Forum Discussion
sricharan61
Feb 26, 2020 Cirrus
how to combine two irules and trigger the latter only when the first does not
I have two irules, one to do user id injection (for an IDP auth user using our access policy) and the other one to do a logout-call to the IDP server. Now, the requirement is to do user in...
NAG
Feb 26, 2020 Cirrostratus
Hi
You cannot choose between iRules applied to a Virtual Server as they are executed based on the events.
As you are using the HTTP_REQUEST event in both the rules, I have combined them into one iRule using if and else logic. The code in the last else block is run only if the first two conditions didn't match.
```tcl
when HTTP_REQUEST {
    # Tenant id from the validated JWT decides which IDP logout endpoint to use
    set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
    if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy" } {
        if { [HTTP::uri] contains "post_logout_redirect_uri" } {
            set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
            # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
            HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
        } else {
            # log local0. "logout uri not contains post_logout_redirect_uri parameter"
            HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
        }
    } else {
        # If these headers already exist, consider it a malicious attempt and remove them.
        # Every header inserted below is stripped first, so a client-supplied copy
        # never reaches the backend next to the trusted value.
        HTTP::header remove F5-auth-User-Id
        HTTP::header remove F5-auth-OID
        HTTP::header remove F5-auth-Tenant-Id
        HTTP::header remove F5-auth-User-email
        # Set variables from the access policy and insert headers to send to the backend
        set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
        set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
        set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
        set uri [string tolower [HTTP::uri]]
        HTTP::header insert "F5-auth-User-Id" $OID
        HTTP::header insert "F5-auth-OID" $OID
        HTTP::header insert "F5-auth-Tenant-Id" $TID
        HTTP::header insert "F5-auth-User-email" $user2
        # Log the headers as the backend will see them (look up by header name, not by value)
        log local0. "F5-auth-User-Id: [HTTP::header value F5-auth-User-Id]"
        log local0. "F5-auth-Tenant-Id: [HTTP::header value F5-auth-Tenant-Id]"
        log local0. "F5-auth-User-email: [HTTP::header value F5-auth-User-email]"
        log local0. "LOG INFO: $OID"
        log local0. "LOG INFO2: $TID"
        log local0. "LOG INFO3: $user2"
    }
}
```
Hope this helps,
Nag
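The rule above appends the client-supplied post_logout_redirect_uri value directly after https://[HTTP::host] before redirecting. A check that the value is a local absolute path before it reaches HTTP::redirect, as an added example that is not part of the original reply (plain Tcl, runnable in tclsh; the proc name is_local_path and the sample values are constructed for illustration):

```tcl
# Added example, not code from the thread. is_local_path is a hypothetical name.
#
# Returns 1 only when $value is an absolute path on the same host, so that
# "https://<host>$value" keeps <host> as the authority of the final URL.
proc is_local_path {value} {
    # Reject control characters (CR/LF would corrupt the Location header)
    # and backslashes, which some clients normalise to "/".
    if {[regexp {[[:cntrl:]\\]} $value]} {
        return 0
    }
    # Accept "/" alone, or "/" followed by anything that is not a second "/".
    # Empty values and values that do not start with "/" fail here.
    return [regexp {^/([^/].*)?$} $value]
}

# Constructed sample values: the first three are ordinary application paths,
# the rest would change or break the URL once appended after the host name.
set samples {
    "/home"
    "/"
    "/app/signed-out?x=1"
    "//other.example/"
    ".other.example/"
    "@other.example/"
    "/a\\b"
    ""
}

foreach v $samples {
    set verdict [expr {[is_local_path $v] ? "allow" : "reject"}]
    puts [format "%-26s -> %s" "\"$v\"" $verdict]
}

# Usage sketch inside the iRule (BIG-IP only, shown as comments):
#   set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
#   if { [call is_local_path $postLogoutValue] } {
#       HTTP::redirect "...logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
#   } else {
#       HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
#   }
```

The check is applied to the value exactly as it will be concatenated; registering the allowed post-logout URIs at the IDP remains the authoritative control.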