Forum Discussion
how to combine two irules and trigger the latter only when the first does not
I have two iRules, one to do user id injection (for an IdP-authenticated user using our access policy) and the other one to do a logout call to the IdP server.
Now, the requirement is to do user injection only when the user is still logged in and not after the user has logged out of the IdP. Based on this requirement, I would like to trigger the user-injection iRule only when the logout call has not yet been invoked by the user. Is there a way we can accomplish this, either by setting variables across iRules, or if not, by combining the iRules first and setting the variables globally?
Here are the two irules,
Logout-call irule:
when HTTP_REQUEST {
    # Tenant id of the authenticated user, read from the JWT stored in the APM session
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    # Tenant ids are masked in the post; "contains" also matches a partial id, "equals" is the strict form
    if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            # The query value is appended to the return URL as-is; restricting it to a path
            # beginning with "/" keeps the return location on this host
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri does not contain post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            # As posted, this branch only captures the value and issues no redirect
        } else {
            # log local0. "logout uri does not contain post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    }
}
User Identification Injection irule:
when HTTP_REQUEST {
    # If the identity headers already exist, consider it a spoofing attempt and remove them.
    # All four headers inserted below are removed, otherwise a client-supplied
    # F5-auth-OID or F5-auth-User-email would reach the backend alongside ours.
    HTTP::header remove F5-auth-User-Id
    HTTP::header remove F5-auth-OID
    HTTP::header remove F5-auth-Tenant-Id
    HTTP::header remove F5-auth-User-email
    # Set variables from the access policy session and insert headers to send to the backend
    set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
    set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
    set uri [string tolower [HTTP::uri]]
    HTTP::header insert "F5-auth-User-Id" $OID
    HTTP::header insert "F5-auth-OID" $OID
    HTTP::header insert "F5-auth-Tenant-Id" $TID
    HTTP::header insert "F5-auth-User-email" $user2
    # Read back by header name; the posted version looked the header up by its value
    log local0. "F5-auth-User-Id: [HTTP::header value F5-auth-User-Id]"
    log local0. "F5-auth-Tenant-Id: [HTTP::header value F5-auth-Tenant-Id]"
    log local0. "F5-auth-User-email: [HTTP::header value F5-auth-User-email]"
    log local0. "LOG INFO: $OID"
    log local0. "LOG INFO2: $TID"
    log local0. "LOG INFO3: $user2"
}
- NAGCirrostratus
Hi,
You cannot choose between iRules applied to a Virtual Server, as they are executed based on the events.
As you are using the HTTP_REQUEST event in both rules, I have combined them into one iRule using if and else logic. Code in the last else block runs only if the first two conditions didn't match.
when HTTP_REQUEST {
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri does not contain post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri does not contain post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } else {
        # If the identity headers already exist, consider it a spoofing attempt and remove them.
        # All four injected headers are removed so the client cannot supply any of them.
        HTTP::header remove F5-auth-User-Id
        HTTP::header remove F5-auth-OID
        HTTP::header remove F5-auth-Tenant-Id
        HTTP::header remove F5-auth-User-email
        # Set variables from the access policy session and insert headers to send to the backend
        set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
        set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
        set uri [string tolower [HTTP::uri]]
        HTTP::header insert "F5-auth-User-Id" $OID
        HTTP::header insert "F5-auth-OID" $OID
        HTTP::header insert "F5-auth-Tenant-Id" $TID
        HTTP::header insert "F5-auth-User-email" $user2
        # Read back by header name; the posted version looked the header up by its value
        log local0. "F5-auth-User-Id: [HTTP::header value F5-auth-User-Id]"
        log local0. "F5-auth-Tenant-Id: [HTTP::header value F5-auth-Tenant-Id]"
        log local0. "F5-auth-User-email: [HTTP::header value F5-auth-User-email]"
        log local0. "LOG INFO: $OID"
        log local0. "LOG INFO2: $TID"
        log local0. "LOG INFO3: $user2"
    }
}
Hope this helps,
Nag
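The combined rule above skips the injection only on the logout request itself, not on later requests from a session that has already logged out, which is what the question asked for. The following is an added example (not the posters' code) that carries the logout state across requests in the APM session, the "setting variables" approach the asker mentioned; the variable name session.custom.logged_out, the single IdP logout endpoint and the path check on post_logout_redirect_uri are this example's assumptions.

```tcl
when HTTP_REQUEST {
    # Strip the identity headers on every request, whether or not we inject,
    # so a client can never hand its own values to the backend.
    foreach h {F5-auth-User-Id F5-auth-OID F5-auth-Tenant-Id F5-auth-User-email} {
        HTTP::header remove $h
    }

    if { [string tolower [HTTP::uri]] starts_with "/logout-apm" } {
        # Flag the APM session as logged out before redirecting to the IdP.
        # "session.custom.logged_out" is an assumed variable name; every later
        # request on this session reads it and skips the injection below.
        ACCESS::session data set "session.custom.logged_out" 1

        # The per-tenant IdP logout endpoints (selected on $tid in the post)
        # would be chosen here; one endpoint is used to keep the example short.
        set target "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        set back [URI::query [HTTP::uri] post_logout_redirect_uri]
        # Accept only a same-host relative path: an absolute URL or a
        # protocol-relative "//host" from the client would make this an open redirect.
        if { $back starts_with "/" && !($back starts_with "//") } {
            append target "?post_logout_redirect_uri=https://[HTTP::host]$back"
        }
        HTTP::redirect $target
        return
    }

    # Injection branch: skipped once the session has gone through logout.
    if { [ACCESS::session data get "session.custom.logged_out"] eq "1" } {
        return
    }
    set oid   [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
    set tid   [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    set email [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
    if { $oid eq "" } {
        # No identity in the session (not authenticated yet): inject nothing.
        return
    }
    HTTP::header insert "F5-auth-User-Id" $oid
    HTTP::header insert "F5-auth-OID" $oid
    HTTP::header insert "F5-auth-Tenant-Id" $tid
    HTTP::header insert "F5-auth-User-email" $email
    log local0. "injected user=[HTTP::header value F5-auth-User-Id] tenant=$tid"
}
```

A stronger alternative is to end the APM session itself on the logout request with ACCESS::session remove, so the next request re-runs the access policy instead of merely skipping the injection.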