Milestone 1.7.0 fix/authx pro wrong policy xml (#77)

Co-authored-by: Copilot <[email protected]>

Author: simonkurtz-MSFT

README.md

@@ -22,7 +22,7 @@ _Try it out, learn from it, apply it in your setups._
 |:----------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | [Simple API Management](./infrastructure/simple-apim)                             | Just the basics with a publicly accessible API Management instance fronting your APIs. This is the innermost way to experience and experiment with the APIM policies. |
 | [API Management & Container Apps](./infrastructure/apim-aca)                      | APIs are often implemented in containers running in Azure Container Apps. This architecture accesses the container apps publicly. It's beneficial to test both APIM and container app URLs here to contrast and compare experiences of API calls through and bypassing APIM. It is not intended to be a security baseline. |
-| [Secure Front Door & API Management & Container Apps](./infrastructure/afd-apim)  | A higher-fidelity implementation of a secured setup in which Azure Front Door connects to APIM via the new private link integration. This traffic, once it traverses through Front Door, rides entirely on Microsoft-owned and operated networks. Similarly, the connection from APIM to Container Apps is secured but through a VNet configuration (it is also entirely possible to do this via private link). APIM Standard V2 is used here to accept a private link from Front Door. |
+| [Secure Front Door & API Management & Container Apps](./infrastructure/afd-apim-pe)  | A higher-fidelity implementation of a secured setup in which Azure Front Door connects to APIM via the new private link integration. This traffic, once it traverses through Front Door, rides entirely on Microsoft-owned and operated networks. Similarly, the connection from APIM to Container Apps is secured but through a VNet configuration (it is also entirely possible to do this via private link). APIM Standard V2 is used here to accept a private link from Front Door. |
 
 ## 📁 List of Samples
 
@@ -291,4 +291,4 @@ Furthermore, [Houssem Dellai](https://github.com/HoussemDellai) was instrumental
 
 [Andrew Redman](https://github.com/anotherRedbeard) for contributing the _Azure Maps_ sample.
 
-The original author of this project is [Simon Kurtz](https://github.com/simonkurtz-msft).
+The original author of this project is [Simon Kurtz](https://github.com/simonkurtz-msft).

infrastructure/afd-apim-pe/create.ipynb

@@ -38,16 +38,17 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
     "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
-    "hello_world_policy_xml  = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
+    "pol_hello_world  = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
     "\n",
     "# Hello World (Root)\n",
-    "api_hwroot_get  = GET_APIOperation('This is a GET for API 1', hello_world_policy_xml)\n",
+    "api_hwroot_get  = GET_APIOperation('This is a GET for API 1', pol_hello_world)\n",
     "api_hwroot      = API('hello-world', 'Hello World', '', 'This is the root API for Hello World', operations = [api_hwroot_get])\n",
     "\n",
     "apis: List[API] = [api_hwroot]\n",
@@ -56,22 +57,22 @@
     "if use_ACA:\n",
     "    utils.print_info('ACA APIs will be created.')\n",
     "\n",
-    "    backend_policy_xml          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)\n",
-    "    aca_backend_1_policy_xml    = backend_policy_xml.format(backend_id = 'aca-backend-1')\n",
-    "    aca_backend_2_policy_xml    = backend_policy_xml.format(backend_id = 'aca-backend-2')\n",
-    "    aca_backend_pool_policy_xml = backend_policy_xml.format(backend_id = 'aca-backend-pool')\n",
+    "    pol_backend          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)\n",
+    "    pol_aca_backend_1    = pol_backend.format(backend_id = 'aca-backend-1')\n",
+    "    pol_aca_backend_2    = pol_backend.format(backend_id = 'aca-backend-2')\n",
+    "    pol_aca_backend_pool = pol_backend.format(backend_id = 'aca-backend-pool')\n",
     "\n",
     "    # Hello World (ACA Backend 1)\n",
     "    api_hwaca_1_get = GET_APIOperation('This is a GET for Hello World on ACA Backend 1')\n",
-    "    api_hwaca_1 = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', policyXml = aca_backend_1_policy_xml, operations = [api_hwaca_1_get])\n",
+    "    api_hwaca_1 = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', policyXml = pol_aca_backend_1, operations = [api_hwaca_1_get])\n",
     "\n",
     "    # Hello World (ACA Backend 2)\n",
     "    api_hwaca_2_get = GET_APIOperation('This is a GET for Hello World on ACA Backend 2')\n",
-    "    api_hwaca_2 = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', policyXml = aca_backend_2_policy_xml, operations = [api_hwaca_2_get])\n",
+    "    api_hwaca_2 = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', policyXml = pol_aca_backend_2, operations = [api_hwaca_2_get])\n",
     "\n",
     "    # Hello World (ACA Backend Pool)\n",
     "    api_hwaca_pool_get = GET_APIOperation('This is a GET for Hello World on ACA Backend Pool')\n",
-    "    api_hwaca_pool = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', policyXml = aca_backend_pool_policy_xml, operations = [api_hwaca_pool_get])\n",
+    "    api_hwaca_pool = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', policyXml = pol_aca_backend_pool, operations = [api_hwaca_pool_get])\n",
     "\n",
     "    # Add ACA APIs to the existing apis array\n",
     "    apis += [api_hwaca_1, api_hwaca_2, api_hwaca_pool]\n",

infrastructure/apim-aca/create.ipynb

@@ -36,33 +36,34 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
     "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
-    "hello_world_policy_xml      = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
-    "backend_policy_xml          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)\n",
-    "aca_backend_1_policy_xml    = backend_policy_xml.format(backend_id = 'aca-backend-1')\n",
-    "aca_backend_2_policy_xml    = backend_policy_xml.format(backend_id = 'aca-backend-2')\n",
-    "aca_backend_pool_policy_xml = backend_policy_xml.format(backend_id = 'aca-backend-pool')\n",
+    "pol_hello_world      = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
+    "pol_backend          = utils.read_policy_xml(BACKEND_XML_POLICY_PATH)\n",
+    "pol_aca_backend_1    = pol_backend.format(backend_id = 'aca-backend-1')\n",
+    "pol_aca_backend_2    = pol_backend.format(backend_id = 'aca-backend-2')\n",
+    "pol_aca_backend_pool = pol_backend.format(backend_id = 'aca-backend-pool')\n",
     "\n",
     "# Hello World (Root)\n",
-    "api_hwroot_get = GET_APIOperation('This is a GET for Hello World in the root', hello_world_policy_xml)\n",
+    "api_hwroot_get = GET_APIOperation('This is a GET for Hello World in the root', pol_hello_world)\n",
     "api_hwroot  = API('hello-world', 'Hello World', '', 'This is the root API for Hello World', operations = [api_hwroot_get])\n",
     "\n",
     "# Hello World (ACA Backend 1)\n",
     "api_hwaca_1_get = GET_APIOperation('This is a GET for Hello World on ACA Backend 1')\n",
-    "api_hwaca_1 = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', policyXml = aca_backend_1_policy_xml, operations = [api_hwaca_1_get])\n",
+    "api_hwaca_1 = API('hello-world-aca-1', 'Hello World (ACA 1)', '/aca-1', 'This is the ACA API for Backend 1', policyXml = pol_aca_backend_1, operations = [api_hwaca_1_get])\n",
     "\n",
     "# Hello World (ACA Backend 2)\n",
     "api_hwaca_2_get = GET_APIOperation('This is a GET for Hello World on ACA Backend 2')\n",
-    "api_hwaca_2 = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', policyXml = aca_backend_2_policy_xml, operations = [api_hwaca_2_get])\n",
+    "api_hwaca_2 = API('hello-world-aca-2', 'Hello World (ACA 2)', '/aca-2', 'This is the ACA API for Backend 2', policyXml = pol_aca_backend_2, operations = [api_hwaca_2_get])\n",
     "\n",
     "# Hello World (ACA Backend Pool)\n",
     "api_hwaca_pool_get = GET_APIOperation('This is a GET for Hello World on ACA Backend Pool')\n",
-    "api_hwaca_pool = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', policyXml = aca_backend_pool_policy_xml, operations = [api_hwaca_pool_get])\n",
+    "api_hwaca_pool = API('hello-world-aca-pool', 'Hello World (ACA Pool)', '/aca-pool', 'This is the ACA API for Backend Pool', policyXml = pol_aca_backend_pool, operations = [api_hwaca_pool_get])\n",
     "\n",
     "# APIs Array\n",
     "apis: List[API] = [api_hwroot, api_hwaca_1, api_hwaca_2, api_hwaca_pool]\n",

infrastructure/simple-apim/create.ipynb

@@ -36,16 +36,17 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
     "# 4) Define the APIs and their operations and policies\n",
     "\n",
     "# Policies\n",
-    "hello_world_policy_xml = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
+    "pol_hello_world = utils.read_policy_xml(HELLO_WORLD_XML_POLICY_PATH)\n",
     "\n",
     "# Hello World (Root)\n",
-    "api_hwroot_get = GET_APIOperation('This is a GET for API 1', hello_world_policy_xml)\n",
+    "api_hwroot_get = GET_APIOperation('This is a GET for API 1', pol_hello_world)\n",
     "api_hwroot = API('hello-world', 'Hello World', '', 'This is the root API for Hello World', operations = [api_hwroot_get])\n",
     "\n",
     "# APIs Array\n",