From e6f1ea2c34826cea2219d76758eafa932b77ce8e Mon Sep 17 00:00:00 2001
From: akila94 <akilaaroshanaa@gmail.com>
Date: Mon, 12 Feb 2024 10:24:06 +0530
Subject: [PATCH] Add jwt claim based access validator policy templates

---
 .../jwtClaimBasedAccessValidator_v1.j2        |  4 ++
 .../jwtClaimBasedAccessValidator_v1.json      | 52 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
 create mode 100644 modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json

diff --git a/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2 b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
new file mode 100644
index 0000000000..b6ceb17e78
--- /dev/null
+++ b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
@@ -0,0 +1,4 @@
+<property name="grantVerificationClaim"  value = "{{grantVerificationClaim}}"/>
+<property name="grantVerificationClaimValue" value="{{grantVerificationClaimValue}}"/>
+<property name="shouldAllowValidation" value="{{shouldAllowValidation}}"/>
+<class name="{{claimBasedAccessGrantValidator}}"/>
diff --git a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
new file mode 100644
index 0000000000..810209fdcf
--- /dev/null
+++ b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
@@ -0,0 +1,52 @@
+{
+    "category": "Mediation",
+    "name": "jwtClaimBasedAccessValidator",
+    "version": "v1",
+    "displayName": "JWT claim based access grant validator",
+    "description": "This policy validates configured claim name and value in this policy with the claim name and value sent in the JWT access token to grant access to the API resource.",
+    "applicableFlows": [
+      "request"
+    ],
+    "supportedGateways": [
+      "Synapse"
+    ],
+    "supportedApiTypes": [
+      "HTTP"
+    ],
+    "policyAttributes": [
+      {
+        "name": "grantVerificationClaim",
+        "displayName": "Access grant claim name",
+        "description": "This should be the name the custom claim which is expected in the JWT access token",
+        "validationRegex": "^[a-zA-Z_]+$",
+        "type": "String",
+        "defaultValue": "aut",
+        "required": true
+      },
+      {
+        "name": "grantVerificationClaimValue",
+        "displayName": "Access grant claim value",
+        "description": "This should be the alue of a custom claim which is expected in the JWT access token",
+        "type": "String",
+        "defaultValue": "APPLICATION",
+        "required": true
+      },
+      {
+        "name": "shouldAllowValidation",
+        "displayName": "Allow claim based access grant validation",
+        "description": "If ticked, the claim based access grant validation will be performed.",
+        "type": "Boolean",
+        "defaultValue": "true",
+        "required": false
+      },
+      {
+        "name": "claimBasedAccessGrantValidator",
+        "displayName": "JWT claim based access grant validation mediator",
+        "description": "Fully qualified class name for the validation implementation",
+        "validationRegex": "^([a-zA-Z_$][a-zA-Z\\d_$.]*)$",
+        "type": "String",
+        "defaultValue": "org.wso2.carbon.apimgt.gateway.mediators.ClaimBasedResourceAccessValidationMediator",
+        "required": true
+      }
+    ]
+  }
\ No newline at end of file