "components": { - "type": "object", - "additionalProperties": true, - "properties": { - "api-catalog": { - "allOf": [ - {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"}, - { - "type": "object", - "properties": { - "port": { - "$ref": "#/$defs/port", - "default": 7554 - }, - "apiml": { - "type": "object", - "description": "Zowe API ML specific properties", - "properties": { - "catalog": { - "type": "object", - "description": "API Catalog customization", - "properties": { - "customStyle": { - "type": "object", - "description": "", - "properties": { - "logo": { - "type": "string", - "description": "Location of API Catalog logo" - }, - "titlesColor": { - "type": "string", - "description": "Color of the Catalog title labels" - }, - "fontFamily": { - "type": "string", - "description": "Font family used for the UI" - }, - "headerColor": { - "type": "string", - "description": "Header color" - }, - "backgroundColor": { - "type": "string", - "description": "Background color for dashboard and detail page" - }, - "textColor": { - "type": "string", - "description": "Color used for the UI paragraph texts (i.e. service description)" - }, - "docLink": { - "type": "string", - "description": "Custom link that would be displayed in the top right side of the header" - } - } - } - } - } - } - }, - "debug": { - "type": "boolean", - "description": "Enable debug logs in API Catalog" - }, - "heap": { - "type": "object", - "description": "Configure JVM parameters for heap size", - "properties": { - "init": { - "type": "integer", - "description": "Initial heap size in MB." - }, - "max": { - "type": "integer", - "description": "Maximum heap size in MB." 
- } - } - } - } - } - ] - } - } - } - } - } - ], - "$defs": { - "port": { - "type": "integer", - "description": "TCP network port", - "minimum": 1024, - "maximum": 65535 - } - } -} diff --git a/schemas/discovery-schema.json b/schemas/discovery-schema.json deleted file mode 100644 index 999a054d9e..0000000000 --- a/schemas/discovery-schema.json +++ /dev/null @@ -1,67 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "$id": "https://zowe.org/schema/discovery-config", - "allOf": [ - { "$ref": "https://zowe.org/schemas/v2/server-base" }, - { - "type": "object", - "properties": { - "components": { - "type": "object", - "additionalProperties": true, - "properties": { - "discovery-service": { - "allOf": [ - {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"}, - { - "type": "object", - "properties": { - "apiml": { - "type": "object", - "properties": { - "serviceIdPrefixReplacer": { - "type": "string", - "description": "A comma separated tuple to replace service ID with new one in API ML registry." - } - } - }, - "port": { - "$ref": "#/$defs/port", - "default": 7552 - }, - "debug": { - "type": "boolean", - "description": "Enable debug logs in discovery service" - }, - "heap": { - "type": "object", - "description": "Configure JVM parameters for heap size", - "properties": { - "init": { - "type": "integer", - "description": "Initial heap size in MB." - }, - "max": { - "type": "integer", - "description": "Maximum heap size in MB." - } - } - } - } - } - ] - } - } - } - } - } - ], - "$defs": { - "port": { - "type": "integer", - "description": "TCP network port", - "minimum": 1024, - "maximum": 65535 - } - } -} diff --git a/schemas/gateway-schema.json b/schemas/gateway-schema.json deleted file mode 100644 index c7524c1d36..0000000000 --- a/schemas/gateway-schema.json +++ /dev/null 
@@ -1,689 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft/2019-09/schema", - "$id": "https://zowe.org/schema/gateway-config", - "allOf": [ - { "$ref": "https://zowe.org/schemas/v2/server-base" }, - { - "type": "object", - "properties": { - "components": { - "type": "object", - "additionalProperties": true, - "properties": { - "gateway-service": { - "allOf": [ - {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"}, - { - "type": "object", - "properties": { - "port": { - "$ref": "#/$defs/port", - "default": 7553 - }, - "debug": { - "type": "boolean", - "description": "Enable debug logs in gateway service", - "default": false - }, - "sslDebug": { - "type": "string", - "description": "Configure attributes fro SSL config, see java property javax.net.debug." - }, - "heap": { - "type": "object", - "description": "Configure JVM parameters for heap size", - "properties": { - "init": { - "type": "integer", - "description": "Initial heap size in MB.", - "default": 32 - }, - "max": { - "type": "integer", - "description": "Maximum heap size in MB.", - "max": 512 - } - } - }, - "apimlId": { - "type": "string", - "pattern": "^[a-z0-9]{1,64}$", - "description": "Specifies identifier of the domain gateway for routing purpose in the central Gateway." - }, - "certificate": { - "type": "object", - "description": "Network encryption for gateway service connections.", - "properties": { - "enabled": { - "type": "boolean", - "description": "Should gateway use encrypted communication?", - "default": true - }, - "keystore": { - "type": "object", - "properties": { - "alias": { - "type": "string", - "description": "Specifies the alias used to address the private key in the keystore." - }, - "key": { - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Specifies the password associated with the private key." - } - } - }, - "file": { - "type": "string", - "description": "Specifies the keystore file used to store the private key. 
When using keyring, the value should be set to the SAF keyring location. For information about required certificates." - }, - "password": { - "type": "string", - "description": "Specifies the password used to unlock the keystore." - }, - "type": { - "type": "string", - "pattern": "^((PKCS12)|(JCE.*RACFKS))$", - "description": "Specifies the type of the keystore.", - "default": "PKCS12" - } - }, - "allOf": [ - { - "if": { - "properties": { - "type": { - "pattern": "^JCE.*RACFKS$" - } - } - }, - "then": { - "properties": { - "file": { - "pattern": "^safkeyring[^:]*://" - } - } - } - } - ] - }, - "truststore": { - "type": "object", - "properties": { - "file": { - "type": "string", - "description": "Specifies the truststore file used to keep other parties public keys and certificates. When using keyring, this value should be set to the SAF keyring location. For information about required certificates." - }, - "password": { - "type": "string", - "description": "Specifies the password used to unlock the truststore." - }, - "type": { - "type": "string", - "pattern": "^((PKCS12)|(JCE.*RACFKS))$", - "description": "Specifies the truststore type. 
The default for this parameter is PKCS12.", - "default": "PKCS12" - } - }, - "allOf": [ - { - "if": { - "properties": { - "type": { - "pattern": "^JCE.*RACFKS$" - } - } - }, - "then": { - "properties": { - "file": { - "pattern": "^safkeyring[^:]*://" - } - } - } - } - ] - } - } - }, - "apiml": { - "type": "object", - "description": "Zowe API ML specific properties.", - "properties": { - "connection": { - "type": "object", - "properties": { - "idleConnectionTimeoutSeconds" : { - "type": "integer", - "description": "Specifies a timeout limit for idle client connections, in seconds.", - "default": 5 - }, - "timeout": { - "type": "integer", - "description": "Specifies a timeout limit for a connection, in milliseconds.", - "default": 60000 - }, - "timeToLive": { - "type": "integer", - "description": "Specifies a timeout limit how long to keep open connection to be reused, in milliseconds.", - "default": 60000 - } - } - }, - "gateway": { - "type": "object", - "properties": { - "routing": { - "properties": { - "rateLimiterCapacity":{ - "type": "integer", - "description": "Defines the total number of requests that can be allowed at one time.", - "default": 20 - }, - "rateLimiterTokens":{ - "type": "integer", - "description": "Defines the number of requests that are added to the service’s allowance at regular intervals.", - "default": 20 - }, - "rateLimiterRefillDuration":{ - "type": "integer", - "description": "Sets the time interval (in minutes) at which new requests (or tokens) are added.", - "default": 1 - }, - "servicesToLimitRequestRate":{ - "type": "array", - "description": "Array of services which the rate limiter will be applied to.", - "items": { - "type": "string", - "description": "The name of the service." - } - }, - "servicesToDisableRetry":{ - "type": "array", - "description": "Array of services which the retry filter will be disabled for.", - "items": { - "type": "string", - "description": "The name of the service." 
- } - } - } - }, - "registry": { - "type": "object", - "description": "Gateway configuration of a service registry endpoint.", - "properties": { - "cachePeriodSec": { - "type": "integer", - "description": "Specifies time in seconds to expired of cached data about /registry endpoint.", - "default": 120 - }, - "enabled": { - "type": "boolean", - "description": "Specifies whether the /registry endpoint is enabled.", - "default": false - }, - "maxSimultaneousRequests": { - "type": "integer", - "description": "Specifies amount of parallel connection to obtain information from other APIML instances about services to construct response of /registry endpoint.", - "default": 20 - }, - "metadataKeyAllowList": { - "type": "string", - "description": "Specifies what custom metadata are displayed in the /registry endpoint.", - "pattern": "^[^,]+(,[^,]+)*$" - }, - "refreshIntervalMs": { - "type": "integer", - "description": "Specifies time period in milliseconds for how often to update data in /registry endpoint.", - "default": 30000 - } - } - } - } - }, - "health": { - "type": "object", - "properties": { - "protected": { - "type": "boolean", - "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.", - "default": true - } - } - }, - "security": { - "type": "object", - "description": "Security configuration of the Gateway", - "properties": { - "auth": { - "type": "object", - "description": "Detail configuration of authentication schemes.", - "properties": { - "jwt": { - "type": "object", - "description": "Detail configuration of zoweJwt scheme.", - "properties": { - "customAuthHeader": { - "type": "string", - "description": "Additional header to set JWT token in case of zoweJwt scheme." 
- } - } - }, - "passticket": { - "type": "object", - "description": "Detail configuration of httpBasicPassTicket scheme.", - "properties": { - "customAuthHeader": { - "type": "string", - "description": "Additional header to set passticket in case of httpBasicPassTicket scheme." - }, - "customUserHeader": { - "type": "string", - "description": "Additional header to set userId in case of httpBasicPassTicket scheme." - } - } - }, - "uniqueCookie": { - "type": "boolean", - "default": false - } - } - }, - "authorization": { - "type": "object", - "description": "Authorization configuration.", - "properties": { - "endpoint": { - "type": "object", - "description": "Configuration of SAF resource to check authorization via HTTP call.", - "properties": { - "enabled": { - "type": "boolean", - "description": "Enable provider based on endpoint. to verify SAF authorization.", - "default": false - }, - "url": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "URL of endpoint to verify SAF resource. Ie. https://<zss hostname>:<zss port>/saf-auth" - } - }, - "allOf": [ - { - "if": { - "properties": { - "enabled": { - "const": true - } - } - }, - "then": { - "required": [ - "url" - ] - } - } - ] - }, - "provider": { - "type": "string", - "enum": ["endpoint", "native", "dummy"], - "description": "Specifies security provider to be used by the Gateway." - } - }, - "allOf": [ - { - "if": { - "properties": { - "provider": { - "const": "endpoint" - } - } - }, - "then": { - "required": [ - "endpoint" - ] - } - } - ] - }, - "x509": { - "type": "object", - "description": "Client certificate configuration.", - "properties": { - "acceptForwardedCert": { - "type": "boolean", - "description": "To enable accepting client certificate from request header. 
It is used in domain APIML to accept forwarded client certificate by the caller.", - "default": false - }, - "certificatesUrl": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "URL of the trusted caller to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header." - }, - "enabled": { - "type": "boolean", - "default": false, - "description": "To enable accepting client certificate in the Gateway." - }, - "registry": { - "type": "object", - "description": "Security configuration of /registry endpoint.", - "properties": { - "allowedUsers": { - "type": "string", - "pattern": "^[*]?|([a-zA-Z0-9]+(,[a-zA-Z0-9]+)*)$", - "description": "Specifies the comma-separated list of users that are permitted to use /registry endpoints. The user is obtained from the common name in the provided client certificate." - } - } - } - }, - "allOf": [ - { - "if": { - "properties": { - "acceptForwardedCert": { - "const": true - } - } - }, - "then": { - "required": [ - "certificatesUrl" - ] - } - } - ] - }, - "oidc": { - "type": "object", - "description": "OIDC configuration.", - "properties": { - "enabled": { - "type": "boolean", - "description": "Enable authentication with OIDC token.", - "default": false - }, - "registry": { - "type": "string", - "description": "Registry name." - }, - "jwks": { - "type": "object", - "description": "JWKS configuration", - "properties": { - "uri": { - "type": "string", - "description": "JWK set URL for OIDC token validation." - }, - "refreshInternalHours": { - "type": "integer", - "description": "How often are JWKs renewed.", - "default": 1 - } - } - }, - "userInfo": { - "type": "object", - "description": "OIDC user info endpoint configuration", - "properties": { - "uri": { - "type": "string", - "description": "OIDC user info endpoint URL." 
- } - } - }, - "validationType": { - "type": "string", - "description": "How OIDC token is validated.", - "enum": ["JWK","endpoint"], - "default": "JWK" - } - } - }, - "allowtokenrefresh": { - "type": "boolean", - "description": "Allow JWT to refresh.", - "default": false - } - } - }, - "service": { - "type": "object", - "description": "General configuration of the Gateway.", - "properties": { - "additionalRegistration": { - "type": "object", - "description": "List of additional Discovery Services URLs to register with and the routing patterns.", - "patternProperties": { - "^[0-9]+$": { - "type": "object", - "properties": { - "discoveryServiceUrls": { - "type": "string", - "description": "List of Discovery Services URLs in one security domain. You can separate multiple urls by comma or semicolon." - }, - "routes": { - "$ref": "#/$defs/routes" - } - }, - "required": ["discoveryServiceUrls","routes"] - } - } - }, - "allowEncodedSlashes": { - "type": "boolean", - "description": "When this parameter is set to true, the Gateway allows encoded characters to be part of URL requests redirected through the Gateway.", - "default": true - }, - "corsEnabled": { - "type": "boolean", - "description": "Allow CORS on gateway.", - "default": false - }, - "forwardClientCertEnabled": { - "type": "boolean", - "description": "Enable forwarding client certificate to the next service or APIML.", - "default": false - } - } - } - } - }, - "server": { - "type": "object", - "description": "Configure gateway server properties.", - "properties": { - "maxConnectionsPerRoute": { - "type": "integer", - "description": "How many connection should exists for single HTTP client?", - "default": 100 - }, - "maxTotalConnections": { - "type": "integer", - "description": "How many connection should exists in total?", - "default": 1000 - }, - "webSocket": { - "type": "object", - "description": "Customize websocket server parameters", - "properties": { - "maxIdleTimeout": { - "type": "integer", - 
"description": "The gateway acts as a server and client. This parameters customizes the default idle timeout for its client role.", - "default": 3600000 - }, - "connectTimeout": { - "type": "integer", - "description": "The gateway acts as a server and client. This parameters customizes the default connect timeout for its client role.", - "default": 45000 - }, - "asyncWriteTimeout": { - "type": "integer", - "description": "The gateway acts as a server and client. This parameters customizes the default async write timeout for its client role.", - "default": 60000 - }, - "requestBufferSize": { - "type": "integer", - "description": "Specifies the buffer size in bytes to load request headers.", - "default": 8192 - } - } - }, - "ssl": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "To enable SSL/tls layer.", - "default": true - } - } - } - } - }, - "spring": { - "type": "object", - "description": "Application framework parameters", - "properties": { - "profiles": { - "type": "object", - "description": "Profiles that can hold multiple configuration parameters.", - "properties": { - "active": { - "type": "string", - "description": "List of the active configuration profiles.", - "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$" - } - } - }, - "security": { - "type": "object", - "description": "Security configuration.", - "properties": { - "oauth2": { - "type": "object", - "description": "OAuth2 configuration values.", - "properties": { - "client": { - "type": "object", - "description": "Configuration of OAuth2 communication.", - "properties": { - "registration": { - "type": "object", - "description": "Provider specific values.", - "patternProperties": { - "^.+$": { - "clientId": { - "type": "string", - "description": "The client identifier." - }, - "clientSecret":{ - "type": "string", - "description": "The client secret." 
- }, - "redirectUri": { - "type": "string", - "description": "The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client." - }, - "scope": { - "type": "array", - "description": "The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.", - "items": { - "type": "string", - "description": "The scope identifier." - } - } - } - } - }, - "provider": { - "type": "object", - "description": "Provider specific values.", - "patternProperties": { - "^.+$": { - "authorizationUri": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "The Authorization Endpoint URI for the Authorization Server." - }, - "tokenUri": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "The Token Endpoint URI for the Authorization Server." - }, - "userInfoUri": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "The URL of endpoint to obtain details about user by provided token." - }, - "userNameAttribute": { - "type": "string", - "description": "The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user." - }, - "jwkSetUri": { - "type": "string", - "format": "uri", - "pattern": "^(https?)://", - "description": "The URI used to retrieve the JSON Web Key (JWK) Set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the ID Token and optionally the UserInfo Response." 
- } - } - } - } - } - } - } - } - } - } - } - } - } - } - ] - } - } - } - } - } - ], - "$defs": { - "port": { - "type": "integer", - "description": "TCP network port", - "minimum": 1024, - "maximum": 65535 - }, - "routes": { - "type": "array", - "description": "Routing parameters", - "items": { - "type": "object", - "properties": { - "gatewayUrl": { - "type": "string", - "description": "The portion of the gateway URL which is replaced by the serviceUrl path." - }, - "serviceUrl": { - "type": "string", - "description": "The portion of the service instance URL path which replaces the gatewayUrl part." - } - }, - "required": ["gatewayUrl","serviceUrl"] - } - }, - "tlsType": { - "type": "string", - "description": "List of supported SSL/TLS protocols", - "enum": ["TLSv1.1", "TLSv1.2", "TLSv1.3", "TLSv1.4"] - } - } -} diff --git a/schemas/zaas-schema.json b/schemas/zaas-schema.json deleted file mode 100644 index 842d9b0edb..0000000000 --- a/schemas/zaas-schema.json +++ /dev/null 
@@ -1,246 +0,0 @@
-{
- "$schema": "https://json-schema.org/draft/2019-09/schema",
- "$id": "https://zowe.org/schema/zaas-config",
- "allOf": [
- { "$ref": "https://zowe.org/schemas/v2/server-base" },
- {
- "type": "object",
- "properties": {
- "components": {
- "type": "object",
- "additionalProperties": true,
- "properties": {
- "zaas": {
- "allOf": [
- {"$ref": "https://zowe.org/schemas/v2/server-base#zoweComponent"},
- {
- "type": "object",
- "properties": {
- "port": {
- "$ref": "#/$defs/port",
- "default": 7558
- },
- "debug": {
- "type": "boolean",
- "description": "Enable debug logs in ZAAS service"
- },
- "heap": {
- "type": "object",
- "description": "Configure JVM parameters for heap size",
- "properties": {
- "init": {
- "type": "integer",
- "description": "Initial heap size in MB."
- },
- "max": {
- "type": "integer",
- "description": "Maximum heap size in MB."
- }
- }
- },
- "apiml": {
- "type": "object",
- "description": "Zowe API ML specific properties.",
- "properties": {
- "security": {
- "type": "object",
- "description": "Authentication and authorization options",
- "properties": {
- "useInternalMapper": {
- "type": "boolean",
- "description": "Enables direct native calls to z/OS to query distributed identity mappings and client certificate mappings. Use only if APIML is running on z/OS.",
- "default": false
- },
- "auth": {
- "type": "object",
- "description": "Authentication against API ML.",
- "properties": {
- "provider": {
- "type": "string",
- "description": "Which provider should be used to verify user credentials.",
- "enum": ["zosmf","saf"],
- "default": "zosmf"
- },
- "zosmf": {
- "type": "object",
- "description": "When zosmf is set as authentication provider, this section can be used to provide more details.",
- "properties": {
- "jwtAutoconfiguration": {
- "type": "string",
- "description": "Type of the token that is returned from zOSMF after login.",
- "enum": ["JWT","jwt","LTPA","ltpa"],
- "default": "jwt"
- },
- "serviceId": {
- "type": "string",
- "description": "Service ID of zOSMF from discovery service. Under this ID is zOSMF registered",
- "default": "zosmf"
- }
- }
- }
- }
- },
- "authorization": {
- "type": "object",
- "description": "Service info endpoints on ZAAS service can be protected by SAF resource check. Update this section to enable it.",
- "properties": {
- "provider": {
- "type": "string",
- "description": "Which provider will be used to validate access authorization.",
- "enum": ["endpoint","native","dummy"]
- },
- "endpoint": {
- "type": "object",
- "description": "Where the access will be validate.",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "Is this endpoint enabled?",
- "default": false
- },
- "url": {
- "type": "string",
- "description": "Url to validate the authorization."
- }
- }
- },
- "resourceClass": {
- "type": "string",
- "description": "zOS resource to verify access.",
- "default": "ZOWE"
- },
- "resourceNamePrefix": {
- "type": "string",
- "description": "Prefix of the resource.",
- "default": "APIML."
- }
- }
- },
- "x509": {
- "type": "object",
- "description": "Client certificate authentication support.",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "Enable if client certificate should be considered as a source of authentication.",
- "default": false
- },
- "acceptForwardedCert": {
- "type": "boolean",
- "description": "Enable if the the Client Certificate forwarded in a dedicated header should be accepted",
- "default": false
- },
- "certificatesUrl": {
- "type": "string",
- "description": "URL of the Central ZAAS and its endpoint where it provides its public certificates."
- },
- "externalMapperUrl": {
- "type": "string",
- "description": "URL of the service where certificate will be mapped to user. ZSS is used if no value is provided."
- },
- "externalMapperUser": {
- "type": "string",
- "description": "User that has permission to do such mapping. Zowe user is used if no value is provided."
- }
- }
- },
- "saf": {
- "type": "object",
- "description": "SAF IDT provider.",
- "properties": {
- "provider": {
- "type": "string",
- "description": "Method of communication used by the SAF IDT provider implementation. REST is used if no value is provided.",
- "enum": ["rest"],
- "default": "rest"
- },
- "urls": {
- "type": "string",
- "description": "URLs of the SAF IDT provider used for the token generation and verification.",
- "properties": {
- "authenticate": {
- "type": "string",
- "description": "URL of the SAF IDT provider used to generate the SAF token on behalf of the specified user."
- },
- "verify": {
- "type": "string",
- "description": "URL of the SAF IDT provider used to validate the SAF token."
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "server": {
- "type": "object",
- "description": "Configure ZAAS server properties.",
- "properties": {
- "ssl": {
- "type": "object",
- "description": "Network encryption for ZAAS service connections.",
- "properties": {
- "enabled": {
- "type": "boolean",
- "description": "Should ZAAS use encrypted communication?",
- "default": true
- }
- }
- }
-
- }
- },
- "spring": {
- "type": "object",
- "description": "Application framework parameters",
- "properties": {
- "profiles": {
- "type": "object",
- "description": "Profiles that can hold multiple configuration parameters.",
- "properties": {
- "active": {
- "type": "string",
- "description": "List of the active configuration profiles."
- }
- }
- }
- }
- }
- }
- }
- ]
- }
- }
- }
- }
- }
- ],
- "$defs": {
- "port": {
- "type": "integer",
- "description": "TCP network port",
- "minimum": 1024,
- "maximum": 65535
- },
- "routes": {
- "type": "array",
- "description": "Routing parameters",
- "items": {
- "type": "object",
- "properties": {
- "gatewayUrl": {
- "type": "string",
- "description": "The portion of the ZAAS URL which is replaced by the serviceUrl path."
- },
- "serviceUrl": {
- "type": "string",
- "description": "The portion of the service instance URL path which replaces the gatewayUrl part."
- }
- },
- "required": ["gatewayUrl","serviceUrl"]
- }
- }
- }
-}
diff --git a/zaas-package/build.gradle b/zaas-package/build.gradle
index e88b3a3ff7..2c869a0cd7 100644
--- a/zaas-package/build.gradle
+++ b/zaas-package/build.gradle
@@ -19,7 +19,11 @@ task packageZaas(type: Zip) {
 into('/') {
 from "$buildDir/convert/manifest.yaml"
- from "../schemas/zaas-schema.json"
+ }
+
+ into('schemas/') {
+ from "$resourceDir/schemas/zaas-config.json"
+ from "$resourceDir/schemas/zowe-schema.json"
 }
 into('bin/') {
diff --git a/zaas-package/src/main/resources/bin/start.sh b/zaas-package/src/main/resources/bin/start.sh
index 7d3b884cb0..577e288685 100755
--- a/zaas-package/src/main/resources/bin/start.sh
+++ b/zaas-package/src/main/resources/bin/start.sh
@@ -45,7 +45,7 @@
 # - ZWE_configs_apiml_security_x509_externalMapperUser
 # - ZWE_configs_apiml_security_x509_acceptForwardedCert
 # - ZWE_configs_apiml_security_x509_certificatesUrl
-# - ZWE_configs_apiml_security_zosmf_applid
+# - ZWE_zosmf_applId
 # - ZWE_configs_apiml_security_oidc_enabled
 # - ZWE_configs_apiml_security_oidc_clientId
 # - ZWE_configs_apiml_security_oidc_clientSecret
@@ -378,7 +378,7 @@ _BPX_JOBNAME=${ZWE_zowe_job_prefix}${ZAAS_CODE} ${JAVA_BIN_DIR}java \
 -Dapiml.security.saf.urls.verify=${ZWE_configs_apiml_security_saf_urls_verify:-${ZWE_components_gateway_apiml_security_saf_urls_verify:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/saf/verify"}} \
 -Dapiml.security.authorization.resourceClass=${ZWE_configs_apiml_security_authorization_resourceClass:-${ZWE_components_gateway_apiml_security_authorization_resourceClass:-ZOWE}} \
 -Dapiml.security.authorization.resourceNamePrefix=${ZWE_configs_apiml_security_authorization_resourceNamePrefix:-${ZWE_components_gateway_apiml_security_authorization_resourceNamePrefix:-APIML.}} \
- -Dapiml.security.zosmf.applid=${ZWE_configs_apiml_security_zosmf_applid:-${ZWE_components_gateway_apiml_security_zosmf_applid:-IZUDFLT}} \
+ -Dapiml.security.zosmf.applid=${ZWE_zosmf_applId:-IZUDFLT} \
 -Dapiml.security.oidc.enabled=${ZWE_configs_apiml_security_oidc_enabled:-${ZWE_components_gateway_apiml_security_oidc_enabled:-false}} \
 -Dapiml.security.oidc.registry=${ZWE_configs_apiml_security_oidc_registry:-${ZWE_components_gateway_apiml_security_oidc_registry:-}} \
 -Dapiml.security.oidc.identityMapperUrl=${ZWE_configs_apiml_security_oidc_identityMapperUrl:-${ZWE_components_gateway_apiml_security_oidc_identityMapperUrl:-"${internalProtocol:-https}://${ZWE_haInstance_hostname:-localhost}:${ZWE_components_gateway_port:-7554}/zss/api/v1/certificate/dn"}} \
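Review bot: The new applid lookup `-Dapiml.security.zosmf.applid=${ZWE_zosmf_applId:-IZUDFLT}` in the second hunk drops the previous fallbacks to `ZWE_configs_apiml_security_zosmf_applid` and `ZWE_components_gateway_apiml_security_zosmf_applid`, so an installation that still sets the applid under the component or gateway configuration silently reverts to `IZUDFLT` rather than the value it configured. Every other `-D` option in this block keeps its `ZWE_configs_...:-${ZWE_components_gateway_...:-default}` chain, so this one line now behaves differently from its neighbours. If the old keys are meant to be retired, a transitional fallback such as `-Dapiml.security.zosmf.applid=${ZWE_zosmf_applId:-${ZWE_configs_apiml_security_zosmf_applid:-IZUDFLT}} \` would avoid the silent change, and the variable list in the first hunk (around line 45) should then document that the old key is still honoured. The `java` invocation this line belongs to starts and ends outside the hunk.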
diff --git a/zaas-package/src/main/resources/manifest.yaml b/zaas-package/src/main/resources/manifest.yaml
index 74ef5cbb0e..95ca5d6bcd 100644
--- a/zaas-package/src/main/resources/manifest.yaml
+++ b/zaas-package/src/main/resources/manifest.yaml
@@ -9,7 +9,9 @@ title: ZAAS
 description: Zowe Authentication and Authorization Service.
 license: EPL-2.0
 schemas:
- configs: zaas-schema.json
+ configs:
+ - schemas/zowe-schema.json
+ - schemas/zaas-config.json
 repository:
 type: git
 url: https://github.com/zowe/api-layer.git
diff --git a/zaas-package/src/main/resources/schemas/zaas-config.json b/zaas-package/src/main/resources/schemas/zaas-config.json
new file mode 100644
index 0000000000..ad5e6889c4
--- /dev/null
+++ b/zaas-package/src/main/resources/schemas/zaas-config.json
@@ -0,0 +1,387 @@
+{
+ "$schema": "https://json-schema.org/draft/2019-09/schema",
+ "$id": "https://zowe.org/schemas/v2/zaas-config",
+ "title": "zaas configuration",
+ "description": "Configuration properties for ZAAS, as specified within a configuration file such as zowe.yaml",
+ "type": "object",
+ "properties": {
+ "port": {
+ "$ref": "#/$defs/port",
+ "default": 7558
+ },
+ "debug": {
+ "type": "boolean",
+ "description": "Enable debug logs in ZAAS service",
+ "default": false
+ },
+ "sslDebug": {
+ "type": "string",
+ "description": "Configure attributes fro SSL config, see java property javax.net.debug."
+ },
+ "heap": {
+ "type": "object",
+ "description": "Configure JVM parameters for heap size",
+ "properties": {
+ "init": {
+ "type": "integer",
+ "description": "Initial heap size in MB.",
+ "default": 32
+ },
+ "max": {
+ "type": "integer",
+ "description": "Maximum heap size in MB.",
+ "default": 512
+ }
+ }
+ },
+ "apiml": {
+ "type": "object",
+ "description": "Zowe API ML specific properties.",
+ "properties": {
+ "connection": {
+ "type": "object",
+ "properties": {
+ "idleConnectionTimeoutSeconds" : {
+ "type": "integer",
+ "description": "Specifies a timeout limit for idle client connections, in seconds.",
+ "default": 5
+ },
+ "timeout": {
+ "type": "integer",
+ "description": "Specifies a timeout limit for a connection, in milliseconds.",
+ "default": 60000
+ },
+ "timeToLive": {
+ "type": "integer",
+ "description": "Specifies a timeout limit how long to keep open connection to be reused, in milliseconds.",
+ "default": 60000
+ }
+ }
+ },
+ "health": {
+ "type": "object",
+ "properties": {
+ "protected": {
+ "type": "boolean",
+ "description": "Specifies if the /application/health endpoint is protected or accessible without any credentials.",
+ "default": true
+ }
+ }
+ },
+ "security": {
+ "type": "object",
+ "description": "Authentication and authorization options",
+ "properties": {
+ "useInternalMapper": {
+ "type": "boolean",
+ "description": "Enables direct native calls to z/OS to query distributed identity mappings and client certificate mappings. Use only if APIML is running on z/OS.",
+ "default": true
+ },
+ "auth": {
+ "type": "object",
+ "description": "Authentication against API ML.",
+ "properties": {
+ "provider": {
+ "type": "string",
+ "description": "Which provider should be used to verify user credentials.",
+ "enum": ["zosmf","saf"],
+ "default": "saf"
+ },
+ "zosmf": {
+ "type": "object",
+ "description": "When zosmf is set as authentication provider, this section can be used to provide more details.",
+ "properties": {
+ "jwtAutoconfiguration": {
+ "deprecated": true,
+ "type": "string",
+ "description": "Type of the token that is returned from zOSMF after login.",
+ "enum": ["JWT","jwt","LTPA","ltpa"],
+ "default": "jwt"
+ },
+ "serviceId": {
+ "type": "string",
+ "description": "Service ID of zOSMF from discovery service. Under this ID is zOSMF registered",
+ "default": "ibmzosmf"
+ }
+ }
+ },
+ "uniqueCookie": {
+ "type": "boolean",
+ "default": false
+ }
+ }
+ },
+ "authorization": {
+ "type": "object",
+ "description": "Service info endpoints on ZAAS service can be protected by SAF resource check. Update this section to enable it.",
+ "properties": {
+ "provider": {
+ "type": "string",
+ "description": "Which provider will be used to validate access authorization.",
+ "enum": ["endpoint","native","dummy"],
+ "default": "native"
+ },
+ "endpoint": {
+ "type": "object",
+ "description": "Where the access will be validate.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Is this endpoint enabled?",
+ "default": false
+ },
+ "url": {
+ "type": "string",
+ "description": "Url to validate the authorization."
+ }
+ }
+ },
+ "resourceClass": {
+ "type": "string",
+ "description": "zOS resource to verify access.",
+ "default": "ZOWE"
+ },
+ "resourceNamePrefix": {
+ "type": "string",
+ "description": "Prefix of the resource.",
+ "default": "APIML."
+ }
+ }
+ },
+ "x509": {
+ "type": "object",
+ "description": "Client certificate authentication support.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable if client certificate should be considered as a source of authentication.",
+ "default": false
+ },
+ "certificatesUrl": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "^(https?):\/\/",
+ "description": "URL of the trusted caller to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header."
+ },
+ "certificatesUrls": {
+ "type": "string",
+ "format": "uri",
+ "pattern": "https?:\/\/[^\\s,]+",
+ "description": "List of URLs of the trusted callers to obtain used certificate. Request signed by this certificate are authorized to accept client certificate provided in the header."
+ },
+ "externalMapperUrl": {
+ "type": "string",
+ "description": "URL of the service where certificate will be mapped to user. ZSS is used if no value is provided."
+ },
+ "externalMapperUser": {
+ "type": "string",
+ "description": "User that has permission to do such mapping. Zowe user is used if no value is provided."
+ }
+ },
+ "allOf": [
+ {
+ "if": {
+ "properties": {
+ "enabled": {
+ "const": true
+ }
+ }
+ },
+ "then": {
+ "anyOf": [
+ { "required": [ "certificatesUrl" ] },
+ { "required": [ "certificatesUrls" ] }
+ ]
+ }
+ }
+ ]
+ },
+ "oidc": {
+ "type": "object",
+ "description": "OIDC configuration.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Enable authentication with OIDC token.",
+ "default": false
+ },
+ "registry": {
+ "type": "string",
+ "description": "Registry name."
+ },
+ "identityMapperUrl": {
+ "type": "string",
+ "deprecated": true,
+ "format": "uri",
+ "pattern": "^(https?):\/\/",
+ "description": "URL where the Gateway can query the mapping of the distributed user ID to the mainframe user ID. ZSS is used if no value is provided."
+ },
+ "identityMapperUser": {
+ "type": "string",
+ "deprecated": true,
+ "description": "User with access to external user identity mapper specified in identityMapperUrl. Zowe user is used if no value is provided."
+ },
+ "jwks": {
+ "type": "object",
+ "description": "JWKS configuration",
+ "properties": {
+ "uri": {
+ "type": "string",
+ "description": "JWK set URL for OIDC token validation."
+ },
+ "refreshInternalHours": {
+ "type": "integer",
+ "description": "How often are JWKs renewed.",
+ "default": 1
+ }
+ }
+ },
+ "userIdField": {
+ "type": "string",
+ "description": "OIDC token field used for user mapping in SAF.",
+ "default": "sub"
+ },
+ "userInfo": {
+ "type": "object",
+ "description": "OIDC user info endpoint configuration.",
+ "properties": {
+ "uri": {
+ "type": "string",
+ "description": "OIDC user info endpoint URL."
+ }
+ }
+ },
+ "validationType": {
+ "type": "string",
+ "description": "How OIDC token is validated.",
+ "enum": ["JWK","endpoint"],
+ "default": "JWK"
+ }
+ }
+ },
+ "allowtokenrefresh": {
+ "type": "boolean",
+ "description": "Allow JWT to refresh.",
+ "default": false
+ },
+ "jwtInitializerTimeout": {
+ "type": "integer",
+ "description": "Timeout for initialization of JWT in minutes.",
+ "default": 5
+ },
+ "personalAccessToken": {
+ "type": "object",
+ "description": "Personal Access Tokens configuration.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "To enable Personal Access Tokens.",
+ "default": false
+ }
+ }
+ },
+ "saf": {
+ "type": "object",
+ "description": "SAF IDT provider.",
+ "properties": {
+ "provider": {
+ "type": "string",
+ "description": "Method of communication used by the SAF IDT provider implementation. REST is used if no value is provided.",
+ "enum": ["rest"],
+ "default": "rest"
+ },
+ "urls": {
+ "type": "string",
+ "description": "URLs of the SAF IDT provider used for the token generation and verification.",
+ "properties": {
+ "authenticate": {
+ "type": "string",
+ "description": "URL of the SAF IDT provider used to generate the SAF token on behalf of the specified user."
+ },
+ "verify": {
+ "type": "string",
+ "description": "URL of the SAF IDT provider used to validate the SAF token."
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "server": {
+ "type": "object",
+ "description": "Configure ZAAS server properties.",
+ "properties": {
+ "ssl": {
+ "type": "object",
+ "description": "Network encryption for ZAAS service connections.",
+ "properties": {
+ "enabled": {
+ "type": "boolean",
+ "description": "Should ZAAS use encrypted communication?",
+ "default": true
+ }
+ }
+ }
+
+ }
+ },
+ "spring": {
+ "type": "object",
+ "description": "Application framework parameters",
+ "properties": {
+ "profiles": {
+ "type": "object",
+ "description": "Profiles that can hold multiple configuration parameters.",
+ "properties": {
+ "active": {
+ "type": "string",
+ "description": "List of the active configuration profiles.",
+ "pattern": "^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$"
+ }
+ }
+ }
+ }
+ },
+ "logging": {
+ "type": "string",
+ "description": "Logging configuration for Gateway service.",
+ "properties": {
+ "config": {
+ "type": "string",
+ "description": "Path to custom logback configuration file.",
+ "minLength": 1,
+ "maxLength": 1024
+ }
+ }
+ }
+ },
+ "$defs": {
+ "port": {
+ "type": "integer",
+ "description": "TCP network port",
+ "minimum": 1024,
+ "maximum": 65535
+ },
+ "routes": {
+ "type": "array",
+ "description": "Routing parameters",
+ "items": {
+ "type": "object",
+ "properties": {
+ "gatewayUrl": {
+ "type": "string",
+ "description": "The portion of the ZAAS URL which is replaced by the serviceUrl path."
+ },
+ "serviceUrl": {
+ "type": "string",
+ "description": "The portion of the service instance URL path which replaces the gatewayUrl part."
+ }
+ },
+ "required": ["gatewayUrl","serviceUrl"]
+ }
+ }
+ }
+}
diff --git a/zaas-package/src/main/resources/schemas/zowe-schema.json b/zaas-package/src/main/resources/schemas/zowe-schema.json
new file mode 100644
index 0000000000..54e5370608
--- /dev/null
+++ b/zaas-package/src/main/resources/schemas/zowe-schema.json
@@ -0,0 +1,23 @@
+{
+ "$schema": "https://json-schema.org/draft/2019-09/schema",
+ "$id": "https://zowe.org/schemas/v2/zaas",
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base" },
+ { "type": "object",
+ "properties": {
+ "components": {
+ "type": "object",
+ "additionalProperties": true,
+ "properties": {
+ "zaas": {
+ "allOf": [
+ { "$ref": "/schemas/v2/server-base#zoweComponent" },
+ { "$ref": "/schemas/v2/zaas-config" }
+ ]
+ }
+ }
+ }
+ }
+ }
+ ]
+}
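Review bot: In the new zaas-config.json, `saf.urls` and top-level `logging` are declared `"type": "string"` yet carry a `properties` block, so a configuration that supplies the documented `authenticate`/`verify` or `config` sub-keys as an object fails validation and those sub-keys are never checked; both should read `"type": "object"`. `certificatesUrls` is likewise typed as a single `"format": "uri"` string although its description calls it a list, and its pattern `https?:\/\/[^\\s,]+` is unanchored, so it will match any string that merely contains a URL — an array with `"items": {"type": "string", "format": "uri"}` or a documented separator would make the constraint meaningful. Because `x509.certificatesUrl` is the endpoint whose certificate authorizes forwarded client certificates, consider restricting its pattern from `^(https?):\/\/` to `^https://`, and giving `oidc.jwks.uri` and `oidc.userInfo.uri`, which have no `format` or `pattern` at all, the same treatment. The `sslDebug` description also reads `fro` where `for` is meant.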