conditions
Evaluate conditions and accept or reject the request
The conditions action evaluates a set of conditions and returns accept if all
conditions match, or reject if they do not. It is a shorthand for the common
pattern of using an if block to accept or reject a request based on
conditions.
The following conditions action:
conditions all {
    user.group == "admin";
    aaa.realm == "example.com";
}
is equivalent to:
if all {
    user.group == "admin";
    aaa.realm == "example.com";
} then {
    accept;
} else {
    reject;
}
Syntax
conditions <all | any | none> {
    <namespace attribute> <comparison operator> <value>;
    <namespace attribute> <comparison operator> [<value> <value> <value>];
    ...
}
Supported matching strategies are:
- all: All condition rules must match for the request to be accepted
- any: At least one condition rule must match for the request to be accepted
- none: No condition rule may match for the request to be accepted
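The three strategies can be compared side by side with a small model. The following Python code is an added example, not part of the product or its documentation: it parses single-value rules written in the syntax above and evaluates them against a request context. The operator set is limited to the operators shown on this page, the names `parse`, `evaluate` and `decisions` are hypothetical, and the treatment of a missing attribute as "no match" is an assumption.

```python
import re

# Operators that appear on this page; the product's full operator set is not modelled.
OPS = {
    "==": lambda a, b: a == b,
    "starts": lambda a, b: a.startswith(b),
    "ends": lambda a, b: a.endswith(b),
    "contains": lambda a, b: b in a,
}
BLOCK = re.compile(r'conditions\s+(all|any|none)\s*\{(.*?)\}', re.S)
RULE = re.compile(r'([\w.]+)\s+(==|starts|ends|contains)\s+"([^"]*)"')

def parse(text):
    """Return (strategy, [(attribute, operator, value), ...]) for one block."""
    m = BLOCK.search(text)
    if not m:
        raise ValueError("no conditions block found")
    rules = []
    for stmt in filter(None, (s.strip() for s in m.group(2).split(";"))):
        r = RULE.fullmatch(stmt)
        if not r:
            # Fail closed on anything the model does not understand.
            raise ValueError(f"unsupported rule: {stmt!r}")
        rules.append(r.groups())
    return m.group(1), rules

def evaluate(text, ctx):
    """Model of the action: 'accept' or 'reject' for a request context dict."""
    strategy, rules = parse(text)
    # Assumption: a missing attribute never matches a rule.
    hits = [a in ctx and OPS[op](ctx[a], v) for a, op, v in rules]
    matched = {"all": all(hits), "any": any(hits), "none": not any(hits)}[strategy]
    return "accept" if matched else "reject"

# Constructed request context and policy text reusing the page's attributes.
REQUEST = {"user.group": "admin", "aaa.realm": "guest.example.com"}
POLICY = 'conditions %s { user.group == "admin"; aaa.realm == "example.com"; }'

def decisions(ctx=REQUEST):
    """Decision of the same rule set under each matching strategy."""
    return {s: evaluate(POLICY % s, ctx) for s in ("all", "any", "none")}

if __name__ == "__main__":
    print(decisions())
```

In this model a request that carries neither attribute is accepted by `none`, so a `none` block works as a deny-list and should not be the only gate on a request.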
Examples
Certificate verification pipeline
Use conditions in a TLS verification pipeline to validate certificate fields:
@verification {
    conditions all {
        cert.subject.cn == "test.server.some.company.com";
        cert.subject.o == "OSC Demo Certificates";
        cert.issuer.cn starts "OSC Test CA";
        cert.subject_alt.dns ends ".some.company.com";
        cert.subject_alt.dns contains "server";
    }
}
Simple realm gate
Accept only requests for a specific realm:
@execute {
    conditions all {
        aaa.realm == "corporate.example.com";
    }
}
See Also
- if - Conditional execution with then and else blocks
- accept - Unconditionally accept a request
- reject - Unconditionally reject a request
- Comparison Operators - for comparison operators
- Execution Context - for namespace attributes
- Data Types