Forum Discussion

sricharan61's avatar
sricharan61
Icon for Cirrus rankCirrus
Feb 26, 2020

how to combine two irules and trigger the latter only when the first does not

I have two irules, one to do user id injection( for an IDP auth user using our access policy ) and the other one to do a logout-call to the IDP server.

 

 

 

Now, the requirement is to do user injection only when the user is still logged in and not after the user has logged out of the IDP. Based on this requirement, I would like to trigger the user-injection irule only when the logout-call is not still invoked by the user. Is there a way we can accomplish this either may be through settings any variables across irules or if not by combining the irules first and trying with setting the variables globally.

 

 

 

Here are the two irules,

 

 

 

Logout-call irule:

 

 

 

 

 

when HTTP_REQUEST {

 

set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]

 

if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx"}

 

{

 

  

 

  if { [HTTP::uri] contains "post_logout_redirect_uri" } {

 

 set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]

 

 # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"

 

 HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"

 

 

 

 }

 

 else {

 

  # log local0. "logout uri not contains post_logout_redirect_uri parameter"

 

  HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"

 

   

 

 }

 

 }

 

elseif { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy"}

 

 {

 

   

 

 if { [HTTP::uri] contains "post_logout_redirect_uri" } {

 

 set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]

 

 # log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"

 

 HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&amp&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"

 

   

 

 }

 

 else {

 

  # log local0. "logout uri not contains post_logout_redirect_uri parameter"

 

  HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"

 

  

 

 }

 

 }

 

}

 

 

 

User Identification Injection irule:

 

 

 

when HTTP_REQUEST {

 #If already exists ,consider it malicious attempt and remove the headers

 HTTP::header remove F5-auth-User-Id

 

 HTTP::header remove F5-auth-Tenant-Id

  

 #set variables from access policy and insert headers to send to backend

 set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]

 

 set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]

 

 set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]

 

 set uri [string tolower [HTTP::uri]]

 

 HTTP::header insert "F5-auth-User-Id" $OID

 

 HTTP::header insert "F5-auth-OID" $OID

 

 HTTP::header insert "F5-auth-Tenant-Id" $TID

 

 HTTP::header insert "F5-auth-User-email" $user2

 

 

 

 log local0. "$OID: [HTTP::header value $OID]"

 

 log local0. "$TID: [HTTP::header value $TID]"

 

 log local0. "$user2: [HTTP::header value $user2]"

 

 log local0. "LOG INFO: $OID"

 

 log local0. "LOG INFO2: $TID"

 

 log local0. "LOG INFO3: $user2"

 

}

APM
application delivery
if
LTM
set

1 Reply

Sort By
  • NAG's avatar
    NAG
    Icon for Cirrostratus rankCirrostratus
    Feb 26, 2020

    Hi

    You cannot choose between iRules applied to a Virtual Server as they are executed based on the events.

     

    As you are using the event HTTP_REQUEST event in both the rules, I have combined them into one iRule used if and and else logic. Code in the last else block is run only if first two conditions dint match

    when HTTP_REQUEST {
 
set tid [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
 
	if { [HTTP::uri] contains "/logout-apm" and $tid contains "xxxxxxx-xxxxxx-xxxx-xxxxxxxxxxxxxx"} {
			if { [HTTP::uri] contains "post_logout_redirect_uri" } {
				set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
				# log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
				HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
			} else {
				# log local0. "logout uri not contains post_logout_redirect_uri parameter"
 
				HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
 
			}
 
	} elseif  { [HTTP::uri] contains "/logout-apm" and $tid contains "yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy"} {
 
			if { [HTTP::uri] contains "post_logout_redirect_uri" } {
					set postLogoutValue [URI::query [HTTP::uri] post_logout_redirect_uri]
					# log local0. "Logout Value: $postLogoutValue - Redirect Uri: https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
					HTTP::redirect "https://login-test.wecenergygroup.com/yyyyyyy-yyyyy-yyyy-yyyyyyyyyyyyyyyy/oauth2/v2.0/logout?p=b2c_1a_ya_signup_signin&amp&post_logout_redirect_uri=https://[HTTP::host]$postLogoutValue"
			} else {
					# log local0. "logout uri not contains post_logout_redirect_uri parameter"
					HTTP::redirect "https://login.microsoftonline.com/common/oauth2/v2.0/logout"
			}
	} else {
		#If already exists ,consider it malicious attempt and remove the headers
		HTTP::header remove F5-auth-User-Id
		HTTP::header remove F5-auth-Tenant-Id
		#set variables from access policy and insert headers to send to backend
		set OID [ACCESS::session data get "session.oauth.jwt.payload.last.oid"]
		set TID [ACCESS::session data get "session.oauth.jwt.payload.last.tid"]
		set user2 [ACCESS::session data get "session.oauth.scope./Common/pps_act_oauth_scope_1_ag.UserInfo.email"]
		set uri [string tolower [HTTP::uri]]
		HTTP::header insert "F5-auth-User-Id" $OID
		HTTP::header insert "F5-auth-OID" $OID
		HTTP::header insert "F5-auth-Tenant-Id" $TID
		HTTP::header insert "F5-auth-User-email" $user2
		log local0. "$OID: [HTTP::header value $OID]"
		log local0. "$TID: [HTTP::header value $TID]"
		log local0. "$user2: [HTTP::header value $user2]"
		log local0. "LOG INFO: $OID"
		log local0. "LOG INFO2: $TID"
		log local0. "LOG INFO3: $user2"
	}
	
}

    Hope this helps,

    Nag