consent 변화 내부 머지 완료

docker/ory/clickhouse/init.sql

@@ -7,13 +7,23 @@ CREATE TABLE IF NOT EXISTS ory.oathkeeper_access_logs (
   path String DEFAULT '',
   status UInt16 DEFAULT 0,
   latency_ms UInt32 DEFAULT 0,
+  client_id String DEFAULT '',
   rp String DEFAULT '',
   action String DEFAULT '',
   target String DEFAULT '',
+  rule_id String DEFAULT '',
+  host String DEFAULT '',
+  scheme String DEFAULT '',
+  query String DEFAULT '',
+  upstream_url String DEFAULT '',
   subject String DEFAULT '',
+  parent_session_id String DEFAULT '',
   client_ip String DEFAULT '',
   user_agent String DEFAULT '',
+  referer String DEFAULT '',
   decision String DEFAULT '',
+  bytes_in UInt64 DEFAULT 0,
+  bytes_out UInt64 DEFAULT 0,
   trace_id String DEFAULT '',
   span_id String DEFAULT '',
   raw String DEFAULT ''

docker/ory/oathkeeper/rules.draft.json

@@ -84,5 +84,33 @@
     "authenticators": [{ "handler": "noop" }],
     "authorizer": { "handler": "allow" },
     "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "rp-template-browser",
+    "description": "RP proxy (browser session). TODO: match.url/upstream.url을 실제 RP로 좁혀야 함.",
+    "match": {
+      "url": "http://<.*>/rp/<.*>",
+      "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://rp_upstream:8080"
+    },
+    "authenticators": [{ "handler": "cookie_session" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
+  },
+  {
+    "id": "rp-template-bearer",
+    "description": "RP proxy (bearer). TODO: oauth2_introspection 또는 jwt 활성화 필요.",
+    "match": {
+      "url": "http://<.*>/rp-api/<.*>",
+      "methods": ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
+    },
+    "upstream": {
+      "url": "http://rp_upstream:8080"
+    },
+    "authenticators": [{ "handler": "oauth2_introspection" }],
+    "authorizer": { "handler": "allow" },
+    "mutators": [{ "handler": "noop" }]
   }
 ]

docker/ory/vector/vector.toml

@@ -15,6 +15,9 @@
     request_method = get(parsed, ["request", "method"]) ?? ""
     request_path = get(parsed, ["request", "path"]) ?? ""
     request_url = get(parsed, ["request", "url"]) ?? ""
+    request_host = get(parsed, ["request", "host"]) ?? ""
+    request_scheme = get(parsed, ["request", "scheme"]) ?? ""
+    request_query = get(parsed, ["request", "query"]) ?? ""
     .method = parsed.method ?? parsed.http_method ?? request_method ?? ""
     .path = parsed.path ?? parsed.http_path ?? request_path ?? request_url ?? ""
     response_status = get(parsed, ["response", "status"]) ?? 0
@@ -27,6 +30,7 @@
     .user_agent = parsed.user_agent
     if is_null(.user_agent) { .user_agent = get(headers, ["User-Agent"]) }
     if is_null(.user_agent) { .user_agent = "" }
+    .referer = get(headers, ["Referer"]) ?? ""
 
     .decision = parsed.decision
     if is_null(.decision) { .decision = parsed.result }
@@ -38,9 +42,18 @@
     .span_id = parsed.span_id
     if is_null(.span_id) { .span_id = "" }
 
-    .rp = ""
-    .action = ""
-    .target = ""
+    .rp = parsed.rp ?? ""
+    .action = parsed.action ?? ""
+    .target = parsed.target ?? ""
+    .rule_id = parsed.rule_id ?? get(parsed, ["rule", "id"]) ?? ""
+    .client_id = parsed.client_id ?? get(parsed, ["client", "id"]) ?? ""
+    .parent_session_id = parsed.parent_session_id ?? get(parsed, ["extra", "parent_session_id"]) ?? ""
+    .host = parsed.host ?? request_host ?? ""
+    .scheme = parsed.scheme ?? request_scheme ?? ""
+    .query = parsed.query ?? request_query ?? ""
+    .upstream_url = parsed.upstream_url ?? get(parsed, ["upstream", "url"]) ?? ""
+    .bytes_in = to_int(parsed.bytes_in ?? parsed.request_bytes ?? 0) ?? 0
+    .bytes_out = to_int(parsed.bytes_out ?? parsed.response_bytes ?? 0) ?? 0
   '''
 
 [sinks.clickhouse]