Is there any way to decrypt a bearer token in an API management policy in order to create a condition it's acr_values, for example a tenant.
Looking at the MS documentation it does not seem possible, I would be looking to achieve something like:
<when condition="#(context.Request.Headers["Authorization"] --DO MAGIC HERE-- .acr_values["tenant"] == "contoso" ">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
Alternatively something like the example here but for setting the backed service:
http://devjourney.com/blog/2017/03/23/extract-jwt-claims-in-azure-api-management-policy/
Documentation I've read:
https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#example-4
https://learn.microsoft.com/en-us/azure/api-management/policies/authorize-request-based-on-jwt-claims?toc=api-management/toc.json#policy
Did you try .AsJwt() method (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables):
<policies>
<inbound>
<base />
<set-header name="tenant" exists-action="append">
<value>#{
var jwt = context.Request.Headers.GetValueOrDefault("Authorization").AsJwt();
return jwt?.Claims.GetValueOrDefault("tenant") ?? "unknown";
}</value>
</set-header>
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
Also I'm not sure if you need it as a header to backend request, if not consider using set-variable policy.
Ok so I got it working in a very hacky way, you can set vales of the decrypted token in the header and then set conditions on that header.
<policies>
<inbound>
<base />
<set-header name="tenant" exists-action="append">
<value>#{
string tenant = "unknown";
string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
if (authHeader?.Length > 0)
{
string[] authHeaderParts = authHeader.Split(' ');
if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
{
Jwt jwt;
if (authHeaderParts[1].TryParseJwt(out jwt))
{
tenant = (jwt.Claims.GetValueOrDefault("tenant", "unknown"));
}
}
}
return tenant;
}</value>
</set-header>
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
<set-backend-service base-url="http://contoso.com/api/8.2/" />
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
A few years have passed since this has been answered, but as I found a less verbose solution, without actually modifying the request headers, i thought it would be nice to share for others:
<set-variable name="tenant" value="#{
var authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
return authHeader.AsJwt()?.Claims.GetValueOrDefault("tenant", "");
}" />
...
<choose>
<when condition="#(context.Variables.GetValueOrDefault("tenant", "") == "your-tenant-id")">
Related
I try to check request body like this.
<set-variable name="isBody" value="#{
bool rtn_result = false;
if (context.Request.Body == null)
{
rtn_result = true;
}
return rtn_result;
}" />
but 'rtn_result' return false always
I followed the document and they told me
"context.Request Body: IMessageBody or null if request doesn't have a body."
What I mistake?
What is the right thing?
What should I do?
Thx.
Your if condition does not make sense.
It returns true if there's no body.
Please change it to:
if (context.Request.Body != null)
{
rtn_result = true;
}
Complete policy:
<policies>
<inbound>
<base />
<set-variable name="isBody" value="#{
bool rtn_result = false;
if (context.Request.Body != null)
{
rtn_result = true;
}
return rtn_result;
}" />
<return-response>
<set-status code="200" reason="OK" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>#{
var response = new JObject();
response["hasBody"] = context.Variables.GetValueOrDefault<bool>("isBody");
return response.ToString();
}</set-body>
</return-response>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Result with body:
Result without body:
I'm trying to import a policy to azure api management using a bicep template as follows:
resource allOpsPolicy 'Microsoft.ApiManagement/service/apis/policies#2021-12-01-preview' = {
name: 'policy'
parent: apimapi_v1
properties: {
value: loadTextContent('all-ops-policy.xml')
format: 'xml'
}
}
The content of the all-ops-policy.xml file is as follows:
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.OriginalUrl.ToString().EndsWith("Public") == false)">
<rewrite-uri template="#(String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer"))" copy-unmatched-params="false" />
</when>
<otherwise />
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
When run I get the following error:
One or more fields contain incorrect values: (Code: ValidationError)
'Public' is an unexpected token. Expecting white space.
Can anyone see where I'm going wrong?
The problem was the value of the format property of the allOpsPolicy resource.
I changed from
format: 'xml'
to
format: 'rawxml'
then it worked!
Thanks to Nisha for solving this one
Please replace the single quotes ` with double quotes ".
context.Request.OriginalUrl.ToString().EndsWith('Public') == false)
context.Request.OriginalUrl.ToString().EndsWith("Public") == false
It seems there's also one single quote too much:
String.Concat(context.Request.OriginalUrl.ToString(),'/'', 'MapServer')
String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer")
Complete policy:
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.OriginalUrl.ToString().EndsWith("Public") == false)">
<rewrite-uri template="#(String.Concat(context.Request.OriginalUrl.ToString(),"/", "MapServer"))" copy-unmatched-params="false" />
</when>
<otherwise />
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Issue is not reproducable:
I have an API management inbound policy where I can grab a users id from within a JWT. For the purpose of some testing, I then want API management to check in the policy, "Is this ID within the list of tester IDs that are allowed to access here"
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="myurl" />
</validate-jwt>
<set-header name="header-value-userId" exists-action="override">
<value>#(context.Request.Headers.GetValueOrDefault("Authorization").AsJwt()?.Claims.GetValueOrDefault("oid"))</value>
</set-header>
<!--
PSEUDOCDOE below to describe my intention
How can I check that the abover header-value-userId value is within a hardcoded list at this point?
#{
string[] userList = ["user1", "user2", "user3"];
var match = userList.FirstOrDefault(x => x.Contains(header-value-userId));
if(match == null)
return bad request
}
-->
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Thanks for any help.
--- UPDATE ---
Thanks to the answer from Markus Meyer I now have this working. See below my now full working example.
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="myurl" />
</validate-jwt>
<set-variable name="isValidUser" value="#{
var email = context.Request.Headers.GetValueOrDefault("Authorization").AsJwt()?.Claims.GetValueOrDefault("emails");
string[] emailList = new string[] { "email1#gmail.com", "email2#gmail.com" };
var match = emailList.Any(x => x.Contains(email));
if(match == true)
{
return true;
}
return false;
}" />
<choose>
<when condition="#(context.Variables.GetValueOrDefault<bool>("isValidUser") == false)">
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>#("{\"status\": \"" + "User not valid" + "\"}")</set-body>
</return-response>
</when>
<otherwise>
<return-response>
<set-status code="200" reason="Valid" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>#("{\"status\": \"" + "User valid" + "\"}")</set-body>
</return-response>
</otherwise>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Using the choose policy allows you to check a boolean condition.
In the current example, the condition is set in the set-variable policy
return-response will return your wanted response.
Complete example:
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="myurl" />
</validate-jwt>
<set-header name="header-value-userId" exists-action="override">
<value>#(context.Request.Headers.GetValueOrDefault("Authorization").AsJwt()?.Claims.GetValueOrDefault("oid"))</value>
</set-header>
<set-variable name="isValidUser" value="#{
string[] userList = new string[] { "user1", "user2", "user3" };
var match = userList.FirstOrDefault(x => x.Contains("header-value-userId"));
if(match == null)
{
return true;
}
return false;
}" />
<choose>
<when condition="#(context.Variables.GetValueOrDefault<bool>("isValidUser") == false)">
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="Content-Type" exists-action="override">
<value>application/json</value>
</set-header>
<set-body>#("{\"status\": \"" + "User not valid" + "\"}")</set-body>
</return-response>
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
A few things to note:
This this the correct code for the string[]:
string[] userList = new string[] { "user1", "user2", "user3" };
There's no need to store the usereId into the header. The value can also be stored in a variable.
We are creating our API management instance and associated endpoints through Terraform. All our API endpoints (close to a hundred) share the same policy logic for routing the request to an Azure function.
An example policy is like so -
resource "azurerm_api_management_api_operation_policy"
"api_put_policy" {
api_name = azurerm_api_management_api.my_api.name
resource_group_name = azurerm_resource_group.main.name
api_management_name = azurerm_api_management.my_api.name
operation_id = azurerm_api_management_api_operation.my_api.operation_id
xml_content = <<XML
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("Key") == "password")">
<set-backend-service base-url="${data.azurerm_function_app.MyFunctionApp.default_hostname}" />
</when>
<when condition="#(context.Request.Headers.GetValueOrDefault("Key") != null)">
<return-response>
<set-status code="400" reason="Bad Request" />
<set-body>An incorrect Key header has been passed in the request</set-body>
</return-response>
</when>
<otherwise>
<set-backend-service base-url="${other-route-variable}" />
</otherwise>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
So we have the same XML_content being used on every API endpoint, only the variables get set differently depending what function app is going to be routed to.
Is there a way this xml content could be moved into a file where parameters can be passed through to then generate the XML for every API policy so we have the logic stored in only one place?
I have looked at a variety of uses of the file() function but can't see anything that could be done to achieve what I need here.
Thanks
Yes, you can use the templatefile function for that [1]. The templatefile function works in the following way:
templatefile(path, vars)
Where the path represents the file location and the vars are a map of variables that will be used to replace the placeholders in the file itself. I will give an example based on the XML file you have. You would first create the template file inside of the same directory probably (e.g., xml_content.tpl):
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.Headers.GetValueOrDefault("Key") == ${password})">
<set-backend-service base-url="${hostname_url}" />
</when>
<when condition="#(context.Request.Headers.GetValueOrDefault("Key") != null)">
<return-response>
<set-status code="400" reason="Bad Request" />
<set-body>An incorrect Key header has been passed in the request</set-body>
</return-response>
</when>
<otherwise>
<set-backend-service base-url="${other-route-variable}" />
</otherwise>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
Notice that I removed the password value and the data source output in url. Those will now expect variables with names password and hostname_url to be provided when using the templatefile function:
resource "azurerm_api_management_api_operation_policy" "api_put_policy" {
api_name = azurerm_api_management_api.my_api.name
resource_group_name = azurerm_resource_group.main.name
api_management_name = azurerm_api_management.my_api.name
operation_id = azurerm_api_management_api_operation.my_api.operation_id
xml_content = templatefile("${path.root}/xml_content.tpl",
password = var.password
hostname_url = data.azurerm_function_app.MyFunctionApp.default_hostname
)
}
Whenever this is called, it will look for the placeholder values and replace them. Two additional things to note:
With the current setup, the "${other-route-variable}" would be required to be provided in the templatefile function call, otherwise it would fail.
The path.root option is built-in in Terraform [2].
In theory, if you were to create a module from this to make it more portable, then you would just have to change the path to the file so it can be provided through a variable probably.
[1] https://www.terraform.io/language/functions/templatefile
[2] https://www.terraform.io/language/expressions/references#filesystem-and-workspace-info
How to prevent large file requests using Azure APIM?
Example: Block any POST request having file size > 50MB
You can apply the following policy for all your APIs. For each POST request, the policy will check the body size, and if the size is above 50MB, it will return status 413 - Payload Too Large.
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.Method == "POST")">
<set-variable name="bodySize" value="#(context.Request.Headers["Content-Length"][0])" />
<choose>
<when condition="#(int.Parse(context.Variables.GetValueOrDefault<string>("bodySize"))<52428800)">
<!--let it pass through by doing nothing-->
</when>
<otherwise>
<return-response>
<set-status code="413" reason="Payload Too Large" />
<set-body>#{
return "Maximum allowed size for the POST requests is 52428800 bytes (50 MB). This request has size of "+ context.Variables.GetValueOrDefault<string>("bodySize") +" bytes";
}
</set-body>
</return-response>
</otherwise>
</choose>
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
There are policies called quota-by-Key and quota-by-subscription , which will help the users to block the calls that exceed the bandwidth specified. Please verify this link for more details.enter link description here