{
"$id": "urn:aerleon:schemas:aerleon-definitions:1.0.0",
"$schema": "http://json-schema.org/draft-07/schema#",
"$comment": "https://aerleon.readthedocs.io/en/latest/reference/naming/",
"title": "Aerleon Network & Service Definitions",
"type": "object",
"additionalProperties": false,
"properties": {
"networks": {
"title": "Network Definition Section",
"description": "Policy files can reference the networks in this section by name. A network is a list of IP addresses or CIDR IP address ranges and may contain other networks.",
"type": "object",
"additionalProperties": { "$ref": "#/$defs/networkDefinition" },
"propertyNames": { "$ref": "#/$defs/token" }
},
"services": {
"title": "Service Definition Section",
"description": "Policy files can reference the services in this section by name. A service is a list of port/protocol pairs (e.g. port: 80, protocol: tcp) and can include port ranges. A service can include other services.",
"type": "object",
"additionalProperties": { "$ref": "#/$defs/serviceDefinition" },
"propertyNames": { "$ref": "#/$defs/token" }
}
},
"$defs": {
"token": {
"type": "string",
"pattern": "^[-_a-zA-Z0-9]+$"
},
"comment": {
"description": "Attach a comment directly to a value. This comment may be included in generated output on platforms that support it.",
"type": "string"
},
"address": {
"description": "Specifies an IP address or CIDR IP address range expression.",
"type": "string"
},
"fqdn": {
"description": "Specifies a fully qualified domain name with two or more labels.",
"type": "string",
"pattern": "^(?!.*://)(?=.{1,255}$)((.{1,63}\\.){1,127}(?![0-9]*$)[a-z0-9-]+\\.?)$"
},
"port": {
"description": "Specifies a port or port range, either as an integer or as a string of the form \"N\" or \"N-M\".",
"oneOf": [
{
"type": "string",
"pattern": "^\\d+-\\d+|^\\d+$"
},
{
"type": "integer"
}
]
},
"protocol": {
"description": "Specifies a protocol by name or number.",
"oneOf": [{ "type": "integer" }, { "type": "string" }]
},
"networkDefinition": {
"type": "object",
"title": "Network Definition",
"description": "Defines a named network, composed of IP addresses, IP address ranges, and references to other networks.\nAn object with the \"address\" property adds that address or address range to the network.\nAn object with the \"name\" property includes the contents of that network into this one.\nA single string also includes the content of that network into this one.",
"additionalProperties": false,
"required": ["values"],
"properties": {
"values": {
"description": "Lists the members of this network: IP addresses, IP address ranges, and references to other networks.\nAn object with the \"address\" property adds that address or address range to the network.\nAn object with the \"name\" property includes the contents of that network into this one.\nA single string also includes the content of that network into this one.",
"type": "array",
"items": {
"oneOf": [
{
"type": "string",
"title": "Network Reference",
"description": "Include another network by name.",
"$ref": "#/$defs/token"
},
{
"type": "object",
"required": ["address"],
"properties": {
"address": { "$ref": "#/$defs/address" },
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
},
{
"type": "object",
"required": ["fqdn"],
"properties": {
"fqdn": { "$ref": "#/$defs/fqdn" },
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
},
{
"type": "object",
"title": "Network Reference",
"required": ["name"],
"properties": {
"name": {
"description": "Include another network by name.",
"$ref": "#/$defs/token"
},
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
}
]
}
}
}
},
"serviceDefinition": {
"type": "array",
"title": "Service Definition",
"description": "Defines a named service, composed of protocol/port pairs and/or references to other services.",
"items": {
"oneOf": [
{
"type": "object",
"required": ["port", "protocol"],
"properties": {
"port": { "$ref": "#/$defs/port" },
"protocol": { "$ref": "#/$defs/protocol" },
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
},
{
"type": "object",
"title": "Service Reference",
"description": "Include another service by name.",
"required": ["name"],
"properties": {
"name": {
"description": "Include another service by name.",
"$ref": "#/$defs/token"
},
"comment": { "$ref": "#/$defs/comment" }
},
"additionalProperties": false
}
]
}
}
}
}