
Commit 0e7c23c

feat: Refactored APIM policies into reusable builder component (#387)
Resolves an issue where the APIM policy overwrites any changes made outside of the serverless yaml config. Adds support for JWT validation. Adds support for IP filter.
1 parent 4f39681 commit 0e7c23c

14 files changed

+782
-124
lines changed

package-lock.json

Lines changed: 38 additions & 30 deletions

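--- a/package.json
+++ b/package.json
@@ -61,7 +61,7 @@
 "request": "^2.81.0",
 "rimraf": "^2.7.1",
 "semver": "^6.3.0",
-"xml": "^1.0.1"
+"xml2js": "^0.4.22"
 },
 "devDependencies": {
 "@azure/ms-rest-js": "^1.8.7",
@@ -74,6 +74,7 @@
 "@types/request": "^2.48.1",
 "@types/serverless": "^1.18.2",
 "@types/xml": "^1.0.3",
+"@types/xml2js": "^0.4.5",
 "@typescript-eslint/eslint-plugin": "^1.9.0",
 "@typescript-eslint/parser": "^1.9.0",
 "axios-mock-adapter": "^1.16.0",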

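--- a/src/models/apiManagement.ts
+++ b/src/models/apiManagement.ts
@@ -12,11 +12,20 @@ export interface ApiManagementConfig {
 backends?: BackendContract[];
 /** The API's CORS policy */
 cors?: ApiCorsPolicy;
+/** The API's JWT validation policy */
+jwtValidate?: ApiJwtValidatePolicy;
+/** The API's IP Filter policy */
+ipFilter?: ApiIpFilterPolicy;
+/** The pricing SKU for the APIM instance */
 sku?: {
+/** The SKU name, (consumption | developer | basic | standard | premium) */
 name?: string;
+/** The max number of reserved nodes for the specified SKU */
 capacity?: number;
 };
+/** The publisher e-mail associated with the APIM instance */
 publisherEmail?: string;
+/** The publisher name associated with the APIM instance */
 publisherName?: string;
 }
 
@@ -35,3 +44,73 @@ export interface ApiCorsPolicy {
 /** A list of headers exposed during OPTION preflight requests */
 exposeHeaders: string[];
 }
+
+/**
+* Defines an APIM JWT validation policy
+* See https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT for more information
+*/
+export interface ApiJwtValidatePolicy {
+/** The name of the query string parameter that contains the JWT token */
+queryParamName?: string;
+/** The name of the HTTP header that contains the JWT token */
+headerName?: string;
+/** An explicit JWT token value to validate */
+tokenValue?: string;
+/** The authorization scheme to acceept (ex. bearer) */
+scheme?: string;
+/** The HTTP status code to return for a failed response */
+failedStatusCode?: number;
+/** The error message to return for a failed response */
+failedErrorMessage?: string;
+/** Whether or not an expiration claim is required in the token */
+requireExpirationTime?: boolean;
+/** Whether or not tokens must be signed */
+requireSignedTokens?: boolean;
+/** Number of seconds to skew the clock */
+clockSkew?: number;
+/** String. Name of context variable that will receive token value as an object of type Jwt upon successful token validation */
+outputTokenVariableName?: string;
+/** Specifies the OpenID configuration used to validate the JWT token */
+openId?: {
+/** Link to the OpenID metadata url */
+metadataUrl: string;
+};
+/** List of valid Base64 encoded signing keys */
+signingKeys?: string[];
+/** List of valie Base64 encoded decryption keys */
+decryptionKeys?: string[];
+/** List of valid audiences for the token */
+audiences?: string[];
+/** List of valid issuers for the token */
+issuers?: string[];
+/** List of claims that must exist within the token */
+requiredClaims?: ApiJwtClaim[];
+}
+
+/**
+* A JWT validation claim
+*/
+export interface ApiJwtClaim {
+/** The name of the claim to validate */
+name: string;
+/** Whether the claim value must contain all or any value */
+match: "all" | "any";
+/** The seperator used to parse multi-valued claims */
+separator?: string;
+/** The values to match against */
+values?: string[];
+}
+
+/**
+* A IP Filter validation policy
+*/
+export interface ApiIpFilterPolicy {
+/** Whether the policy should allow or forbid the address specification */
+action: "allow" | "forbid";
+addresses?: string[];
+/** The range of IP addresses to apply to the policy */
+addressRange?: {
+from: string;
+to: string;
+};
+}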
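Review bot: `signingKeys` and `decryptionKeys` in `ApiJwtValidatePolicy` are typed as plain `string[]` and their comments only say "Base64 encoded", so nothing tells a user that these fields carry secret key material which would otherwise be committed as literals in the serverless yaml; the comment should say so, e.g. `/** List of valid Base64 encoded signing keys. Secret material: reference a variable or secret store rather than a literal in the committed config */`, with the same note on `decryptionKeys`. `addresses` in `ApiIpFilterPolicy` is the only field in these three interfaces without a doc comment; `/** The individual IP addresses to apply to the policy */` would match the surrounding style. Every validation source in `ApiJwtValidatePolicy` (`openId`, `signingKeys`, `audiences`, `issuers`, `requiredClaims`) is optional, so a `jwtValidate: {}` config type-checks; whether the builder rejects that is not visible in this commit, so a comment on the interface naming the minimum required combination would help callers. Minor: "acceept", "valie" and "seperator" in the new comments are misspelled.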
