router-authz.js revision f8eb547a5996303c92e9482cf659642871c7252c
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2011-2012 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */
/*
 * This script is called from the router "onRequest" trigger, to enforce a central
 * set of authorization rules.
 *
 * This default implementation simply restricts requests via HTTP to users that are assigned
 * an "openidm-admin" role, and optionally to those that authenticate with TLS mutual
 * authentication (assigned an "openidm-cert" role).
 */
/**
 * A configuration for allowed requests. Each entry in the config contains a pattern to match
 * against the incoming request ID and, in the event of a match, the associated roles, methods,
 * and actions that are allowed for requests on that particular pattern.
 *
 * pattern: A pattern to match against an incoming request's resource ID
 * roles: A comma separated list of allowed roles
 * methods: A comma separated list of allowed methods
 * actions: A comma separated list of allowed actions
 * customAuthz: A custom function for additional authorization logic/checks (optional)
 *
 * A single '*' character indicates all possible values. With patterns ending in "/*", the "*"
 * acts as a wild card to indicate the pattern accepts all resource IDs "below" the specified
 * pattern (prefix). For example the pattern "managed/*" would match "managed/user" or anything
 * starting with "managed/". Note: it would not match "managed", which would need to have its
 * own entry in the config.
 */
var accessConfig = {
    // Evaluated by passesAccessConfig(): an HTTP request is allowed as soon as
    // ANY entry matches its resource ID, roles, method and action (and its
    // customAuthz expression, when present, evaluates truthy). Entries are
    // independent grants -- no entry can take away what another entry allows,
    // so their order does not change the outcome.
    "configs" : [

        // Anyone can read from these endpoints
        {
            "pattern" : "info/*",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "config/ui/configuration",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*"
        },
        // These options should only be available anonymously if selfReg is enabled
        {
            "pattern" : "config/ui/*",
            "roles" : "*",
            "methods" : "read",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration')"
        },
        // Anonymous self-registration: both conditions must hold -- the UI
        // feature is enabled AND the submitted roles are limited to
        // openidm-authorized, so a self-registered account cannot grant itself
        // openidm-admin (see managedUserRestrictedToAllowedRoles).
        {
            "pattern" : "managed/user/*",
            "roles" : "*",
            "methods" : "create",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration') && managedUserRestrictedToAllowedRoles('openidm-authorized')"
        },

        // Anonymous user can call the siteIdentification endpoint if it is enabled:
        {
            "pattern" : "endpoint/siteIdentification",
            "roles" : "*",
            "methods" : "*",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('siteIdentification')"
        },

        // Anonymous user can call the securityQA endpoint if it is enabled:
        {
            "pattern" : "endpoint/securityQA",
            "roles" : "*",
            "methods" : "*",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('securityQuestions')"
        },
        // This is needed by both self reg and security questions
        {
            "pattern" : "policy/managed/user/*",
            "roles" : "*",
            "methods" : "read,action",
            "actions" : "*",
            "customAuthz" : "checkIfUIIsEnabled('selfRegistration') || checkIfUIIsEnabled('securityQuestions')"
        },

        // openidm-admin can request anything
        {
            "pattern" : "*",
            "roles" : "openidm-admin",
            "methods" : "*", // all methods allowed
            "actions" : "*" // all actions allowed
        },

        // admin can request anything in managed/user
        {
            "pattern" : "managed/user/*",
            "roles" : "admin",
            "methods" : "*", // all methods allowed
            "actions" : "*" // all actions allowed
        },
        {
            "pattern" : "managed/user",
            "roles" : "admin",
            "methods" : "*", // all methods allowed
            "actions" : "*" // all actions allowed
        },

        // Additional checks for authenticated users
        {
            "pattern" : "policy/*",
            "roles" : "openidm-authorized", // openidm-authorized is logged-in users
            "methods" : "read,action",
            "actions" : "*"
        },
        {
            "pattern" : "config/ui/*",
            "roles" : "openidm-authorized",
            "methods" : "read",
            "actions" : "*"
        },
        {
            "pattern" : "authentication",
            "roles" : "openidm-authorized",
            "methods" : "action",
            "actions" : "reauthenticate"
        },
        {
            "pattern" : "*",
            "roles" : "openidm-authorized",
            "methods" : "create,read,update,patch,action,query", // note the missing 'delete' - by default, users cannot delete things
            "actions" : "*",
            // ownDataOnly() ties the request to the caller's own user ID;
            // managedUserRestrictedToAllowedRoles() stops a user from writing
            // roles beyond openidm-authorized onto a managed/user object.
            "customAuthz" : "ownDataOnly() && managedUserRestrictedToAllowedRoles('openidm-authorized')"
        },

        // enforcement of which notifications you can read and delete is done within the endpoint
        {
            "pattern" : "endpoint/usernotifications",
            "roles" : "openidm-authorized",
            "methods" : "read,delete",
            "actions" : "*"
        },

        // Workflow-related endpoints for authorized users
        {
            "pattern" : "workflow/taskinstance/*",
            "roles" : "openidm-authorized",
            "methods" : "action",
            "actions" : "complete",
            "customAuthz" : "isMyTask()"
        },
        {
            "pattern" : "workflow/taskinstance/*",
            "roles" : "openidm-authorized",
            "methods" : "read,update",
            "actions" : "*",
            "customAuthz" : "canUpdateTask()"
        },
        {
            // NOTE(review): this pattern ends in "/" rather than "/*", so
            // matchesResourceIdPattern() only accepts the exact resource ID
            // "workflow/processinstance/" -- confirm that is the ID the router
            // presents for the createProcessInstance action.
            "pattern" : "workflow/processinstance/",
            "roles" : "openidm-authorized",
            "methods" : "action",
            "actions" : "createProcessInstance",
            "customAuthz": "isAllowedToStartProcess()"
        },
        {
            "pattern" : "workflow/processdefinition/*",
            "roles" : "openidm-authorized",
            "methods" : "*",
            "actions" : "read",
            "customAuthz": "isOneOfMyWorkflows()"
        },

        // Clients authenticated via SSL mutual authentication
        {
            "pattern" : "*",
            "roles" : "openidm-cert",
            // An empty list grants nothing: containsItem() splits "" into [""],
            // which never equals a real method or action name.
            "methods" : "", // default to no methods allowed
            "actions" : "" // default to no actions allowed
        }
    ]
};
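/**
 * Custom authz check: is the task instance named in the request ID assigned
 * to the calling user?
 *
 * The request ID is expected to look like "workflow/taskinstance/<id>"; the
 * third segment is read back with openidm.read() and its assignee is compared
 * with the authenticated username.
 *
 * @returns {boolean} true only when the task could be read and its assignee
 *   equals request.parent.security.username.
 */
function isMyTask() {
    var taskInstanceId = request.id.split("/")[2];
    var taskInstance = openidm.read("workflow/taskinstance/" + taskInstanceId);
    // Fail closed when the task cannot be read (a null/undefined result) instead
    // of throwing a TypeError from the property access below.
    if (taskInstance == null) {
        return false;
    }
    return taskInstance.assignee === request.parent.security.username;
}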
/**
 * Custom authz check for read/update on a task instance: allowed when the
 * task is assigned to the caller (isMyTask), or the caller is a candidate for
 * it (isUserCandidateForTask). The task ID is the third segment of request.id.
 *
 * @returns {boolean}
 */
function canUpdateTask() {
    var segments = request.id.split("/");
    var taskInstanceId = segments[2];
    if (isMyTask()) {
        return true;
    }
    return isUserCandidateForTask(taskInstanceId);
}
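/**
 * Returns true when the given task instance is one the calling user is a
 * candidate for, either directly (filtered-query on taskCandidateUser) or via
 * one of the caller's openidm-roles (filtered-query on taskCandidateGroup,
 * passed as a single comma-separated string).
 *
 * @param {string} taskInstanceId - _id of the task instance being accessed
 * @returns {boolean}
 */
function isUserCandidateForTask(taskInstanceId) {
    var security = request.parent.security;

    var userCandidateTasks = openidm.query("workflow/taskinstance", {
        "_queryId": "filtered-query",
        "taskCandidateUser": security.username
    }).result;
    if (taskListContainsId(userCandidateTasks, taskInstanceId)) {
        return true;
    }

    // Build "role1,role2,..." from the caller's roles for the group query.
    var roleList = security['openidm-roles'];
    var roles = "";
    for (var r = 0; r < roleList.length; r++) {
        roles = roles + (r === 0 ? "" : ",") + roleList[r];
    }
    var userGroupCandidateTasks = openidm.query("workflow/taskinstance", {
        "_queryId": "filtered-query",
        "taskCandidateGroup": roles
    }).result;
    return taskListContainsId(userGroupCandidateTasks, taskInstanceId);
}

/**
 * True when one entry of tasks has _id === taskInstanceId. A missing list
 * (query response without a result) counts as "not a candidate".
 */
function taskListContainsId(tasks, taskInstanceId) {
    if (tasks == null) {
        return false;
    }
    for (var i = 0; i < tasks.length; i++) {
        if (taskInstanceId === tasks[i]._id) {
            return true;
        }
    }
    return false;
}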
/**
 * Custom authz check for the createProcessInstance action: the process
 * definition named by _processDefinitionId in the request body must be on
 * the caller's list of processes (isProcessOnUsersList). A request without a
 * body is not handled here and will fail on the property access.
 *
 * @returns {boolean}
 */
function isAllowedToStartProcess() {
    var body = request.value;
    var definitionId = body._processDefinitionId;
    return isProcessOnUsersList(definitionId);
}
/**
 * Custom authz check for "workflow/processdefinition/<id>": the definition ID
 * (third segment of request.id) must be on the caller's list of processes.
 *
 * @returns {boolean}
 */
function isOneOfMyWorkflows() {
    var segments = request.id.split("/");
    return isProcessOnUsersList(segments[2]);
}
/**
 * Returns true when processDefinitionId is the _id of one of the processes
 * the endpoint/getprocessesforuser query reports for the calling user
 * (looked up by request.parent.security.userid.id).
 *
 * NOTE(review): the query response is iterated directly as a list here,
 * whereas isUserCandidateForTask reads ".result" -- presumably this endpoint
 * returns a plain array; confirm against the endpoint implementation.
 *
 * @param {string} processDefinitionId
 * @returns {boolean}
 */
function isProcessOnUsersList(processDefinitionId) {
    var processesForUser = openidm.query("endpoint/getprocessesforuser", {
        "_queryId": "query-processes-for-user",
        "userId": request.parent.security.userid.id
    });
    for (var k = 0; k < processesForUser.length; k++) {
        if (processesForUser[k]._id === processDefinitionId) {
            return true;
        }
    }
    return false;
}
/**
 * Helper for custom authz entries (not referenced by accessConfig on this
 * page): allows a query request only when its _queryId is listed for the
 * request's resource ID in allowedQueries.
 *
 * @param {Object.<string, string[]>} allowedQueries - resource ID -> list of
 *   permitted _queryId values
 * @returns {boolean}
 */
function isQueryOneOf(allowedQueries) {
    if (request.method !== "query") {
        return false;
    }
    var permittedForResource = allowedQueries[request.id];
    if (!permittedForResource) {
        return false;
    }
    return contains(permittedForResource, request.params["_queryId"]);
}
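/**
 * Reads config/ui/configuration and reports whether the named UI feature flag
 * (e.g. 'selfRegistration', 'securityQuestions') is enabled.
 *
 * @param {string} param - name of the flag under the "configuration" object
 * @returns {boolean} true only when the config could be read and the flag is
 *   truthy; false when the config or the flag is missing.
 */
function checkIfUIIsEnabled(param) {
    var uiConfig = openidm.read("config/ui/configuration");
    // Coerce to a strict boolean so the eval'd customAuthz expressions see a
    // clean true/false rather than the raw setting value.
    return !!(uiConfig && uiConfig.configuration && uiConfig.configuration[param]);
}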
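/**
 * Custom authz check: the request must refer to the caller's own user ID.
 *
 * The user ID is taken from, in order: the request ID (whatever follows
 * "managed/user/"), the userId request parameter, and the userId property of
 * the request body. When more than one source is present they must agree --
 * a mismatch denies the request. The resulting ID must equal
 * request.parent.security.userid.id; a request naming no user ID at all is
 * denied.
 *
 * @returns {boolean}
 */
function ownDataOnly() {
    var userId = null;
    var idMatch = request.id.match(/managed\/user\/(.*)/i);
    if (idMatch && idMatch.length === 2) {
        userId = idMatch[1];
    }
    if (request.params && request.params.userId) {
        // something funny going on if we have two different values for userId
        if (userId !== null && userId.length && userId !== request.params.userId) {
            return false;
        }
        userId = request.params.userId;
    }
    if (request.value && request.value.userId) {
        // something funny going on if we have two different values for userId.
        // Compared against the body's userId (the original compared against
        // request.params.userId here, which never checked the body value).
        if (userId !== null && userId.length && userId !== request.value.userId) {
            return false;
        }
        userId = request.value.userId;
    }
    return userId === request.parent.security.userid.id;
}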
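/**
 * Custom authz check: a caller may only write roles from an allowed list onto
 * a managed/user object.
 *
 * Applies to create/update bodies carrying "roles" or "/roles", and to patch
 * operations (method "patch", or action "patch") whose test/add/replace target
 * is "roles" or "/roles". Role values are comma-separated strings; any other
 * shape is refused because it cannot be checked.
 *
 * @param {string|string[]} allowedRolesList - the roles the caller may assign,
 *   either as an array or as a comma-separated string.
 * @returns {boolean} true when the request is not a managed/user write, sets
 *   no roles, or sets only allowed roles; false otherwise.
 */
function managedUserRestrictedToAllowedRoles(allowedRolesList) {
    var requestedRoles = [];
    var key;
    var k;

    // Roles on anything other than managed/user are not this check's concern.
    if (!request.id.match(/^managed\/user/)) {
        return true;
    }
    // No body means nothing is being set, so there is nothing to restrict.
    if (!request.value) {
        return true;
    }
    var params = request.value;

    var isPatch = request.method === "patch" ||
        (request.method === "action" && request.params["_action"] === "patch");

    if (isPatch) {
        // params holds the patch operations; for...in is kept so that both an
        // array and an object of operations are walked, own keys only.
        for (key in params) {
            if (!Object.prototype.hasOwnProperty.call(params, key)) {
                continue;
            }
            var op = params[key];
            if (!patchOpTargetsRoles(op)) {
                continue;
            }
            // Same stance as the create/update branch: a roles value that is
            // not a comma-separated string is not understood, so not trusted.
            if (typeof op.value !== "string") {
                return false;
            }
            requestedRoles = requestedRoles.concat(op.value.split(','));
        }
    } else if (request.method === "create" || request.method === "update") {
        var rolesValues = [params.roles, params["/roles"]];
        for (k = 0; k < rolesValues.length; k++) {
            if (!rolesValues[k]) {
                continue;
            }
            if (typeof rolesValues[k] !== "string") {
                return false; // unknown shape: refuse what cannot be checked
            }
            requestedRoles = requestedRoles.concat(rolesValues[k].split(","));
        }
    }

    // No requested roles, no problem.
    if (requestedRoles.length === 0) {
        return true;
    }
    // Accept either a CSV string or an array for allowedRolesList.
    var allowed = allowedRolesList;
    if (typeof allowed === "string") {
        allowed = allowed.split(',');
    }
    for (k = 0; k < requestedRoles.length; k++) {
        if (!contains(allowed, requestedRoles[k])) {
            return false;
        }
    }
    return true;
}

/**
 * True when a single patch operation reads or writes the roles attribute,
 * i.e. its test, add or replace target is "roles" or "/roles". A
 * null/undefined operation is treated as not touching roles.
 */
function patchOpTargetsRoles(op) {
    var rolesPath = /^\/?roles$/;
    if (op == null) {
        return false;
    }
    return !!((op.test && op.test.match(rolesPath)) ||
              (op.add && op.add.match(rolesPath)) ||
              (op.replace && op.replace.match(rolesPath)));
}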
//////// Do not alter functions below here as part of your authz configuration
/**
 * Evaluates the request against every entry of accessConfig.configs and
 * returns true as soon as one entry permits it. Entries are independent
 * grants: a non-matching entry is skipped, never a denial.
 *
 * Local names `i` and `config` are deliberately kept, because the eval'd
 * customAuthz expression runs in this function's scope and can see them.
 *
 * @param {string} id - resource ID of the request
 * @param {string[]} roles - the caller's openidm-roles
 * @param {string} method - request method (read, create, ...)
 * @param {string} action - the _action parameter, "" when absent
 * @returns {boolean}
 */
function passesAccessConfig(id, roles, method, action) {
    var configs = accessConfig.configs;
    for (var i = 0; i < configs.length; i++) {
        var config = configs[i];
        // Check resource ID
        if (!matchesResourceIdPattern(id, config.pattern)) {
            continue;
        }
        // Check roles
        if (!containsItems(roles, config.roles.split(','))) {
            continue;
        }
        // Check method. NOTE: this compares against the literal string
        // 'undefined', not `typeof method`; a genuinely undefined method is
        // therefore still checked by containsItem().
        if (method != 'undefined' && !containsItem(method, config.methods)) {
            continue;
        }
        // Check action; an absent action ("") always passes this step.
        if (action != 'undefined' && action != "" && !containsItem(action, config.actions)) {
            continue;
        }
        if (typeof(config.customAuthz) == 'undefined') {
            return true;
        }
        // customAuthz is a JavaScript expression taken from this script's own
        // accessConfig, never from the request; eval() runs it with access to
        // the `request` global, so only trusted, reviewed code belongs there.
        if (eval(config.customAuthz)) {
            return true;
        }
    }
    return false;
}
/**
 * Matches a request's resource ID against one accessConfig pattern.
 *
 * Three forms are recognised: a lone "*" (everything), an exact match, and a
 * pattern ending in "/*", which is a prefix match on everything up to and
 * including the "/" -- "managed/*" accepts "managed/user" and "managed/" but
 * not "managed". A pattern ending in a bare "/" is NOT a prefix pattern and
 * only matches exactly.
 *
 * @param {string} id - the request's resource ID
 * @param {string} pattern - an accessConfig pattern
 * @returns {boolean}
 */
function matchesResourceIdPattern(id, pattern) {
    if (pattern === "*") {
        return true;
    }
    if (id === pattern) {
        return true;
    }
    if (pattern.slice(-2) === "/*") {
        // Drop the "*" and require the remainder as a prefix of the ID.
        var prefix = pattern.slice(0, -1);
        return id.indexOf(prefix) === 0;
    }
    return false;
}
/**
 * True when configItems is the single wildcard "*" or when at least one of
 * items is contained in configItems (via contains()).
 *
 * @param {string[]} items - e.g. the caller's roles
 * @param {string[]} configItems - the split "roles" list of a config entry
 * @returns {boolean}
 */
function containsItems(items, configItems) {
    // The split list ["*"] stringifies to "*"; a longer list never does.
    if (String(configItems) === "*") {
        return true;
    }
    var k;
    for (k = 0; k < items.length; k++) {
        if (contains(configItems, items[k])) {
            return true;
        }
    }
    return false;
}
/**
 * True when configItems is the wildcard "*" or the comma-separated string
 * configItems lists item exactly (an empty string lists nothing).
 *
 * @param {string} item - a method or action name
 * @param {string} configItems - the "methods" or "actions" value of a config entry
 * @returns {boolean}
 */
function containsItem(item, configItems) {
    if (configItems === "*") {
        return true;
    }
    var permitted = configItems.split(',');
    return contains(permitted, item);
}
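/**
 * True when o is strictly equal to some element of a (by index, so a may be
 * an array or a string). A null or undefined a contains nothing.
 *
 * @param {*} a - the collection searched
 * @param {*} o - the value looked for
 * @returns {boolean}
 */
function contains(a, o) {
    if (a == null) {
        return false;
    }
    // Strictly less than the length: the previous `<=` read one element past
    // the end, so a[a.length] (undefined) matched an undefined `o` and
    // reported a bogus hit -- an authorization check then passed by accident.
    for (var i = 0; i < a.length; i++) {
        if (a[i] === o) {
            return true;
        }
    }
    return false;
}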
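/**
 * Decides whether the current request may proceed.
 *
 * Only requests that arrived over HTTP (request.parent.type === 'http') are
 * checked against accessConfig; a request with no parent, or a non-HTTP
 * parent, is allowed through unconditionally. The caller's openidm-roles and
 * the _action parameter (or "" when absent) are handed to passesAccessConfig.
 *
 * @returns {boolean} true to allow, false to deny (the previous version fell
 *   off the end and returned undefined on denial).
 */
function allow() {
    // `== null` covers both null and undefined.
    if (request.parent == null || request.parent.type != 'http') {
        return true;
    }
    var roles = request.parent.security['openidm-roles'];
    var action = "";
    if (request.params && request.params['_action']) {
        action = request.params['_action'];
    }
    // Check REST requests against the access configuration
    logger.debug("Access Check for HTTP request for resource id: " + request.id);
    if (passesAccessConfig(request.id, roles, request.method, action)) {
        logger.debug("Request allowed");
        return true;
    }
    // Explicit deny so the result is always a boolean.
    return false;
}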
// Entry point of the onRequest trigger: deny with a 403 unless the request
// passes the access configuration. The thrown value is a plain object (not an
// Error) carrying the openidmCode the router turns into the HTTP status.
var requestAllowed = allow();
if (!requestAllowed) {
    throw {
        "openidmCode" : 403,
        "message" : "Access denied"
    };
}