4 Replies Latest reply on Jan 4, 2017 3:50 AM by dcarson

    Matching a wildcard expression in a list of strings

    dcarson

      I've got a scenario where I've got to bypass some of our web gateway controls based on AD group membership and the URL they're accessing. The way I'd normally do this is along the lines of "If URL matches in list <list> AND Authenticated.UserGroups contains <whatever>". However, in this case I have a massive list of AD Groups and one to five URLs per group that members should be excluded from, so straight away I'd be looking at 60+ rules and this is only going to grow once the rule set goes live.

       

      My idea was to build a wildcard expression in a user defined variable and use that to retrieve the AD group name then search for the group name. For example;

      1. Set user-defined.regex to regex(<hostname>##<AD-Group-Prefix>(.*))
      2. Search the whitelist for anything matching user-defined.regex
        1. Whitelist will be a list of strings formatted like microsoft.com##<AD-Group-Prefix>WintelTeam
      3. Use List.Matches and some string functions to extract the full AD Group name (i.e. <AD-Group-Prefix>WintelTeam)
      4. Rule set then checks if Authenticated.UserGroups contains the retrieved AD Group

       

      Doing this in reverse would be easy, however unless I'm missing something there doesn't seem to be a way to do this. Can anyone suggest how I could do this or an alternative approach?

       

      Unfortunately consolidating the lists / groups is not an option as that's what my initial push was, as the per group whitelist can contain a few URLs we can't name the AD groups based on the site/host names, for the purposes of this assume there'll be no overlap with sites being in more than one group, but users may be in more than one group. I'm really hoping to avoid the "easy" way of doing this as it's going to result in an unmanageable rule set.

       

      Any suggestions would be greatly appreciated.

        • 1. Re: Matching a wildcard expression in a list of strings
          deathbywedgie

          I'm not able to try to build it out at this moment, but I bet you could do it with a maptype list, where domain names are the keys and comma or pipe delimited lists of groups are the values. I'd see it playing out something like this:

           

          1. Test URL.SmartMatch against the list of keys

          2. If it's true then use List.LastMatches to extract the first match and then look up the list of groups from the MapType list

          3. Convert the value string to a list and check whether the user's list of groups contains any match in that list

           

          I'd be interested in seeing the finished product if/when you get it working.

           

          /r/Chad

          • 2. Re: Matching a wildcard expression in a list of strings
            dcarson

            Thanks for that Chad, really appreciate you pointing me in the direction of MapType lists, I've pretty much achieved what I'm looking to do.

             

            I've not put together a finished product and wouldn't be able to upload it as it would be company property, but my PoC rule set goes something like this;

            1. I have a MapList of Key: <Hostname> Value: AD Group
            2. In the rule set I do Map.Keys(ListName) contains URL.Host -> Continue -> Set User-Defined.ExclusionGroup = Map.GetStringValue(ListName,List.LastMatches)
            3. I then do Authentication.UserGroups contains User-Defined.ExclusionGroup -> Continue -> Set.User-Defined.Bypass = True
            4. Set.User-Defined.Bypass can then be used as a parameter for whether or not future rules are triggered.

             

            Seems to work for what I'm trying to do and means I'm not trying to reinvent the wheel. Thank you very much for pointing me in the right direction.

            • 3. Re: Matching a wildcard expression in a list of strings
              deathbywedgie

              That sounds perfect except for one potential problem, but if it works for you guys then you should be good to go. The only problem I foresee is that if you require an exact host match and a group needs an entire domain then you'd have to have an entry for every possible hostname on a given domain. For instance, if they need all of google.com, you'd need google.com, www.google.com, docs.google.com, etc.

               

              If you use URL.SmartMatch the way I suggested and then compare it not to a list object but to Map.Keys(ListName) as you mentioned, then you could put specific hosts when you still want to or you could put top level domain names. (Full URLs would work too if you need them.)

              • 4. Re: Matching a wildcard expression in a list of strings
                dcarson

                Thanks again, I've updated the rule set to use URL.SmartMatch, it's not really required just now, but I may as well make things as future proof as possible.
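
The map-list lookup worked out in this thread, modelled in Python as an added example; it is not part of the original posts and is not Web Gateway rule syntax. The table, group names and function names are constructed, and `domain_match` is an assumption about how a domain-level key should behave (whole DNS labels only), not a description of how URL.SmartMatch works internally.

```python
# Added example: models the MapType-list bypass lookup discussed in the thread.
# All names and sample data are constructed; this is not Web Gateway code.

# Constructed map: key = host or domain (lower case),
# value = pipe-delimited AD groups allowed to bypass controls for that key.
EXCLUSIONS = {
    "microsoft.com": "GRP-WintelTeam",
    "docs.google.com": "GRP-DocsUsers|GRP-Audit",
}


def normalise(host):
    """Lower-case the host and drop surrounding space and a trailing dot."""
    return host.strip().lower().rstrip(".")


def exact_match(host, keys):
    """Exact host comparison, like 'Map.Keys(ListName) contains URL.Host'."""
    host = normalise(host)
    return host if host in keys else None


def domain_match(host, keys):
    """Return the most specific key that is the host or a parent domain of it.

    Comparison is on whole DNS labels, so 'notmicrosoft.com' and
    'microsoft.com.example.net' do not match the key 'microsoft.com'.
    """
    labels = normalise(host).split(".")
    for i in range(len(labels)):  # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in keys:
            return candidate
    return None


def bypass(host, user_groups, matcher=domain_match, table=EXCLUSIONS):
    """True if the user belongs to a group mapped to the requested host."""
    key = matcher(host, table)
    if key is None:
        return False
    # AD group names are compared case-insensitively.
    allowed = {g.strip().lower() for g in table[key].split("|") if g.strip()}
    return any(g.lower() in allowed for g in user_groups)
```

With exact matching, `www.microsoft.com` gets no bypass unless it has its own key; with label-boundary domain matching one key covers the whole domain without also covering look-alike hosts.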