From ce02055f560a0ced2969c762903cb994f10adfb3 Mon Sep 17 00:00:00 2001 
From: adibmbrk Date: Thu, 30 Jan 2025 15:43:38 +0530 Subject: [PATCH] Add deployment.toml and policy templates --- resources/deployment.toml | 169 ++++++++++++++++++ .../authn_group_based_policy_template.xml | 33 ++++ .../authn_role_based_policy_template.xml | 33 ++++ .../authn_scope_based_policy_template.xml | 32 ++++ ...hn_time_and_role_based_policy_template.xml | 42 +++++ ...n_time_and_scope_based_policy_template.xml | 41 +++++ ...e_and_user_claim_based_policy_template.xml | 43 +++++ ...e_and_user_store_based_policy_template.xml | 45 +++++ .../authn_time_based_policy_template.xml | 29 +++ ...authn_user_claim_based_policy_template.xml | 36 ++++ ...authn_user_store_based_policy_template.xml | 36 ++++ .../policies/eval_permission_tree_policy.xml | 26 +++ ...rovisioning_role_based_policy_template.xml | 70 ++++++++ ...ng_time_and_role_based_policy_template.xml | 89 +++++++++ ...e_and_user_claim_based_policy_template.xml | 96 ++++++++++ ...rovisioning_time_based_policy_template.xml | 33 ++++ ...oning_user_claim_based_policy_template.xml | 78 ++++++++ ...e_based_token_issuance_policy_template.xml | 41 +++++ ...based_token_validation_policy_template.xml | 38 ++++ 19 files changed, 1010 insertions(+) create mode 100644 resources/deployment.toml create mode 100644 resources/policies/authn_group_based_policy_template.xml create mode 100644 resources/policies/authn_role_based_policy_template.xml create mode 100644 resources/policies/authn_scope_based_policy_template.xml create mode 100644 resources/policies/authn_time_and_role_based_policy_template.xml create mode 100644 resources/policies/authn_time_and_scope_based_policy_template.xml create mode 100644 resources/policies/authn_time_and_user_claim_based_policy_template.xml create mode 100644 resources/policies/authn_time_and_user_store_based_policy_template.xml create mode 100644 resources/policies/authn_time_based_policy_template.xml create mode 100644 resources/policies/authn_user_claim_based_policy_template.xml create 
mode 100644 resources/policies/authn_user_store_based_policy_template.xml
 create mode 100644 resources/policies/eval_permission_tree_policy.xml
 create mode 100644 resources/policies/provisioning_role_based_policy_template.xml
 create mode 100644 resources/policies/provisioning_time_and_role_based_policy_template.xml
 create mode 100644 resources/policies/provisioning_time_and_user_claim_based_policy_template.xml
 create mode 100644 resources/policies/provisioning_time_based_policy_template.xml
 create mode 100644 resources/policies/provisioning_user_claim_based_policy_template.xml
 create mode 100755 resources/policies/scope_based_token_issuance_policy_template.xml
 create mode 100755 resources/policies/scope_based_token_validation_policy_template.xml
diff --git a/resources/deployment.toml b/resources/deployment.toml
new file mode 100644
index 000000000..ca7e1a47c
--- /dev/null
+++ b/resources/deployment.toml
@@ -0,0 +1,169 @@
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_policy_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_policy_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_policy_mgt_delete"]
+
+# Entitlement Subscriber API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_subscriber_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_subscriber_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_subscriber_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_subscriber_mgt_delete"]
+
+# Entitlement Policy Publish API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/publish(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_publish"]
+
+# Entitlement Global Policy Combining Algorithm API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_gpa_get"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_gpa_set"]
+
+[[api_resources]]
+name = "Entitlement Policies API"
+identifier = "/api/identity/entitlement/v1/entitlements/policies"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Policy"
+name = "internal_entitlement_policy_mgt_create"
+description = "Create new Policy"
+
+[[api_resources.scopes]]
+displayName = "Update Policy"
+name = "internal_entitlement_policy_mgt_update"
+description = "Update Policy"
+
+[[api_resources.scopes]]
+displayName = "View Policy"
+name = "internal_entitlement_policy_mgt_view"
+description = "View Policy"
+
+[[api_resources.scopes]]
+displayName = "Delete Policy"
+name = "internal_entitlement_policy_mgt_delete"
+description = "Delete Policy"
+
+[[api_resources]]
+name = "Entitlement Subscriber API"
+identifier = "/api/identity/entitlement/v1/entitlements/subscribers"
+requiresAuthorization = true
+description = "API representation of the Entitlement Subscriber Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Subscriber"
+name = "internal_entitlement_subscriber_mgt_create"
+description = "Create new Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Update Subscriber"
+name = "internal_entitlement_subscriber_mgt_update"
+description = "Update Subscriber"
+
+[[api_resources.scopes]]
+displayName = "View Subscriber"
+name = "internal_entitlement_subscriber_mgt_view"
+description = "View Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Delete Subscriber"
+name = "internal_entitlement_subscriber_mgt_delete"
+description = "Delete Subscriber"
+
+[[api_resources]]
+name = "Entitlement Global Policy Combining Algorithm API"
+identifier = "/api/identity/entitlement/v1/entitlements/combining-algorithm"
+requiresAuthorization = true
+description = "API representation of the Entitlement Global Policy Combining Algorithm API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Set Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_set"
+description = "Set Global Policy Combining Algorithm"
+
+[[api_resources.scopes]]
+displayName = "Get Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_get"
+description = "Get Global Policy Combining Algorithm"
+
+[[api_resources]]
+name = "Entitlement Policy Publish API"
+identifier = "/api/identity/entitlement/v1/entitlements/publish"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Publish API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Publish Policy"
+name = "internal_entitlement_policy_publish"
+description = "Publish new Policy"
+
+[[api_resources]]
+name = "Entitlement Policy Mgt API"
+identifier = "/api/identity/entitlement/v1/decision"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Mgt API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Policy Mgt"
+name = "internal_manage_pep"
+description = "Policy Mgt"
+
+[console.policyAdministration]
+enabled = "true"
+
+[console.ui]
+isXacmlConnectorEnabled = "true"
diff --git a/resources/policies/authn_group_based_policy_template.xml b/resources/policies/authn_group_based_policy_template.xml
new file mode 100644
index 000000000..cb31697e3
--- /dev/null
+++ b/resources/policies/authn_group_based_policy_template.xml
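Review bot: The `[[api_resources]]` entry for `/api/identity/entitlement/v1/decision` declares the scope `internal_manage_pep` but no `[[resource.access_control]]` rule in this hunk binds that scope to the decision path, whereas every other API resource here (policies, subscribers, publish, combining-algorithm) has a matching `context` rule per HTTP method. Unless such a rule already exists in a base deployment.toml that this file is merged into, the decision endpoint is the one resource whose scope is defined but never enforced by this configuration, so the entry below (method to be confirmed against what the endpoint actually serves) should sit with the other access-control rules. Two smaller points in the same hunk: the first group of `resource.access_control` rules lacks the section comment its siblings carry, so `# Entitlement Policy API` above the first `[[resource.access_control]]` would keep the file uniform, and the labels `"Entitlement Policy Mgt API"` / `"Policy Mgt"` describe a policy-decision endpoint as policy management, which is likely to confuse whoever audits scope grants later.
```toml
# Entitlement Decision API
[[resource.access_control]]
context = "(.*)/api/identity/entitlement/v1/decision(.*)"
secure = "true"
http_method = "POST"  # TODO(review): confirm the method(s) the decision endpoint serves
scopes = ["internal_manage_pep"]
```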
@@ -0,0 +1,33 @@ + + This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the groups of the user (defined by GROUP_1 and GROUP_2). Users who are in at least one of the given groups, will be allowed and any others will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + GROUP_1 + + + + GROUP_2 + + + + + + + diff --git a/resources/policies/authn_role_based_policy_template.xml b/resources/policies/authn_role_based_policy_template.xml new file mode 100644 index 000000000..484351938 --- /dev/null +++ b/resources/policies/authn_role_based_policy_template.xml @@ -0,0 +1,33 @@ + + This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + Internal/ROLE_1 + + + + Internal/ROLE_2 + + + + + + + diff --git a/resources/policies/authn_scope_based_policy_template.xml b/resources/policies/authn_scope_based_policy_template.xml new file mode 100644 index 000000000..ea5e8347d --- /dev/null +++ b/resources/policies/authn_scope_based_policy_template.xml @@ -0,0 +1,32 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the oauth scope(s) (SCOPE1, SCOPE2). Users who are granted with the given scopes will be allowed and any other user will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + SCOPE1 + + + + SCOPE2 + + + + + + + diff --git a/resources/policies/authn_time_and_role_based_policy_template.xml b/resources/policies/authn_time_and_role_based_policy_template.xml new file mode 100644 index 000000000..523acd668 --- /dev/null 
+++ b/resources/policies/authn_time_and_role_based_policy_template.xml @@ -0,0 +1,42 @@ + + This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the Roles of the user (defined by ROLE_1 and ROLE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who have at least one of the given roles will be able to login within the given time. Any other requests will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + Internal/ROLE_1 + + + + Internal/ROLE_2 + + + + + + + + diff --git a/resources/policies/authn_time_and_scope_based_policy_template.xml b/resources/policies/authn_time_and_scope_based_policy_template.xml new file mode 100644 index 000000000..c3c7c4b62 --- /dev/null +++ b/resources/policies/authn_time_and_scope_based_policy_template.xml @@ -0,0 +1,41 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the oauth scope(s) (SCOPE1 or SCOPE2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who are logging in between the given time and who grant the given scopes will be allowed to login and any other user will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + SCOPE1 + + + + SCOPE2 + + + + + + + + diff --git a/resources/policies/authn_time_and_user_claim_based_policy_template.xml b/resources/policies/authn_time_and_user_claim_based_policy_template.xml new file mode 100644 index 000000000..cb94b3744 --- /dev/null +++ b/resources/policies/authn_time_and_user_claim_based_policy_template.xml 
@@ -0,0 +1,43 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range will be allowed and any other users will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + diff --git a/resources/policies/authn_time_and_user_store_based_policy_template.xml b/resources/policies/authn_time_and_user_store_based_policy_template.xml new file mode 100644 index 000000000..52acf39ec --- /dev/null +++ b/resources/policies/authn_time_and_user_store_based_policy_template.xml @@ -0,0 +1,45 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the user store (USERSTORE_1 or USERSTORE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who are in the given userstores and who are logged in within the given time range will be allowed and any other users will be denied. + + + + + authenticate + + + + SP_NAME + + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + + + USERSTORE_1 + + + + + + USERSTORE_2 + + + + + + + \ No newline at end of file diff --git a/resources/policies/authn_time_based_policy_template.xml b/resources/policies/authn_time_based_policy_template.xml new file mode 100644 index 000000000..6277dc3a8 --- /dev/null +++ b/resources/policies/authn_time_based_policy_template.xml 
@@ -0,0 +1,29 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the login time. Any authentication attempt outside the specified time range(09:00:00 to 17:00:00) will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + diff --git a/resources/policies/authn_user_claim_based_policy_template.xml b/resources/policies/authn_user_claim_based_policy_template.xml new file mode 100644 index 000000000..255a4e75d --- /dev/null +++ b/resources/policies/authn_user_claim_based_policy_template.xml @@ -0,0 +1,36 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2). Users with the given claim values will be allowed and any other users will be denied. + + + + + SP_NAME + + + + authenticate + + + + + + + + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + diff --git a/resources/policies/authn_user_store_based_policy_template.xml b/resources/policies/authn_user_store_based_policy_template.xml new file mode 100644 index 000000000..fc3a8392b --- /dev/null +++ b/resources/policies/authn_user_store_based_policy_template.xml @@ -0,0 +1,36 @@ + + This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the user store (USERSTORE_1 or USERSTORE_2). Users who are in the given userstores will be allowed and any other users will be denied. + + + + + authenticate + + + + SP_NAME + + + + + + + + + + + + + USERSTORE_1 + + + + + + USERSTORE_2 + + + + + + \ No newline at end of file diff --git a/resources/policies/eval_permission_tree_policy.xml b/resources/policies/eval_permission_tree_policy.xml new file mode 100644 index 000000000..270aa4137 --- /dev/null 
+++ b/resources/policies/eval_permission_tree_policy.xml @@ -0,0 +1,26 @@ + + This policy provides the ability to authorize users based on permission tree. + + + + + ui.execute + + + + + + + + + + + + + + + + + + + diff --git a/resources/policies/provisioning_role_based_policy_template.xml b/resources/policies/provisioning_role_based_policy_template.xml new file mode 100644 index 000000000..f7a83f2eb --- /dev/null +++ b/resources/policies/provisioning_role_based_policy_template.xml @@ -0,0 +1,70 @@ + + This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the roles of the user (ROLE_1, ROLE_2). Provisioning attempts to the users with given role(s) will be allowed and all others will be denied. + + + + + SP_NAME + + + + IDP_NAME + + + + provisioning + + + + + + + + + + + POST + + + + + + + + + ROLE_1 + + + + ROLE_2 + + + + + + + + + + + PUT + + + + + + + + + Internal/ROLE_1 + + + + Internal/ROLE_2 + + + + + + + \ No newline at end of file diff --git a/resources/policies/provisioning_time_and_role_based_policy_template.xml b/resources/policies/provisioning_time_and_role_based_policy_template.xml new file mode 100644 index 000000000..4cdd60b1d --- /dev/null +++ b/resources/policies/provisioning_time_and_role_based_policy_template.xml 
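Review bot: In provisioning_role_based_policy_template.xml the POST rule matches the bare role values `ROLE_1` / `ROLE_2` while the PUT rule in the same template matches `Internal/ROLE_1` / `Internal/ROLE_2`, so a user filled in from the template will satisfy at most one of the two rules depending on whether the role name is domain-qualified. The authn role template in this same patch uses the `Internal/` form consistently, and the time-and-role provisioning template (next hunk) repeats the POST/PUT mismatch. Pick one form for both rules, e.g. `Internal/ROLE_1` and `Internal/ROLE_2` in the POST rule as well, or state in the template's description which role-name form the placeholders expect.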
@@ -0,0 +1,89 @@ + + This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the roles of the user (ROLE_1, ROLE_2) and time of the day (eg. between 09:00:00 to 17:00:00). Provisioning attempts to the users with given role(s) between the given time will be allowed and all others will be denied. + + + + + SP_NAME + + + + IDP_NAME + + + + provisioning + + + + + + + + + + + POST + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + ROLE_1 + + + + ROLE_2 + + + + + + + + + + + + + PUT + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + Internal/ROLE_1 + + + + Internal/ROLE_2 + + + + + + + + diff --git a/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml b/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml new file mode 100644 index 000000000..0a5c6a52e --- /dev/null +++ b/resources/policies/provisioning_time_and_user_claim_based_policy_template.xml @@ -0,0 +1,96 @@ + + This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and time of the day (eg. between 09:00:00 to 17:00:00). Provisioning attempts to the users with the given claim values between the given time will be allowed and all others will be denied. + + + + + SP_NAME + + + + IDP_NAME + + + + provisioning + + + + + + + + + + + POST + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + + + + + + PUT + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + + 
diff --git a/resources/policies/provisioning_time_based_policy_template.xml b/resources/policies/provisioning_time_based_policy_template.xml new file mode 100644 index 000000000..18845fdfb --- /dev/null +++ b/resources/policies/provisioning_time_based_policy_template.xml @@ -0,0 +1,33 @@ + + This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the requested time. Any provisioning attempt outside the specified time range(09:00:00 to 17:00:00) will be denied. + + + + + SP_NAME + + + + IDP_NAME + + + + provisioning + + + + + + + + + + + + 09:00:00 + 17:00:00 + + + + + \ No newline at end of file diff --git a/resources/policies/provisioning_user_claim_based_policy_template.xml b/resources/policies/provisioning_user_claim_based_policy_template.xml new file mode 100644 index 000000000..1e92df072 --- /dev/null +++ b/resources/policies/provisioning_user_claim_based_policy_template.xml @@ -0,0 +1,78 @@ + + This template policy provides ability to authorize provisioning requests initiated from a given service provider(defined by SP_NAME) to a given identity provider(defined by IDP_NAME) in the outbound provisioning flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2). Users with the given claim values will be allowed and any other users will be denied. + + + + + SP_NAME + + + + IDP_NAME + + + + provisioning + + + + + + + + + + + POST + + + + + + + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + + + + + PUT + + + + + + + + + + + + CLAIM_VALUE_1 + + + + + + CLAIM_VALUE_2 + + + + + + \ No newline at end of file diff --git a/resources/policies/scope_based_token_issuance_policy_template.xml b/resources/policies/scope_based_token_issuance_policy_template.xml new file mode 100755 index 000000000..2fd08daa3 --- /dev/null 
+++ b/resources/policies/scope_based_token_issuance_policy_template.xml @@ -0,0 +1,41 @@ + + This policy template provides ability to validate OAuth2 access token to a given service provider(defined by SP_NAME) in the issuance flow based on the scope (defined by SCOPE_1). It allows validation of token on time of the day (eg. between 09:00:00 to 18:00:00). + + + + + playground2 + + + + scope_validation + + + + + + + + + + + + + 09:00:00 + 22:00:00 + + + + SCOPE_1 + + + + SCOPE_2 + + + + + + + + diff --git a/resources/policies/scope_based_token_validation_policy_template.xml b/resources/policies/scope_based_token_validation_policy_template.xml new file mode 100755 index 000000000..90b37ab4f --- /dev/null +++ b/resources/policies/scope_based_token_validation_policy_template.xml @@ -0,0 +1,38 @@ + + This policy template provides ability to validate OAuth2 access token to a given service provider(defined by SP_NAME) in the validation flow based on the scope (defined by SCOPE_1). It allows validation of token on time of the day (eg. between 09:00:00 to 18:00:00). + + + + + test_server + + + + token_validation + + + + SCOPE_1 + + + + + + + + + + + + + 09:00:00 + 18:00:00 + + + + + + + + +
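Review bot: scope_based_token_issuance_policy_template.xml is the only template in this patch whose service-provider match value is a literal sample name, `playground2`, while its own description says the SP is "defined by SP_NAME"; a template instantiated without editing that value silently applies to no SP (or to whichever SP happens to carry that sample name) instead of the one the operator intended. The scope_based_token_validation template (the following hunk, which may continue past this excerpt) has the same issue with `test_server`. Replace both literals with `SP_NAME` so they line up with the other templates. Two related description mismatches in the issuance template: the description says the window is "between 09:00:00 to 18:00:00" but the rule encodes `09:00:00` to `22:00:00`, and it mentions only `SCOPE_1` while the rule also matches `SCOPE_2`; either change the values or update the description to say "(eg. between 09:00:00 to 22:00:00)" and "(defined by SCOPE_1 and SCOPE_2)".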