Rules examples
==============

This page contains a few useful Perl expressions you can use in your
:ref:`Handler rules<rules>`, SAML/OIDC/CAS security
rules, 2FA Activation rules, etc.

Using session attributes
------------------------

Session attributes are visible in the Manager's Session browser; any
attribute you see there can be used in a rule.

- Restricting access to a single user:

::

   $uid eq "dwho"
   $uidNumber == 1000
   $cn eq "Doctor Who"
   $email eq "dwho@badwolf.org"

etc.

.. tip::

   In Perl, ``eq`` means *Equal* and must be used on strings.
   ``==`` must be used only on numbers: a non-numeric string is silently
   converted to ``0`` in a numeric comparison, so a rule like
   ``$uid == 0`` is true for every user whose ``uid`` is not a number.

.. danger::

   In Perl, the ``@`` character introduces an array and ``%`` a hash!
   If you want to write a macro containing these characters, you have to
   escape them like this:

   ::

      $my_email = "$uid\@my-domain.com"
      $percent = "$rate\%more"

   The same applies inside a regular expression, where an unescaped ``@``
   followed by a word also interpolates an array.

- Restricting access to specific groups

::

   $groups =~ /\b(?:admins|su)\b/ # admins OR su
   $groups =~ /\badmin_[1-3a]\b/ # admin_1 OR admin_2 OR admin_3 OR admin_a
   defined $hGroups->{'administrators'}
   # 2.0.8 and higher only
   inGroup('administrators')

``$groups`` is a single string listing all the user's groups, so keep the
``\b`` anchors (or use ``$hGroups`` / ``inGroup()``): ``/su/`` alone would
also match a group named ``super-users``.

- Combining multiple expressions

::

   inGroup('timelords') and not $uid eq 'missy'

- Using Perl's regular expressions

::

   $cn =~ /^Doctor.*/i
   $email !~ /\@spam\.com$/ # "@" and "." must be escaped
- Filtering on Authentication Level

::

   $authenticationLevel >= 3

- Filtering on Authentication method

::

   $_auth ne 'Demo'

- Checking if the user has an **available** second factor.

::

   # Since 2.0.10
   has2f()
   has2f('TOTP')
   has2f('TOTP') or has2f('U2F')

   # Before 2.0.10
   $_2fDevices =~ /"type":\s*"TOTP"/s

.. tip::

   In Perl, ``ne`` means *Not Equal* and must be used on
   strings, and ``!~`` means *does not match*. ``\b`` means *word Boundary*.
   ``(?:)`` means *non capturing* parentheses.

Using environment variables
---------------------------

- Comparing the IP address

::

   $env->{REMOTE_ADDR} =~ /^10\./

Keep the ``^`` anchor, otherwise an address such as ``192.168.10.1`` would
match too. Behind a reverse proxy, ``REMOTE_ADDR`` is the proxy's address,
not the client's.

- Comparing requested URI

::

   $env->{REQUEST_URI} =~ /test/

This pattern is unanchored: it matches ``test`` anywhere in the path or the
query string.
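To try these expressions outside the handler, the following stand-alone script (an added example, not LemonLDAP::NG's own code) evaluates the rules and macros from this page against a constructed session and request environment. It re-implements ``inGroup()`` and ``has2f()`` as simple stand-ins and uses a plain ``eval`` instead of the handler's Safe jail, so it illustrates the Perl semantics (``eq`` versus ``==``, the ``\b`` anchors, the escaped ``@``) rather than the exact LemonLDAP::NG runtime. The attribute values, the group names and the JSON in ``_2fDevices`` are made up.

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): a minimal evaluator for the rule
# syntax shown on this page. The real handler compiles rules in a Safe jail
# and provides inGroup()/has2f() itself; here each session attribute becomes
# a lexical scalar and the two helpers are hypothetical stand-ins.
use strict;
use warnings;
use JSON::PP qw(decode_json);

our $SESSION;    # session hash currently being evaluated, read by the helpers

# Hypothetical stand-ins for the inGroup() and has2f() rule helpers.
sub inGroup { my ($g) = @_; return exists $SESSION->{hGroups}{$g} ? 1 : 0 }

sub has2f {
    my ($type) = @_;
    my $devices = decode_json( $SESSION->{_2fDevices} || '[]' );
    return scalar grep { !defined $type or $_->{type} eq $type } @$devices;
}

# Compile a rule or macro into a sub. Every attribute whose name is a valid
# identifier is declared as "my $name", so "$uid" in the rule reads
# $s->{uid}; "$env" is the request environment. The expression goes on its
# own line so that a trailing "# comment" cannot swallow the closing brace.
sub compile_expr {
    my ( $expr, $attr_names ) = @_;
    my $decl = join '',
      map { "my \$$_ = \$s->{'$_'};" }
      grep { /^[A-Za-z_]\w*\z/ } @$attr_names;
    my $sub = eval "sub { my (\$s, \$env) = \@_; $decl\n$expr\n}";
    die "cannot compile [$expr]: $@" if $@;
    return $sub;
}

sub eval_expr {
    my ( $expr, $session, $env ) = @_;
    local $SESSION = $session;
    return compile_expr( $expr, [ keys %$session ] )->( $session, $env || {} );
}

sub eval_rule { return eval_expr(@_) ? 1 : 0 }    # a rule is used as a boolean

# Constructed sample session and request environment (not real data).
my %session = (
    uid                 => 'dwho',
    uidNumber           => 1000,
    cn                  => 'Doctor Who',
    email               => 'dwho@badwolf.org',
    groups              => 'timelords; super-users',
    hGroups             => { timelords => {}, 'super-users' => {} },
    authenticationLevel => 2,
    _auth               => 'Demo',
    _2fDevices          => '[{"type":"TOTP","name":"phone","epoch":1600000000}]',
);
my %env = ( REMOTE_ADDR => '10.1.2.3', REQUEST_URI => '/app/test?x=1' );

# Each rule with the result it yields for the session above.
my @cases = (
    [ '$uid eq "dwho"',                               1 ],
    [ '$uidNumber == 1000',                           1 ],
    [ '$uid == 0',                                    1 ],   # "dwho" numifies to 0 (Perl only warns on STDERR): == on a string grants everyone
    [ '$groups =~ /\bsu\b/',                          0 ],   # "super-users" is not the word "su"
    [ '$groups =~ /su/',                              1 ],   # without \b the substring matches: false positive
    [ 'inGroup("timelords") and not $uid eq "missy"', 1 ],
    [ 'inGroup("administrators")',                    0 ],
    [ '$email !~ /\@spam\.com$/',                     1 ],   # "@" and "." escaped
    [ '$authenticationLevel >= 3',                    0 ],
    [ '$_auth ne "Demo"',                             0 ],
    [ 'has2f()',                                      1 ],
    [ 'has2f("U2F")',                                 0 ],
    [ '$_2fDevices =~ /"type":\s*"TOTP"/s',           1 ],
    [ '$env->{REMOTE_ADDR} =~ /^10\./',               1 ],
    [ '$env->{REQUEST_URI} =~ /test/',                1 ],
);

for my $case (@cases) {
    my ( $rule, $expected ) = @$case;
    my $got = eval_rule( $rule, \%session, \%env );
    printf "%-48s -> %d%s\n", $rule, $got, $got == $expected ? '' : '  UNEXPECTED';
}

# Macros: the escaped form builds the address; the unescaped "@my" is parsed
# as an array and fails to compile under "use strict" (without strict it
# silently interpolates as an empty list and yields "dwho-domain.com").
my $addr = eval_expr( '"$uid\@my-domain.com"', \%session );
print "$addr\n";    # dwho@my-domain.com
eval { eval_expr( '"$uid@my-domain.com"', \%session ) };
print 'unescaped macro rejected: ', ( $@ ? 'yes' : 'no' ), "\n";
```

The ``$uid == 0`` line is the one to remember: Perl evaluates it as true and only emits an "isn't numeric" warning, which in the handler ends up in the logs while the rule silently grants access, so comparisons against string attributes must use ``eq``/``ne``.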