Access Control Policy And Flow Variables

Hi,

I need to configure IP whitelisting. I'm doing that by implementing an Access Control policy, but I need to manage dynamic IP addresses. Is it supported by the Access Control policy to load IP addresses from flow variables (as in the example)?

<MatchRule action="ALLOW">
  <SourceAddress mask="32">{ipaddress}</SourceAddress>
</MatchRule>

Or, as with regexes in the Regex policy, is this not supported?

Nope, it's not. Not currently. There's an outstanding feature request asking for that very thing.

In the meantime, you could get what you want with some simple JavaScript. Basically, just inspect the client.ip context variable and compare it to whatever you like.

var ip = context.getVariable('client.ip');
// the allow-list lives in a context variable, here as a JSON array string
var whiteList = context.getVariable('ip_whitelist');
// parse it into an array; treat a missing variable as an empty list (fail closed)
whiteList = whiteList ? JSON.parse(whiteList) : [];
if (whiteList.indexOf(ip) === -1) {
  throw new Error("illegal IP");
}

The JS can refer to a dynamic list stored in a context variable, in the same way it retrieves the client.ip.

@Dino How can we handle mask with this approach?

Hi Tariq. I don't understand your question.

Maybe you could post it as a new question? and add some details.

But we have to white-list IP addresses based on CIDR notation. I don't want to store 100 IP addresses in a KVM and then look them up in JavaScript.

If you have 100 known CIDRs, why not just embed them into the AccessControl policy?

That's the purpose of the policy.
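The JavaScript approach suggested earlier in the thread can be extended to CIDR entries, which is what the follow-up question asks for. The block below is an added example and is not code from the thread or from Apigee; it is written in ES5 so it runs both under Node and in an Apigee JavaScript policy (Rhino). The variable name ip_whitelist, the sample list, and the idea of populating that variable from a KVM are assumptions; client.ip is the context variable named in the thread.

```javascript
// Added example (not from the thread): IPv4 allow-list check with CIDR support.
// Arithmetic is done on plain numbers to avoid JavaScript's signed 32-bit bit-op wraparound.

// Parse a dotted-quad IPv4 string into an integer 0..4294967295, or null if malformed.
function ipv4ToInt(ip) {
  var parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var v = parseInt(parts[i], 10);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Parse "a.b.c.d/bits" (or a bare "a.b.c.d", treated as /32) into an inclusive
// numeric range; returns null for malformed input. Host bits in the base are cleared.
function parseCidr(entry) {
  var slash = entry.indexOf('/');
  var ipPart = slash === -1 ? entry : entry.substring(0, slash);
  var bits = slash === -1 ? 32 : parseInt(entry.substring(slash + 1), 10);
  var base = ipv4ToInt(ipPart);
  if (base === null || isNaN(bits) || bits < 0 || bits > 32) return null;
  var size = Math.pow(2, 32 - bits);
  var start = Math.floor(base / size) * size;
  return { start: start, end: start + size - 1 };
}

// True only if clientIp is a valid IPv4 address that falls inside at least one list entry.
// Unparseable client addresses and malformed list entries never produce a match (fail closed).
function isAllowed(clientIp, allowList) {
  var ipInt = ipv4ToInt(clientIp);
  if (ipInt === null) return false;
  for (var i = 0; i < allowList.length; i++) {
    var range = parseCidr(String(allowList[i]).replace(/^\s+|\s+$/g, ''));
    if (range === null) continue;
    if (ipInt >= range.start && ipInt <= range.end) return true;
  }
  return false;
}

// Constructed sample list, in the shape one might store as a JSON array in a KVM entry.
var SAMPLE_ALLOW_LIST = ["10.0.0.0/8", "192.168.1.0/24", "203.0.113.7"];

// Glue for an Apigee JavaScript policy; only runs where the 'context' object exists.
// 'ip_whitelist' is a hypothetical variable name, e.g. filled by a KeyValueMapOperations policy.
if (typeof context !== 'undefined') {
  var clientIp = context.getVariable('client.ip');
  var raw = context.getVariable('ip_whitelist');
  var list = raw ? JSON.parse(raw) : [];
  if (!isAllowed(clientIp, list)) {
    throw new Error('IP not in allow list');
  }
}
```

Two points worth checking before relying on this: confirm which context variable carries the real client address in your deployment (a load balancer in front of the router can make the directly observed address useless), and keep the list in a variable you control, since a malformed entry is skipped here rather than matching everything.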

Hi, is this feature still not in Apigee yet?

The capability is not available in Apigee Edge.

@Dino @Dino-at-Google

I saw that in cloud release 19.03.01 (see item # 117659213) that using a variable template is now supported. Can you provide an example of how to use the functionality? We have tried essentially the same thing above and the shared flow that contains the policy does not deploy.

The AccessControl Policy documentation has been updated to reflect the use of variables

The AccessControl policy now allows for variables to be referenced for the mask and IP addresses. Please see the updated documentation page for details on usage.

Hi Omid, but it still says one IP in a variable. If you look at the requirement above, which has an IP with a mask, do you mean we can achieve that now?

Is it now possible to store a list of IP addresses in a key and use that key in the Access Control policy as a variable to match against the client IP address?

I am interested in the same functionality. Did you find anything in the end?

Can you be more specific? Also, please ask a new question as a new question, not as a comment on an old question thread.