/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2011-2015 ForgeRock AS. All rights reserved.
*
* The contents of this file are subject to the terms
* of the Common Development and Distribution License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License at
* See the License for the specific language governing
* permission and limitations under the License.
*
* When distributing Covered Code, include this CDDL
* Header Notice in each file and include the License file
* If applicable, add the following below the CDDL Header,
* with the fields enclosed by brackets [] replaced by
* your own identifying information:
* "Portions Copyrighted [year] [name of copyright owner]"
*/
/*
* This script is called from the router "onRequest" trigger, to enforce a central
* set of authorization rules.
*
* This default implementation simply restricts requests via HTTP to users that are assigned
* an "openidm-admin" role, and optionally to those that authenticate with TLS mutual
* authentication (assigned an "openidm-cert" role).
*/
/*jslint regexp:false sub:true */
/*global httpAccessConfig */
if (pattern === "*") {
// Accept all patterns
return true;
// pattern matches exactly
return true;
// Ends with "/*" or "/"
// See if parent pattern matches
if (id.length >= parentResource.length && id.substring(0, parentResource.length) === parentResource) {
return true;
}
}
return false;
}
function containsIgnoreCase(a, o) {
if (typeof(a) !== 'undefined' && a !== null) {
for (i = 0; i <= a.length; i++) {
str1 = o;
str2 = a[i];
if (typeof(o) !== 'undefined' && o !== null) {
str1 = o.toLowerCase();
}
if (typeof(a[i]) !== 'undefined' && a[i] !== null) {
str2 = a[i].toLowerCase();
}
return true;
}
}
}
return false;
}
var i;
return true;
}
return true;
}
}
return false;
}
return true;
}
}
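/**
 * Test whether the array a holds an element strictly equal (===) to o.
 *
 * This is a membership helper for the access rules in this file; a false
 * positive here widens what a caller is allowed to do, so it must be exact.
 *
 * @param {Array} a - the list to search; null/undefined is treated as empty
 * @param {*} o - the value to look for
 * @returns {Boolean} true if some element of a is === o, otherwise false
 */
function contains(a, o) {
    var i;
    if (typeof(a) === 'undefined' || a === null) {
        return false;
    }
    // Loop bound is < rather than <=: the previous version also read
    // a[a.length], which is undefined, so contains(anyArray, undefined)
    // reported a match (even for an empty array).
    for (i = 0; i < a.length; i++) {
        if (a[i] === o) {
            return true;
        }
    }
    return false;
}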
function isMyTask() {
}
}
}
var userCandidateTasksQueryParams = {
"_queryId": "filtered-query",
},
return true;
}
}
roles = "";
if (i === 0) {
} else {
}
}
"_queryId": "filtered-query",
};
userGroupCandidateTasks = openidm.query("workflow/taskinstance", userGroupCandidateTasksQueryParams).result;
return true;
}
}
return false;
}
function canUpdateTask() {
}
isProcessOneOfUserProcesses = false,
i;
if (processFilter(processForUser)) {
isProcessOneOfUserProcesses = true;
}
}
return isProcessOneOfUserProcesses;
}
/**
 * True when the process the caller wants to start passes the per-user process
 * filter applied by isProcessOnUsersList (which calls the predicate once per
 * process on the user's list).
 *
 * NOTE(review): as listed here the predicate has an empty body, so it returns
 * undefined for every process and nothing could ever match. This looks like a
 * truncated listing — confirm against the full file that the predicate really
 * compares each process with the one being requested before relying on it.
 */
function isAllowedToStartProcess() {
    return isProcessOnUsersList(function (process) {
    });
}
function isOneOfMyWorkflows() {
}
if (
)
{
return true;
}
return false;
}
returnVal = false;
}
function ownDataOnly() {
// in the case of a literal read on themselves
}
/**
* Look through the whole patchOperation set and return false if any
* field in the set refers to something other than those provided in the argument
* @param {Array} allowedFields - The list of fields which the patch operations are allowed to target
* @returns {Boolean}
*/
function restrictPatchToFields(allowedFields) {
var patchOps;
} else {
return false;
}
// removes leading slashses from jsonpointer field specifications,
// and only considers the first path item in the jsonpointer path
}, true);
}
/**
* Given a managed object name and the global request details, look up the
* schema for the object and ensure that each of the changed properties in
* the request are marked as "userEditable" : true.
* @param {string} objectName - the name of the managed object (ex: "user")
* @returns {Boolean}
*/
function onlyEditableManagedObjectProperties(objectName) {
if (!managedObjectConfig || !managedObjectConfig.schema || !managedObjectConfig.schema.properties) {
return false;
}
// Every property provided during the create call must be checked
return result &&
}, true);
// Only those properties which have changed must be checked
return result &&
(
// either the value has not changed...
// or the user is allowed to edit it
(
)
);
}, true);
} else if (request.method === "patch" || (request.method === "action" && request.action === "patch")) {
// Every field being patched must be checked
return restrictPatchToFields(
// generate an array of all userEditable properties in the schema
.pairs()
// pair[1] is the property content
})
// pair[0] is the property name
return pair[0];
})
.value()
);
}
return false;
}
/* DEPRECATED FUNCTION */
getTopLevelProp = function (prop) {
// removes a leading slash and only returns the first part of a string before a possible subsequent slash
};
return true;
}
// we could accept a csv list or an array of properties for the allowedPropertiesList arg.
if (typeof allowedPropertiesList === "string") {
}
} else if (!request.patchOperations) {
return true;
} else {
}
// check each of the fields they are attempting to patch and make sure they are approved
for (i in operations) {
if ((operations[i].field && !containsIgnoreCase(allowedPropertiesList, getTopLevelProp(operations[i].field)))) {
return false;
}
}
return true;
}
if (!currentUser) { // this would be odd, but just in case
return false;
}
// if the new value does not match the current value, then they must be updating it
// if the field they are attempting to update isn't allowed for them, then reject request.
if (!_.isEqual(currentUser[i], request.content[i]) && !containsIgnoreCase(allowedPropertiesList,i)) {
return false;
}
}
return true;
}
// they should only be providing parameters that they are allowed to define
if (!containsIgnoreCase(allowedPropertiesList,i)) {
return false;
}
}
}
return true;
}
/**
 * Rule predicate: true only when the request carries no queryExpression.
 *
 * A queryExpression is a free-form query string, as opposed to a predefined
 * query (e.g. the "_queryId" queries used elsewhere in this file); an access
 * rule pairs this helper with its other checks when it wants a caller limited
 * to predefined queries. The global request object is provided by the script
 * engine.
 *
 * @returns {Boolean} false if request.queryExpression holds a truthy value
 */
function disallowQueryExpression() {
    var hasExpression = Boolean(request.queryExpression);
    return !hasExpression;
}
/**
 * Rule predicate that, judging by its name, is meant to refuse requests whose
 * action is "command"; presumably used alongside disallowQueryExpression.
 *
 * NOTE(review): as listed here the function has no body and so returns
 * undefined, which a rule would treat as "not allowed" — it fails closed, but
 * would also never permit anything. This looks like a truncated listing;
 * confirm the real implementation against the full file.
 */
function disallowCommandAction() {
}
//////// Do not alter functions below here as part of your authz configuration
// Check resource ID
// Check excludePatterns
ex = false;
ex = true;
break;
}
}
}
if (!ex) {
// Check roles
// Check method
// Check action
return true;
}
} else {
return true;
}
}
}
}
}
}
}
return false;
}
/**
 * Rule predicate that, judging by its name, identifies self-service requests
 * (what exactly qualifies is not visible in this listing).
 *
 * NOTE(review): as listed here the function has no body and so returns
 * undefined, which a rule would treat as "not allowed". This looks like a
 * truncated listing; confirm the real implementation against the full file.
 */
function isSelfServiceRequest() {
}
function isAJAXRequest() {
// one of these custom headers must be present for all HTTP-based requests, to prevent CSRF attacks
// X-Requested-With is common from AJAX libraries such as jQuery
// Basic auth headers are acceptible for convenience from cURL commands;
// We don't return the request header to prompt the browser to provide basic auth headers,
// so it will only be present if someone explicitly provides them, as in a cURL request.
// The custom authn headers for OpenIDM
return true;
}
return false;
}
function allow() {
var roles,
action = "";
}
// We only need to block non-AJAX requests when the action is not "read"
return false;
}
logger.debug("Access Check for HTTP request for resource id: {}, role: {}, method: {}, action: {}", request.resourcePath, roles, request.method, action);
}
// Load the access configuration script (httpAccessConfig obj)
// Final gate for every request routed through this script: unless allow()
// explicitly permits it, the request is refused. Throwing an object literal
// with "code" and "message" (rather than an Error) appears to be the
// convention this script engine uses to surface an HTTP status, so keep those
// keys as they are. When debugging a denial, log selected fields rather than
// dumping the whole request/context object, which may carry the caller's
// authentication details.
if (!allow()) {
    throw {
        "code" : 403,
        "message" : "Access denied"
    };
}