Add the Product Match Any policy fragment

simonkurtz-MSFT · simonkurtz-MSFT · commit 4ccd06dae650 · 2025-06-26T00:30:42.000-04:00
diff --git a/infrastructure/afd-apim-pe/create.ipynb b/infrastructure/afd-apim-pe/create.ipynb
@@ -38,6 +38,7 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
diff --git a/infrastructure/apim-aca/create.ipynb b/infrastructure/apim-aca/create.ipynb
@@ -36,6 +36,7 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
diff --git a/infrastructure/simple-apim/create.ipynb b/infrastructure/simple-apim/create.ipynb
@@ -36,6 +36,7 @@
     "    PolicyFragment('AuthZ-Match-All', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-all.xml')), 'Authorizes if all of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('AuthZ-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-authz-match-any.xml')), 'Authorizes if any of the specified roles match the JWT role claims.'),\n",
     "    PolicyFragment('Http-Response-200', utils.read_policy_xml(utils.determine_shared_policy_path('pf-http-response-200.xml')), 'Returns a 200 OK response for the current HTTP method.'),\n",
+    "    PolicyFragment('Product-Match-Any', utils.read_policy_xml(utils.determine_shared_policy_path('pf-product-match-any.xml')), 'Proceeds if any of the specified products match the context product name.'),\n",
     "    PolicyFragment('Remove-Request-Headers', utils.read_policy_xml(utils.determine_shared_policy_path('pf-remove-request-headers.xml')), 'Removes request headers from the incoming request.')\n",
     "]\n",
     "\n",
diff --git a/shared/apim-policies/fragments/pf-product-match-any.xml b/shared/apim-policies/fragments/pf-product-match-any.xml
@@ -0,0 +1,24 @@
+<!--
+    - Expected context variables:
+      - "products": A csv of product names to check against. Any match will allow the policy to continue processing.
+      
+    - This fragment only blocks access (returns 403) when no products match. If any product matches, processing continues normally.
+-->
+<fragment>
+    <choose>
+        <!-- Check if NONE of the allowed products match the context product name -->
+        <when condition="@{
+            var allowedProducts = context.Variables.GetValueOrDefault<string>("products", "").ToString().Split(',');
+            var contextProduct = context.Product != null ? context.Product.Name.ToLower().Trim() : string.Empty;
+        
+            // Check if NO allowed product matches the product names in the context
+            return !allowedProducts.Any(product => contextProduct.Contains(product.Trim().ToLower()));
+        }">
+            <return-response>
+                <set-status code="403" reason="Forbidden" />
+                <set-body>Access denied - no matching product found</set-body>
+            </return-response>
+        </when>
+        <!-- If products match, continue processing (no action needed) -->
+    </choose>
+</fragment>
