我有以下策略语法,当与GET请求一起传递时,该策略仅适用于一个证书。
<choose>
<when condition="@(context.Request.Certificate != null && !context.Request.Certificate.Issuer.Contains("CN=itv.mit-xperts.com"))">
<return-response>
<set-status code="403" reason="Invalid client certificate Issuer" />
</return-response>
</when>
</choose>
如果我使用策略在两个证书之间进行验证,那么它将始终转到403,因为OR语句总是返回true:
<choose>
<when condition="@((context.Request.Certificate != null) && (!context.Request.Certificate.Issuer.Contains("CN=itv.mit-xperts.com") || !context.Request.Certificate.Issuer.Contains("CN=DigiCert Test SHA2 Intermediate CA-1")))">
<return-response>
<set-status code="403" reason="Invalid client certificate Issuer" />
</return-response>
</when>
</choose>
API在没有证书的情况下工作,但如果证书通过,则"何时"标记可能会采取行动,也可能不会采取行动。我希望只有在使用任何其他颁发者的证书时,条件才能转到403。颁发者信息根据证书包含许多不同的属性,但CN=某些文本仍然很常见
我对XML及其语法或函数一无所知。
以下Microsoft文档可能会有所帮助,但我没有找到任何可能有帮助的语法:
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients#checking-发行人和主体
https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions
https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies
您的问题似乎不在于语法,而在于布尔逻辑:
(context.Request.Certificate != null) &&
(
!context.Request.Certificate.Issuer.Contains("CN=itv.mit-xperts.com") ||
!context.Request.Certificate.Issuer.Contains("CN=DigiCert Test SHA2 Intermediate CA-1")
)
在发卡行不包含CN=itv.mit-xperts.com和不包含CN=itv.mit-xperts.com的任何时间,这将被评估为true
看起来你实际上想要的是一个AND条件:
(context.Request.Certificate != null) &&
(
!context.Request.Certificate.Issuer.Contains("CN=itv.mit-xperts.com") &&
!context.Request.Certificate.Issuer.Contains("CN=DigiCert Test SHA2 Intermediate CA-1")
)
只有当颁发者不包含CN=itv.mit-xperts.com并且它也不包含CN=DigiCert Test SHA2 Intermediate CA-1时,才会出现这种情况
或者,你可以将NOT移到括号外,将and改为OR,这可能更容易理解:
(context.Request.Certificate != null) &&
!(
context.Request.Certificate.Issuer.Contains("CN=itv.mit-xperts.com") ||
context.Request.Certificate.Issuer.Contains("CN=DigiCert Test SHA2 Intermediate CA-1")
)
当发卡行不包含CN=itv.mit-xperts.com或CN=DigiCert Test SHA2 Intermediate CA-1时,情况就是这样
看起来你也可以使用LINQ:
var validIssuers = new []
{
"CN=itv.mit-xperts.com",
"CN=DigiCert Test SHA2 Intermediate CA-1",
};
var issuer = context.Request?.Certificate.Issuer;
return issuer != null && !validIssuers.Any(i => issuer.Contains(i));