Add xacml docs.

wso2-extensions · Dec 20, 2024 · fd65a69 · fd65a69
1 parent beaad0b
commit fd65a69
Show file tree

Hide file tree

Showing 2 changed files with 197 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ Please follow the below steps.
 1. Add the jar files in `<XACML_CONNECTOR>/dropins` folder to the
 `<IS_HOME>/repository/components/dropins` folder.
 
-2. Add the jar file in  <XACML_CONNECTOR>/api-server folder to the 
+2. Add the jar file in  `<XACML_CONNECTOR>/api-server` folder to the 
 `<IS_HOME>/repository/deployment/server/webapps/api/WEB-INF/lib` folder.
 
 3. Add the `<XACML_CONNECTOR>/config-files/entitlement.properties` file to the 
@@ -57,4 +57,176 @@ file to the `<IS_HOME>/repository/resources/conf/default.json`.
 `<XACML_CONNECTOR>/config-files/policies`  to the
 `<IS_HOME>/repository/resources/identity/policies/xacml/default` folder.
 
-8. Restart Identity Server.
+8. Add XACML rest api webapp resides in folder `<XACML_CONNECTOR>/webapps` to the
+`<IS_HOME>/repository/deployment/server/webapps` folder.
+
+9. Add the below configuration to the `<IS_HOME>/repository/conf/deployment.toml` file.
+
+```toml
+# Entitlement Policies API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_policy_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_policy_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/policies(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_policy_mgt_delete"]
+
+# Entitlement Subscriber API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_subscriber_mgt_view"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_subscriber_mgt_create"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_subscriber_mgt_update"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/subscribers(.*)"
+secure = "true"
+http_method = "DELETE"
+scopes = ["internal_entitlement_subscriber_mgt_delete"]
+
+# Entitlement Policy Publish API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/publish(.*)"
+secure = "true"
+http_method = "POST"
+scopes = ["internal_entitlement_policy_publish"]
+
+# Entitlement Global Policy Combining Algorithm API
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "GET"
+scopes = ["internal_entitlement_gpa_get"]
+
+[[resource.access_control]]
+context = "(.*)/api/identity/entitlement/v1/entitlements/combining-algorithm(.*)"
+secure = "true"
+http_method = "PATCH"
+scopes = ["internal_entitlement_gpa_set"]
+
+[[api_resources]]
+name = "Entitlement Policies API"
+identifier = "/api/identity/entitlement/v1/entitlements/policies"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Policy"
+name = "internal_entitlement_policy_mgt_create"
+description = "Create new Policy"
+
+[[api_resources.scopes]]
+displayName = "Update Policy"
+name = "internal_entitlement_policy_mgt_update"
+description = "Update Policy"
+
+[[api_resources.scopes]]
+displayName = "View Policy"
+name = "internal_entitlement_policy_mgt_view"
+description = "View Policy"
+
+[[api_resources.scopes]]
+displayName = "Delete Policy"
+name = "internal_entitlement_policy_mgt_delete"
+description = "Delete Policy"
+
+[[api_resources]]
+name = "Entitlement Subscriber API"
+identifier = "/api/identity/entitlement/v1/entitlements/subscribers"
+requiresAuthorization = true
+description = "API representation of the Entitlement Subscriber Management API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Create Subscriber"
+name = "internal_entitlement_subscriber_mgt_create"
+description = "Create new Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Update Subscriber"
+name = "internal_entitlement_subscriber_mgt_update"
+description = "Update Subscriber"
+
+[[api_resources.scopes]]
+displayName = "View Subscriber"
+name = "internal_entitlement_subscriber_mgt_view"
+description = "View Subscriber"
+
+[[api_resources.scopes]]
+displayName = "Delete Subscriber"
+name = "internal_entitlement_subscriber_mgt_delete"
+description = "Delete Subscriber"
+
+[[api_resources]]
+name = "Entitlement Global Policy Combining Algorithm API"
+identifier = "/api/identity/entitlement/v1/entitlements/combining-algorithm"
+requiresAuthorization = true
+description = "API representation of the Entitlement Global Policy Combining Algorithm API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Set Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_set"
+description = "Set Global Policy Combining Algorithm"
+
+[[api_resources.scopes]]
+displayName = "Get Global Policy Combining Algorithm API"
+name = "internal_entitlement_gpa_get"
+description = "Get Global Policy Combining Algorithm"
+
+[[api_resources]]
+name = "Entitlement Policy Publish API"
+identifier = "/api/identity/entitlement/v1/entitlements/publish"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Publish API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Publish Policy"
+name = "internal_entitlement_policy_publish"
+description = "Publish new Policy"
+
+[[api_resources]]
+name = "Entitlement Policy Mgt API"
+identifier = "/api/identity/entitlement/v1/decision"
+requiresAuthorization = true
+description = "API representation of the Entitlements Policy Mgt API"
+type = "TENANT"
+
+[[api_resources.scopes]]
+displayName = "Policy Mgt"
+name = "internal_manage_pep"
+description = "Policy Mgt"
+```
+
+10. Restart Identity Server.
diff --git a/setup.sh b/setup.sh
@@ -89,4 +89,27 @@ echo "Ensuring XACML policies directory exists..."
 mkdir -p "$POLICIES_DIR"
 echo "Copying XACML policies..."
 cp -r "$XACML_CONNECTOR/policies/"* "$POLICIES_DIR/"
+
+# Step 8: Copy entitlements webapp.
+echo "Copying entitlements webapp..."
+WEBAPPS_DIR="$IS_HOME/repository/deployment/server/webapps"
+echo "Ensuring webapps directory exists..."
+mkdir -p "$WEBAPPS_DIR"
+echo "Copying entitlements webapp..."
+cp -r "$XACML_CONNECTOR/webapps/"* "$WEBAPPS_DIR/"
+
+# Step 9: Append content to deployment.toml
+echo "Appending content to deployment.toml..."
+DEPLOYMENT_TOML="$IS_HOME/repository/conf/deployment.toml"
+XACML_DEPLOYMENT_TOML="$XACML_CONNECTOR/config-files/deployment.toml"
+if [ -f "$DEPLOYMENT_TOML" ] && [ -f "$XACML_DEPLOYMENT_TOML" ]; then
+  cat "$XACML_DEPLOYMENT_TOML" >> "$DEPLOYMENT_TOML" || {
+    echo "Error appending content to deployment.toml."
+    exit 1
+  }
+else
+  echo "Error: deployment.toml or XACML deployment.toml not found."
+  exit 1
+fi
+
 echo "Script completed successfully."