Last active
June 12, 2024 23:25
-
-
Save andrewkroh/206610eecade896de9862a552a065f0b to your computer and use it in GitHub Desktop.
Cuelang Schema of Beats TLS options
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Beats TLS configuration options. | |
| package tls | |
| $version: "v8.14.0" | |
| #base64String: =~"^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$" | |
| #hexSHA256: =~"^[a-fA-F0-9]{64}$" | |
| #pemCerts: =~"^(?:(?:-+BEGIN CERTIFICATE-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END CERTIFICATE-+\\s*))+$" | |
| #pemKey: =~"^(?:(?:-+BEGIN .*KEY-+\\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\\s+)+(?:-+END .*KEY-+\\s*))$" | |
| #tlsConfig: { | |
| // Enable TLS. | |
| enabled?: bool | |
| // Verification mode. | |
| // | |
| // * full - Verifies that the provided certificate is signed by a trusted | |
| // authority (CA) and also verifies that the server’s hostname (or IP | |
| // address) matches the names identified within the certificate. | |
| // * strict - Verifies that the provided certificate is signed by a trusted | |
| // authority (CA) and also verifies that the server’s hostname (or IP | |
| // address) matches the names identified within the certificate. If the | |
| // Subject Alternative Name is empty, it returns an error. | |
| // * certificate - Verifies that the provided certificate is signed by a | |
| // trusted authority (CA), but does not perform any hostname verification. | |
| // * none - Performs no verification of the server’s certificate. This mode | |
| // disables many of the security benefits of SSL/TLS and should only be | |
| // used after cautious consideration. It is primarily intended as a | |
| // temporary diagnostic mechanism when attempting to resolve TLS errors; | |
| // its use in production environments is strongly discouraged. | |
| verification_mode?: *"full" | "strict" | "certificate" | "none" | |
| // Supported TLS versions. | |
| versions?: *["TLSv1.1", "TLSv1.2", "TLSv1.3"] | [..."TLSv1" | "TLSv1.0" | "TLSv1.1" | "TLSv1.2" | "TLSv1.3"] | |
| // List of cipher suites to accept. This list is given in descending order of | |
| // priority. If this option is omitted, the Go crypto library’s default suites | |
| // are used. | |
| cipher_suites?: [ | |
| ..."ECDHE-ECDSA-AES-128-CBC-SHA" | | |
| "ECDHE-ECDSA-AES-128-CBC-SHA256" | | |
| "ECDHE-ECDSA-AES-128-GCM-SHA256" | | |
| "ECDHE-ECDSA-AES-256-CBC-SHA" | | |
| "ECDHE-ECDSA-AES-256-GCM-SHA384" | | |
| "ECDHE-ECDSA-CHACHA20-POLY1305" | | |
| "ECDHE-ECDSA-RC4-128-SHA" | | |
| "ECDHE-RSA-3DES-CBC3-SHA" | | |
| "ECDHE-RSA-AES-128-CBC-SHA" | | |
| "ECDHE-RSA-AES-128-CBC-SHA256" | | |
| "ECDHE-RSA-AES-128-GCM-SHA256" | | |
| "ECDHE-RSA-AES-256-CBC-SHA" | | |
| "ECDHE-RSA-AES-256-GCM-SHA384" | | |
| "ECDHE-RSA-CHACHA20-POLY1205" | | |
| "ECDHE-RSA-RC4-128-SHA" | | |
| "RSA-RC4-128-SHA" | | |
| "RSA-3DES-CBC3-SHA" | | |
| "RSA-AES-128-CBC-SHA" | | |
| "RSA-AES-128-CBC-SHA256" | | |
| "RSA-AES-128-GCM-SHA256" | | |
| "RSA-AES-256-CBC-SHA" | | |
| "RSA-AES-256-GCM-SHA384" | | |
| "TLS-AES-128-GCM-SHA256" | | |
| "TLS-AES-256-GCM-SHA384" | | |
| "TLS-CHACHA20-POLY1305-SHA256", | |
| ] | |
| // List of certificate authorities to trust. If empty or not set, then the | |
| // host's keystore is used. Each entry in the list may be either a file path | |
| // or PEM encoded certificate. | |
| certificate_authorities?: [...string] | |
| // The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral | |
| // key exchange). | |
| curve_types?: [..."P-256" | "P-384" | "P-521" | "X25519"] | |
| // List of base64 encoded SHA-256 certificate fingerprints. One of the listed | |
| // fingerprints must match a certificate in the peer's chain. | |
| // | |
| // This check is not a replacement for the normal SSL validation, but it adds | |
| // additional validation. If this option is used with verification_mode set to | |
| // none, the check will always fail because it will not receive any verified | |
| // chains. | |
| ca_sha256?: [...#base64String] | |
| // A hex encoded SHA-256 fingerprint of a certificate. If any certificate | |
| // matching this fingerprint is found in the peer's chain then peer is | |
| // trusted. | |
| ca_trusted_fingerprint?: #hexSHA256 | |
| { | |
| // The key passphrase used to decrypt an encrypted key. | |
| // | |
| // NOTE: This is a secret. | |
| key_passphrase?: string | |
| } | | |
| { | |
| // Path to a file containing the key passphrase used to decrypt an encrpyted key. | |
| key_passphrase_path?: string | |
| } | |
| } | |
| // TLS client config. | |
| #TLSClientConfig: { | |
| #tlsConfig | |
| { | |
| // PEM encoded client certificate that is used to authenticate this client | |
| // when the server requests client authentication. | |
| certificate: #pemCerts | |
| // PEM encoded certificate private key. | |
| // | |
| // NOTE: This is a secret. | |
| key: #pemKey | |
| } | {} | |
| } | |
| // TLS server config. | |
| #TLSServerConfig: { | |
| #tlsConfig | |
| // Type of allowed TLS renegotiations. | |
| // | |
| // * never - Disables renegotiation. | |
| // * once - Allows a remote server to request renegotiation once per connection. | |
| // * freely - Allows a remote server to request renegotiation repeatedly. | |
| renegotiation?: *"never" | "once" | "freely" | |
| // The type of client authentication mode. When certificate_authorities is | |
| // set, it defaults to required. Otherwise, it defaults to none. | |
| client_authentication?: "none" | "optional" | "required" | |
| // The end-entity (leaf) certificate that the server uses to identify itself. | |
| // If the certificate is signed by a certificate authority (CA), then it | |
| // should include intermediate CA certificates, sorted from leaf to root. | |
| certificate: #pemCerts | |
| // PEM encoded certificate private key. | |
| // | |
| // NOTE: This is a secret. | |
| key: #pemKey | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| openapi: 3.0.0 | |
| info: | |
| title: Beats TLS configuration options. | |
| version: v8.14.0 | |
| paths: {} | |
| components: | |
| schemas: | |
| TLSClientConfig: | |
| description: TLS client config. | |
| type: object | |
| allOf: | |
| - $ref: '#/components/schemas/tlsConfig' | |
| - oneOf: | |
| - required: | |
| - certificate | |
| - key | |
| properties: | |
| certificate: | |
| $ref: '#/components/schemas/pemCerts' | |
| key: | |
| $ref: '#/components/schemas/pemKey' | |
| - not: | |
| anyOf: | |
| - required: | |
| - certificate | |
| - key | |
| properties: | |
| certificate: | |
| $ref: '#/components/schemas/pemCerts' | |
| key: | |
| $ref: '#/components/schemas/pemKey' | |
| TLSServerConfig: | |
| description: TLS server config. | |
| type: object | |
| properties: | |
| renegotiation: | |
| description: |- | |
| Type of allowed TLS renegotiations. | |
| * never - Disables renegotiation. | |
| * once - Allows a remote server to request renegotiation once per connection. | |
| * freely - Allows a remote server to request renegotiation repeatedly. | |
| type: string | |
| enum: | |
| - never | |
| - once | |
| - freely | |
| default: never | |
| client_authentication: | |
| description: |- | |
| The type of client authentication mode. When certificate_authorities is | |
| set, it defaults to required. Otherwise, it defaults to none. | |
| type: string | |
| enum: | |
| - none | |
| - optional | |
| - required | |
| certificate: | |
| $ref: '#/components/schemas/pemCerts' | |
| key: | |
| $ref: '#/components/schemas/pemKey' | |
| allOf: | |
| - $ref: '#/components/schemas/tlsConfig' | |
| - required: | |
| - certificate | |
| - key | |
| base64String: | |
| type: string | |
| pattern: ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$ | |
| hexSHA256: | |
| type: string | |
| pattern: ^[a-fA-F0-9]{64}$ | |
| pemCerts: | |
| type: string | |
| pattern: ^(?:(?:-+BEGIN CERTIFICATE-+\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END CERTIFICATE-+\s*))+$ | |
| pemKey: | |
| type: string | |
| pattern: ^(?:(?:-+BEGIN .*KEY-+\s+)(?:([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?\s+)+(?:-+END .*KEY-+\s*))$ | |
| tlsConfig: | |
| type: object | |
| properties: | |
| enabled: | |
| description: Enable TLS. | |
| type: boolean | |
| verification_mode: | |
| description: |- | |
| Verification mode. | |
| * full - Verifies that the provided certificate is signed by a trusted | |
| authority (CA) and also verifies that the server’s hostname (or IP | |
| address) matches the names identified within the certificate. | |
| * strict - Verifies that the provided certificate is signed by a trusted | |
| authority (CA) and also verifies that the server’s hostname (or IP | |
| address) matches the names identified within the certificate. If the | |
| Subject Alternative Name is empty, it returns an error. | |
| * certificate - Verifies that the provided certificate is signed by a | |
| trusted authority (CA), but does not perform any hostname verification. | |
| * none - Performs no verification of the server’s certificate. This mode | |
| disables many of the security benefits of SSL/TLS and should only be | |
| used after cautious consideration. It is primarily intended as a | |
| temporary diagnostic mechanism when attempting to resolve TLS errors; | |
| its use in production environments is strongly discouraged. | |
| type: string | |
| enum: | |
| - full | |
| - strict | |
| - certificate | |
| - none | |
| default: full | |
| versions: | |
| description: Supported TLS versions. | |
| type: array | |
| items: | |
| type: string | |
| enum: | |
| - TLSv1 | |
| - TLSv1.0 | |
| - TLSv1.1 | |
| - TLSv1.2 | |
| - TLSv1.3 | |
| default: | |
| - TLSv1.1 | |
| - TLSv1.2 | |
| - TLSv1.3 | |
| cipher_suites: | |
| description: |- | |
| List of cipher suites to accept. This list is given in descending order of | |
| priority. If this option is omitted, the Go crypto library’s default suites | |
| are used. | |
| type: array | |
| items: | |
| type: string | |
| enum: | |
| - ECDHE-ECDSA-AES-128-CBC-SHA | |
| - ECDHE-ECDSA-AES-128-CBC-SHA256 | |
| - ECDHE-ECDSA-AES-128-GCM-SHA256 | |
| - ECDHE-ECDSA-AES-256-CBC-SHA | |
| - ECDHE-ECDSA-AES-256-GCM-SHA384 | |
| - ECDHE-ECDSA-CHACHA20-POLY1305 | |
| - ECDHE-ECDSA-RC4-128-SHA | |
| - ECDHE-RSA-3DES-CBC3-SHA | |
| - ECDHE-RSA-AES-128-CBC-SHA | |
| - ECDHE-RSA-AES-128-CBC-SHA256 | |
| - ECDHE-RSA-AES-128-GCM-SHA256 | |
| - ECDHE-RSA-AES-256-CBC-SHA | |
| - ECDHE-RSA-AES-256-GCM-SHA384 | |
| - ECDHE-RSA-CHACHA20-POLY1205 | |
| - ECDHE-RSA-RC4-128-SHA | |
| - RSA-RC4-128-SHA | |
| - RSA-3DES-CBC3-SHA | |
| - RSA-AES-128-CBC-SHA | |
| - RSA-AES-128-CBC-SHA256 | |
| - RSA-AES-128-GCM-SHA256 | |
| - RSA-AES-256-CBC-SHA | |
| - RSA-AES-256-GCM-SHA384 | |
| - TLS-AES-128-GCM-SHA256 | |
| - TLS-AES-256-GCM-SHA384 | |
| - TLS-CHACHA20-POLY1305-SHA256 | |
| certificate_authorities: | |
| description: |- | |
| List of certificate authorities to trust. If empty or not set, then the | |
| host's keystore is used. Each entry in the list may be either a file path | |
| or PEM encoded certificate. | |
| type: array | |
| items: | |
| type: string | |
| curve_types: | |
| description: |- | |
| The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral | |
| key exchange). | |
| type: array | |
| items: | |
| type: string | |
| enum: | |
| - P-256 | |
| - P-384 | |
| - P-521 | |
| - X25519 | |
| ca_sha256: | |
| description: |- | |
| List of base64 encoded SHA-256 certificate fingerprints. One of the listed | |
| fingerprints must match a certificate in the peer's chain. | |
| This check is not a replacement for the normal SSL validation, but it adds | |
| additional validation. If this option is used with verification_mode set to | |
| none, the check will always fail because it will not receive any verified | |
| chains. | |
| type: array | |
| items: | |
| $ref: '#/components/schemas/base64String' | |
| ca_trusted_fingerprint: | |
| $ref: '#/components/schemas/hexSHA256' | |
| oneOf: | |
| - allOf: | |
| - properties: | |
| key_passphrase: | |
| description: |- | |
| The key passphrase used to decrypt an encrypted key. | |
| NOTE: This is a secret. | |
| type: string | |
| - not: | |
| anyOf: | |
| - properties: | |
| key_passphrase_path: | |
| description: Path to a file containing the key passphrase used to decrypt an encrpyted key. | |
| type: string | |
| - allOf: | |
| - properties: | |
| key_passphrase_path: | |
| description: Path to a file containing the key passphrase used to decrypt an encrpyted key. | |
| type: string | |
| - not: | |
| anyOf: | |
| - properties: | |
| key_passphrase: | |
| description: |- | |
| The key passphrase used to decrypt an encrypted key. | |
| NOTE: This is a secret. | |
| type: string |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
To generate an openapi schema, use:
cue def beats.tls.cue -o api.tls.yaml --out openapi+yaml