Forum Discussion

Nov 13, 2019
Solved

How can I use an expression in an APM policy to look for a URI path and then set the branch rule accordingly?

How can I use an expression in an APM policy to look for a URI path and then set the branch rule accordingly? I could probably set up the Advanced Resource Assign item and create a bunch of branch rules that look for specific URI paths alone to be sent over that branch. I would be looking to do two checks: one for the URI path, and then, for a specific URI path, I would need to look at the user's group object ID or IDs that he comes in with for accessing that specific URI path, to be able to decide whether to allow him or not. The specific branch rules would have expressions looking for both these checks. I am trying to configure something like this:

Branch rule1:

expr {[mcget {HTTP::URI}] contains "/SOANDSO1/*" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

will be allowed.

If there is no match to any of the branch rules, we would have to put in a branch rule that looks for anything else in the URI path that is being called and is not part of the above guarded URIs, and just allow them (those URIs do not need to be restricted).

Is that the correct syntax for looking at an HTTP URI using expressions? And how can I handle the rest of the traffic that does not match successfully with any of these match branch rules?


5 Replies

  • This is not correct syntax... except if your URI contains a star character...

    expr {[mcget {session.server.landinguri}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

    when you configure branches, there is always a fallback branch for sessions not matching any branches.

    • sricharan61

      I have tried this solution; the logs show the Advanced Resource Assign trying to match these rules as well, but none of the rules are matched and it ends up going to the fallback branch. I have made sure I am meeting all the requirements of the URI condition and the group OID coming in. The logs show the OID for the mentioned group come in for the user's request as well.

      Is HTTP::URI supported to be used in an expression? I am using this:

      expr {[mcget {HTTP::URI}] starts_with "/SOANDSO1/" && [mcget {session.oauth.client./Common/AzureADB2B_act_ oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxxx-xxxxx-xxxx-xxxxxxxxxxxx"}

      It looks like it's not able to look for the URI at all.

      • Stanislas_Piro2

        Sorry,

        I saw the wildcard issue but not the HTTP::uri... ;)

        HTTP::uri is per request (only in iRules)... if you want the initial URI matching, you have to use: session.server.landinguri

        The code above is changed to match this.

        If the goal is to restrict URIs after authentication, you must create an ACL with /SOANDSO1/* in the path, then assign this ACL in the Advanced Resource Assign object.

  • Hi Stanislas,

    We are planning to use authentication using OAuth to Azure AD. We would need to use ACLs at a later point, but it might get too complicated to use ACLs, as we would be looking to invoke the match conditions using expressions for multiple user groups to be sent over to different ACLs, which would be too many, and it also gets too complicated to look for users in multiple groups to be allowed to two or more ACLs (we would need custom expressions looking for a match of more than one user group ID and maybe combine ACLs as their assignment).

    This is why we wanted to look at simple branching rules based on two checks for each branch: one for the path and the next for the specific user group ID allowed to access that path.

    I have tried the expression with session.server.landinguri but still could not get a match to the rule. I am not using any authentication at this point, for the purpose of testing this. This is what the logs show:

    /Common/AzureADB2BforInternalApps:Common:fdc12271: AccessPolicyProcessor/AccessPolicy.cpp: 'execute()': 658: Rule to evaluate = "expr {[mcget {session.server.landinguri}] contains "/soandso1/abc/" && [mcget {session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups}] contains "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx"}"
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.server.landinguri" was not found in the local cache for session "fdc12271"
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 617: try to get it from MEMCACHED
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 617: try to get it from MEMCACHED
    /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED
    /Common/AzureADB2BforInternalApps:Common:fdc12271: AccessPolicyProcessor/AccessPolicy.cpp: 'execute()': 658: Rule to evaluate = ""
    /Common/AzureADB2BforInternalApps:Common:fdc12271: Following rule 'fallback' from item 'Advanced Resource Assign(1)' to ending 'Deny
    /Common/AzureADB2BforInternalApps:Common:fdc12271: Access policy result: Logon_Deny

    • Stanislas_Piro2

      So the URI condition matches...

      /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 639: variable found, let's add it to the local cache "session.server.landinguri"="/soandso1/abc/"(length=28)

      and in Tcl with the && operator, the second condition is evaluated only if the first is successful:

      /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 610: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" was not found in the local cache for session "fdc12271"

      but this variable does not exist:

      /Common/AzureADB2BforInternalApps:Common:fdc12271: ./AccessPolicyProcessor/Session.h: 'getSessionVar()': 625: variable "session.oauth.client./Common/AzureADB2BforInternalApps_act_oauth_client_ag.id_token.groups" for session "fdc12271" was not found in MEMCACHED

      Look in the session variables for the name of the expected variable... you may find a variable with "last" replacing the box name, like:

      session.oauth.client.last.id_token.group
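To make the three outcomes in this thread reproducible off-box, here is an added Python model of how an ordered branch-rule list is walked (first matching rule wins, otherwise the built-in fallback branch). It is not from the thread or from F5: the session values and group IDs are constructed placeholders, the `.last.` variable name follows the answer above, and the `contains` / `starts_with` operators are modelled as case-sensitive string tests with the prefix lowercased to match the logged landing URI.

```python
# Constructed session variables, modelled on the logs in the thread. The group
# claim holds several object IDs; these values are placeholders, not real IDs.
SESSION = {
    "session.server.landinguri": "/soandso1/abc/",
    "session.oauth.client.last.id_token.groups":
        "11111111-2222-3333-4444-555555555555 66666666-7777-8888-9999-000000000000",
}
ALLOWED_GROUP = "11111111-2222-3333-4444-555555555555"

URI = "session.server.landinguri"
# Variable name as typed in the original rule (assumed absent from the session).
GROUPS_NAMED = "session.oauth.client./Common/AzureADB2B_act_oauth_client_ag.id_token.groups"
# Variable name suggested in the accepted answer.
GROUPS_LAST = "session.oauth.client.last.id_token.groups"

def mcget(session, name):
    """Model of mcget: a missing variable is an error, not an empty string."""
    if name not in session:
        raise KeyError(name)  # the logs show 'was not found in MEMCACHED' here
    return session[name]

def contains(session, var, needle):
    """Model of the Tcl 'contains' operator: a literal substring test, '*' is not a wildcard."""
    return needle in mcget(session, var)

def starts_with(session, var, prefix):
    """Model of the Tcl 'starts_with' operator: a literal prefix test."""
    return mcget(session, var).startswith(prefix)

def evaluate(rules, session):
    """Walk ordered (branch, predicate) pairs; Python 'and' short-circuits like Tcl '&&'."""
    for branch, predicate in rules:
        try:
            if predicate(session):
                return branch
        except KeyError:
            continue  # rule cannot be evaluated ('Rule to evaluate = ""'), try the next
    return "fallback"   # APM always has a fallback branch for sessions matching nothing

# 1. Original rule: '*' is a literal character for 'contains', so no real path matches.
RULES_WILDCARD = [("allow", lambda s: contains(s, URI, "/soandso1/*")
                                      and contains(s, GROUPS_NAMED, ALLOWED_GROUP))]
# 2. Prefix fixed, but the group variable name does not exist in this session.
RULES_WRONG_VAR = [("allow", lambda s: starts_with(s, URI, "/soandso1/")
                                       and contains(s, GROUPS_NAMED, ALLOWED_GROUP))]
# 3. Prefix fixed and the '.last.' variable used: URI and group both match.
RULES_FIXED = [("allow", lambda s: starts_with(s, URI, "/soandso1/")
                                   and contains(s, GROUPS_LAST, ALLOWED_GROUP))]

if __name__ == "__main__":
    for label, rules in (("wildcard", RULES_WILDCARD), ("wrong var", RULES_WRONG_VAR),
                         ("fixed", RULES_FIXED)):
        print(f"{label:10s} -> {evaluate(rules, SESSION)}")
```

Swapping the landing URI for a path outside the guarded prefix, or removing the allowed group from the claim, sends the session to the fallback branch, which is where the policy's handling of unguarded paths has to be decided.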