From b68f97a1aa25edbb5f046801c73c41591a4e067c Mon Sep 17 00:00:00 2001
From: akila94
Date: Mon, 12 Feb 2024 10:24:06 +0530
Subject: [PATCH 1/4] Add jwt claim based access validator policy templates
---
 .../jwtClaimBasedAccessValidator_v1.j2 | 4 ++
 .../jwtClaimBasedAccessValidator_v1.json | 52 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
 create mode 100644 modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
diff --git a/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2 b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
new file mode 100644
index 0000000000..b6ceb17e78
--- /dev/null
+++ b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
new file mode 100644
index 0000000000..810209fdcf
--- /dev/null
+++ b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
@@ -0,0 +1,52 @@
+{
+ "category": "Mediation",
+ "name": "jwtClaimBasedAccessValidator",
+ "version": "v1",
+ "displayName": "JWT claim based access grant validator",
+ "description": "This policy validates configured claim name and value in this policy with the claim name and value sent in the JWT access token to grant access to the API resource.",
+ "applicableFlows": [
+ "request"
+ ],
+ "supportedGateways": [
+ "Synapse"
+ ],
+ "supportedApiTypes": [
+ "HTTP"
+ ],
+ "policyAttributes": [
+ {
+ "name": "grantVerificationClaim",
+ "displayName": "Access grant claim name",
+ "description": "This should be the name the custom claim which is expected in the JWT access token",
+ "validationRegex": "^[a-zA-Z_]+$",
+ "type": "String",
+ "defaultValue": "aut",
+ "required": true
+ },
+ {
+ "name": "grantVerificationClaimValue",
+ "displayName": "Access grant claim value",
+ "description": "This should be the alue of a custom claim which is expected in the JWT access token",
+ "type": "String",
+ "defaultValue": "APPLICATION",
+ "required": true
+ },
+ {
+ "name": "shouldAllowValidation",
+ "displayName": "Allow claim based access grant validation",
+ "description": "If ticked, the claim based access grant validation will be performed.",
+ "type": "Boolean",
+ "defaultValue": "true",
+ "required": false
+ },
+ {
+ "name": "claimBasedAccessGrantValidator",
+ "displayName": "JWT claim based access grant validation mediator",
+ "description": "Fully qualified class name for the validation implementation",
+ "validationRegex": "^([a-zA-Z_$][a-zA-Z\\d_$.]*)$",
+ "type": "String",
+ "defaultValue": "org.wso2.carbon.apimgt.gateway.mediators.ClaimBasedResourceAccessValidationMediator",
+ "required": true
+ }
+ ]
+ }
\ No newline at end of file
From ceb361661d7eef8a886b8f7a1b74a0a8ecac9116 Mon Sep 17 00:00:00 2001
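Review bot: The `validationRegex` `^[a-zA-Z_]+$` on `grantVerificationClaim` only admits a bare identifier such as the default `aut`, so claim names containing digits, dots, hyphens or namespace-style prefixes cannot be configured even though JWT claim names are arbitrary strings. If that is deliberate — for instance to keep the configured name safe to interpolate into the accompanying j2 mediator template, whose content this patch does not show — the description should say so, e.g. `"description": "Name of the custom claim expected in the JWT access token (letters and underscore only)."`; otherwise the pattern should be widened to what the mediator actually accepts. The same attribute and pattern survive as context lines in the last patch of this series.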
From: akila94
Date: Mon, 12 Feb 2024 11:26:22 +0530
Subject: [PATCH 2/4] Add EOF line
---
 .../specifications/jwtClaimBasedAccessValidator_v1.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
index 810209fdcf..5753f992b5 100644
--- a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
+++ b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
@@ -49,4 +49,4 @@
 "required": true
 }
 ]
- }
\ No newline at end of file
+ }
From 8e5018c260ffed1c86f1f907a20eb5c2ddce5d1d Mon Sep 17 00:00:00 2001
From: akila94
Date: Mon, 12 Feb 2024 12:30:57 +0530
Subject: [PATCH 3/4] Fix typo
---
 .../specifications/jwtClaimBasedAccessValidator_v1.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
index 5753f992b5..fd1e17fda8 100644
--- a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
+++ b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
@@ -26,7 +26,7 @@
 {
 "name": "grantVerificationClaimValue",
 "displayName": "Access grant claim value",
- "description": "This should be the alue of a custom claim which is expected in the JWT access token",
+ "description": "This should be the value of a custom claim which is expected in the JWT access token",
 "type": "String",
 "defaultValue": "APPLICATION",
 "required": true
From e6259323e26e9b53308458e493b2555c71593998 Mon Sep 17 00:00:00 2001
From: akila94
Date: Tue, 13 Feb 2024 15:37:28 +0530
Subject: [PATCH 4/4] Refactor templates
---
 .../jwtClaimBasedAccessValidator_v1.j2 | 10 +++--
 .../jwtClaimBasedAccessValidator_v1.json | 37 +++++++++----------
 2 files changed, 24 insertions(+), 23 deletions(-)
diff --git a/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2 b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
index b6ceb17e78..aadb3a1a48 100644
--- a/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
+++ b/modules/distribution/resources/operation_policies/definitions/jwtClaimBasedAccessValidator_v1.j2
@@ -1,4 +1,6 @@
-
-
-
-
+
+
+
+
+
+
diff --git a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
index fd1e17fda8..f7a82112eb 100644
--- a/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
+++ b/modules/distribution/resources/operation_policies/specifications/jwtClaimBasedAccessValidator_v1.json
@@ -2,7 +2,7 @@
 "category": "Mediation",
 "name": "jwtClaimBasedAccessValidator",
 "version": "v1",
- "displayName": "JWT claim based access grant validator",
+ "displayName": "JWT claim based access validator",
 "description": "This policy validates configured claim name and value in this policy with the claim name and value sent in the JWT access token to grant access to the API resource.",
 "applicableFlows": [
 "request"
@@ -15,38 +15,37 @@
 ],
 "policyAttributes": [
 {
- "name": "grantVerificationClaim",
- "displayName": "Access grant claim name",
- "description": "This should be the name the custom claim which is expected in the JWT access token",
+ "name": "accessVerificationClaim",
+ "displayName": "Access verification claim name",
+ "description": "This should be the name the custom claim which is expected in the JWT access token.",
 "validationRegex": "^[a-zA-Z_]+$",
 "type": "String",
 "defaultValue": "aut",
 "required": true
 },
 {
- "name": "grantVerificationClaimValue",
- "displayName": "Access grant claim value",
- "description": "This should be the value of a custom claim which is expected in the JWT access token",
+ "name": "accessVerificationClaimValue",
+ "displayName": "Access verification claim value",
+ "description": "This should be the value of a custom claim which is expected in the JWT access token.",
 "type": "String",
 "defaultValue": "APPLICATION",
 "required": true
 },
 {
- "name": "shouldAllowValidation",
- "displayName": "Allow claim based access grant validation",
- "description": "If ticked, the claim based access grant validation will be performed.",
- "type": "Boolean",
- "defaultValue": "true",
+ "name": "accessVerificationClaimValueRegex",
+ "displayName": "Access verification claim value regex",
+ "description": "If a regex is provided, the claim values will be matched using this regex. 
Otherwise they will be checked for equality.",
+ "type": "String",
+ "defaultValue": "",
 "required": false
 },
 {
- "name": "claimBasedAccessGrantValidator",
- "displayName": "JWT claim based access grant validation mediator",
- "description": "Fully qualified class name for the validation implementation",
- "validationRegex": "^([a-zA-Z_$][a-zA-Z\\d_$.]*)$",
- "type": "String",
- "defaultValue": "org.wso2.carbon.apimgt.gateway.mediators.ClaimBasedResourceAccessValidationMediator",
- "required": true
+ "name": "shouldAllowValidation",
+ "displayName": "Allow flow when claims are not matching",
+ "description": "Tick this to allow the flow when the claims are not matching. Keeping this un-ticked will allow the flow only when the claims are matched.",
+ "type": "Boolean",
+ "defaultValue": "false",
+ "required": false
 }
 ]
 }
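Review bot: The description of `accessVerificationClaimValueRegex` does not say whether the regex has to match the entire claim value or only part of it, and that detail decides how much this policy lets through: under a substring match a regex of `APPLICATION` also accepts a claim value of `APPLICATION_USER`, while an anchored whole-value match does not. The mediator that applies it is outside this patch, so once its behaviour is confirmed the description should state it in one sentence, e.g. `"description": "If a regex is provided, it must match the entire claim value; otherwise the claim value is checked for equality."` (adjusted to whichever semantics the mediator implements). `shouldAllowValidation` has been given a role its name does not convey — it is now the fail-open switch described by `Allow flow when claims are not matching` — so a name such as `allowFlowOnClaimMismatch` would read correctly, with the `"false"` default kept so the policy stays fail-closed. Minor: the first attribute's description still reads `the name the custom claim`, missing `of`.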