Add visibility restrictions in the developer portal based on the Organizations

[chamilaadhi]

Problem

Need to restrict API and applications based on the user organization. Refer https://docs.google.com/document/d/1U_rYpwpKyvM_hEzUzUVHJ7Gu-N-xu7Of97r4cRxlMQM/edit

Tasks

• Add the capability to set API’s organization visibility from the publisher portal
• Dev portal search based on organization.
• Resolve user organization when login into the developer portal
• Capability to create Application sharable to the organization.
• Set available organizations for business plans

[chamilaadhi]

Initial implementation wso2/carbon-apimgt#12512

This PR set visibility restriction for API using organization and filter API in the dev portal listing page based on the user organization

[chamilaadhi]

Add Application sharing for with the organization wso2/carbon-apimgt#12517

[chamilaadhi]

Publisher side UI changes to set organization visibility to APIs wso2/apim-apps#729

[chamilaadhi]

Additional fixes wso2/carbon-apimgt#12519 wso2/carbon-apimgt#12521

[chamilaadhi]

Add application sharing with the organization wso2/apim-apps#730

[chamilaadhi]

Add capability to add organizations to business plans and filter it in the devportal for the API based on user organization wso2/carbon-apimgt#12523

[chamilaadhi]

Moving to registry property to store organization information instead of introducing new field to rxt.
wso2/carbon-apimgt#12528

Above change needs carbon-registry fix wso2/carbon-registry#440 as well. Currently we can only search with one registry property. with this we can use multiple properties

[chamilaadhi]

Since there is a new property added to the API, we need to do a registry resource migration. To prevent this, we could add a default property value to all the migrated API when generating the indexed data. Following PRs do this

wso2/carbon-apimgt#12529
wso2/carbon-registry#441

When migrating to the new version, with this change, we have to do a reindexing only

[chamilaadhi]

Setup IS 7.0 with APIM developer portal. IS 7 is setup as a federated authenticator. We need to add custom oidc claims to retrieve organization and organization id since it is not available in APIM

Following flow is configured

Steps on configuring can be found in https://docs.google.com/document/d/1MpsVrYCL4lT5p6rjB_ViAbU09yCCyzTLuDII9Clcsq0/edit?usp=sharing

[chamilaadhi]

Add organization visibility for subscription policy in admin porta

wso2/apim-apps#738

[chamilaadhi]

Show organization name in dev portal UI from wso2/apim-apps#742

Additional bug fixes wso2/carbon-apimgt#12559

[chamilaadhi]

Based on the review , moved the org visibility to its own field in publisher portal configuration section https://git
hub.com/wso2/apim-apps/pull/742/commits/cc7cf140b7a7beb129cb8eee93ca55b41d3665d2

Additionally, introduced a config to enable org feature

    [apim.organization_based_access_control]
    enable = true

carbon-apimgt related changes for above two changes wso2/carbon-apimgt#12572

[chamilaadhi]

Fix logout issue wso2/apim-apps#751

Additionally, Provide capability to show organization specific token and authorization endpoint in the dev portal
wso2/carbon-apimgt#12592

For this to work, need to provide a templated url to the keymanager connector display url.

[chamilaadhi]

After discussion, planned to get implement keymanager visibilty based on user organization. This way, we will have to register keymanager per organization.

Backend pr for this wso2/carbon-apimgt#12592

This introduces new table

    CREATE TABLE IF NOT EXISTS AM_KEY_MANAGER_ALLOWED_ORGS (
      KEY_MANAGER_UUID VARCHAR(50) NOT NULL,
      ALLOWED_ORGANIZATIONS VARCHAR(50) NOT NULL,
      PRIMARY KEY (KEY_MANAGER_UUID, ALLOWED_ORGANIZATIONS),
      FOREIGN KEY (KEY_MANAGER_UUID) REFERENCES AM_KEY_MANAGER(UUID) ON DELETE CASCADE
    );

[chamilaadhi]

Add keymanager visibility UI wso2/apim-apps#780

[chamilaadhi]

Add capability to enable/disable feature wso2/apim-apps#783

config

  [apim.organization_based_access_control]
  enable = true

[chamilaadhi]

Refactor business plans wso2/carbon-apimgt#12634

[chamilaadhi]

Add capability to use multiple keymanagers with same issuer with wso2/carbon-apimgt#12652

To differentiate the keymanage, Need to configure 'Token Handling Options' section in the keymanager

Ex:

This example, based on organization filed in the access token, relavant KM is selected

[chamilaadhi]

Add support for orgs with spaces in the name
wso2/carbon-apimgt#12653
wso2/apim-apps#791

[chamilaadhi]

Fix logout issue for publisher wso2/apim-apps#795

Bug fixes wso2/carbon-apimgt#12655

[chamilaadhi]

Provide a config to change the claim that is used for organization resolving. wso2/carbon-apimgt#12670

Now you can set organization id or any claim as the organization

    [apim.organization_based_access_control]
    enable = true
    organization_selector_local_claim = "http://wso2.org/claims/organizationId" # optional

[chamilaadhi]

Pending Tasks

• Support unified search, definition search (Support swagger document content search via Publisher/Developer Portal search #3103), etc and tag listing
• UI revamp
• On the fly migration using CustomAPIIndexer. add default 'all' to the org property in the API
• Enabling Application sharing feature with org feature
• Update db schemas for all the database types
• Handle apictl related scenarios
• Analytics related data population
• Integration test and unit test fixing