I am trying to secure my REST API (in WSO2 ESB) with the OAuth mediator and WSO2 IS. I want to permit a user with a valid token when the request matches a specific URI (called from the ESB, e.g. /sample/test) and also matches other conditions such as scope_name and client_ip. I can check username and scope_name in the XACML policy and permit them, but I want to add client_ip and a specific URI!

This is my sample REST API in WSO2 ESB:

<api xmlns="http://ws.apache.org/ns/synapse" name="sample" context="/sample">
   <resource methods="GET" uri-template="/test">
      <inSequence>
         <log level="custom">
            <property name="ip address" expression="get-property('axis2','REMOTE_ADDR')"/>
         </log>
         <oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
         <payloadFactory media-type="json">
            <format>{"result":true}</format>
            <args/>
         </payloadFactory>
         <respond/>
      </inSequence>
   </resource>
</api>

In WSO2 IS I created a service provider with the configuration below:

OAuth/OpenID Connect Configuration

<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
  <ApplicationName>samplesp</ApplicationName>
  <Description/>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>samplesp</InboundAuthKey>
        <InboundAuthType>passivests</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>U_SCMKqXqfJqSvyoD5LKFQ3Or7ka</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>U_SCMKqXqfJqSvyoD5LKFQ3Or7ka</oauthConsumerKey>
    <applicationName>samplesp</applicationName>
    <callbackUrl></callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>refresh_token password client_credentials </grantTypes>
    <scopeValidators>
        <scopeValidator>XACML Scope Validator</scopeValidator>
    </scopeValidators>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <userAccessTokenExpiryTime>360000</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>360000</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>846000</refreshTokenExpiryTime>
    <idTokenExpiryTime>360000</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>false</bypassClientCredentials>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <backChannelLogoutUrl></backChannelLogoutUrl>
    <tokenType>Default</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>samplesp</InboundAuthKey>
        <InboundAuthType>openid</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps/>
    <AuthenticationType>default</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>false</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>true</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings/>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects/>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>

The XACML policy below denies unless a rule permits. It works for permitting just scope_name and username, but it does not work for the other conditions (client_ip and a specific API URI). It should allow only requests whose URI matches /sample/.* and that come from, for example, IP 10.2.3.4, but I don't know how to do this!

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="Apolicy2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" Version="1.0">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/sample/.*</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Rule Effect="Permit" RuleId="rule-1">
         <Target>
            <AnyOf>
               <AllOf>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">soheyl</AttributeValue>
                     <AttributeDesignator AttributeId="http://wso2.org/identity/user/username" Category="http://wso2.org/identity/user" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                  </Match>
                  <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplescope</AttributeValue>
                     <AttributeDesignator AttributeId="http://wso2.org/identity/oauth-scope/scope-name" Category="http://wso2.org/identity/oauth-scope" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
                  </Match>
               </AllOf>
            </AnyOf>
         </Target>
         <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                  <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Apply>
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">samplesp</AttributeValue>
            </Apply>
         </Condition>
      </Rule>
</Policy>
Soli

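To see what the policy above actually decides once each attribute reaches the PDP, here is a small Python evaluator added for this page (it is not WSO2's XACML engine): it runs a condensed copy of the question's policy against constructed requests and applies the deny-unless-permit combining algorithm. It assumes the PDP is handed the called URI as the XACML resource-id; the question reports that this is not what happens in the ESB/IS flow, so which attributes the scope validator really supplies is the first thing to verify.

```python
import re
import xml.etree.ElementTree as ET
# Added illustration, not WSO2's PDP: POLICY is a condensed copy of the question's
# policy (Target: resource-id matches /sample/.*; rule-1: username and scope).
NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
RES = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
USER = "http://wso2.org/identity/user/username"
SCOPE = "http://wso2.org/identity/oauth-scope/scope-name"
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
  PolicyId="Apolicy2" Version="1.0"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">
  <Target><AnyOf><AllOf><Match MatchId="{FN}string-regexp-match">
    <AttributeValue>/sample/.*</AttributeValue><AttributeDesignator AttributeId="{RES}"/>
  </Match></AllOf></AnyOf></Target>
  <Rule Effect="Permit" RuleId="rule-1"><Target><AnyOf><AllOf>
    <Match MatchId="{FN}string-equal">
      <AttributeValue>soheyl</AttributeValue><AttributeDesignator AttributeId="{USER}"/></Match>
    <Match MatchId="{FN}string-equal">
      <AttributeValue>samplescope</AttributeValue><AttributeDesignator AttributeId="{SCOPE}"/></Match>
  </AllOf></AnyOf></Target></Rule>
</Policy>"""
# Constructed request satisfying the policy (assumes resource-id carries the called API URI).
REQUEST = {RES: "/sample/test", USER: "soheyl", SCOPE: "samplescope"}

def _match(m, req):
    """One <Match>: apply MatchId to (AttributeValue, request attribute)."""
    want = m.find(NS + "AttributeValue").text
    have = req.get(m.find(NS + "AttributeDesignator").get("AttributeId"))
    if have is None:  # absent attribute: no match (a real PDP reports Indeterminate)
        return False
    if m.get("MatchId") == FN + "string-equal":
        return want == have
    return re.fullmatch(want, have) is not None  # string-regexp-match, whole string

def _target(t, req):
    """A missing Target matches; otherwise some AllOf needs every Match true."""
    return t is None or any(all(_match(m, req) for m in allof)
                            for anyof in t for allof in anyof)

def evaluate(policy_xml, req):
    """Decision for a request given as a dict keyed by AttributeId."""
    policy = ET.fromstring(policy_xml)
    if not _target(policy.find(NS + "Target"), req):
        return "NotApplicable"  # the URI regexp in the policy Target did not match
    for rule in policy.findall(NS + "Rule"):
        if rule.get("Effect") == "Permit" and _target(rule.find(NS + "Target"), req):
            return "Permit"
    return "Deny"  # deny-unless-permit: no Permit rule matched
```

A request for another URI is NotApplicable rather than Deny, because the URI check sits in the policy Target, not in a rule; a missing scope or a different user falls through to Deny.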
1 Answer


Put one more rule after rule-1, as below, and give it a try:

<Rule Effect="Deny" RuleId="Deny-Rule"/>

Gayan
  • Thank you for your answer, but it is not my answer. I do this by setting "Rule Combining Algorithm" to "Deny Unless Permit". I need rules to permit just a specific IP when calling a specific URL (resource). – Soli Feb 15 '19 at 07:26
  • I have updated the question to make it clear. @gayan – Soli Feb 16 '19 at 12:21
  • I have clarified the question in a new question; please check it in [new question link](https://stackoverflow.com/questions/54955792/how-to-using-client-ip-and-request-uri-in-xacml-policy-in-wso2-is) – Soli Mar 02 '19 at 08:17