JanssenProject
diff --git a/‎.github/workflows/test-cedarling.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/test-cedarling.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/assets/cedarling/ssa_creation_tui.png‎
64.1 KB b/‎docs/assets/cedarling/ssa_creation_tui.png‎
64.1 KB
diff --git a/‎docs/cedarling/cedarling-lock-server.md‎
Lines changed: 250 additions & 7 deletions b/‎docs/cedarling/cedarling-lock-server.md‎
Lines changed: 250 additions & 7 deletions
diff --git a/‎docs/cedarling/cedarling-properties.md‎
Lines changed: 9 additions & 6 deletions b/‎docs/cedarling/cedarling-properties.md‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎jans-cedarling/Cargo.toml‎
Lines changed: 3 additions & 1 deletion b/‎jans-cedarling/Cargo.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎jans-cedarling/bindings/cedarling_go/cedarling.go‎
Lines changed: 4 additions & 0 deletions b/‎jans-cedarling/bindings/cedarling_go/cedarling.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎jans-cedarling/bindings/cedarling_go/go.mod‎
Lines changed: 1 addition & 1 deletion b/‎jans-cedarling/bindings/cedarling_go/go.mod‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎jans-cedarling/bindings/cedarling_go/internal/gen.go‎
Lines changed: 9 additions & 0 deletions b/‎jans-cedarling/bindings/cedarling_go/internal/gen.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎jans-cedarling/bindings/cedarling_go/internal/methods.go‎
Lines changed: 4 additions & 0 deletions b/‎jans-cedarling/bindings/cedarling_go/internal/methods.go‎
Lines changed: 4 additions & 0 deletions
@@ -27,6 +27,7 @@ jobs:
     - name: Run Clippy on native target
       working-directory: jans-cedarling
       run: |
+        rustup component add clippy
         cargo clippy -- -Dwarnings
   wasm_tests:
     runs-on: ubuntu-latest
@@ -51,6 +52,7 @@ jobs:
     - name: Run Clippy on WASM target
       working-directory: jans-cedarling
       run: |
+        rustup component add clippy
         cargo clippy --target wasm32-unknown-unknown -- -Dwarnings
   python_tests:
     runs-on: ubuntu-latest
@@ -92,6 +94,7 @@ jobs:
     - name: Run build rust artifacts
       working-directory: jans-cedarling/bindings/cedarling_go
       run: |
+        rustup component add clippy
         cargo build -r -p cedarling_go
         cp "../../target/release/libcedarling_go.so" "."
     - name: Install Go dependencies
 
@@ -4,16 +4,259 @@ tags:
   - lock server
 ---
 
-# Integrate Cedarling With Lock Server
+# Cedarling Lock Integration Setup Guide
 
-## This content is in progress
+For a Cedarling client to communicate with the Lock Server, it has to perform [Dynamic Client Registration **(DCR)**](https://datatracker.ietf.org/doc/html/rfc7591) with the Jans Auth Server.
 
-The Janssen Project documentation is currently in development. Topic pages are being created in order of broadest relevance, and this page is coming in the near future.
+By default, clients cannot obtain the necessary scopes to interact with the lock server. Additional configuration is required on both the Auth Server and the client. 
 
-## Have questions in the meantime?
+This guide will walk you through the following setup processes:
 
-While this documentation is in progress, you can ask questions through [GitHub Discussions](https://github.com/JanssenProject/jans/discussions) or the [community chat on Gitter](https://gitter.im/JanssenProject/Lobby). Any questions you have will help determine what information our documentation should cover.
+- [Auth Server Setup](#auth-server-setup)
+- [Client Setup](#client-setup)
 
-## Want to contribute?
+---
+
+## Auth Server Setup
+
+### 1. Creating an SSA JWT
+
+First, create a Software Statement Assertion (SSA) for your Cedarling client.
+
+The easiest way to do this is to use the Jans TUI:
+
+```sh
+jans tui
+```
+
+Navigate to:
+    `Auth Server` > `SSA` > `Add SSA`
+
+![SSA Creation using the Jans TUI!](../assets/cedarling/ssa_creation_tui.png "SSA Creation using the Jans TUI")
+
+When creating the SSA, ensure you:
+
+- Add the `Client Credentials` grant type
+- Include the following software roles:
+    - `https://jans.io/oauth/lock/log.write`
+    - `https://jans.io/oauth/lock/health.write`
+    - `https://jans.io/oauth/lock/telemetry.write`
+
+After creation, **export the SSA token** and save it securely.
+
+### 2. Setting up the Interception Script
+
+Next, configure an [*interception script*](../janssen-server/developer/interception-scripts.md) to automatically add the required scopes when a Cedarling client registers.
+
+In your server, create a script file at `/opt/jans/jetty/jans-auth/custom/script/add_cedarling_scopes.py` with the following content:
+
+```py
+from io.jans.model.custom.script.type.client import ClientRegistrationType
+from io.jans.service.cdi.util import CdiUtil
+from io.jans.orm.util import ArrayHelper
+from io.jans.as.server.service import ScopeService
+from io.jans.as.model.util import JwtUtil
+
+class ClientRegistration(ClientRegistrationType):
+    def __init__(self, currentTimeMillis):
+        self.currentTimeMillis = currentTimeMillis
+
+    def init(self, customScript, configurationAttributes):
+        print "Cedarling Client registration. Initialization"
+        
+        if (not configurationAttributes.containsKey("jwks_uri")):
+            print "Cedarling Client registration. Initialization failed. Property jwks_uri is not specified"
+            return False
+        else:
+            self.jwks_uri = configurationAttributes.get("jwks_uri").getValue2()
+
+        if (not configurationAttributes.containsKey("scope_list")):
+            print "Cedarling Client registration. Initialization failed. Property scope_list is not specified"
+            return False
+        else:
+            self.scope_list = configurationAttributes.get("scope_list").getValue2().split(" ")
+
+        if (not configurationAttributes.containsKey("trigger_scope")):
+            print "Cedarling Client registration. Initialization failed. Property trigger_scope is not specified"
+            return False
+        else:
+            self.trigger_scope = configurationAttributes.get("trigger_scope").getValue2()
+        
+        # used to check if the scopes we're adding exists in the AS
+        self.scopeService = CdiUtil.bean(ScopeService)
+
+        print "Cedarling Client registration. Initialized successfully"
+        return True   
+
+    def destroy(self, configurationAttributes):
+        print "Cedarling Client registration. Destroy"
+        print "Cedarling Client registration. Destroyed successfully"
+        return True   
+
+    def createClient(self, context):
+        print "Cedarling Client registration. createClient"
+
+        # Check if the request has an SSA
+        registerRequest = context.getRegisterRequest()
+        ssa = registerRequest.getSoftwareStatement()
+        if ssa == "":
+            print "Cedarling Client registration. No SSA provided, defaulting"
+            return True
+
+        # Check if the request has a trigger_scope (this is set as 'cedarling' by default) in the request.
+        # The trigger_scope is used to determine if we should add the scopes needed by Cedarling to the
+        # registering client.
+        # request_scopes = ArrayHelper.toString(registerRequest.getScope())
+        request_scopes = registerRequest.getScope()
+        if self.trigger_scope not in request_scopes:
+            print "Cedarling Client registration. the scope '%s' was not included in the request, defaulting" % self.trigger_scope
+            return True
+
+        # add cedarling scopes
+        client = context.getClient()
+        scopes = client.getScopes()
+        for scope in self.scope_list:
+            foundScope = self.scopeService.getScopeById(scope)
+            if foundScope is None:
+                print "did not find scope '%s' in the AS" % scope
+                return False
+            if len(scopes) == 0:
+                scopes = [foundScope.getDn()]
+            else:
+                scopes = ArrayHelper.addItemToStringArray(scopes, foundScope.getDn())
+
+        client.setScopes(scopes)
+
+        print "Cedarling Client registration. added Cedarling scopes"
+        return True
+
+    def updateClient(self, context):
+        print "Cedarling Client registration. UpdateClient method"
+        pass
+
+    def getApiVersion(self):
+        return 11
+
+    def getSoftwareStatementHmacSecret(self, context):
+        return ""
+
+    def getSoftwareStatementJwks(self, context):
+        print "SSA Cedarling Client registration. getting jwks from '%s'" %  self.jwks_uri
+        jwks = JwtUtil.getJSONWebKeys(self.jwks_uri)
+        if jwks is None:
+            print "SSA Cedarling Client registration. jwks not found"
+        return jwks.toString()
+
+    def modifyPutResponse(self, responseAsJsonObject, executionContext):
+        return False
+
+    def modifyReadResponse(self, responseAsJsonObject, executionContext):
+        return False
+
+    def modifyPostResponse(self, responseAsJsonObject, executionContext):
+        return False
+```
+
+* *you can also find a copy of this script in [jans/jans-cedarling/lock-server-script/add_cedarling_scopes.py](../../jans-cedarling/lock-server-script/add_cedarling_scopes.py)*.
+
+Next, create a JSON file named `script_schema.json` with the following content: 
+
+```json
+{
+  "name": "add_cedarling_scopes",
+  "aliases": null,
+  "description": "A DCR script that adds the required scopes by a client to interact with the lock server",
+  "scriptType": "client_registration",
+  "programmingLanguage": "python",
+  "moduleProperties": [],
+  "configurationProperties": [
+	{
+		"value1": "jwks_uri",
+		"value2": "https://demoexample.jans.io/jans-auth/restv1/jwks",
+		"hide": false,
+		"description": "JWKS URI used for the SSA validation"
+	},
+	{
+		"value1": "scope_list",
+		"value2": "https://jans.io/oauth/lock/log.write https://jans.io/oauth/lock/health.write https://jans.io/oauth/lock/telemetry.write",
+		"hide": false,
+		"description": "space-separated scopes that will be added by the script"
+	},
+	{
+		"value1": "trigger_scope",
+		"value2": "cedarling",
+		"hide": false,
+		"description": "the scope that must be present for the script to run"
+	}
+  ],
+  "level": 100,
+  "revision": 0,
+  "enabled": true,
+  "scriptError": null,
+  "modified": false,
+  "internal": false,
+  "locationType": "file",
+  "locationPath": "add_cedarling_scopes.py"
+}
+```
+
+* *you can also find a copy of this schema in [jans/jans-cedarling/lock-server-script/script_schema.json](../../jans-cedarling/lock-server-script/script_schema.json)*.
+
+> Note:
+>
+> Do not change the field ordering; The Jans server expects a specific structure.
+
+Finally, register the script with the Auth Server:
+
+```sh
+jans cli --operation-id post-config-scripts --data ./script_schema.json
+```
+
+### 3. Testing the Setup
+
+You can verify the setup by initializing a client registration with your SSA:
+
+```sh
+curl -kX POST https://demoexample.jans.io/jans-auth/restv1/register \
+  -H "Content-Type: application/json" \
+  -d '{
+    "token_endpoint_auth_method": "client_secret_basic",
+    "grant_types": ["client_credentials"],
+    "client_name": "cedarling-test",
+    "access_token_as_jwt": true,
+    "scope": "cedarling",
+    "software_statement": "<YOUR_SSA_HERE>"
+}'
+```
+
+A successful response will contain the following scopes:
+
+```json
+{
+  "scope": "https://jans.io/oauth/lock/log.write https://jans.io/oauth/lock/health.write https://jans.io/oauth/lock/telemetry.write"
+}
+```
+
+> Note:
+>
+> If you want to learn more about configuring the example interception script, see the [reference](../janssen-server/developer/interception-scripts.md).
+
+---
+
+## Client Setup
+
+To enable Lock Server integration in the Cedarling client, configure the appropriate [bootstrap properties](./cedarling-properties.md).
+
+Here's a table of the available properties:
 
-If you have content you'd like to contribute to this page in the meantime, you can get started with our [Contribution guide](https://docs.jans.io/head/CONTRIBUTING/).
+| Property | Description | Allowed Values | Default |
+| --- | --- | --- | --- |
+| `CEDARLING_LOCK` | Toggles the all the Lock Server integration features. | `enabled`, `disabled` | `disabled` |
+| `CEDARLING_LOCK_SERVER_CONFIGURATION_URI` | URI to fetch Lock Server metadata (`.well-known/lock-master-configuration`). Required if `CEDARLING_LOCK` is `enabled`. | String | `""` |
+| `CEDARLING_LOCK_DYNAMIC_CONFIGURATION` (WIP) | Toggles listening for Server-Sent Events (SSE) config updates. | `enabled`, `disabled` | `disabled` |
+| `CEDARLING_LOCK_SSA_JWT` | SSA JWT used for DCR. This is required if you followed the [auth server setup](#auth-server-setup). | String | `""` |
+| `CEDARLING_LOCK_LOG_INTERVAL` | Frequency (in seconds) of sending log messages to the Lock Server. `0` disables transmission. | uint | `0` |
+| `CEDARLING_LOCK_HEALTH_INTERVAL` (WIP) | Frequency (in seconds) of sending health messages to the Lock Server. `0` disables transmission. | uint | `0` |
+| `CEDARLING_LOCK_TELEMETRY_INTERVAL` (WIP) | Frequency (in seconds) of sending telemetry messages to the Lock Server. `0` disables transmission. | uint | `0` |
+| `CEDARLING_LOCK_LISTEN_SSE` (WIP) | Toggles listening for updates from the Lock Server via SSE. | `enabled`, `disabled` | `disabled` |
+| `CEDARLING_LOCK_ACCEPT_INVALID_CERTS` | Allows connection to servers with invalid certificates (for testing purposes only; not available for WASM builds).| `enabled`, `disabled` | `disabled` |
@@ -14,7 +14,7 @@ These Bootstrap Properties control default application level behavior.
 
 * **`CEDARLING_APPLICATION_NAME`** : Human friendly identifier for this application
 * **`CEDARLING_POLICY_STORE_URI`** : Location of policy store JSON, used if policy store is not local.
-* **`CEDARLING_POLICY_STORE_ID`** : The identifier of the policy store in case there is more then one policy_store_id in the policy store.
+* **`CEDARLING_POLICY_STORE_ID`** : The identifier of the policy store in case there is more than one policy_store_id in the policy store.
 * **`CEDARLING_USER_AUTHZ`** : When `enabled`, Cedar engine authorization is queried for a User principal.
 * **`CEDARLING_WORKLOAD_AUTHZ`** : When `enabled`, Cedar engine authorization is queried for a Workload principal.
 * **`CEDARLING_PRINCIPAL_BOOLEAN_OPERATION`** : property specifies what boolean operation to use for the `USER` and `WORKLOAD` when making authz (authorization) decisions. [See here](#user-workload-boolean-operation).
@@ -39,22 +39,25 @@ These Bootstrap Properties control default application level behavior.
 * **`CEDARLING_LOCAL_JWKS`** : JWKS file with public keys
 * **`CEDARLING_POLICY_STORE_LOCAL`** : JSON object as string with policy store. You can use [this](https://jsontostring.com/) converter.
 * **`CEDARLING_POLICY_STORE_LOCAL_FN`** : Local file with JSON object with policy store
-* **`CEDARLING_JWT_SIG_VALIDATION`** : `enabled` | `disabled` -- Whether to check the signature  of all JWT tokens. This requires an `iss` is present.
+* **`CEDARLING_JWT_SIG_VALIDATION`** : `enabled` | `disabled` -- Whether to check the signature of all JWT tokens. This requires an `iss` is present.
 * **`CEDARLING_JWT_STATUS_VALIDATION`** : `enabled` | `disabled` -- Whether to check the status of the JWT. On startup, the Cedarling should fetch and retreive the latest Status List JWT from the `.well-known/openid-configuration` via the `status_list_endpoint` claim and cache it. See the [IETF Draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/) for more info.
 * **`CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED`** : Only tokens signed with these algorithms are acceptable to the Cedarling.
-* **`CEDARLING_ID_TOKEN_TRUST_MODE`** :  `Strict` | `None`. Varying levels of validations based on the preference of the developer.
+* **`CEDARLING_ID_TOKEN_TRUST_MODE`** : `Strict` | `None`. Varying levels of validations based on the preference of the developer.
 `Strict` mode requires (1) id_token `aud` matches the access_token `client_id`; (2) if a Userinfo token is present, the `sub` matches the id_token, and that the `aud` matches the access token client_id.
 
-**The following bootstrap properties are only needed for enterprise deployments.**
+**The following bootstrap properties are only needed for the Lock Server Integration.**
 
 * **`CEDARLING_LOCK`** : `enabled` | `disabled`. If `enabled`, the Cedarling will connect to the Lock Server for policies, and subscribe for SSE events.
 * **`CEDARLING_LOCK_SERVER_CONFIGURATION_URI`** : Required if `LOCK` == `enabled`. URI where Cedarling can get JSON file with all required metadata about the Lock Server, i.e. `.well-known/lock-master-configuration`.
 * **`CEDARLING_LOCK_DYNAMIC_CONFIGURATION`** : `enabled` | `disabled`, controls whether Cedarling should listen for SSE config updates.
 * **`CEDARLING_LOCK_SSA_JWT`** : SSA for DCR in a Lock Server deployment. The Cedarling will validate this SSA JWT prior to DCR.
-* **`CEDARLING_LOCK_LOG_INTERVAL`** : How often to send log messages to Lock Server (0 to turn off trasmission).
+* **`CEDARLING_LOCK_LOG_INTERVAL`** : How often to send log messages to Lock Server (0 to turn off transmission).
 * **`CEDARLING_LOCK_HEALTH_INTERVAL`** : How often to send health messages to Lock Server (0 to turn off transmission).
 * **`CEDARLING_LOCK_TELEMETRY_INTERVAL`** : How often to send telemetry messages to Lock Server (0 to turn off transmission).
-* **`CEDARLING_LOCK_LISTEN_SSE`** :  `enabled` | `disabled`: controls whether Cedarling should listen for updates from the Lock Server.
+* **`CEDARLING_LOCK_LISTEN_SSE`** : `enabled` | `disabled`: controls whether Cedarling should listen for updates from the Lock Server.
+* **`CEDARLING_LOCK_ACCEPT_INVALID_CERTS`** : `enabled` | `disabled`: Allows interaction with a Lock server with invalid certificates. Mainly used for testing. Doesn't work for WASM builds.
+
+controls whether Cedarling should listen for updates from the Lock Server.
 
 ## Required properties for startup
 
 
@@ -1,6 +1,6 @@
 [workspace]
 resolver = "2"
-members = ["bindings/*", "cedarling", "sparkv", "test_utils"]
+members = ["bindings/*", "cedarling", "http_utils", "sparkv", "test_utils"]
 
 [workspace.dependencies]
 serde = { version = "1.0", features = ["derive"] }
@@ -10,13 +10,15 @@ sparkv = { path = "sparkv" }
 jsonwebtoken = "9.3.0"
 jsonwebkey = "0.3.5"
 chrono = "0.4"
+http_utils = { path = "http_utils" }
 cedarling = { path = "cedarling" }
 test_utils = { path = "test_utils" }
 wasm-bindgen = "0.2"
 wasm-bindgen-futures = "0.4"
 web-sys = "0.3"
 serde-wasm-bindgen = "0.6"
 tokio = "1.42.0"
+tokio-util = "0.7.15"
 
 
 [profile.release]
 
@@ -109,3 +109,7 @@ func (c *Cedarling) GetLogsByRequestId(request_id string) []string {
 func (c *Cedarling) GetLogsByRequestIdAndTag(request_id string, tag string) []string {
 	return internal.CallGetLogsByRequestIdAndTag(c.instance_id, request_id, tag)
 }
+
+func (c *Cedarling) ShutDown() {
+	internal.CallShutDown(c.instance_id)
+}
@@ -2,4 +2,4 @@ module github.com/JanssenProject/jans/jans-cedarling/bindings/cedarling_go
 
 go 1.20
 
-require github.com/ihciah/rust2go v0.0.0-20250312161018-7394c455c373
+require github.com/ihciah/rust2go v0.0.0-20250427082441-4d6d8d2c2959
@@ -40,6 +40,7 @@ const void c_G2RCall_get_log_ids(const void*, const void*);
 const void c_G2RCall_get_logs_by_tag(const void*, const void*);
 const void c_G2RCall_get_logs_by_request_id(const void*, const void*);
 const void c_G2RCall_get_logs_by_request_id_and_tag(const void*, const void*);
+const void c_G2RCall_shut_down(const void*);
 */
 import "C"
 import (
@@ -418,3 +419,11 @@ func (G2RCallImpl) get_logs_by_request_id_and_tag(instance_id *uint, id *string,
 	asmcall.CallFuncG0P1(unsafe.Pointer(C.c_rust2go_internal_drop), unsafe.Pointer(_internal_slot[1]))
 	return val
 }
+func (G2RCallImpl) shut_down(instance_id *uint) {
+	_internal_params := [1]unsafe.Pointer{}
+	instance_id_ref, instance_id_buffer := cvt_ref(cntC_uintptr_t, refC_uintptr_t)(instance_id)
+	_internal_params[0] = unsafe.Pointer(&instance_id_ref)
+	asmcall.CallFuncG0P1(unsafe.Pointer(C.c_G2RCall_shut_down), unsafe.Pointer(&_internal_params))
+	runtime.KeepAlive(_internal_params)
+	runtime.KeepAlive(instance_id_buffer)
+}
@@ -90,3 +90,7 @@ func CallGetLogsByRequestIdAndTag(instance_id uint, request_id string, tag strin
 	logs := G2R.get_logs_by_request_id_and_tag(&instance_id, &request_id, &tag)
 	return logs
 }
+
+func CallShutDown(instance_id uint) {
+	G2R.shut_down(&instance_id)
+}
Original file line number	Diff line number	Diff line change
`@@ -109,3 +109,7 @@ func (c *Cedarling) GetLogsByRequestId(request_id string) []string {`
`109`	`109`	`func (c *Cedarling) GetLogsByRequestIdAndTag(request_id string, tag string) []string {`
`110`	`110`	`return internal.CallGetLogsByRequestIdAndTag(c.instance_id, request_id, tag)`
`111`	`111`	`}`
	`112`	`+`
	`113`	`+func (c *Cedarling) ShutDown() {`
	`114`	`+ internal.CallShutDown(c.instance_id)`
	`115`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -2,4 +2,4 @@ module github.com/JanssenProject/jans/jans-cedarling/bindings/cedarling_go`
`2`	`2`
`3`	`3`	`go 1.20`
`4`	`4`
`5`		`-require github.com/ihciah/rust2go v0.0.0-20250312161018-7394c455c373`
	`5`	`+require github.com/ihciah/rust2go v0.0.0-20250427082441-4d6d8d2c2959`
Original file line number	Diff line number	Diff line change
`@@ -90,3 +90,7 @@ func CallGetLogsByRequestIdAndTag(instance_id uint, request_id string, tag strin`
`90`	`90`	`logs := G2R.get_logs_by_request_id_and_tag(&instance_id, &request_id, &tag)`
`91`	`91`	`return logs`
`92`	`92`	`}`
	`93`	`+`
	`94`	`+func CallShutDown(instance_id uint) {`
	`95`	`+ G2R.shut_down(&instance_id)`
	`96`	`+}`