How to prevent large file POST requests using Azure APIM? - azure

How to prevent large file requests using Azure APIM?
Example: Block any POST request having file size > 50MB

You can apply the following policy for all your APIs. For each POST request, the policy will check the body size, and if the size is above 50MB, it will return status 413 - Payload Too Large.
<policies>
<inbound>
<base />
<choose>
<when condition="@(context.Request.Method == "POST")">
<set-variable name="bodySize" value="@(context.Request.Headers["Content-Length"][0])" />
<choose>
<when condition="@(int.Parse(context.Variables.GetValueOrDefault<string>("bodySize"))<52428800)">
<!--let it pass through by doing nothing-->
</when>
<otherwise>
<return-response>
<set-status code="413" reason="Payload Too Large" />
<set-body>@{
return "Maximum allowed size for the POST requests is 52428800 bytes (50 MB). This request has size of "+ context.Variables.GetValueOrDefault<string>("bodySize") +" bytes";
}
</set-body>
</return-response>
</otherwise>
</choose>
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>

There are policies called quota-by-key and quota-by-subscription, which will help the users to block the calls that exceed the bandwidth specified. Please verify this link for more details.
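A variant of the Content-Length check above that also covers requests with no usable Content-Length header (for example chunked uploads), where indexing `Headers["Content-Length"][0]` would throw instead of returning 413. This is an added example, not part of the original answer; answering a missing length with 411 is an assumed policy choice.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <when condition="@(context.Request.Method == "POST")">
                <!-- Empty string when no Content-Length was sent (e.g. chunked transfer encoding) -->
                <set-variable name="bodySize" value="@(context.Request.Headers.GetValueOrDefault("Content-Length", ""))" />
                <choose>
                    <!-- Missing or non-numeric length: reject rather than throw (assumed choice).
                         long instead of int so values above 2 GB parse instead of overflowing. -->
                    <when condition="@{
                        long size;
                        string raw = context.Variables.GetValueOrDefault<string>("bodySize", "");
                        return !long.TryParse(raw, out size) || size < 0;
                    }">
                        <return-response>
                            <set-status code="411" reason="Length Required" />
                        </return-response>
                    </when>
                    <!-- Declared length above 50 MB -->
                    <when condition="@(long.Parse(context.Variables.GetValueOrDefault<string>("bodySize", "0")) > 52428800)">
                        <return-response>
                            <set-status code="413" reason="Payload Too Large" />
                            <set-body>Maximum allowed size for POST requests is 52428800 bytes (50 MB).</set-body>
                        </return-response>
                    </when>
                </choose>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The header is a value the client declares, so this check complements any request size limit enforced on the backend rather than replacing it.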

Related

azure apim import policy - Too many characters in character literal

I'm trying to import a policy to azure api management using a bicep template as follows:
resource allOpsPolicy 'Microsoft.ApiManagement/service/apis/policies@2021-12-01-preview' = {
name: 'policy'
parent: apimapi_v1
properties: {
value: loadTextContent('all-ops-policy.xml')
format: 'xml'
}
}
The content of the all-ops-policy.xml file is as follows:
<policies>
<inbound>
<base />
<choose>
<when condition="@(context.Request.OriginalUrl.ToString().EndsWith("Public") == false)">
<rewrite-uri template="@(String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer"))" copy-unmatched-params="false" />
</when>
<otherwise />
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
When run I get the following error:
One or more fields contain incorrect values: (Code: ValidationError)
'Public' is an unexpected token. Expecting white space.
Can anyone see where I'm going wrong?
The problem was the value of the format property of the allOpsPolicy resource.
I changed from
format: 'xml'
to
format: 'rawxml'
then it worked!
Thanks to Nisha for solving this one
Please replace the single quotes ' with double quotes ".
context.Request.OriginalUrl.ToString().EndsWith('Public') == false)
context.Request.OriginalUrl.ToString().EndsWith("Public") == false
It seems there's also one single quote too much:
String.Concat(context.Request.OriginalUrl.ToString(),'/'', 'MapServer')
String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer")
Complete policy:
<policies>
<inbound>
<base />
<choose>
<when condition="@(context.Request.OriginalUrl.ToString().EndsWith("Public") == false)">
<rewrite-uri template="@(String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer"))" copy-unmatched-params="false" />
</when>
<otherwise />
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Issue is not reproducible:

APIM caching not working with same vary-by-query-parameters

I am working on APIM caching and, while testing, I found caching not working. If the header or query parameters below (userAuthorizationToken, ProductCode, PageNo, Limit) remain the same, it should return the cached response.
I am using Postman to test the endpoint by calling "GetProduct" and passing parameters. Then I enter more records in the database and call GetProduct again, and it returns more records. However, the caching duration has not been met.
Any advice?
<policies>
<inbound>
<base />
<cache-lookup vary-by-developer="false" vary-by-developer-groups="false" downstream-caching-type="none" must-revalidate="true" allow-private-response-caching="true" caching-type="internal" >
<vary-by-header>userAuthorizationToken</vary-by-header>
<vary-by-query-parameter>productCode</vary-by-query-parameter>
<vary-by-query-parameter>pageNo</vary-by-query-parameter>
<vary-by-query-parameter>limit</vary-by-query-parameter>
</cache-lookup>
</inbound>
<backend>
<base/>
</backend>
<outbound>
<cache-store duration="2400" />
<base/>
</outbound>
<on-error> ....etc
Unfortunately, I can't access APIM in azure portal.

Azure API management not sending retry when function app disabled

I've configured an API Management policy to retry to a second region if the first encounters an error.
However, when I disable the primary function app, based in Sydney, there are no retries recorded in Application insights - only the original failing request. There are no function calls recorded in the Melbourne function app.
I've tried a bunch of different configurations. Both region function apps are running fine.
I've copied the code below, is there something that I'm missing or not understanding?
Thanks in advance
API Policy
<policies>
<inbound>
<base />
<choose>
<when condition="@(context.Variables.GetValueOrDefault<int>('RetryCounter', 0) == 0)">
<set-backend-service base-url="{{syndey-function-app}}" />
</when>
<otherwise>
<set-backend-service base-url="{{melbourne-function-app}}" />
</otherwise>
</choose>
</inbound>
<backend>
<retry count="1" interval="0" first-fast-retry="true" condition="@(
context.Response.StatusCode > 400
)">
<set-variable name="RetryCounter" value="@(context.Variables.GetValueOrDefault<int>('RetryCounter', 0) + 1)" />
<forward-request buffer-request-body="true" timeout="15"/>
</retry>
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
403 Error Response
<h1 id="unavailable">Error 403 - This web app is stopped.</h1>
<p id="tryAgain">
The web app you have attempted to reach is currently stopped and does not
accept any requests. Please try to reload the page or visit it again soon.
</p>
<p id="toAdmin">
If you are the web app administrator, please find the common 403 error
scenarios and resolution <a href="https://go.microsoft.com/fwlink/?linkid=2095007"
target="_blank">here</a>. For further troubleshooting tools and recommendations,
please visit Azure Portal.
</p>
I had to replace the single quotes with double quotes because of an error on save:
context.Variables.GetValueOrDefault<int>('RetryCounter', 0) => context.Variables.GetValueOrDefault<int>("RetryCounter", 0)
For testing I created two mocked services:
Returns status code 200:
https://rfqapiservicey27itmeb4cf7q.azure-api.net/echo/200/test
Returns status code 403:
https://rfqapiservicey27itmeb4cf7q.azure-api.net/echo/403/test
The retry section in the backend section will never return to the inbound section. So the choose condition was only hit at the very beginning.
Therefore, the choose condition has to be moved to the backend section.
<policies>
<inbound>
<base />
<set-backend-service base-url="https://rfqapiservicey27itmeb4cf7q.azure-api.net/echo/403" />
<!--
<set-backend-service base-url="{{syndey-function-app}}" />
-->
</inbound>
<backend>
<retry count="1" interval="0" first-fast-retry="true" condition="@(
context.Response.StatusCode > 400
)">
<set-variable name="RetryCounter" value="@(context.Variables.GetValueOrDefault<int>("RetryCounter", 0) + 1)" />
<choose>
<when condition="@(context.Variables.GetValueOrDefault<int>("RetryCounter", 0) > 1)">
<set-backend-service base-url="https://rfqapiservicey27itmeb4cf7q.azure-api.net/echo/200" />
<!--
<set-backend-service base-url="{{melbourne-function-app}}" />
-->
</when>
</choose>
<forward-request buffer-request-body="true" timeout="15" />
</retry>
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
My sample operation executes as expected:
https://rfqapiservicey27itmeb4cf7q.azure-api.net/sample/test
The first hit in the backend requests the 403 resource:
This request is failing, and the retry policy sets the 200 in the backend section:
This second request is successful; it will return 200 and leave the backend section:

How to use a variable when returning response in policy definition?

I'm configuring inbound policies in an instance of Azure API Management.
First, I set a variable:
<set-variable name="var1" value="" />
Then I send a request
<send-request mode="new" response-variable-name="var1" timeout="20" ignore-error="false">
Which returns a JSON. When testing I get the following message in trace tab:
GET request to 'https://my-api.azure-api.net/api/data' has been sent, result stored in 'var1' variable.
I guess the send-request policy works and the result is stored in the variable.
Then I want to return a response (still in inbound, I get 500 when trying to do it in outbound):
<return-response response-variable-name="existing response variable">
<set-status code="200" reason="OK" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>
{
"success": true,
"var1": context.Variables["var1"]
}
</set-body>
</return-response>
My problem is it doesn't work... It just renders context.Variables["var1"].
And so does:
@context.Variables["var1"]
@{ context.Variables.GetValueOrDefault<string>("var1") }
@context.Variables.GetValueOrDefault("var1")
All of them are rendered as written, no value is being extracted.
Edit: I also tried adding a placeholder string and then using
<find-and-replace from="Placeholder" to="context.Variables.GetValueOrDefault("var1")" />
And try to place it in inbound and outbound alike. But this policy did not launch.
It's a JSON object that I want to append to the response (small detail: in reality I have this issue with multiple variables).
My question is: how can I add my declared variable to the response?
There are two ways you can go about this. You could use policy expressions for that: https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions. The thing to remember is that they can only be used to construct the whole value for a policy, not part of it, so:
<set-body>@("{\"success\": true, \"var1\": " + ((IResponse)context.Variables["var1"]).Body.As<string>() + "}")</set-body>
Or with the set-body policy you could use a liquid template:
<set-variable name="var1body" value="@(((IResponse)context.Variables["var1"]).Body.As<string>())" />
<set-body template="liquid">
{
"success": true,
"var1": {{context.Variables["var1body"]}}
}
</set-body>
I assume you have some sidecar request going on additionally to your main request flow.
This sample adds the response from send-request to the response body of the main request:
<policies>
<inbound>
<base />
<!-- main request -->
<set-backend-service base-url="https://reqres.in" />
<rewrite-uri template="/api/users/2" />
<!-- sidecar request -->
<send-request mode="new" response-variable-name="var1" timeout="20" ignore-error="true">
<set-url>https://reqres.in/api/unkown/2</set-url>
<set-method>GET</set-method>
</send-request>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-body template="none">@{
var body = context.Response.Body.As<JObject>(true);
body["var1"] = ((IResponse)context.Variables["var1"]).Body.As<JObject>();
return body.ToString();
}</set-body>
</outbound>
<on-error>
<base />
</on-error>
</policies>

Decrypt bearer token in Azure API Management to get acr_values

Is there any way to decrypt a bearer token in an API management policy in order to create a condition on its acr_values, for example a tenant?
Looking at the MS documentation it does not seem possible, I would be looking to achieve something like:
<when condition="@(context.Request.Headers["Authorization"] --DO MAGIC HERE-- .acr_values["tenant"] == "contoso" ">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
Alternatively something like the example here but for setting the backend service:
http://devjourney.com/blog/2017/03/23/extract-jwt-claims-in-azure-api-management-policy/
Documentation I've read:
https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#example-4
https://learn.microsoft.com/en-us/azure/api-management/policies/authorize-request-based-on-jwt-claims?toc=api-management/toc.json#policy
Did you try .AsJwt() method (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables):
<policies>
<inbound>
<base />
<set-header name="tenant" exists-action="append">
<value>@{
var jwt = context.Request.Headers.GetValueOrDefault("Authorization").AsJwt();
return jwt?.Claims.GetValueOrDefault("tenant") ?? "unknown";
}</value>
</set-header>
<choose>
<when condition="@(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Also I'm not sure if you need it as a header to backend request, if not consider using set-variable policy.
Ok so I got it working in a very hacky way, you can set values of the decrypted token in the header and then set conditions on that header.
<policies>
<inbound>
<base />
<set-header name="tenant" exists-action="append">
<value>@{
string tenant = "unknown";
string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
if (authHeader?.Length > 0)
{
string[] authHeaderParts = authHeader.Split(' ');
if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
{
Jwt jwt;
if (authHeaderParts[1].TryParseJwt(out jwt))
{
tenant = (jwt.Claims.GetValueOrDefault("tenant", "unknown"));
}
}
}
return tenant;
}</value>
</set-header>
<choose>
<when condition="@(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
A few years have passed since this has been answered, but as I found a less verbose solution, without actually modifying the request headers, I thought it would be nice to share for others:
<set-variable name="tenant" value="@{
var authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
return authHeader.AsJwt()?.Claims.GetValueOrDefault("tenant", "");
}" />
...
<choose>
<when condition="@(context.Variables.GetValueOrDefault("tenant", "") == "your-tenant-id")">
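`AsJwt()` and `TryParseJwt()` in the answers above only parse the token; they do not verify its signature, so a routing decision based on a claim should come after token validation. The following is an added example, not from the original answers, that validates the token with `validate-jwt` and routes on the claim of the validated token; the OpenID configuration URL, the variable name `validatedJwt` and the tenant value are placeholders.

```xml
<policies>
    <inbound>
        <base />
        <!-- Verify the signature and expiry before trusting any claim.
             The URL is a placeholder for the identity provider's metadata endpoint. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      output-token-variable-name="validatedJwt">
            <openid-config url="https://login.example.invalid/.well-known/openid-configuration" />
        </validate-jwt>
        <!-- Read the claim from the validated token, not from the raw header -->
        <set-variable name="tenant" value="@(((Jwt)context.Variables["validatedJwt"]).Claims.GetValueOrDefault("tenant", ""))" />
        <choose>
            <when condition="@(context.Variables.GetValueOrDefault<string>("tenant", "") == "some-tenant")">
                <set-backend-service base-url="http://contoso.com/api/8.2/" />
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```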