AccessControl variable SourceAddress

Hi,

I want to be able to store on each user app, as a custom attribute, the IP range they will be calling the proxies from, in order to use that value inside an AccessControl policy, something like:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AccessControl async="false" continueOnError="false" enabled="true" name="IP-Access-Control">
    <DisplayName>IP Access Control</DisplayName>
    <IPRules noRuleMatchAction="DENY">
        <MatchRule action="ALLOW">
            <SourceAddress mask="32">{verifyapikey.Verify-API-Key.ip-range}</SourceAddress>
        </MatchRule>
    </IPRules>
</AccessControl>

But that doesn't work. Is it possible to use a variable reference in that policy? I saw on another question that the proposed answer was to use a JS callout, but that answer was to only check for IP equality, and I would like to have the flexibility of CIDR notation (i.e. use masks a la /24) without having to manually implement it in JS.

Thanks

I understand the question.

Sadly, the SourceAddress is not dynamically specifiable.

There is an outstanding request in the backlog for the capability you seek: b/67167219

Do you have an enterprise account? If so, you may be able to raise the importance of this request by speaking with your sales contact.

Thanks for your reply Dino. We are in procurement for an enterprise account, so not for the time being.

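I managed to work around this using a JavaScript policy:

// Client address as seen by the proxy
var ip = context.getVariable('proxy.client.ip');
// Custom attribute on the app, populated by the Verify-API-Key policy
var mask = context.getVariable('verifyapikey.Verify-API-Key.iprange');

// inSubNet(ip, mask) is a helper that is not shown in this post
if (!inSubNet(ip, mask)) {
  throw new Error("Illegal IP: " + ip);
}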

Hello Dino

Is there any movement on the bug b/67167219? I have a similar requirement.

Unfortunately it won't work for a dynamic list of IPs. Example: We might have a varying list of IPs in KVMs and how do we handle that scenario?

Use a JavaScript policy to implement the needed custom logic to suit how you're storing this in the KVM.
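
The CIDR check that the JavaScript workaround above calls, extended to the list case raised for KVM-stored ranges, as an added example that is not code from any poster in this thread. It assumes IPv4 only and a comma-separated list of ranges in the variable; `ipv4ToInt` and `isAllowed` are hypothetical helper names, and the syntax is kept to ES5.

```javascript
// Added example: IPv4 CIDR matching for an Apigee JavaScript policy (ES5 syntax).
// inSubNet is the helper name used in the thread; the other names are hypothetical.

// Parse a strict dotted-quad address into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  var parts = String(ip).trim().split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    // Reject empty octets, signs, and leading zeros (octal ambiguity).
    if (!/^(0|[1-9]\d{0,2})$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip lies inside cidr ("10.1.2.0/24"); a bare address means /32.
function inSubNet(ip, cidr) {
  var pieces = String(cidr).trim().split('/');
  if (pieces.length > 2) return false;
  var addr = ipv4ToInt(ip);
  var base = ipv4ToInt(pieces[0]);
  var bits = 32;
  if (pieces.length === 2) {
    if (!/^\d{1,2}$/.test(pieces[1])) return false;
    bits = parseInt(pieces[1], 10);
  }
  if (addr === null || base === null || bits > 32) return false;
  // JS shift counts wrap at 32, so /0 needs its own case.
  var mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

// Check ip against a comma-separated CIDR list; a missing or empty list denies.
function isAllowed(ip, cidrList) {
  if (!ip || !cidrList) return false;
  return String(cidrList).split(',').some(function (c) {
    return inSubNet(ip, c);
  });
}

// In the policy, context is supplied by Apigee; guarded so the file also runs elsewhere.
if (typeof context !== 'undefined') {
  var ip = context.getVariable('proxy.client.ip');
  var ranges = context.getVariable('verifyapikey.Verify-API-Key.iprange');
  if (!isAllowed(ip, ranges)) throw new Error('Illegal IP: ' + ip);
}
```

Malformed addresses, malformed ranges and an unset variable all evaluate to "not allowed", so a missing custom attribute or KVM entry denies the call rather than opening it.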