Forum Discussion
How can I use an expression in an APM policy to look for a URI path and then set the branch rule accordingly
How can I use an expression in an APM policy to look for a URI path and then set the branch rule accordingly? I could probably set up the advanced resource assignment item and create a bunch of branch rules that look for specific URI paths alone to be sent over that branch. I would be looking to do 2 checks: one for the URI path, and then for a specific URI path I would need to look at the user's group object ID or IDs that he would come in with for accessing that specific URI path, to be able to decide whether to allow him or not. The specific branch rules would have expressions looking for both these checks. I am trying to configure something like this:
Branch rule 1:
expr {[mcget {HTTP::URI}] contains "/SOANDSO1/*" && [mcget {session.oauth.client./Common/AzureADB2B_act_oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}
will be allowed
If there is no match to any of the branch rules, we would have to put a branch rule to look for anything else in the URI path that's being called that's not part of the above guarded URIs and just allow them (those URIs do not need to be restricted).
Is that the correct syntax for looking at an HTTP URI using expressions? And how can I handle the rest of the traffic that does not match any of these branch rules?
5 Replies
- Stanislas_Piro2
Cumulonimbus
This is not correct syntax... except if your URI contains a star character...
expr {[mcget {session.server.landinguri}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}
When you configure branches, there is always a fallback branch for sessions not matching any branches.
- sricharan61
Cirrus
I have tried this solution; the logs show the advanced resource assign trying to match these rules as well, but none of the rules are matched and it ends up going to the fallback branch. I have made sure I am meeting all the requirements of the URI condition and the group OID coming in. The logs show the OID for the mentioned group come in for the user's request as well.
Is HTTP::URI supported to be used in an expression? I am using this:
expr {[mcget {HTTP::URI}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}
It looks like it's not able to look for the URI at all.
- Stanislas_Piro2
Cumulonimbus
Sorry,
I saw the wildcard issue but not the HTTP::uri... ;)
HTTP::uri is per request (only in iRules)... if you want the initial URI matching, you have to use: session.server.landinguri
The code above is changed to match this.
If the goal is to restrict URIs after authentication, you must create an ACL with /SOANDSO1/* in the path, then assign this ACL in the Advanced Resource Assign object.
- sricharan61
Cirrus
Hi Stanislas,
We are planning to use authentication using OAuth to Azure AD. We would need to use ACLs at a later point, but it might get too complicated to use ACLs, as we would be looking to invoke the match conditions using expressions for multiple user groups to be sent over to different ACLs, which would be too many, and it also gets too complicated to look for users in multiple groups to be allowed to two or more ACLs (we would need custom expressions looking for a match of more than one user group ID and maybe combine ACLs as their assignment).
This is why we wanted to look at simple branching rules based on 2 checks for each branch: one for the path and next for the specific user group ID allowed to access that path.
I have tried the expression with session.server.landinguri but still could not get a match to the rule. I am not using any authentication at this point for the purpose of testing this. This is what the logs show:
/Common/AzureADB2BforInternalApps:Common:fdc12271: AccessPolicyProcessor/AccessPolicy.cpp: 'execute()': 658: Rule to evaluate = "expr {[mcget {session.server.landinguri}] contains "/soandso1/abc/" && [mcget {session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"}"
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.server.landinguri" was not found in the local cache for session "fdc12271"
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 617: try to get it from MEMCACHED
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 617: try to get it from MEMCACHED
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED
/Common/AzureADB2BforInternalApps:Common:fdc12271: AccessPolicyProcessor/AccessPolicy.cpp: 'execute()': 658: Rule to evaluate = ""
/Common/AzureADB2BforInternalApps:Common:fdc12271: Following rule 'fallback' from item 'Advanced Resource Assign(1)' to ending 'Deny
/Common/AzureADB2BforInternalApps:Common:fdc12271: Access policy result: Logon_Deny
- Stanislas_Piro2
Cumulonimbus
So the URI condition matches...
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)
and in TCL with the && operator, the second condition is evaluated only if the first is successful:
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"
but this variable does not exist:
/Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED
Look in the session variables for the name of the expected variable... you may find a variable with "last" replacing the box name, like:
session.oauth.client.last.id_token.group
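The points raised across the replies (the literal `*` in a `contains` test, matching on session.server.landinguri rather than HTTP::URI, Tcl's short-circuit `&&`, the session-variable name, and the implicit fallback branch) can be checked against a small emulation of how a branch rule is evaluated. The block below is an added example written for this page; it is not APM code and not from F5 or either poster. It re-implements the `starts_with` / `contains` checks in Python over a constructed session-variable store whose landing URI mirrors the thread's log line. The groups variable name session.oauth.client.last.id_token.groups follows the "last" hint above and is an assumption, as are the helper names evaluate_rule, choose_branch and build_rule and the placeholder group object ID.

```python
"""Emulation of F5 APM branch-rule evaluation (added example, not APM code).

Models the three things the thread turns on:
  * the string operators are literal and case-sensitive ("*" is not a wildcard),
  * Tcl's && short-circuits, so a later mcget only happens if earlier checks pass,
  * no matching rule means the session takes the implicit fallback branch.
"""
import re

GROUPS_VAR = "session.oauth.client.last.id_token.groups"  # assumed name, per the "last" hint
ALLOWED_GROUP = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # placeholder group object ID

# Constructed session-variable store; the landing URI mirrors the thread's log line.
SESSION = {
    "session.server.landinguri": "/soandso1/abc/",
    GROUPS_VAR: ALLOWED_GROUP,
}

# Literal, case-sensitive string tests, as in APM/iRules Tcl.
OPERATORS = {
    "starts_with": lambda value, lit: value.startswith(lit),
    "contains": lambda value, lit: lit in value,
    "equals": lambda value, lit: value == lit,
}

# One condition in the shape the thread uses: [mcget {var}] op "literal"
CONDITION = re.compile(r'\[mcget \{([^}]+)\}\]\s+(\w+)\s+"([^"]*)"')


def mcget(name, session, lookups):
    """Model of mcget: records the lookup; a missing variable reads as ""."""
    lookups.append(name)
    return session.get(name, "")


def evaluate_rule(rule, session=SESSION):
    """Evaluate `expr {c1 && c2 ...}` with Tcl short-circuit semantics.

    Returns (matched, list of variables actually looked up, in order).
    """
    body = rule.strip()
    if body.startswith("expr {") and body.endswith("}"):
        body = body[len("expr {"):-1]
    lookups = []
    for clause in body.split("&&"):
        match = CONDITION.fullmatch(clause.strip())
        if match is None:
            raise ValueError(f"unsupported condition: {clause.strip()!r}")
        var, op, literal = match.groups()
        if op not in OPERATORS:
            raise ValueError(f"unknown operator: {op}")
        if not OPERATORS[op](mcget(var, session, lookups), literal):
            return False, lookups  # remaining clauses are never evaluated
    return True, lookups


def choose_branch(branch_rules, session=SESSION):
    """First matching (name, rule) pair wins; otherwise APM's implicit fallback."""
    for name, rule in branch_rules:
        if evaluate_rule(rule, session)[0]:
            return name
    return "fallback"


def build_rule(path_op, path, groups_var=GROUPS_VAR, group=ALLOWED_GROUP):
    """Two-check rule in the thread's shape: path test && group-ID test."""
    return ('expr {[mcget {session.server.landinguri}] %s "%s" && '
            '[mcget {%s}] contains "%s"}' % (path_op, path, groups_var, group))


WILDCARD_RULE = build_rule("contains", "/SOANDSO1/*")     # "*" is literal: never matches
UPPERCASE_RULE = build_rule("starts_with", "/SOANDSO1/")  # case differs from the landing URI
WORKING_RULE = build_rule("starts_with", "/soandso1/")
# Same URI check, but the box-specific variable name from the thread, which the
# log shows was not found: the lookup happens, then the check fails on "".
WRONG_VAR_RULE = build_rule(
    "starts_with", "/soandso1/",
    groups_var="session.oauth.client./Common/AzureADB2B_act_oauth_client_ag.id_token.groups")

if __name__ == "__main__":
    for label, rule in [("wildcard", WILDCARD_RULE), ("uppercase", UPPERCASE_RULE),
                        ("working", WORKING_RULE), ("wrong variable", WRONG_VAR_RULE)]:
        matched, lookups = evaluate_rule(rule)
        print(f"{label:15} matched={matched!s:5} looked up: {lookups}")
    print("branch taken:", choose_branch([("allow_soandso1", WRONG_VAR_RULE)]))
    print("branch taken:", choose_branch([("allow_soandso1", WORKING_RULE)]))
```

Two things the emulation makes visible that the logs alone do not: a rule whose URI check fails never touches the groups variable, so seeing the groups lookup in the log is itself confirmation that the URI check matched (which is exactly the reading in the reply above); and when no rule matches, the session lands on the fallback branch, which is where the "everything else" traffic from the question ends up. As noted in the earlier reply, landinguri is only the first request's URI, so a branch rule on it is a one-time decision at policy time; restricting paths on every later request of the session is what the ACL is for.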