Groovy script rules and OAuth Groovy script rules must end execution with a Matcher instance. This could either be a Matcher from the list of PingAccess Matchers or from the Hamcrest library. For more information on Hamcrest, see the Hamcrest Tutorial.
Examples
In the following example, the Simple Groovy rule inserts a custom HTTP header, and the script ends with a call to the Matcher
pass()
. The pass()
Matcher signals that the
rule has passed.
test = "let's get Groovy!"
exc?.response?.header?.add("X-Groovy", "$test")
pass()
In the following example, the OAuth Groovy rule checks the HTTP
method and confirms the OAuth scope, and a Matcher is evaluated at the end of each
line of execution. The first Matcher used is the hasScope()
Matcher
that confirms if the OAuth access token has the WRITE
scope. If
this is true, the rule passes.
//Get the HTTP method name
def methodName = exc?.request?.method?.methodName()
if (methodName == "POST") {
hasScope("WRITE")
} else {
fail()
}
The fail()
Matcher combination is evaluated when the
methodName
does not equal POST
. This Matcher
combination evaluates to false.
PingAccess Matchers
The following table lists the PingAccess Matchers available for the Groovy script rule and the OAuth Groovy script rule.
Matcher | Description |
---|---|
|
Signals that the rule has passed. |
|
Signals that the rule has failed. |
|
Validates the source IP address of the request against the cidrstring parameter in CIDR notation. When source IP headers defined in the HTTP Requests page are found, the source IP address determined from those headers is used as the source address. For agents, this value is also potentially controlled by the override options on the gent settings. Example:
|
|
Validates the source IP address against the ipAddress and the prefixSize parameters specified individually. When source IP headers defined in the HTTP Requests page are found, the source IP address determined from those headers is used as the source address. For agents, this value is also potentially controlled by the override options on the Agent settings. Example:
|
|
Validates the source IP address in the first of the specified headerNames using the cidr value. Can be specified as part of a Groovy script as a means of overriding the configuration stored in PingAccess for a specific Groovy script rule. Valid values for the listValueLocation parameter are FIRST, LAST, and ANY. This parameter controls where, in a multivalued list of source IP addresses, the last source should be taken from. If ANY is used, if any of the source IP addresses in a matching header match the CIDR value, the Matcher evaluates to true. Example:
|
|
Validates the source IP address in the first of the specified headerNames using the address and prefixSize values. In all other respects, this Matcher behaves the same as the version that uses a cidr value for comparison. Example:
|
|
Validates that the value returned by the xPathString parameter is equal to the xPathValue parameter. Example:
|
|
Validates that the current server time is between the startTime and endTime parameters. Example:
|
|
Validates that the current server time is between the specified 24-hour formatted time range between the startTime and endTime parameters. Example:
|
|
Validates that the HTTP header field value is equal to the value parameter. Example:
|
|
Validates that all of the HTTP header fields map to the associated value. The first fieldValuesMap string contains the HTTP header name, and the second string contains the value to compare the incoming request header value with. The caseSensitive parameter determines whether a case-sensitive comparison is performed on the value. The second string in the fieldValuesMap supports Java regular expressions. If multiple pairs of strings are present in the fieldValuesMap parameter, then all conditions must be met in order for the Matcher to pass. Example:
|
|
Validates that all of the HTTP form fields maps to the associated value. The first fieldValuesMap string contains the form header name, and the second string contains the value to compare the incoming request header value with. The caseSensitive parameter determines whether a case-sensitive comparison is performed on the value. Note:
This Matcher determines whether to use fields passed in the URL or forms with a content-type header of application/x-www-form-urlencoded. The second string in the fieldValuesMap supports Java regular expressions. If multiple pairs of strings are present in the fieldValuesMap parameter, then all conditions must be met in order for the Matcher to pass. Example:
|
|
Validates that the HTTP header field value is not equal to the value parameter. Example:
|
|
Validates that the HTTP body contains the value parameter. Example:
|
|
Validates that the HTTP body does not contain the value parameter. Example:
|
|
Validates that the PingAccess token contains the attribute name and value. Example:
|
|
Validates that the PingAccess token contains a matching ACR value. |
The following table lists the PingAccess Matchers available to only the OAuth Groovy script rule.
Matcher | Description |
---|---|
|
Validates that the OAuth access token contains the scope parameter. Example:
|
|
Validates that the OAuth access token contains the list of scopes. Example:
|
|
Checks for an attribute value within the current OAuth2 policy context. Example:
|