Usage
Functional Behavior
The following matrix describes functional behavior when policies are configured as ((Policy1 || Policy2) && Policy3). This example policy is for reference to illustrate the functional behavior.
# | Policy Structure | Policy 1 Matched | Policy 2 Matched | Policy 3 Matched | Final Action |
---|---|---|---|---|---|
1 | ((Policy1 || Policy2) && Policy3) | No | No | No | DENY |
2 | ((Policy1 || Policy2) && Policy3) | Yes | No | No | DENY |
3 | ((Policy1 || Policy2) && Policy3) | Yes | Yes | No | DENY |
4 | ((Policy1 || Policy2) && Policy3) | No | Yes | No | DENY |
5 | ((Policy1 || Policy2) && Policy3) | No | No | Yes | DENY |
6 | ((Policy1 || Policy2) && Policy3) | Yes | Yes | Yes | ALLOW |
7 | ((Policy1 || Policy2) && Policy3) | Yes | No | Yes | ALLOW |
8 | ((Policy1 || Policy2) && Policy3) | No | Yes | Yes | ALLOW |
9 | ((Policy1 || Policy2) && Policy3) | Yes | Yes | N/A | ALLOW |
10 | ((Policy1 || Policy2) && Policy3) | Yes | No | N/A | ALLOW |
11 | ((Policy1 || Policy2) && Policy3) | No | Yes | N/A | ALLOW |
12 | ((Policy1 || Policy2) && Policy3) | No | No | N/A | DENY |
13 | ((Policy1 || Policy2) && Policy3) | No | N/A | N/A | DENY |
14 | ((Policy1 || Policy2) && Policy3) | Yes | N/A | N/A | ALLOW |
Various Scenarios
Standalone Match Policy
- Processing Adapter: com.mashery.proxy.customer.generic.api-policy-connector
- Perform Pre-processing: Yes
- Data to make available for pre-processing:
Policy Structure Example:
Policies: [ [{ "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "ArgumentLocation": "${request.remoteAddr}", "MatchExpression": ["12.34.567.89", "12.34.567.90"] }, { "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "Effect" : "Allow", "ArgumentLocation": "${request.headers.get('X-Forwarded-For')}", "MatchExpression": ["12.34.567.89", "12.34.567.90"] }], [{ "Name": "Match", "Operation": "ContainsAll", "Context": "Response", "Effect":"Deny", "ArgumentLocation": "${request.headers.get('API_Key')}", "MatchExpression": ["z5sq9cg2r8b4nxds52xqrqf3"] }] ]
Match Policy With Payload Processing
JsonPath Example:
- Processing Adapter: com.mashery.proxy.customer.generic.api-policy-connector
- Perform Pre-processing: Yes
- Data to make available for pre-processing:
Policy Structure Example:
Policies: [ [{ "Name": "Match", "Operation": "JsonPath", "Context": "Request", "ArgumentLocation": "${request.payload}", "MatchExpression": ["$.SearchRequest.api_key"] }] ]
Sample Json Request:{ "SearchRequest": { "api_key": "testkey", "search_url": "http://www.google.com" } }
- Data to make available for post-processing:
Policy Structure Example:
Policies: [ [{ "Name": "Match", "Operation": "JsonPath", "Context": "Response", "ArgumentLocation": "${response.payload}", "MatchExpression": ["$..book[0].title"] }] ]
Sample Json Response:{ "store": { "book": [ { "category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95 }, { "category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99, "apikey":"7wgtjgfwfrsttejgcmm3s6rq", } ], "bicycle": { "color": "red", "price": 19.95 } }, "expensive": 10 }
XPath Example:
- Processing Adapter: com.mashery.proxy.customer.generic.api-policy-connector
- Perform Pre-processing: Yes
- Data to make available for pre-processing:
Policy Structure Example:
Policies: [ [{ "Name": "Match", "Operation": "XPath", "Context": "Request", "ArgumentLocation": "${request.payload}", "MatchExpression": ["/employees/employee[@id=1]/firstName/text()"] }] ]
Sample XML Request:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <employees> <employee id="1"> <firstName>Lokesh</firstName> <lastName>Gupta</lastName> <department> <id>101</id> <name>IT</name> </department> </employee> <employee id="2"> <firstName>Brian</firstName> <lastName>Schultz</lastName> <department> <id>102</id> <name>HR</name> </department> </employee> </employees>
- Data to make available for post-processing:
Policy Structure Example:
Policies: [ [{ "Name": "Match", "Operation": "XPath", "Context": "Response", "ArgumentLocation": "${response.payload}", "MatchExpression": ["/employees/employee[@id=2]/firstName/text()"] }] ]
Sample XML Response:<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <employees> <employee id="1"> <firstName>Lokesh</firstName> <lastName>Gupta</lastName> <department> <id>101</id> <name>IT</name> </department> </employee> <employee id="2"> <firstName>Brian</firstName> <lastName>Schultz</lastName> <department> <id>102</id> <name>HR</name> </department> </employee> </employees>
For more details about XPath and JSONPath expression syntax, refer to the JSONPath and XPath User Guide.
Chaining Match Policy with OAuth2JWT for JWT Context
- Processing Adapter: com.mashery.proxy.customer.generic.oauth2-jwt-authenticator
- Perform Pre-processing: Yes
- Data to make available for pre-processing:
Policy Structure Example:
processors:com.mashery.proxy.customer.generic.api-policy-connector com.mashery.proxy.customer.generic.api-policy-connector.Policies: [ [{ "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "ArgumentLocation": "${request.remoteAddr}", "MatchExpression": ["12.34.567.89", "12.34.567.90"] }, { "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "ArgumentLocation": "${request.headers.get('X-Forwarded-For')}", "MatchExpression": ["12.34.567.89", "12.34.567.90] }], ] Policies:[ [{ "Name": "Match", "Operation": "ContainsAny", "Context": "JWTToken", "ArgumentLocation": "${jwtPayload.nonStandardClaims['roles']}", "MatchExpression": ["Admin", "Writer"] }] ]
Standard Chaining of Match Policy with other Connector and Processors
- Processing Adapter: Mashery_Proxy_Processor_Chain
- Perform Pre-processing: Yes
-
Data to make available for pre-processing:
Policy Structure Example:
processors:com.mashery.proxy.customer.generic.api-policy-connector, com.mashery.proxy.core.add-headers-processor com.mashery.proxy.customer.generic.api-policy-connector.Policies: [ [{ "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "ArgumentLocation": "${request.remoteAddr}", "MatchExpression": ["12.34.567.89", "12.34.567.90"] }, { "Name": "Match", "Operation": "ContainsAny", "Context": "Request", "ArgumentLocation": "${request.headers.get('X-Forwarded-For')}", "MatchExpression": ["12.34.567.89", "12.34.567.90] }], ] com.mashery.proxy.core.add-headers-processor.testKey:testValue