diff --git a/docs/cedarling/python/usage.md b/docs/cedarling/python/usage.md
index ea5179b620a..d4198223de0 100644
--- a/docs/cedarling/python/usage.md
+++ b/docs/cedarling/python/usage.md
@@ -7,232 +7,103 @@ tags: # Python usage -In this example, we will show an example Python script that calls the `cedarling_python` module and calls the `authz` function. Before beginning, ensure that you have completed the [building steps](./README.md#building) and are currently in a virtual Python environment that has the `cedarling_python` module installed. +In this example, we will show an example Python script that calls the `cedarling_python` module and calls the `authorize()` function. -## Demo script +- Before beginning, ensure that you have completed the [building steps](./README.md#building) and are currently in a virtual Python environment that has the `cedarling_python` module installed. You can confirm this with `pip list`. +- Run the script `jans/jans-cedarling/bindings/cedarling_python/example.py` from within the virtual environment. -```python -from cedarling_python import MemoryLogConfig, DisabledLoggingConfig, StdOutLogConfig -from cedarling_python import PolicyStoreSource, PolicyStoreConfig, BootstrapConfig, JwtConfig -from cedarling_python import Cedarling, ResourceData, Request - -# use MemoryLogConfig to store logs in memory with a time-to-live of 120 seconds -# by default it is 60 seconds -log_config = MemoryLogConfig(log_ttl=100) -# we can also set value to as property -# log_config.log_ttl = 120 - -# use DisabledLoggingConfig to ignore all logging -# log_config = DisabledLoggingConfig() - -# use StdOutLogConfig to print logs to stdout -log_config = StdOutLogConfig() - -# Create policy source configuration -with open("policy-store.json", - mode="r", encoding="utf8") as f: - policy_raw_json = f.read() -""" -This policy store contains 2 policy as such: +## Output +``` +(venv) $ python example.py +Policy store location not provided, use 'CEDARLING_LOCAL_POLICY_STORE' environment variable +Used default policy store path: example_files/policy-store.json + 
+{"id":"0193414e-9672-786a-986c-57f48d41c4e4","time":1731967489,"log_kind":"System","pdp_id":"c0ec33ff-9482-4bdc-83f6-2925a41a3280","msg":"configuration parsed successfully"} +{"id":"0193414e-9672-786a-986c-57f5379086c3","time":1731967489,"log_kind":"System","pdp_id":"c0ec33ff-9482-4bdc-83f6-2925a41a3280","msg":"Cedarling Authz initialized successfully","application_id":"TestApp"} +{"id":"0193414e-9676-7d8a-b55b-3f0097355851","time":1731967489,"log_kind":"Decision","pdp_id":"c0ec33ff-9482-4bdc-83f6-2925a41a3280","msg":"Result of authorize.","application_id":"TestApp","action":"Jans::Action::\"Read\"","resource":"Jans::Application::\"some_id\"","context":{"user_agent":"Linux","operating_system":"Linux","network_type":"Local","network":"127.0.0.1","geolocation":["America"],"fraud_indicators":["Allowed"],"device_health":["Healthy"],"current_time":1731967489},"person_principal":"Jans::User::\"qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0\"","person_diagnostics":{"reason":["840da5d85403f35ea76519ed1a18a33989f855bf1cf8"],"errors":[]},"person_decision":"ALLOW","workload_principal":"Jans::Workload::\"d7f71bea-c38d-4caf-a1ba-e43c74a11a62\"","workload_diagnostics":{"reason":["444da5d85403f35ea76519ed1a18a33989f855bf1cf8"],"errors":[]},"workload_decision":"ALLOW","role_authorize_info":[{"role_principal":"Jans::Role::\"CasaAdmin\"","role_diagnostics":{"reason":[],"errors":[]},"role_decision":"DENY"}],"authorized":true} +Result of workload authorization: ALLOW +Policy ID used: +444da5d85403f35ea76519ed1a18a33989f855bf1cf8 +Errors during authorization: 0 + +Result of person authorization: ALLOW +Policy ID used: +840da5d85403f35ea76519ed1a18a33989f855bf1cf8 +Errors during authorization: 0 + +Role authorization present +Role authorization result: DENY +Errors during authorization: 0 +``` + +## Explanation +Cedarling creates principal entities from the access, ID and userinfo tokens. The action, resource and context entities are declared in code. 
These four entities together form the `PARC` format that cedarling evaluates against policies provided in the policy store. The principal entities can be either User, Workload or Role. After forming the entities, cedarling evaluates them against the policies provided in the policy store. If entity is explicitly permitted by a policy, the result of the evaluation is `ALLOW`, otherwise it is `DENY`. + +In this case there are two policies in the store, one for User entities and one for Workload entities: + +``` +@444da5d85403f35ea76519ed1a18a33989f855bf1cf8 permit( principal is Jans::Workload, - action in [Jans::Action::"Update"], - resource is Jans::Issue + action in [Jans::Action::"Read"], + resource is Jans::Application )when{ - principal.org_id == resource.org_id + resource.name == "Some Application" }; +@840da5d85403f35ea76519ed1a18a33989f855bf1cf8 permit( principal is Jans::User, - action in [Jans::Action::"Update"], - resource is Jans::Issue + action in [Jans::Action::"Read"], + resource is Jans::Application )when{ - principal.country == resource.country + resource.name == "Some Application" }; -""" -# for now we support only json source -policy_source = PolicyStoreSource(json=policy_raw_json) - -policy_store_config = PolicyStoreConfig(source=policy_source) - - -# Create jwt configuration -# do not validate JWT tokens -jwt_config = JwtConfig(enabled=False) - -# collect all in the BootstrapConfig -bootstrap_config = BootstrapConfig( - application_name="TestApp", - log_config=log_config, - policy_store_config=policy_store_config, - jwt_config=jwt_config -) - -# initialize cedarling instance -# all values in the bootstrap_config is parsed and validated at this step. 
-instance = Cedarling(bootstrap_config) - -# returns a list of all active log ids -# active_log_ids = instance.get_log_ids() - -# get log entry by id -# log_entry = instance.get_log_by_id(active_log_ids[0]) +``` +These two policies say that a Principal entity (User or Workload) is allowed to execute a `Read` action on an Application resource when the resource is named "Some Application". As there are no policies for Role entities, the result of the evaluation for the Role entity is `DENY`. -# show logs -print("Logs stored in memory:") -print(*instance.pop_logs(), sep="\n\n") +In the script, the action, resource and context entities are used to create the request and execute the `authorize()` call: +```python -# //// Execute authentication request //// +action = 'Jans::Action::"Read"' -# Creating cedar resource object. -# field resource_type and id is mandatory -# other fields are attributes of the resource. -resource = ResourceData(resource_type="Jans::Issue", - id="random_id", org_id="some_long_id", country="US") -# or we can init resource using dict resource = ResourceData.from_dict({ - "type": "Jans::Issue", - "id": "random_id", - "org_id": "some_long_id", - "country": "US" + "type": "Jans::Application", + "id": "some_id", + "app_id": "application_id", + "name": "Some Application", + "url": { + "host": "jans.test", + "path": "/protected-endpoint", + "protocol": "http" + } }) - -action_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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._eQT-DsfE_kgdhA0YOyFxxPEMNw44iwoelWa5iU1n9s" -""" -JSON payload of access token -{ - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "code": "bf1934f6-3905-420a-8299-6b2e3ffddd6e", - "iss": "https://admin-ui-test.gluu.org", - "token_type": "Bearer", - "client_id": "5b4487c4-8db1-409d-a653-f907b8094039", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "acr": "basic", - "x5t#S256": "", - "scope": [ - "openid", - "profile" - ], - "org_id": "some_long_id", - "auth_time": 
1724830746, - "exp": 1724945978, - "iat": 1724832259, - "jti": "lxTmCVRFTxOjJgvEEpozMQ", - "name": "Default Admin User", - "status": { - "status_list": { - "idx": 201, - "uri": "https://admin-ui-test.gluu.org/jans-auth/restv1/status_list" - } - } +context = { + "current_time": int(time.time()), + "device_health": ["Healthy"], + "fraud_indicators": ["Allowed"], + "geolocation": ["America"], + "network": "127.0.0.1", + "network_type": "Local", + "operating_system": "Linux", + "user_agent": "Linux" } -""" - -id_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3IiOiJiYXNpYyIsImFtciI6IjEwIiwiYXVkIjoiNWI0NDg3YzQtOGRiMS00MDlkLWE2NTMtZjkwN2I4MDk0MDM5IiwiZXhwIjoxNzI0ODM1ODU5LCJpYXQiOjE3MjQ4MzIyNTksInN1YiI6ImJvRzhkZmM1TUtUbjM3bzdnc2RDZXlxTDhMcFdRdGdvTzQxbTFLWndkcTAiLCJpc3MiOiJodHRwczovL2FkbWluLXVpLXRlc3QuZ2x1dS5vcmciLCJqdGkiOiJzazNUNDBOWVNZdWs1c2FIWk5wa1p3Iiwibm9uY2UiOiJjMzg3MmFmOS1hMGY1LTRjM2YtYTFhZi1mOWQwZTg4NDZlODEiLCJzaWQiOiI2YTdmZTUwYS1kODEwLTQ1NGQtYmU1ZC01NDlkMjk1OTVhMDkiLCJqYW5zT3BlbklEQ29ubmVjdFZlcnNpb24iOiJvcGVuaWRjb25uZWN0LTEuMCIsImNfaGFzaCI6InBHb0s2WV9SS2NXSGtVZWNNOXV3NlEiLCJhdXRoX3RpbWUiOjE3MjQ4MzA3NDYsImdyYW50IjoiYXV0aG9yaXphdGlvbl9jb2RlIiwic3RhdHVzIjp7InN0YXR1c19saXN0Ijp7ImlkeCI6MjAyLCJ1cmkiOiJodHRwczovL2FkbWluLXVpLXRlc3QuZ2x1dS5vcmcvamFucy1hdXRoL3Jlc3R2MS9zdGF0dXNfbGlzdCJ9fX0.8BwLLGkFpWGx8wGpvVmNk_Ao8nZrP_WT-zoo-MY4zqY" -""" -JSON payload of id token -{ - "acr": "basic", - "amr": "10", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "exp": 1724835859, - "iat": 1724832259, - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "iss": "https://admin-ui-test.gluu.org", - "jti": "sk3T40NYSYuk5saHZNpkZw", - "nonce": "c3872af9-a0f5-4c3f-a1af-f9d0e8846e81", - "sid": "6a7fe50a-d810-454d-be5d-549d29595a09", - "jansOpenIDConnectVersion": "openidconnect-1.0", - "c_hash": "pGoK6Y_RKcWHkUecM9uw6Q", - "auth_time": 1724830746, - "grant": "authorization_code", - "status": { - "status_list": { - "idx": 202, - "uri": 
"https://admin-ui-test.gluu.org/jans-auth/restv1/status_list" - } - } -} -""" - -userinfo_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.3LTc8YLvEeb7ONZp_FKA7yPP7S6e_VTzwhvAWUJrL4M" -""" -JSON payload of userinfo token -{ - "country": "US", - "email": "user@example.com", - "username": "UserNameExample", - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "iss": "https://admin-ui-test.gluu.org", - "given_name": "Admin", - "middle_name": "Admin", - "inum": "8d1cde6a-1447-4766-b3c8-16663e13b458", - "client_id": "5b4487c4-8db1-409d-a653-f907b8094039", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "updated_at": 1724778591, - "name": "Default Admin User", - "nickname": "Admin", - "family_name": "User", - "jti": "faiYvaYIT0cDAT7Fow0pQw", - "jansAdminUIRole": [ - "api-admin" - ], - "exp": 1724945978 -} -""" - -# Creating cedarling request request = Request( - action_token, + access_token, id_token, userinfo_token, - action='Jans::Action::"Update"', - context={}, resource=resource) + action=action, + resource=resource, context=context) -# Authorize call authorize_result = instance.authorize(request) -print(*instance.pop_logs(), sep="\n\n") - -# if you change org_id result will be false assert authorize_result.is_allowed() - -# watch on the decision for workload -workload_result = authorize_result.workload() -print(workload_result.decision) - -# show diagnostic information -workload_diagnostic = workload_result.diagnostics -for i, reason in enumerate(workload_diagnostic.reason): - if i == 0: - print("reason policies:") - print(reason) - -for i, error in enumerate(workload_diagnostic.errors): - if i == 0: - print("errors:") - print("id:", error.id, "error:", error.error) -``` - -- Save the script in a file called `example.py` -- Save [this](https://github.com/JanssenProject/jans/blob/main/jans-cedarling/bindings/cedarling_python/example_files/policy-store.json) demo policy store file to `policy-store.json` in the 
same location -- Run the example script: - -``` -(venv) $ python example.py -Logs stored in memory: -{"id":"01929b39-b7d9-7e58-8abb-329c19c3d821","time":1729181104,"log_kind":"System","pdp_id":"1039a067-88de-4e8b-8d5f-421fc912b94f","msg":"PolicyStore loaded successfully","application_id":"TestApp"} -{"id":"01929b39-b7d9-7e58-8abb-329dfb797de1","time":1729181104,"log_kind":"System","pdp_id":"1039a067-88de-4e8b-8d5f-421fc912b94f","msg":"JWT service loaded successfully","application_id":"TestApp"} -{"id":"01929b39-b7d9-7e58-8abb-329e91d2b37f","time":1729181104,"log_kind":"System","pdp_id":"1039a067-88de-4e8b-8d5f-421fc912b94f","msg":"Cedarling Authz initialized successfully","application_id":"TestApp"} -Logs stored in memory: - -{"id":"01929b39-b7db-766c-95a8-4790ff90532d","time":1729181104,"log_kind":"Decision","pdp_id":"1039a067-88de-4e8b-8d5f-421fc912b94f","msg":"Result of authorize with resource as workload entity","application_id":"TestApp","principal":"Jans::Workload::\"5b4487c4-8db1-409d-a653-f907b8094039\"","action":"Jans::Action::\"Update\"","resource":"Jans::Issue::\"random_id\"","context":{},"decision":"ALLOW","diagnostics":{"reason":["840da5d85403f35ea76519ed1a18a33989f855bf1cf8"],"errors":[]}} ``` +Cedarling will return `is_allowed()` as `True` only if both the User and Workload entity evaluations are `ALLOW`. -As you can see, the logs from cedarling's initialization and the result of the authorize call is printed to the console. ## Exposed functions diff --git a/jans-cedarling/bindings/cedarling_python/README.md b/jans-cedarling/bindings/cedarling_python/README.md index f678451fe82..39186bff985 100644 --- a/jans-cedarling/bindings/cedarling_python/README.md +++ b/jans-cedarling/bindings/cedarling_python/README.md 
@@ -146,7 +146,7 @@ If you only want to build the library without installing it in the Python enviro To run the tests, with `pytest`: - 1. Make sure that you have installed the `cedarling_python` package in your virtual enviroment or system. + 1. Make sure that you have installed the `cedarling_python` package in your virtual environment or system. 1. Install `pytest`: ```bash diff --git a/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi b/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi index 9b76e950eba..3a6a162f61c 100644 --- a/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi +++ b/jans-cedarling/bindings/cedarling_python/cedarling_python.pyi @@ -86,7 +86,10 @@ class Request: resource: ResourceData context: Dict[str, Any] - def __init__(self, access_token: str, + def __init__(self, + access_token: str, + id_token: str, + userinfo_token: str, action: str, resource: ResourceData, context: Dict[str, Any]) -> None: ... diff --git a/jans-cedarling/bindings/cedarling_python/example.py b/jans-cedarling/bindings/cedarling_python/example.py index f861ad42fe9..f1eacf706f5 100644 --- a/jans-cedarling/bindings/cedarling_python/example.py +++ b/jans-cedarling/bindings/cedarling_python/example.py @@ -2,7 +2,7 @@ from cedarling_python import PolicyStoreSource, PolicyStoreConfig, BootstrapConfig, JwtConfig from cedarling_python import Cedarling from cedarling_python import ResourceData, Request -import os +import os, time DEFAULT_POLICY_STORE_PATH = "example_files/policy-store.json" 
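Review bot: The new `id_token` and `userinfo_token` parameters on `Request.__init__` have no matching attribute declarations in the stub; the visible context declares only `resource: ResourceData` and `context: Dict[str, Any]`, and the top of `class Request` lies above the hunk, so if the runtime object exposes the tokens as attributes the stub should also declare `access_token: str`, `id_token: str` and `userinfo_token: str` next to them. A one-line docstring on `__init__` stating that the three tokens are compact-serialized JWT strings, which is what `example.py` passes, would help users of the stub.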
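Review bot: `import os, time` puts two modules on one import statement, which PEP 8 asks to avoid. Splitting it into `import os` and `import time` keeps later changes to one module per line and matches the one-statement-per-line layout of the surrounding imports.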
@@ -21,9 +21,8 @@ # Read policy store from file policy_store_location = os.getenv("CEDARLING_LOCAL_POLICY_STORE", None) if policy_store_location is None: - print("Policy store location not provided, use 'CEDARLING_LOCAL_POLICY_STORE' enviroment variable") - print("used default policy store path", DEFAULT_POLICY_STORE_PATH) - print() + print("Policy store location not provided, use 'CEDARLING_LOCAL_POLICY_STORE' environment variable") + print(f"Used default policy store path: {DEFAULT_POLICY_STORE_PATH}\n") policy_store_location = DEFAULT_POLICY_STORE_PATH with open(policy_store_location, "r") as f: policy_raw_json = f.read() 
@@ -56,144 +55,189 @@ # log_entry = instance.get_log_by_id(active_log_ids[0]) -# show logs -print("Logs stored in memory:") -print(*instance.pop_logs()) +# show logs; only applicable to MemoryLogConfig logger +#print("Logs stored in memory:") +#print(*instance.pop_logs()) # //// Execute authentication request //// # field resource_type and id is mandatory # other fields are attributes of the resource. -resource = ResourceData(resource_type="Jans::Issue", - id="random_id", org_id="some_long_id", country="US") +resource = ResourceData(resource_type="Jans::Application", + id="random_id", + app_id="application_id", + name="Some Application", + url={ + "host": "jans.test", + "path": "/protected-endpoint", + "protocol": "http" + } + ) + # or we can init resource using dict resource = ResourceData.from_dict({ - "type": "Jans::Issue", - "id": "random_id", - "org_id": "some_long_id", - "country": "US" + "type": "Jans::Application", + "id": "some_id", + "app_id": "application_id", + "name": "Some Application", + "url": { + "host": "jans.test", + "path": "/protected-endpoint", + "protocol": "http" + } }) -action_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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._eQT-DsfE_kgdhA0YOyFxxPEMNw44iwoelWa5iU1n9s" +access_token = "eyJraWQiOiJjb25uZWN0X2Y5YTAwN2EyLTZkMGItNDkyYS05MGNkLWYwYzliMWMyYjVkYl9zaWdfcnMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.Pt-Y7F-hfde_WP7ZYwyvvSS11rKYQWGZXTzjH_aJKC5VPxzOjAXqI3Igr6gJLsP1aOd9WJvOPchflZYArctopXMWClbX_TxpmADqyCMsz78r4P450TaMKj-WKEa9cL5KtgnFa0fmhZ1ZWolkDTQ_M00Xr4EIvv4zf-92Wu5fOrdjmsIGFot0jt-12WxQlJFfs5qVZ9P-cDjxvQSrO1wbyKfHQ_txkl1GDATXsw5SIpC5wct92vjAVm5CJNuv_PE8dHAY-KfPTxOuDYBuWI5uA2Yjd1WUFyicbJgcmYzUSVt03xZ0kQX9dxKExwU2YnpDorfwebaAPO7G114Bkw208g" + """ -JSON payload of access token +Payload of access_token: { - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "code": "bf1934f6-3905-420a-8299-6b2e3ffddd6e", - "iss": 
"https://admin-ui-test.gluu.org", + "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0", + "code": "3e2a2012-099c-464f-890b-448160c2ab25", + "iss": "https://account.gluu.org", "token_type": "Bearer", - "client_id": "5b4487c4-8db1-409d-a653-f907b8094039", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "acr": "basic", + "client_id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "acr": "simple_password_auth", "x5t#S256": "", + "nbf": 1731953030, "scope": [ + "role", "openid", - "profile" + "profile", + "email" ], - "org_id": "some_long_id", - "auth_time": 1724830746, - "exp": 1724945978, - "iat": 1724832259, - "jti": "lxTmCVRFTxOjJgvEEpozMQ", - "name": "Default Admin User", + "auth_time": 1731953027, + "exp": 1732121460, + "iat": 1731953030, + "jti": "uZUh1hDUQo6PFkBPnwpGzg", + "username": "Default Admin User", "status": { "status_list": { - "idx": 201, - "uri": "https://admin-ui-test.gluu.org/jans-auth/restv1/status_list" + "idx": 306, + "uri": "https://jans.test/jans-auth/restv1/status_list" } } } """ -id_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.pU6-2tleV9OzpIMH4coVzu9kmh6Po6VPMchoRGYFYjQ" +id_token = "eyJraWQiOiJjb25uZWN0X2Y5YTAwN2EyLTZkMGItNDkyYS05MGNkLWYwYzliMWMyYjVkYl9zaWdfcnMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.Nw7MRaJ5LtDak_LdEjrICgVOxDwd1p1I8WxD7IYw0_mKlIJ-J_78rGPski9p3L5ZNCpXiHtVbnhc4lJdmbh-y6mrD3_EY_AmjK50xpuf6YuUuNVtFENCSkj_irPLkIDG65HeZherWsvH0hUn4FVGv8Sw9fjny9Doi-HGHnKg9Qvphqre1U8hCphCVLQlzXAXmBkbPOC8tDwId5yigBKXP50cdqDcT-bjXf9leIdGgq0jxb57kYaFSElprLN9nUygM4RNCn9mtmo1l4IsdTlvvUb3OMAMQkRLfMkiKBjjeSF3819mYRLb3AUBaFH16ZdHFBzTSB6oA22TYpUqOLihMg" + """ -JSON payload of id token +Payload of id_token: { - "acr": "basic", - "amr": "10", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "exp": 1724835859, - "iat": 1724832259, - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "iss": 
"https://admin-ui-test.gluu.org", - "jti": "sk3T40NYSYuk5saHZNpkZw", - "nonce": "c3872af9-a0f5-4c3f-a1af-f9d0e8846e81", - "sid": "6a7fe50a-d810-454d-be5d-549d29595a09", - "jansOpenIDConnectVersion": "openidconnect-1.0", - "c_hash": "pGoK6Y_RKcWHkUecM9uw6Q", - "auth_time": 1724830746, - "grant": "authorization_code", + "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0", + "code": "3e2a2012-099c-464f-890b-448160c2ab25", + "iss": "https://account.gluu.org", + "token_type": "Bearer", + "client_id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "acr": "simple_password_auth", + "x5t#S256": "", + "nbf": 1731953030, + "scope": [ + "role", + "openid", + "profile", + "email" + ], + "auth_time": 1731953027, + "exp": 1732121460, + "iat": 1731953030, + "jti": "uZUh1hDUQo6PFkBPnwpGzg", + "username": "Default Admin User", "status": { "status_list": { - "idx": 202, - "uri": "https://admin-ui-test.gluu.org/jans-auth/restv1/status_list" + "idx": 306, + "uri": "https://jans.test/jans-auth/restv1/status_list" } - }, - "role": "Admin" + } } """ -userinfo_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.3LTc8YLvEeb7ONZp_FKA7yPP7S6e_VTzwhvAWUJrL4M" +userinfo_token = "eyJraWQiOiJjb25uZWN0X2Y5YTAwN2EyLTZkMGItNDkyYS05MGNkLWYwYzliMWMyYjVkYl9zaWdfcnMyNTYiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.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.CIahQtRpoTkIQx8KttLPIKH7gvGG8OmYCMzz7wch6k792DVYQG1R7q3sS9Ema1rO5Fm_GgjOsR0yTTMKsyhHDLBwkDd3cnMLgsh2AwVFZvxtpafTlUAPfjvMAy9YTtkPcY6rNUhsYLSSOA83kt6pHdIv5nI-G6ybqgg-bLBRpwZDoOV0TulRhmuukdiuugTXHT6Bb-K3ZeYs8CwewztnxoFTSDghSzq7VZIraV8SLTBLx5_xswn9mefamyB2XNN3o6vXuMyf4BEbYSCuJ3pu6YtNgfyWwt9cF8PYe4PVLoXZuJKN-cy4qrtgy43QXPCg96jSQUJqgLb5ZL5_3udm2Q" + """ -JSON payload of userinfo token +Payload of userinfo_token: { - "country": "US", - "email": "user@example.com", - "username": "UserNameExample", - "sub": "boG8dfc5MKTn37o7gsdCeyqL8LpWQtgoO41m1KZwdq0", - "iss": 
"https://admin-ui-test.gluu.org", + "sub": "qzxn1Scrb9lWtGxVedMCky-Ql_ILspZaQA6fyuYktw0", + "email_verified": true, + "role": [ + "CasaAdmin" + ], + "iss": "https://account.gluu.org", "given_name": "Admin", "middle_name": "Admin", - "inum": "8d1cde6a-1447-4766-b3c8-16663e13b458", - "client_id": "5b4487c4-8db1-409d-a653-f907b8094039", - "aud": "5b4487c4-8db1-409d-a653-f907b8094039", - "updated_at": 1724778591, + "inum": "a6a70301-af49-4901-9687-0bcdcf4e34fa", + "client_id": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "aud": "d7f71bea-c38d-4caf-a1ba-e43c74a11a62", + "updated_at": 1731698135, "name": "Default Admin User", "nickname": "Admin", "family_name": "User", - "jti": "faiYvaYIT0cDAT7Fow0pQw", + "jti": "OIn3g1SPSDSKAYDzENVoug", + "email": "admin@jans.test", "jansAdminUIRole": [ "api-admin" - ], - "exp": 1724945978 + ] } """ """ Policies used: -@840da5d85403f35ea76519ed1a18a33989f855bf1cf8 +@444da5d85403f35ea76519ed1a18a33989f855bf1cf8 permit( principal is Jans::Workload, - action in [Jans::Action::"Update"], - resource is Jans::Issue + action in [Jans::Action::"Read"], + resource is Jans::Application )when{ - principal.org_id == resource.org_id + resource.name == "Some Application" }; -@444da5d85403f35ea76519ed1a18a33989f855bf1cf8 +@840da5d85403f35ea76519ed1a18a33989f855bf1cf8 permit( principal is Jans::User, - action in [Jans::Action::"Update"], - resource is Jans::Issue + action in [Jans::Action::"Read"], + resource is Jans::Application )when{ - principal.country == resource.country + resource.name == "Some Application" }; """ +# Creating context for request +context = { + "current_time": int(time.time()), + "device_health": ["Healthy"], + "fraud_indicators": ["Allowed"], + "geolocation": ["America"], + "network": "127.0.0.1", + "network_type": "Local", + "operating_system": "Linux", + "user_agent": "Linux" +} + # Creating cedarling request + +action = 'Jans::Action::"Read"' + request = Request( - action_token, + access_token, id_token, userinfo_token, - 
action='Jans::Action::"Update"', - context={}, resource=resource) + action=action, + resource=resource, context=context) # Authorize call authorize_result = instance.authorize(request) -print(*instance.pop_logs()) -# if you change org_id result will be false +# Print logs from MemoryLogConfig +#print(*instance.pop_logs()) + +""" +authorize_result.is_allowed() only returns true if +policies permit both User and Workload authorization +""" assert authorize_result.is_allowed() @@ -203,11 +247,11 @@ # show diagnostic information workload_diagnostic = workload_result.diagnostics -print("Policy ID(s) used:") +print("Policy ID used:") for diagnostic in workload_diagnostic.reason: print(diagnostic) -print("Errors during authorization:") +print(f"Errors during authorization: {len(workload_diagnostic.errors)}") for diagnostic in workload_diagnostic.errors: print(diagnostic) @@ -217,16 +261,23 @@ person_result = authorize_result.person() print(f"Result of person authorization: {person_result.decision}") person_diagnostic = person_result.diagnostics -print("Policy ID(s) used:") +print("Policy ID used:") for diagnostic in person_diagnostic.reason: print(diagnostic) -print("Errors during authorization:") +print(f"Errors during authorization: {len(person_diagnostic.errors)}") for diagnostic in person_diagnostic.errors: print(diagnostic) +print() # watch on the decision for role if present role_result = authorize_result.role() -if role_result is not None: - print(authorize_result.role().decision) +if role_result is None: + print("Role authorization absent") +else: + print("Role authorization present") + print(f"Role authorization result: {role_result.decision}") + print(f"Errors during authorization: {len(role_result.diagnostics.errors)}") + for diagnostic in role_result.diagnostics.errors: + print(diagnostic) 
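Review bot: The `Payload of id_token:` block documents the same claims as the access token (`code`, `token_type: Bearer`, `scope`, the same `jti` `uZUh1hDUQo6PFkBPnwpGzg`) and none of the ID-token claims the previous comment listed (`nonce`, `c_hash`, `amr`), so it looks like a copy of the access-token payload and should be regenerated from the token actually assigned to `id_token`. The embedded tokens carry `exp` values of `1732121460` and the userinfo payload has no `exp` at all, so the script only reaches `assert authorize_result.is_allowed()` if JWT validation is switched off in the bootstrap config above this hunk (the old docs showed `JwtConfig(enabled=False)`), which deserves a comment next to `access_token` such as `# sample tokens are expired; this example depends on JWT validation being disabled in BootstrapConfig`. The triple-quoted text placed before the `assert` is an expression statement rather than a comment, so plain `#` lines are the idiomatic form, and because `assert` is dropped under `python -O`, `if not authorize_result.is_allowed(): raise SystemExit("authorization denied")` makes the example fail visibly in every mode.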
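Review bot: Changing `Policy ID(s) used:` to `Policy ID used:` drops the plural, yet the line heads `for diagnostic in workload_diagnostic.reason`, which is iterated precisely because it can hold more than one policy ID; the `@@ -217` hunk makes the same edit above the `person_diagnostic.reason` loop. Printing a count, as the new errors line already does, keeps the two headings consistent: `print(f"Policy ID(s) used: {len(workload_diagnostic.reason)}")`.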
diff --git a/jans-cedarling/bindings/cedarling_python/example_files/policy-store.json b/jans-cedarling/bindings/cedarling_python/example_files/policy-store.json
index 4e9f8bba741..2366bb32123 100644
--- a/jans-cedarling/bindings/cedarling_python/example_files/policy-store.json
+++ b/jans-cedarling/bindings/cedarling_python/example_files/policy-store.json
@@ -6,17 +6,78 @@ "description": "", "policies": { "840da5d85403f35ea76519ed1a18a33989f855bf1cf8": { - "description": "simple policy example for principal workload", + "description": "simple policy example for principal user", "creation_date": "2024-09-20T17:22:39.996050", - "policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6Oldvcmtsb2FkLAogICAgYWN0aW9uIGluIFtKYW5zOjpBY3Rpb246OiJVcGRhdGUiXSwKICAgIHJlc291cmNlIGlzIEphbnM6Oklzc3VlCil3aGVuewogICAgcHJpbmNpcGFsLm9yZ19pZCA9PSByZXNvdXJjZS5vcmdfaWQKfTs=" + "policy_content": "cGVybWl0CigKcHJpbmNpcGFsIGlzIEphbnM6OlVzZXIsCmFjdGlvbiBpbiBbSmFuczo6QWN0aW9uOjoiUmVhZCJdLApyZXNvdXJjZSBpcyBKYW5zOjpBcHBsaWNhdGlvbgopd2hlbnsKcmVzb3VyY2UubmFtZSA9PSAiU29tZSBBcHBsaWNhdGlvbiIKfTs=" }, "444da5d85403f35ea76519ed1a18a33989f855bf1cf8": { - "description": "simple policy example for principal user", + "description": "simple policy example for principal workload", "creation_date": "2024-09-20T17:22:39.996050", - "policy_content": "cGVybWl0KAogICAgcHJpbmNpcGFsIGlzIEphbnM6OlVzZXIsCiAgICBhY3Rpb24gaW4gW0phbnM6OkFjdGlvbjo6IlVwZGF0ZSJdLAogICAgcmVzb3VyY2UgaXMgSmFuczo6SXNzdWUKKXdoZW57CiAgICBwcmluY2lwYWwuY291bnRyeSA9PSByZXNvdXJjZS5jb3VudHJ5Cn07" + "policy_content": "cGVybWl0CigKcHJpbmNpcGFsIGlzIEphbnM6Oldvcmtsb2FkLAphY3Rpb24gaW4gW0phbnM6OkFjdGlvbjo6IlJlYWQiXSwKcmVzb3VyY2UgaXMgSmFuczo6QXBwbGljYXRpb24KKXdoZW57CnJlc291cmNlLm5hbWUgPT0gIlNvbWUgQXBwbGljYXRpb24iCn07" + } + }, + "trusted_issuers": { + "595426354a058891fa795ba3d5109af177c684ab5875": { + "name": "Jans", + "description": "Janssen", + "openid_configuration_endpoint": "https://account.gluu.org/.well-known/openid-configuration", + "access_tokens": { + "trusted": true, + "principal_identifier": "jti" + }, + "id_tokens": {}, + "userinfo_tokens": { + "user_id": "sub", + "role_mapping": "role", + "claim_mapping": { + "email": { + "parser": "regex", + "type": "Jans::email_address", + "regex_expression": "^(?P[^@]+)@(?P.+)$", + "UID": { + "attr": "uid", + "type": "String" + }, + "DOMAIN": { + "attr": 
"domain", + "type": "String" + } + }, + "profile": { + "parser": "regex", + "type": "Jans::Url", + "regex_expression": "(?x) ^(?P[a-zA-Z][a-zA-Z0-9+.-]*):\\/\\/(?P[^\\/:\\#?]+)(?::(?\\d+))?(?P\\/[^?\\#]*)?(?:\\?(?P[^\\#]*))?(?:(?P.*))?/gm", + "SCHEME": { + "attr": "scheme", + "type": "String" + }, + "HOST": { + "attr": "host", + "type": "String" + }, + "PORT": { + "attr": "port", + "type": "String" + }, + "PATH": { + "attr": "path", + "type": "String" + }, + "QUERY": { + "attr": "query", + "type": "String" + }, + "FRAGMENT": { + "attr": "fragment", + "type": "String" + } + } + } + }, + "tx_tokens": {} } }, - "schema": "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" + "schema": "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" } } -} \ No newline at end of file +} diff --git a/jans-cedarling/schema/cedarling_core.cedarschema b/jans-cedarling/schema/cedarling_core.cedarschema index d68c9db59ce..446c0f39baf 100644 --- a/jans-cedarling/schema/cedarling_core.cedarschema +++ b/jans-cedarling/schema/cedarling_core.cedarschema 
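Review bot: The `profile` mapping's `regex_expression` ends in `/gm`, which reads as the closing delimiter and flags of a JavaScript regex literal pasted into the pattern; inside a pattern string those are three ordinary characters, so a profile URL only matches if it literally ends with `/gm` and the `SCHEME` through `FRAGMENT` captures are otherwise never filled. Remove the suffix so the pattern ends at the fragment group, `(?:(?P<FRAGMENT>.*))?"`. Both patterns also render here with nameless groups (`(?P[^@]+)@(?P.+)`, `(?P\\/[^?\\#]*)?`); if that is only the page stripping `<UID>`-style names it is harmless, otherwise the regexes are invalid and the `UID`/`DOMAIN` keys can never bind, so the expressions should be checked against the file on disk. Since this store is what `example.py` loads by default, a test asserting that the `email` mapping yields `uid` and `domain` for the example's `admin@jans.test` would catch either problem.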
@@ -1,157 +1,157 @@ namespace Jans { // ****** TYPES ****** type Url = { - protocol: String, host: String, path: String, + protocol: String }; type email_address = { - id: String, domain: String, + uid: String }; type Context = { - network: String, - network_type: String, - user_agent: String, - operating_system: String, - device_health: Set, - current_time: Long, - geolocation: Set, - fraud_indicators: Set, + network: String, + network_type: String, + user_agent: String, + operating_system: String, + device_health: Set, + current_time: Long, + geolocation: Set, + fraud_indicators: Set, }; // ****** Entities ****** - entity Workload = { + entity Workload = { client_id: String, iss: TrustedIssuer, - name: String, - spiffe_id: String, - rp_id: String + name?: String, + rp_id?: String, + spiffe_id?: String }; - entity Access_token = { + entity Access_token = { aud: String, exp: Long, iat: Long, iss: TrustedIssuer, jti: String, nbf: Long, - scope: String, + scope: Set }; entity TrustedIssuer = { - issuer_entity_id: Url, + issuer_entity_id: Url }; entity Role; - entity User in [Role] { - sub: String, - username: String, + entity User in [Role] = { email: email_address, - phone_number: String, + phone_number?: String, role: Set, + sub: String, + "username"?: String }; - entity id_token = { - acr: Set, - amr: String, + entity id_token = { + acr: String, + amr: Set, aud: String, - azp: String, - birthdate: String, - email: email_address, + azp?: String, + birthdate?: String, + email?: email_address, exp: Long, iat: Long, iss: TrustedIssuer, - jti: String, - name: String, - phone_number: String, - role: Set, - sub: String, + jti: String, + name?: String, + phone_number?: String, + role?: Set, + sub: String }; - entity Userinfo_token = { + entity Userinfo_token = { aud: String, - birthdate: String, - email: email_address, - exp: Long, - iat: Long, + birthdate?: String, + email?: email_address, + exp?: Long, + iat?: Long, iss: TrustedIssuer, jti: String, - name: String, - 
phone_number: String, - role: Set, - sub: String, + name?: String, + phone_number?: String, + role?: Set, + sub: String }; entity HTTP_Request = { - "url": Url, - "header": Set, - "accept": Set, + accept: Set, + header: Set, + url: Url }; entity Application = { - "name": String, - "url": Url, - "app_id": String + app_id: String, + name: String, + url: Url }; // ****** Actions ****** action Compare appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Execute appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Monitor appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Read appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Search appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Share appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Tag appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action Write appliesTo { - principal: [User, Role, Workload], - resource: Application, - context: Context, + principal: [User, Role, Workload], + resource: [Application], + context: Context }; action GET appliesTo { - principal: Workload, - resource: 
HTTP_Request, - context: Context, + principal: [Workload], + resource: [HTTP_Request], + context: Context }; action PUT appliesTo { - principal: Workload, - resource: HTTP_Request, - context: Context, + principal: [Workload], + resource: [HTTP_Request], + context: Context }; action DELETE appliesTo { - principal: Workload, - resource: HTTP_Request, - context: Context, + principal: [Workload], + resource: [HTTP_Request], + context: Context }; action HEAD appliesTo { - principal: Workload, - resource: HTTP_Request, - context: Context, + principal: [Workload], + resource: [HTTP_Request], + context: Context }; action PATCH appliesTo { - principal: Workload, - resource: HTTP_Request, - context: Context, + principal: [Workload], + resource: [HTTP_Request], + context: Context }; } diff --git a/jans-cedarling/schema/cedarling_core.json b/jans-cedarling/schema/cedarling_core.json index 216a7cd0c06..07488c9a857 100644 --- a/jans-cedarling/schema/cedarling_core.json +++ b/jans-cedarling/schema/cedarling_core.json 
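Review bot: `"username"?: String` in `entity User` is the only quoted attribute name in the file; every other attribute, including the newly optional ones, is written bare, so `username?: String` keeps the entity declarations uniform. Making `name`, `rp_id`, `spiffe_id`, `email`, `phone_number` and the `id_token`/`Userinfo_token` claim attributes optional is the right model for claims an issuer may omit, but any policy that reads one of them (for example `principal.name`) now needs a `principal has name &&` guard to pass schema validation, which is worth a comment above the `// ****** Entities ******` section. The `Set` element types render here without a type parameter (`scope: Set`, `role: Set`), presumably a display artifact of `Set<String>`; if the file on disk really lost them the schema will not parse.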
@@ -1,55 +1,66 @@ { "Jans": { "commonTypes": { - "Url": { - "type": "Record", - "attributes": { - "host": { - "type": "String" - }, - "path": { - "type": "String" - }, - "protocol": { - "type": "String" - } - } - }, "Context": { "type": "Record", "attributes": { "current_time": { - "type": "Long" + "type": "EntityOrCommon", + "name": "Long" }, "device_health": { "type": "Set", "element": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" } }, "fraud_indicators": { "type": "Set", "element": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" } }, "geolocation": { "type": "Set", "element": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" } }, "network": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, "network_type": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, "operating_system": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, "user_agent": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" + } + } + }, + "Url": { + "type": "Record", + "attributes": { + "host": { + "type": "EntityOrCommon", + "name": "String" + }, + "path": { + "type": "EntityOrCommon", + "name": "String" + }, + "protocol": { + "type": "EntityOrCommon", + "name": "String" } } }, 
@@ -57,120 +68,142 @@ "type": "Record", "attributes": { "domain": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, - "id": { - "type": "String" + "uid": { + "type": "EntityOrCommon", + "name": "String" } } } }, "entityTypes": { - "Workload": { + "Access_token": { "shape": { "type": "Record", "attributes": { - "client_id": { - "type": "String" + "aud": { + "type": "EntityOrCommon", + "name": "String" + }, + "exp": { + "type": "EntityOrCommon", + "name": "Long" + }, + "iat": { + "type": "EntityOrCommon", + "name": "Long" }, "iss": { - "type": "Entity", + "type": "EntityOrCommon", "name": "TrustedIssuer" }, - "name": { - "type": "String" + "jti": { + "type": "EntityOrCommon", + "name": "String" }, - "rp_id": { - "type": "String" + "nbf": { + "type": "EntityOrCommon", + "name": "Long" }, - "spiffe_id": { - "type": "String" + "scope": { + "type": "Set", + "element": { + "type": "EntityOrCommon", + "name": "String" + } } } } }, - "id_token": { + "Application": { "shape": { "type": "Record", "attributes": { - "acr": { - "type": "Set", - "element": { - "type": "String" - } - }, - "amr": { - "type": "String" - }, - "aud": { - "type": "String" - }, - "azp": { - "type": "String" - }, - "birthdate": { - "type": "String" - }, - "email": { - "type": "email_address" - }, - "exp": { - "type": "Long" - }, - "iat": { - "type": "Long" - }, - "iss": { - "type": "Entity", - "name": "TrustedIssuer" - }, - "jti": { - "type": "String" + "app_id": { + "type": "EntityOrCommon", + "name": "String" }, "name": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, - "phone_number": { - "type": "String" + "url": { + "type": "EntityOrCommon", + "name": "Url" + } + } + } + }, + "HTTP_Request": { + "shape": { + "type": "Record", + "attributes": { + "accept": { + "type": "Set", + "element": { + "type": "EntityOrCommon", + "name": "String" + } }, - "role": { + "header": { "type": "Set", "element": { - "type": "String" + "type": "EntityOrCommon", + "name": 
"String" } }, - "sub": { - "type": "String" + "url": { + "type": "EntityOrCommon", + "name": "Url" } } } }, "Role": {}, - "Access_token": { + "TrustedIssuer": { "shape": { "type": "Record", "attributes": { - "aud": { - "type": "String" - }, - "exp": { - "type": "Long" - }, - "iat": { - "type": "Long" + "issuer_entity_id": { + "type": "EntityOrCommon", + "name": "Url" + } + } + } + }, + "User": { + "memberOfTypes": [ + "Role" + ], + "shape": { + "type": "Record", + "attributes": { + "email": { + "type": "EntityOrCommon", + "name": "email_address" }, - "iss": { - "type": "Entity", - "name": "TrustedIssuer" + "phone_number": { + "type": "EntityOrCommon", + "name": "String", + "required": false }, - "jti": { - "type": "String" + "role": { + "type": "Set", + "element": { + "type": "EntityOrCommon", + "name": "String" + } }, - "nbf": { - "type": "Long" + "sub": { + "type": "EntityOrCommon", + "name": "String" }, - "scope": { - "type": "String" + "username": { + "type": "EntityOrCommon", + "name": "String", + "required": false } } } 
@@ -180,129 +213,177 @@ "type": "Record", "attributes": { "aud": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, "birthdate": { - "type": "String" + "type": "EntityOrCommon", + "name": "String", + "required": false }, "email": { - "type": "email_address" + "type": "EntityOrCommon", + "name": "email_address", + "required": false }, "exp": { - "type": "Long" + "type": "EntityOrCommon", + "name": "Long", + "required": false }, "iat": { - "type": "Long" + "type": "EntityOrCommon", + "name": "Long", + "required": false }, "iss": { - "type": "Entity", + "type": "EntityOrCommon", "name": "TrustedIssuer" }, "jti": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" }, "name": { - "type": "String" + "type": "EntityOrCommon", + "name": "String", + "required": false }, "phone_number": { - "type": "String" + "type": "EntityOrCommon", + "name": "String", + "required": false }, "role": { "type": "Set", "element": { - "type": "String" - } + "type": "EntityOrCommon", + "name": "String" + }, + "required": false }, "sub": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" } } } }, - "HTTP_Request": { + "Workload": { "shape": { "type": "Record", "attributes": { - "accept": { - "type": "Set", - "element": { - "type": "String" - } + "client_id": { + "type": "EntityOrCommon", + "name": "String" }, - "header": { - "type": "Set", - "element": { - "type": "String" - } + "iss": { + "type": "EntityOrCommon", + "name": "TrustedIssuer" }, - "url": { - "type": "Url" + "name": { + "type": "EntityOrCommon", + "name": "String", + "required": false + }, + "rp_id": { + "type": "EntityOrCommon", + "name": "String", + "required": false + }, + "spiffe_id": { + "type": "EntityOrCommon", + "name": "String", + "required": false } } } }, - "User": { - "memberOfTypes": [ - "Role" - ], + "id_token": { "shape": { "type": "Record", "attributes": { - "email": { - "type": "email_address" - }, - "phone_number": { - "type": "String" + "acr": { + "type": 
"EntityOrCommon", + "name": "String" }, - "role": { + "amr": { "type": "Set", "element": { - "type": "String" + "type": "EntityOrCommon", + "name": "String" } }, - "sub": { - "type": "String" + "aud": { + "type": "EntityOrCommon", + "name": "String" }, - "username": { - "type": "String" - } - } - } - }, - "Application": { - "shape": { - "type": "Record", - "attributes": { - "app_id": { - "type": "String" + "azp": { + "type": "EntityOrCommon", + "name": "String", + "required": false + }, + "birthdate": { + "type": "EntityOrCommon", + "name": "String", + "required": false + }, + "email": { + "type": "EntityOrCommon", + "name": "email_address", + "required": false + }, + "exp": { + "type": "EntityOrCommon", + "name": "Long" + }, + "iat": { + "type": "EntityOrCommon", + "name": "Long" + }, + "iss": { + "type": "EntityOrCommon", + "name": "TrustedIssuer" + }, + "jti": { + "type": "EntityOrCommon", + "name": "String" }, "name": { - "type": "String" + "type": "EntityOrCommon", + "name": "String", + "required": false }, - "url": { - "type": "Url" - } - } - } - }, - "TrustedIssuer": { - "shape": { - "type": "Record", - "attributes": { - "issuer_entity_id": { - "type": "Url" + "phone_number": { + "type": "EntityOrCommon", + "name": "String", + "required": false + }, + "role": { + "type": "Set", + "element": { + "type": "EntityOrCommon", + "name": "String" + }, + "required": false + }, + "sub": { + "type": "EntityOrCommon", + "name": "String" } } } } }, "actions": { - "HEAD": { + "Compare": { "appliesTo": { "resourceTypes": [ - "HTTP_Request" + "Application" ], "principalTypes": [ + "User", + "Role", "Workload" ], "context": { @@ -310,7 +391,7 @@ } } }, - "PATCH": { + "DELETE": { "appliesTo": { "resourceTypes": [ "HTTP_Request" @@ -323,7 +404,7 @@ } } }, - "Read": { + "Execute": { "appliesTo": { "resourceTypes": [ "Application" 
@@ -338,14 +419,12 @@ } } }, - "Search": { + "GET": { "appliesTo": { "resourceTypes": [ - "Application" + "HTTP_Request" ], "principalTypes": [ - "User", - "Role", "Workload" ], "context": { @@ -353,14 +432,12 @@ } } }, - "Tag": { + "HEAD": { "appliesTo": { "resourceTypes": [ - "Application" + "HTTP_Request" ], "principalTypes": [ - "User", - "Role", "Workload" ], "context": { @@ -368,7 +445,7 @@ } } }, - "Write": { + "Monitor": { "appliesTo": { "resourceTypes": [ "Application" @@ -383,7 +460,7 @@ } } }, - "GET": { + "PATCH": { "appliesTo": { "resourceTypes": [ "HTTP_Request" @@ -396,7 +473,7 @@ } } }, - "DELETE": { + "PUT": { "appliesTo": { "resourceTypes": [ "HTTP_Request" @@ -409,7 +486,7 @@ } } }, - "Monitor": { + "Read": { "appliesTo": { "resourceTypes": [ "Application" @@ -424,7 +501,7 @@ } } }, - "Execute": { + "Search": { "appliesTo": { "resourceTypes": [ "Application" @@ -439,12 +516,14 @@ } } }, - "PUT": { + "Share": { "appliesTo": { "resourceTypes": [ - "HTTP_Request" + "Application" ], "principalTypes": [ + "User", + "Role", "Workload" ], "context": { @@ -452,7 +531,7 @@ } } }, - "Compare": { + "Tag": { "appliesTo": { "resourceTypes": [ "Application" @@ -467,7 +546,7 @@ } } }, - "Share": { + "Write": { "appliesTo": { "resourceTypes": [ "Application"