Documentation
¶
Overview ¶
Package cloudflare provides the Cloudflare integration definition for integrations
Index ¶
- Variables
- func Builder(runtime *RuntimeConfig) registry.Builder
- type AssetCollect
- type AssetSync
- type Client
- type ClientConfig
- type CloudflareClient
- type CredentialSchema
- type DirectorySync
- type DomainScanBuildReport
- type DomainScanBuildReportResult
- type DomainScanGatherEnrichment
- type DomainScanGatherEnrichmentResult
- type DomainScanPoll
- type DomainScanPollResult
- type DomainScanSubmit
- type DomainScanSubmitResult
- type FindingsCollect
- type FindingsSync
- type HealthCheck
- type InstallationMetadata
- type RuntimeConfig
- type ScanTaskError
- type ScanTaskErrors
- type UserInput
Constants ¶
This section is empty.
Variables ¶
var ( // ErrAPITokenMissing indicates the Cloudflare API token is missing from the credential ErrAPITokenMissing = errors.New("cloudflare: api token missing") // ErrCredentialInvalid indicates credential metadata could not be decoded ErrCredentialInvalid = errors.New("cloudflare: credential invalid") // ErrCredentialMetadataRequired indicates no credential metadata was provided ErrCredentialMetadataRequired = errors.New("cloudflare: credential metadata required") // ErrTokenVerificationFailed indicates the Cloudflare token verification failed ErrTokenVerificationFailed = errors.New("cloudflare: token verification failed") // ErrTokenNotActive indicates the Cloudflare token is not in an active state ErrTokenNotActive = errors.New("cloudflare: token is not active") // ErrClientType indicates the provided client is not a Cloudflare client ErrClientType = errors.New("cloudflare: unexpected client type") // ErrResultEncode indicates an operation result could not be serialized ErrResultEncode = errors.New("cloudflare: result encode failed") // ErrMembersFetchFailed indicates the account members list request failed ErrMembersFetchFailed = errors.New("cloudflare: members fetch failed") // ErrMembersFetchFailed indicates the account members list request failed ErrGroupsFetchFailed = errors.New("cloudflare: groups fetch failed") // ErrPayloadEncode indicates a collected Cloudflare payload could not be serialized for ingest ErrPayloadEncode = errors.New("cloudflare: ingest payload encode failed") // ErrAccountIDMissing indicates the account ID is missing from user input ErrAccountIDMissing = errors.New("cloudflare: account id missing") // ErrOperationConfigInvalid indicates operation configuration could not be decoded ErrOperationConfigInvalid = errors.New("cloudflare: operation config invalid") // ErrFindingsFetchFailed indicates the Security Center insights list request failed ErrFindingsFetchFailed = errors.New("cloudflare: findings fetch failed") // ErrAssetsFetchFailed indicates the Registrar registrations list request failed ErrAssetsFetchFailed = errors.New("cloudflare: assets fetch failed") // ErrRuntimeConfigDecode indicates the runtime Cloudflare config could not be decoded ErrRuntimeConfigDecode = errors.New("cloudflare: runtime config decode failed") // ErrRuntimeConfigInvalid indicates the runtime Cloudflare config is missing required fields ErrRuntimeConfigInvalid = errors.New("cloudflare: runtime config invalid") // ErrDomainScanSubmitFailed indicates the URL Scanner bulk submission request failed ErrDomainScanSubmitFailed = errors.New("cloudflare: domain scan submit failed") // ErrDomainScanResultFailed indicates the URL Scanner result retrieval request failed ErrDomainScanResultFailed = errors.New("cloudflare: domain scan result fetch failed") // ErrDomainScanTaskFailed indicates Cloudflare reported the scan task itself failed ErrDomainScanTaskFailed = errors.New("cloudflare: domain scan task failed") )
var ( // DefinitionID is the stable identifier for the Cloudflare integration definition DefinitionID = types.NewDefinitionRef("def_01K0CFLARE00000000000000001") _,// domainScanSubmitSchema is the operation ref for submitting domains to the URL Scanner DomainScanSubmitOp = providerkit.OperationSchema[DomainScanSubmit]() _,//nolint:revive // domainScanPollSchema is the operation ref for polling a submitted URL Scanner result DomainScanPollOp = providerkit.OperationSchema[DomainScanPoll]() _,//nolint:revive // domainScanGatherEnrichmentSchema is the operation ref for gathering enrichment data for a domain DomainScanGatherEnrichmentOp = providerkit.OperationSchema[DomainScanGatherEnrichment]() _,//nolint:revive // domainScanBuildReportSchema is the operation ref for building the scan report from a completed URL Scanner result and gathered enrichment DomainScanBuildReportOp = providerkit.OperationSchema[DomainScanBuildReport]() //nolint:revive )
Functions ¶
func Builder ¶
func Builder(runtime *RuntimeConfig) registry.Builder
Builder returns the Cloudflare definition builder with the supplied runtime config applied. runtime.DomainScan configures vendor/technology classification for onboarding domain scan reports. When devMode is true or runtime.Provisioned() is true, a RuntimeIntegration is included so system-initiated calls (e.g. onboarding domain scans) can use the operator-owned account
Types ¶
type AssetCollect ¶ added in v1.23.0
type AssetCollect struct{}
AssetCollect collects Cloudflare domain registrations and stores them as assets
func (AssetCollect) IngestHandle ¶ added in v1.23.0
func (a AssetCollect) IngestHandle() types.IngestHandler
IngestHandle adapts asset collection to the ingest operation registration boundary
func (AssetCollect) Run ¶ added in v1.23.0
func (AssetCollect) Run(ctx context.Context, credentials types.CredentialBindings, client *CloudflareClient) ([]types.IngestPayloadSet, error)
Run collects Cloudflare domain registrations and emits asset ingest payloads
type AssetSync ¶ added in v1.23.0
type AssetSync struct {
// Disable is used to disable the asset sync operation from Cloudflare
Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of domains from Cloudflare Registrar"`
// FilterExpr limits imported records to envelopes matching the CEL expression
FilterExpr string `` /* 181-byte string literal not displayed */
}
AssetSync holds installation-specific configuration for Cloudflare domain assets
type ClientConfig ¶ added in v1.27.12
type ClientConfig struct {
// AccountID is the Cloudflare account this client is scoped to
AccountID string
// APIToken is the raw Cloudflare API token, needed by calls made outside the SDK client
// (e.g. Browser Rendering requests issued directly by the domain scan enrichment operation)
APIToken string
// DomainScan configures vendor/technology classification for onboarding domain scan
// reports; runtime client only
DomainScan domainscan.ReportConfig
}
ClientConfig holds the account and domain scan settings a CloudflareClient is built from, sourced from either per-installation credentials or the operator-owned runtime config
type CloudflareClient ¶ added in v1.27.12
type CloudflareClient struct {
*cf.Client
// Config holds the account scope and domain scan settings this client was built with
Config ClientConfig
}
CloudflareClient wraps the Cloudflare SDK client with the account it's scoped to: the customer's own account for installation-bound operations, or the operator-owned account for system-initiated operations run through the runtime path. Config.DomainScan is only populated for the runtime (system) client, used by the domain scan enrichment operation
type CredentialSchema ¶
type CredentialSchema struct {
// APIToken is the Cloudflare API token with permissions to read account and zone metadata
APIToken string `json:"apiToken" jsonschema:"required,title=API Token"`
// AccountID is the Cloudflare account identifier used for account-scoped API calls
AccountID string `` /* 137-byte string literal not displayed */
}
CredentialSchema holds the Cloudflare API credentials for one installation
type DirectorySync ¶
type DirectorySync struct {
// Disable is used to disable the directory sync operation from Cloudflare
Disable bool `json:"disable,omitempty" jsonschema:"title=Disable,description=Disable the syncing of users and groups from Cloudflare"`
// FilterExpr limits imported records to envelopes matching the CEL expression
FilterExpr string `` /* 216-byte string literal not displayed */
}
DirectorySync holds installation-specific configuration collected from the user
func (DirectorySync) IngestHandle ¶
func (d DirectorySync) IngestHandle() types.IngestHandler
IngestHandle adapts directory sync to the ingest operation registration boundary
func (DirectorySync) Run ¶
func (DirectorySync) Run(ctx context.Context, credentials types.CredentialBindings, client *CloudflareClient) ([]types.IngestPayloadSet, error)
Run collects Cloudflare account members and emits directory account ingest payloads
type DomainScanBuildReport ¶ added in v1.27.12
type DomainScanBuildReport struct {
// InternalScanID is the openlane Scan record id the built report belongs to
InternalScanID string `json:"internalScanId"`
// Result is the completed URL Scanner task result to build the report from
Result json.RawMessage `json:"result"`
// Enrichment is the company profile, compliance, and DNS vendor data gathered via
// DomainScanGatherEnrichment
Enrichment domainscan.Enrichment `json:"enrichment"`
}
DomainScanBuildReport combines a completed URL Scanner result with previously-gathered enrichment data (company profile, compliance, and DNS vendor data) and builds the structured onboarding domain scan report
func (DomainScanBuildReport) Handle ¶ added in v1.27.12
func (b DomainScanBuildReport) Handle() types.OperationHandler
Handle adapts domain scan report building to the generic operation registration boundary
func (DomainScanBuildReport) Run ¶ added in v1.27.12
func (DomainScanBuildReport) Run(_ context.Context, client *CloudflareClient, cfg DomainScanBuildReport) (DomainScanBuildReportResult, error)
Run builds the structured scan report from the submitted URL Scanner result plus the already-gathered enrichment data
type DomainScanBuildReportResult ¶ added in v1.27.12
type DomainScanBuildReportResult struct {
// Data is the structured scan report, ready to persist on the Scan record
Data map[string]any `json:"data"`
}
DomainScanBuildReportResult carries the structured report built from the scan result and enrichment
type DomainScanGatherEnrichment ¶ added in v1.27.12
type DomainScanGatherEnrichment struct {
// Domain is the domain to gather enrichment for
Domain string `json:"domain"`
// ForceRefresh bypasses Cloudflare's Browser Rendering cache, forcing a fresh render
ForceRefresh bool `json:"forceRefresh,omitempty"`
}
DomainScanGatherEnrichment gathers company profile, compliance, and DNS vendor data for a domain
func (DomainScanGatherEnrichment) Handle ¶ added in v1.27.12
func (e DomainScanGatherEnrichment) Handle() types.OperationHandler
Handle adapts domain scan enrichment gathering to the generic operation registration boundary
func (DomainScanGatherEnrichment) Run ¶ added in v1.27.12
func (DomainScanGatherEnrichment) Run(ctx context.Context, client *CloudflareClient, cfg DomainScanGatherEnrichment) (DomainScanGatherEnrichmentResult, error)
Run gathers company profile, compliance, and DNS vendor data for the domain
type DomainScanGatherEnrichmentResult ¶ added in v1.27.12
type DomainScanGatherEnrichmentResult struct {
// Enrichment is the gathered company profile, compliance, and DNS vendor data
Enrichment domainscan.Enrichment `json:"enrichment"`
}
DomainScanGatherEnrichmentResult carries the gathered enrichment data
type DomainScanPoll ¶ added in v1.27.12
type DomainScanPoll struct {
// ScanResultID is the scan ID returned by DomainScanSubmit
ScanResultID string `json:"scanResultId"`
}
DomainScanPoll retrieves a previously submitted URL Scanner result by scan ID
func (DomainScanPoll) Handle ¶ added in v1.27.12
func (p DomainScanPoll) Handle() types.OperationHandler
Handle adapts domain scan polling to the generic operation registration boundary
func (DomainScanPoll) Run ¶ added in v1.27.12
func (DomainScanPoll) Run(ctx context.Context, client *CloudflareClient, cfg DomainScanPoll) (DomainScanPollResult, error)
Run retrieves a URL Scanner result by scan ID through. A 400 or 404 shortly after submission usually just means Cloudflare hasn't indexed the scan yet, so those are retried with a flat delay before giving up
type DomainScanPollResult ¶ added in v1.27.12
type DomainScanPollResult struct {
// Result is the raw URL Scanner result payload
Result *url_scanner.ScanGetResponse `json:"result"`
// TaskErrors lists task-level errors reported alongside the result, if any
TaskErrors ScanTaskErrors `json:"taskErrors,omitempty"`
}
DomainScanPollResult carries the raw URL Scanner result plus any task-level errors
type DomainScanSubmit ¶ added in v1.27.12
type DomainScanSubmit struct {
// Domains is the list of domains to submit for scanning
Domains []string `json:"domains"`
}
DomainScanSubmit submits domains to Cloudflare's URL Scanner for scanning
func (DomainScanSubmit) Handle ¶ added in v1.27.12
func (s DomainScanSubmit) Handle() types.OperationHandler
Handle adapts domain scan submission to the generic operation registration boundary
func (DomainScanSubmit) Run ¶ added in v1.27.12
func (DomainScanSubmit) Run(ctx context.Context, client *CloudflareClient, cfg DomainScanSubmit) (DomainScanSubmitResult, error)
Run submits the domains to Cloudflare's URL Scanner, batching requests as needed
type DomainScanSubmitResult ¶ added in v1.27.12
type DomainScanSubmitResult struct {
// Scans is the list of scan tasks created by Cloudflare's URL Scanner
Scans []url_scanner.ScanBulkNewResponse `json:"scans"`
}
DomainScanSubmitResult is the set of scan tasks created by a submission
type FindingsCollect ¶ added in v1.21.7
type FindingsCollect struct{}
FindingsCollect collects Cloudflare Security Center insights for ingest as findings
func (FindingsCollect) IngestHandle ¶ added in v1.21.7
func (f FindingsCollect) IngestHandle() types.IngestHandler
IngestHandle adapts findings collection to the ingest operation registration boundary
func (FindingsCollect) Run ¶ added in v1.21.7
func (FindingsCollect) Run(ctx context.Context, credentials types.CredentialBindings, client *CloudflareClient, lastRunAt *time.Time) ([]types.IngestPayloadSet, error)
Run collects Cloudflare Security Center insights and emits finding ingest payloads
type FindingsSync ¶ added in v1.21.7
type FindingsSync struct {
// Disable is used to disable the findings sync operation from Cloudflare
Disable bool `` /* 136-byte string literal not displayed */
// FilterExpr limits imported records to envelopes matching the CEL expression
FilterExpr string `` /* 185-byte string literal not displayed */
}
FindingsSync holds installation-specific configuration for Cloudflare Security Center insights
type HealthCheck ¶
type HealthCheck struct {
// Status is the token verification status returned by Cloudflare
Status string `json:"status,omitempty"`
// ExpiresOn is the token expiry time if set
ExpiresOn string `json:"expiresOn,omitempty"`
}
HealthCheck holds the result of a Cloudflare health check
func (HealthCheck) Handle ¶
func (h HealthCheck) Handle() types.OperationHandler
Handle adapts the health check to the generic operation registration boundary
func (HealthCheck) Run ¶
func (HealthCheck) Run(ctx context.Context, credentials types.CredentialBindings, c *CloudflareClient) (json.RawMessage, error)
Run executes the Cloudflare token verification
type InstallationMetadata ¶
type InstallationMetadata struct {
// AccountID is the Cloudflare account identifier used for account-scoped collection
AccountID string `json:"accountId,omitempty" jsonschema:"title=Account ID"`
}
InstallationMetadata holds the stable Cloudflare account identity for one installation
func (InstallationMetadata) InstallationIdentity ¶
func (m InstallationMetadata) InstallationIdentity() types.IntegrationInstallationIdentity
InstallationIdentity implements types.InstallationIdentifiable
type RuntimeConfig ¶ added in v1.27.12
type RuntimeConfig struct {
// APIToken is the Cloudflare API token for the operator-owned account
APIToken string `` /* 126-byte string literal not displayed */
// AccountID is the Cloudflare account identifier for the operator-owned account
AccountID string `json:"accountid" koanf:"accountid" jsonschema:"description=Cloudflare account ID for the operator-owned account"`
// DomainScan configures vendor/technology classification and enrichment behavior for
// onboarding domain scan reports
DomainScan domainscan.ReportConfig `` /* 153-byte string literal not displayed */
}
RuntimeConfig is the runtime-provisioned configuration for the operator-owned Cloudflare account. Sourced from koanf/environment at startup; used for system-initiated Cloudflare calls (e.g. onboarding domain scans) that are not tied to a customer installation
func (RuntimeConfig) Provisioned ¶ added in v1.27.12
func (c RuntimeConfig) Provisioned() bool
Provisioned reports whether the runtime config has the minimum required fields to make Cloudflare API calls
type ScanTaskError ¶ added in v1.27.12
type ScanTaskError struct {
Name string `json:"name"`
Message string `json:"message"`
Detail string `json:"detail"`
Code int `json:"code"`
}
ScanTaskError is a single error reported in a URL Scanner task's error list
func (ScanTaskError) Error ¶ added in v1.27.12
func (e ScanTaskError) Error() string
Error returns a human-readable representation of the scan task error
type ScanTaskErrors ¶ added in v1.27.12
type ScanTaskErrors []ScanTaskError
ScanTaskErrors is a list of ScanTaskError, satisfying the error interface when non-empty
func (ScanTaskErrors) Error ¶ added in v1.27.12
func (e ScanTaskErrors) Error() string
Error joins every task error's message with "; "
type UserInput ¶
type UserInput struct {
// DirectorySync includes the configuration for identity accounts from Cloudflare members
DirectorySync DirectorySync `json:"directorySync,omitempty" jsonschema:"title=Directory Account Sync"`
// AssetSync includes the configuration for Cloudflare domains as assets
AssetSync AssetSync `json:"assetSync,omitempty" jsonschema:"title=Cloudflare Asset Sync"`
// FindingsSync includes the configuration for findings from Cloudflare Security Center insights
FindingsSync FindingsSync `json:"findingSync,omitempty" jsonschema:"title=Security Insights Sync"`
}
UserInput holds installation-specific configuration collected from the user