Update deployment.toml config and add policy templates

README.md

@@ -234,6 +234,9 @@ description = "Policy Mgt"
 ```toml
 [console.policyAdministration]
 enabled = "true"
+
+[console.ui]
+isXacmlConnectorEnabled = "true"
 ```
 
 10. Restart Identity Server.

resources/deployment.toml

@@ -0,0 +1,169 @@
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_policy_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_policy_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_policy_mgt_delete"]
+
+# Entitlement Subscriber API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_subscriber_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_subscriber_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_subscriber_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_subscriber_mgt_delete"]
+
+# Entitlement Policy Publish API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/publish(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_publish"]
+
+# Entitlement Global Policy Combining Algorithm API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_gpa_get"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_gpa_set"]
+
+[[api_resources]]
+name = "Entitlement Policies API"
+identifier = "/api/identity/entitlement/v1/entitlements/policies"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Policy"
+name = "internal_entitlement_policy_mgt_create"
+description = "Create new Policy"
+
+[[api_resources.scopes]]
+displayName = "Update Policy"
+name = "internal_entitlement_policy_mgt_update"
+description = "Update Policy"
+
+[[api_resources.scopes]]
+displayName = "View Policy"
+name = "internal_entitlement_policy_mgt_view"
+description = "View Policy"
+
+[[api_resources.scopes]]
+displayName = "Delete Policy"
+name = "internal_entitlement_policy_mgt_delete"
+description = "Delete Policy"
+
+[[api_resources]]
+name = "Entitlement Subscriber API"
+identifier = "/api/identity/entitlement/v1/entitlements/subscribers"
+requiresAuthorization = true
+description = "API representation of the Entitlement Subscriber Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Subscriber"
+name = "internal_entitlement_subscriber_mgt_create"
+description = "Create new Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Update Subscriber"
+name = "internal_entitlement_subscriber_mgt_update"
+description = "Update Subscriber"
+
+[[api_resources.scopes]]
+displayName = "View Subscriber"
+name = "internal_entitlement_subscriber_mgt_view"
+description = "View Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Delete Subscriber"
+name = "internal_entitlement_subscriber_mgt_delete"
+description = "Delete Subscriber"
+
+[[api_resources]]
+name = "Entitlement Global Policy Combining Algorithm API"
+identifier = "/api/identity/entitlement/v1/entitlements/combining-algorithm"
+requiresAuthorization = true
+description = "API representation of the Entitlement Global Policy Combining Algorithm API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Set Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_set"
+description = "Set Global Policy Combining Algorithm"
+
+[[api_resources.scopes]]
+displayName = "Get Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_get"
+description = "Get Global Policy Combining Algorithm"
+
+[[api_resources]]
+name = "Entitlement Policy Publish API"
+identifier = "/api/identity/entitlement/v1/entitlements/publish"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Publish API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Publish Policy"
+name = "internal_entitlement_policy_publish"
+description = "Publish new Policy"
+
+[[api_resources]]
+name = "Entitlement Policy Mgt API"
+identifier = "/api/identity/entitlement/v1/decision"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Mgt API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Policy Mgt"
+name = "internal_manage_pep"
+description = "Policy Mgt"
+
+[console.policyAdministration]
+enabled = "true"
+
+[console.ui]
+isXacmlConnectorEnabled = "true"

resources/policies/authn_group_based_policy_template.xml

@@ -0,0 +1,33 @@
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_group_based_policy_template"
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
+    <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the groups of the user (defined by GROUP_1 and GROUP_2). Users who are in at least one of the given groups, will be allowed and any others will be denied.</Description>
+    <Target>
+        <AnyOf>
+            <AllOf>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+                </Match>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
+                </Match>
+            </AllOf>
+        </AnyOf>
+    </Target>
+    <Rule Effect="Permit" RuleId="permit_by_roles">
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GROUP_1</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/claims/groups" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GROUP_2</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/claims/groups" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule Effect="Deny" RuleId="deny_others"/>
+</Policy>

resources/policies/authn_role_based_policy_template.xml

@@ -0,0 +1,33 @@
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_role_based_policy_template"
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
+    <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
+    <Target>
+        <AnyOf>
+            <AllOf>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+                </Match>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
+                </Match>
+            </AllOf>
+        </AnyOf>
+    </Target>
+    <Rule Effect="Permit" RuleId="permit_by_roles">
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/ROLE_1</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/claims/roles" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/ROLE_2</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/claims/roles" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule Effect="Deny" RuleId="deny_others"/>
+</Policy>

resources/policies/authn_scope_based_policy_template.xml

@@ -0,0 +1,32 @@
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="authn_scope_based_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
+    <Description>This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the oauth scope(s) (SCOPE1, SCOPE2). Users who are granted with the given scopes will be allowed and any other user will be denied.</Description>
+    <Target>
+        <AnyOf>
+            <AllOf>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
+                </Match>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
+                </Match>
+            </AllOf>
+        </AnyOf>
+    </Target>
+    <Rule Effect="Permit" RuleId="permit_by_scopes">
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SCOPE1</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/auth-context-request-param/scope:20" Category="http://wso2.org/identity/auth-context-request-param" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SCOPE2</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/auth-context-request-param/scope:20" Category="http://wso2.org/identity/auth-context-request-param" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule Effect="Deny" RuleId="deny_others"></Rule>
+</Policy>

resources/policies/authn_time_and_role_based_policy_template.xml

@@ -0,0 +1,42 @@
+<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_time_and_role_based_policy_template"
+        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
+    <Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the Roles of the user (defined by ROLE_1 and ROLE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users who have at least one of the given roles will be able to login within the given time. Any other requests will be denied.</Description>
+    <Target>
+        <AnyOf>
+            <AllOf>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
+                </Match>
+                <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
+                    <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
+                </Match>
+            </AllOf>
+        </AnyOf>
+    </Target>
+    <Rule Effect="Permit" RuleId="permit_by_roles_and_time">
+        <Condition>
+            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
+                <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
+                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
+                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#time" MustBePresent="true"></AttributeDesignator>
+                    </Apply>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue>
+                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
+                </Apply>
+                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
+                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/ROLE_1</AttributeValue>
+                        <AttributeDesignator AttributeId="http://wso2.org/claims/roles" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                    </Apply>
+                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
+                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/ROLE_2</AttributeValue>
+                        <AttributeDesignator AttributeId="http://wso2.org/claims/roles" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
+                    </Apply>
+                </Apply>
+            </Apply>
+        </Condition>
+    </Rule>
+    <Rule Effect="Deny" RuleId="deny_others"/>
+</Policy>