Radiator Server Documentation — v10.33.2

conditions

Evaluate conditions and accept or reject the request

Table of Contents
  • conditions
  • Syntax
  • Examples
      • Certificate verification pipeline
      • Simple realm gate
  • See Also

conditions

The conditions action evaluates a set of conditions using a matching strategy (all, any, or none) and returns accept if the conditions match under that strategy, or reject if they do not. It is shorthand for the common pattern of using an if block to accept or reject a request based on conditions.

The following conditions action:

conditions all {
    user.group == "admin";
    aaa.realm == "example.com";
}

is equivalent to:

if all {
    user.group == "admin";
    aaa.realm == "example.com";
} then {
    accept;
} else {
    reject;
}

Syntax

conditions <all | any | none> {
    <namespace attribute> <comparison operator> <value>;
    <namespace attribute> <comparison operator> [<value> <value> <value>];
    ...
}

Supported matching strategies are:

  • all: Every condition rule must match for the request to be accepted
  • any: At least one condition rule must match for the request to be accepted
  • none: No condition rule may match for the request to be accepted

Examples

Certificate verification pipeline

Use conditions in a TLS verification pipeline to validate certificate fields:

@verification {
    conditions all {
        cert.subject.cn == "test.server.some.company.com";
        cert.subject.o == "OSC Demo Certificates";
        cert.issuer.cn starts "OSC Test CA";
        cert.subject_alt.dns ends ".some.company.com";
        cert.subject_alt.dns contains "server";
    }
}
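
The matching strategies and the comparison operators used in the certificate example, modelled in Python as an added illustration (not Radiator code and not part of the original documentation). It assumes the operators are plain string comparisons on single-valued attributes and that a missing attribute does not match; the attribute sets are constructed samples.

```python
# Added illustration: a Python model of the rule semantics described above.
# Assumption: operators are plain string comparisons on single-valued attributes.
OPS = {
    "==": lambda a, v: a == v,
    "starts": lambda a, v: a.startswith(v),
    "ends": lambda a, v: a.endswith(v),
    "contains": lambda a, v: v in a,
}

# The five rules from the certificate verification example.
RULES = [
    ("cert.subject.cn", "==", "test.server.some.company.com"),
    ("cert.subject.o", "==", "OSC Demo Certificates"),
    ("cert.issuer.cn", "starts", "OSC Test CA"),
    ("cert.subject_alt.dns", "ends", ".some.company.com"),
    ("cert.subject_alt.dns", "contains", "server"),
]

def conditions(strategy, rules, attrs):
    """Return "accept" or "reject" the way the conditions action does."""
    # Assumption: a missing attribute counts as a non-match.
    hits = [name in attrs and OPS[op](attrs[name], value)
            for name, op, value in rules]
    matched = {"all": all(hits), "any": any(hits), "none": not any(hits)}[strategy]
    return "accept" if matched else "reject"

# Constructed sample attribute sets (not real certificates).
GOOD = {
    "cert.subject.cn": "test.server.some.company.com",
    "cert.subject.o": "OSC Demo Certificates",
    "cert.issuer.cn": "OSC Test CA 2",
    "cert.subject_alt.dns": "test.server.some.company.com",
}
OTHER_ISSUER = dict(GOOD, **{"cert.issuer.cn": "Some Other CA"})
# The domain only looks similar; the leading dot in the "ends" rule rejects it.
LOOKALIKE = dict(GOOD, **{"cert.subject_alt.dns": "server.notsome.company.com"})

if __name__ == "__main__":
    samples = [("good", GOOD), ("other issuer", OTHER_ISSUER),
               ("lookalike SAN", LOOKALIKE), ("no attributes", {})]
    for label, attrs in samples:
        print(label, {s: conditions(s, RULES, attrs) for s in ("all", "any", "none")})
```

In this model the lookalike name is rejected only because the `ends` value begins with a dot; the same rule written as `"some.company.com"` would accept it.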

Simple realm gate

Accept only requests for a specific realm:

@execute {
    conditions all {
        aaa.realm == "corporate.example.com";
    }
}

See Also
