 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 * Copyright (c) 2011-2015 ForgeRock AS. All rights reserved.
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 * You can obtain a copy of the License at
 * See the License for the specific language governing
 * permission and limitations under the License.
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
// A configuration for allowed HTTP requests. Each entry in the configuration contains a pattern
// to match against the incoming request ID and, in the event of a match, the associated roles,
// methods, and actions that are allowed for requests on that particular pattern.
// pattern: A pattern to match against an incoming request's resource ID
// roles: A comma-separated list of allowed roles
// methods: A comma-separated list of allowed methods
// actions: A comma-separated list of allowed actions
// customAuthz: A custom function for additional authorization logic/checks (optional)
// excludePatterns: A comma-separated list of patterns to exclude from the pattern match (optional)
// A single '*' character indicates all possible values. With patterns ending in "/*", the "*"
// acts as a wildcard to indicate that the pattern accepts all resource IDs "below" the specified
// pattern (prefix). For example, the pattern "managed/*" would match "managed/user" or anything
// starting with "managed/". Note: it would not match "managed", which would need to have its
// own entry in the config.
d01b29a2b512ef92eede086eb0eec386988c7c12Jake Feasel/*jslint vars:true*/
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle "configs" : [
6d6e444ceb98763016f5db82e87ee254bdc9b4e2huck.elliott // proxy back to configured OpenAM server endpoints
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle // Anyone can read from these endpoints
56e64ff6659314e50b245916e2e0f87c7beadd73Jake Feasel "customAuthz": "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
 // externally-visible Self-Service endpoints
d01b29a2b512ef92eede086eb0eec386988c7c12Jake Feasel "customAuthz" : "checkIfUIIsEnabled('selfRegistration')"
d01b29a2b512ef92eede086eb0eec386988c7c12Jake Feasel "customAuthz" : "checkIfUIIsEnabled('passwordReset')"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "checkIfUIIsEnabled('forgotUsername')"
6fc66c9c25e5e5831e0edfc88aa0e15f233f43baJake Feasel "customAuthz" : "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
6fc66c9c25e5e5831e0edfc88aa0e15f233f43baJake Feasel "customAuthz" : "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('passwordReset')"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "checkIfUIIsEnabled('kbaEnabled')"
0cbb44acdcab0e5a2d60c601698454b6a01bd0b3Jake Feasel // rules governing requests originating from forgerock-selfservice
0cbb44acdcab0e5a2d60c601698454b6a01bd0b3Jake Feasel "customAuthz" : "checkIfUIIsEnabled('selfRegistration') && isSelfServiceRequest() && onlyEditableManagedObjectProperties('user')"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset')) && isSelfServiceRequest()"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset')) && isSelfServiceRequest()"
0cbb44acdcab0e5a2d60c601698454b6a01bd0b3Jake Feasel "customAuthz" : "checkIfUIIsEnabled('passwordReset') && isSelfServiceRequest() && onlyEditableManagedObjectProperties('user')"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "(checkIfUIIsEnabled('forgotUsername') || checkIfUIIsEnabled('passwordReset') || checkIfUIIsEnabled('selfRegistration')) && isSelfServiceRequest()"
7dd62a2d0c4b0033b7af1745a5f2fb9316664310Jake Feasel // openidm-admin can request nearly anything (except query expressions on repo endpoints)
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle "methods" : "*", // default to all methods allowed
94bf3f92ee8bb97dc3d2dbd9993c8a7f0c829e33Jake Feasel "actions" : "*", // default to all actions allowed
94bf3f92ee8bb97dc3d2dbd9993c8a7f0c829e33Jake Feasel // additional rules for openidm-admin that selectively enable certain parts of system/
94bf3f92ee8bb97dc3d2dbd9993c8a7f0c829e33Jake Feasel "methods" : "create,read,update,delete,patch,query", // restrictions on 'action'
c04dfceddf82ad0f501864d59e07589079d051ecJake Feasel // Allow access to custom scripted endpoints
d9554aece2386e1da54a7a8511ec09e78eeeabceAndi Egloff // Note that these actions are available directly on system as well
56cbc2397b26fdd0e57ceb78657514d88f260e80Jake Feasel "actions" : "test,testConfig,createconfiguration,liveSync,authenticate"
280f5f217c81e0b90c2b526a8a03849c1371545cBrendan Mmiller // Disallow command action on repo
280f5f217c81e0b90c2b526a8a03849c1371545cBrendan Mmiller "methods" : "*", // default to all methods allowed
280f5f217c81e0b90c2b526a8a03849c1371545cBrendan Mmiller "actions" : "*", // default to all actions allowed
280f5f217c81e0b90c2b526a8a03849c1371545cBrendan Mmiller "methods" : "*", // default to all methods allowed
280f5f217c81e0b90c2b526a8a03849c1371545cBrendan Mmiller "actions" : "*", // default to all actions allowed
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle // Additional checks for authenticated users
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle "roles" : "openidm-authorized", // openidm-authorized is logged-in users
 // This rule is primarily controlled by the ownDataOnly function, which only allows
 // access to the endpoint from which the user originates
 // (for example, a managed/user with the _id of bob will only be able to access managed/user/bob)
d01b29a2b512ef92eede086eb0eec386988c7c12Jake Feasel "customAuthz" : "ownDataOnly() && onlyEditableManagedObjectProperties('user')"
5e06232b13d26983ad66f05a5d5f839d5eb4216cJake Feasel "customAuthz" : "(request.resourcePath === 'selfservice/user/' + context.security.authorization.id) && onlyEditableManagedObjectProperties('user')"
d01b29a2b512ef92eede086eb0eec386988c7c12Jake Feasel // enforcement of which notifications you can read and delete is done within the endpoint
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle // Workflow-related endpoints for authorized users
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle // Clients authenticated via SSL mutual authentication
0cbb44acdcab0e5a2d60c601698454b6a01bd0b3Jake Feasel "customAuthz" : "isQueryOneOf({'managed/user': ['for-userName']}) && restrictPatchToFields(['password'])"
c435eacb0cab04714ce858484e971fd820ea8823Chad Kienle // Security Management
02756b6ea45125f8f83409870493fff95a5b6a2eChad Kienle// Additional custom authorization functions go here