/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2011-2015 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */
// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern
// to match against the incoming request's resource ID and, in the event of a match, the associated
// roles, methods, and actions that are allowed for requests on that particular pattern.
//
// pattern: A pattern to match against an incoming request's resource ID
// roles: A comma-separated list of allowed roles
// methods: A comma-separated list of allowed methods
// actions: A comma-separated list of allowed actions
// customAuthz: A custom function for additional authorization logic/checks (optional)
// excludePatterns: A comma-separated list of patterns to exclude from the pattern match (optional)
//
// A single '*' character indicates all possible values. With patterns ending in "/*", the "*"
// acts as a wildcard to indicate the pattern accepts all resource IDs "below" the specified
// pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything
// starting with "managed/". Note: it would not match "managed", which would need to have its
// own entry in the config.
/*jslint vars:true*/

// The access rule list. Field meanings are described in the header comment above.
// A rule with "roles" : "*" imposes no role restriction at all, so such a rule is only as
// strict as its "customAuthz" expression (if it has one) - review those entries first.
var httpAccessConfig =
{
    "configs" : [
        // proxy back to configured OpenAM server endpoints
        // Nothing is restricted here (all roles, methods and actions). NOTE(review): any access
        // control for this proxy must therefore be enforced by the proxied endpoint - confirm.
        {
            "pattern" : "endpoint/openam/*",
            "roles" : "*",
            "methods" : "*",
            "actions" : "*"
        },
        // Anyone can read from these endpoints
        {
            "pattern" : "info/*",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "config/ui/themeconfig",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "config/ui/configuration",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        // Readable by anyone, but only while self-registration or password reset is enabled
        {
            "pattern" : "config/selfservice/kbaConfig",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*",
            "customAuthz": "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
        },

        // externally-visible Self-Service endpoints
        // Each is open to all roles but limited to read plus the single "submitRequirements"
        // action, and is switched off entirely when the matching UI feature is disabled.
        {
            "pattern" : "selfservice/registration",
            "roles" : "*",
            "methods" : "read,action",
            "actions" : "submitRequirements",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration')"
        },

        {
            "pattern" : "selfservice/reset",
            "roles" : "*",
            "methods" : "read,action",
            "actions" : "submitRequirements",
            "customAuthz" : "checkIfUIIsEnabled('passwordReset')"
        },

        {
            "pattern" : "selfservice/username",
            "roles" : "*",
            "methods" : "read,action",
            "actions" : "submitRequirements",
            "customAuthz" : "checkIfUIIsEnabled('forgotUsername')"
        },

        // Policy lookup/validation for managed users, needed by the self-service flows above.
        // No actions are allowed on the collection itself; only "validateObject" on the "-" resource.
        {
            "pattern" : "policy/managed/user",
            "roles" : "*",
            "methods" : "read",
            "actions" : "",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
        },
        {
            "pattern" : "policy/managed/user/-",
            "roles" : "*",
            "methods" : "action",
            "actions" : "validateObject",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
        },

        // KBA questions: logged-in users only, read-only, and only while KBA is enabled
        {
            "pattern" : "selfservice/kba",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('kbaEnabled')"
        },

        // rules governing requests originating from forgerock-selfservice
        // Every rule in this group requires isSelfServiceRequest(); for the entries with
        // "roles" : "*" that check (plus the feature flag) is the only thing gating access.
        // Self-registration: create a user, restricted to the editable properties of 'user'
        {
            "pattern" : "managed/user",
            "roles" : "openidm-reg",
            "methods" : "create",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration') && isSelfServiceRequest() && onlyEditableManagedObjectProperties('user')"
        },
        // Username recovery / password reset need to look users up
        {
            "pattern" : "managed/user",
            "roles" : "*",
            "methods" : "query",
            "actions" : "*",
            "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset')) && isSelfServiceRequest()"
        },
        {
            "pattern" : "managed/user/*",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*",
            "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset')) && isSelfServiceRequest()"
        },
        // Password reset writes back to the user, limited to editable properties
        {
            "pattern" : "managed/user/*",
            "roles" : "*",
            "methods" : "patch,action",
            "actions" : "patch",
            "customAuthz" : "checkIfUIIsEnabled('passwordReset') && isSelfServiceRequest() && onlyEditableManagedObjectProperties('user')"
        },
        // Outbound mail for any of the three self-service flows
        {
            "pattern" : "external/email",
            "roles" : "*",
            "methods" : "action",
            "actions" : "send",
            "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset') || checkIfUIIsEnabled('selfRegistration')) && isSelfServiceRequest()"
        },

        // openidm-admin can request nearly anything. Query expressions are rejected by
        // disallowQueryExpression() on every endpoint this rule covers; "repo" and "repo/*" are
        // excluded from it and governed solely by the dedicated repo rules further down (which,
        // as written, restrict only the "command" action - confirm that is intended).
        {
            "pattern" : "*",
            "roles" : "openidm-admin",
            "methods" : "*", // default to all methods allowed
            "actions" : "*", // default to all actions allowed
            "customAuthz" : "disallowQueryExpression()",
            "excludePatterns": "repo,repo/*"
        },
        // additional rules for openidm-admin that selectively enable certain parts of system/
        // CRUD/patch/query only; 'action' and 'script' are handled by the two rules that follow
        {
            "pattern" : "system/*",
            "roles" : "openidm-admin",
            "methods" : "create,read,update,delete,patch,query", // restrictions on 'action'
            "actions" : "",
            "customAuthz" : "disallowQueryExpression()"
        },
        // Allow access to custom scripted endpoints
        {
            "pattern" : "system/*",
            "roles" : "openidm-admin",
            "methods" : "script",
            "actions" : "*"
        },
        // Only this enumerated set of actions is permitted on system/*.
        // Note that these actions are available directly on system as well
        {
            "pattern" : "system/*",
            "roles" : "openidm-admin",
            "methods" : "action",
            "actions" : "test,testConfig,createconfiguration,liveSync,authenticate"
        },
        // Disallow command action on repo
        // (These two rules are the only ones covering repo, because the "*" admin rule above
        // lists repo and repo/* in its excludePatterns.)
        {
            "pattern" : "repo",
            "roles" : "openidm-admin",
            "methods" : "*", // default to all methods allowed
            "actions" : "*", // default to all actions allowed
            "customAuthz" : "disallowCommandAction()"
        },
        {
            "pattern" : "repo/*",
            "roles" : "openidm-admin",
            "methods" : "*", // default to all methods allowed
            "actions" : "*", // default to all actions allowed
            "customAuthz" : "disallowCommandAction()"
        },

        // Additional checks for authenticated users
        {
            "pattern" : "policy/*",
            "roles" : "openidm-authorized", // openidm-authorized is logged-in users
            "methods" : "read,action",
            "actions" : "*"
        },
        {
            "pattern" : "config/ui/*",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*"
        },
        // Logged-in users may re-authenticate, and nothing else on this endpoint
        {
            "pattern" : "authentication",
            "roles" : "openidm-authorized",
            "methods" : "action",
            "actions" : "reauthenticate"
        },

        // This rule is primarily controlled by the ownDataOnly function - that will only allow
        // access to the endpoint from which the user originates
        // (For example a managed/user with the _id of bob will only be able to access managed/user/bob)

        {
            "pattern" : "*",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*",
            "customAuthz" : "ownDataOnly()"
        },
        // Same ownership check for writes, further limited to the editable properties of 'user'
        {
            "pattern" : "*",
            "roles" : "openidm-authorized",
            "methods" : "update,patch,action",
            "actions" : "patch",
            "customAuthz" : "ownDataOnly() && onlyEditableManagedObjectProperties('user')"
        },
        // A user may only patch their own selfservice/user entry: the resource path has to equal
        // 'selfservice/user/' followed by the caller's own authorization id
        {
            "pattern" : "selfservice/user/*",
            "roles" : "openidm-authorized",
            "methods" : "patch,action",
            "actions" : "patch",
            "customAuthz" : "(request.resourcePath === 'selfservice/user/' + context.security.authorization.id) && onlyEditableManagedObjectProperties('user')"
        },

        // enforcement of which notifications you can read and delete is done within the endpoint
        {
            "pattern" : "endpoint/usernotifications",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/usernotifications/*",
            "roles" : "openidm-authorized",
            "methods" : "delete",
            "actions" : "*"
        },

        // Workflow-related endpoints for authorized users

        {
            "pattern" : "endpoint/getprocessesforuser",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "endpoint/gettasksview",
            "roles" : "openidm-authorized",
            "methods" : "query",
            "actions" : "*"
        },
        // Completing a task requires it to be the caller's own task
        {
            "pattern" : "workflow/taskinstance/*",
            "roles" : "openidm-authorized",
            "methods" : "action",
            "actions" : "complete",
            "customAuthz" : "isMyTask()"
        },
        {
            "pattern" : "workflow/taskinstance/*",
            "roles" : "openidm-authorized",
            "methods" : "read,update",
            "actions" : "*",
            "customAuthz" : "canUpdateTask()"
        },
        {
            "pattern" : "workflow/processinstance",
            "roles" : "openidm-authorized",
            "methods" : "create",
            "actions" : "*",
            "customAuthz": "isAllowedToStartProcess()"
        },
        // NOTE(review): "methods" is "*" while "actions" is "read"; everywhere else in this file
        // "read" appears as a method, not an action - confirm the intended restriction here.
        {
            "pattern" : "workflow/processdefinition/*",
            "roles" : "openidm-authorized",
            "methods" : "*",
            "actions" : "read",
            "customAuthz": "isOneOfMyWorkflows()"
        },
        // Clients authenticated via SSL mutual authentication
        // Limited to patching managed/user, and (per the helper names) only through the
        // 'for-userName' query and only the 'password' field.
        {
            "pattern" : "managed/user",
            "roles" : "openidm-cert",
            "methods" : "patch,action",
            "actions" : "patch",
            "customAuthz" : "isQueryOneOf({'managed/user': ['for-userName']}) && restrictPatchToFields(['password'])"
        },
        // Security Management
        // Admin-only; no actions are permitted on security/*
        {
            "pattern" : "security/*",
            "roles" : "openidm-admin",
            "methods" : "read,create,update,delete",
            "actions" : ""
        }
    ]
};
// Additional custom authorization functions go here