Token Policy Path is being ignored

I have both the dashboard and gateway communicating together quite nicely. However, if I add a regex for a policy on an api that is defined as such: .*\/api\/patient:

And I only approve a POST method, my belief is that a GET request on the endpoint shouldn’t succeed. But contrary to what I believe, it works just fine. Why is my regex policy rule being ignored? I’ve checked the logs and there is no mention of loading the policy nor any errors.

Any help is appreciated,
Thanks.

The regex looks ok, and when tested against /api/patient works fine, but not against api/patient. I have a feeling that when Tyk is trying to match your path, it’s matching against the latter.

If the regex is not matched then the method won’t be checked either

When you do a hot reload (save an API or a Policy), your gateway logs (if you tail them) should reload and show you which policy IDs are loaded, like so:

[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 55d452f530c55e11c1000003
[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 564085e030c55e5c29000003
...
[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 123456787878
[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 5731f94930c55e39d7000003
[Jun  1 04:25:30]  INFO main: Gateway started (v2.1.0.3)
[Jun  1 04:25:30]  INFO main: --> Listening on port: 80

If your policy ID is not showing (the ID is in the URL of the policy detail view), then you’ll need to see if any policies are being loaded or how you have configured your policy loader.
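To make the two points above concrete (the path is matched without its leading slash, and the method list is only consulted once a regex matches), here is a small Go model of that check. It is an added example written for this thread, not Tyk's own code; the `AccessSpec` type, the `CheckAccess` function and the fall-through-when-nothing-matches behaviour are this example's assumptions based on the explanation above, not Tyk's internal types.

```go
package main

import (
	"fmt"
	"regexp"
)

// AccessSpec mirrors the shape of a policy's allowed-URL entry: a URL regex
// plus the HTTP methods permitted on it. (Hypothetical type for this example.)
type AccessSpec struct {
	URL     string
	Methods []string
}

// CheckAccess models the behaviour described in the thread: each spec's regex
// is tested against the request path as the gateway sees it (no leading
// slash); only when a regex matches is the method list consulted. A request
// that matches no spec falls through unrestricted, which is exactly why a
// regex that can never match looks like an "ignored" policy.
// It returns whether the request is allowed and which pattern decided it
// ("" when none matched).
func CheckAccess(specs []AccessSpec, path, method string) (bool, string, error) {
	for _, spec := range specs {
		re, err := regexp.Compile(spec.URL)
		if err != nil {
			return false, "", fmt.Errorf("bad pattern %q: %w", spec.URL, err)
		}
		if !re.MatchString(path) {
			continue // regex did not match: method is never checked
		}
		for _, m := range spec.Methods {
			if m == method {
				return true, spec.URL, nil
			}
		}
		return false, spec.URL, nil // matched, but method not in the allow list
	}
	return true, "", nil
}

func main() {
	// Constructed inputs: the pattern from the question versus one without
	// the leading slash, both evaluated against the slash-less path.
	withSlash := []AccessSpec{{URL: `.*\/api\/patient`, Methods: []string{"POST"}}}
	noSlash := []AccessSpec{{URL: `api\/patient`, Methods: []string{"POST"}}}

	for _, c := range []struct {
		name  string
		specs []AccessSpec
	}{{"leading slash in regex", withSlash}, {"no leading slash", noSlash}} {
		ok, matched, err := CheckAccess(c.specs, "api/patient", "GET")
		fmt.Printf("%-22s GET api/patient -> allowed=%v matched=%q err=%v\n", c.name, ok, matched, err)
	}
}
```

Run as written, the first case reports `allowed=true matched=""` (no pattern matched, so GET slipped through) and the second reports `allowed=false`, which is the behaviour the question expected.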

Hi Martin,

Thanks for the quick reply. Below is my log for when I do a policy update, there doesn’t seem to be any loading of policies at all.

Jun  1 11:21:14 Tyk1 tyk-analytics[1555]: time="Jun  1 11:21:14" level=info msg="Sending notification{PolicyChanged 56dda6b5dd1e2c28de000002}"
Jun  1 11:21:14 Tyk1 tyk[1588]: time="Jun  1 11:21:14" level=info msg="Reloading endpoints"
Jun  1 11:21:14 Tyk1 tyk[1588]: time="Jun  1 11:21:14" level=info msg="Initiating reload"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="Detected 1 APIs"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="--> Loading API: GateKeeper"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="----> Tracking: (no host)"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="----> Checking security policy: Token"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="Loading uptime tests..."
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="API reload complete"
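The check Martin describes (look for "Processing policy ID" lines in the reload output and confirm your policy's ID is among them) is easy to script. The following Go snippet is an added example for this thread, not part of Tyk; the sample log strings are constructed from the two log formats shown above, and the `policy_record_name` setting is not involved here, it only scans log text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// policyLine picks the ID out of a "--> Processing policy ID: <id>" message,
// whether it appears bare (first log format above) or inside a logrus
// msg="..." field (syslog-forwarded format).
var policyLine = regexp.MustCompile(`Processing policy ID: (\w+)`)

// LoadedPolicyIDs returns, in order of appearance, every policy ID the
// gateway reported processing during a reload or cold start.
func LoadedPolicyIDs(log string) []string {
	var ids []string
	for _, line := range strings.Split(log, "\n") {
		if m := policyLine.FindStringSubmatch(line); m != nil {
			ids = append(ids, m[1])
		}
	}
	return ids
}

// PolicyWasLoaded reports whether the policy ID from the dashboard URL shows
// up in the reload output, plus how many policies were processed in total.
// total == 0 is the symptom in this thread: the reload ran, but no policy
// source was read at all.
func PolicyWasLoaded(log, id string) (loaded bool, total int) {
	ids := LoadedPolicyIDs(log)
	for _, got := range ids {
		if got == id {
			return true, len(ids)
		}
	}
	return false, len(ids)
}

// Constructed sample logs in the two formats seen in the thread.
const healthyReload = `[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 55d452f530c55e11c1000003
[Jun  1 04:25:30]  INFO policy: --> Processing policy ID: 564085e030c55e5c29000003
[Jun  1 04:25:30]  INFO main: Gateway started (v2.1.0.3)`

const brokenReload = `Jun  1 11:21:14 Tyk1 tyk[1588]: time="Jun  1 11:21:14" level=info msg="Initiating reload"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="Detected 1 APIs"
Jun  1 11:21:24 Tyk1 tyk[1588]: time="Jun  1 11:21:24" level=info msg="API reload complete"`

func main() {
	for _, c := range []struct{ name, log, id string }{
		{"healthy", healthyReload, "564085e030c55e5c29000003"},
		{"broken", brokenReload, "56dda6b5dd1e2c28de000002"},
	} {
		ok, n := PolicyWasLoaded(c.log, c.id)
		fmt.Printf("%-8s policy %s loaded=%v (policies processed: %d)\n", c.name, c.id, ok, n)
	}
}
```

A total of zero processed policies points at the policy loader configuration rather than at the regex, which is the direction the rest of this thread takes.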

Ok cool, what does your tyk.conf look like? Especially the policies section?

{
  "listen_port": 443,
  "node_secret": "********",
  "secret": "*********",
  "template_path": "/opt/tyk-gateway/templates",
  "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
  "use_db_app_configs": true,
  "app_path": "/opt/tyk-gateway/apps",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "db_app_conf_options": {
    "connection_string": "http://192.168.10.146:3000",
    "node_is_segmented": false,
    "tags": []
  },
  "storage": {
    "type": "redis",
    "host": "localhost",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 500,
    "optimisation_max_active": 800
  },
  "enable_analytics": true,
  "analytics_config": {
    "type": "mongo",
    "csv_dir": "/tmp",
    "mongo_url": "mongodb://127.0.0.1:27017/tyk_analytics",
    "mongo_db_name": "",
    "mongo_collection": "tyk_analytics",
    "purge_delay": 5,
    "ignored_ips": []
  },
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  },
  "optimisations_use_async_session_write": true,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "service",
    "policy_connection_string": "http://192.168.10.146:3000"
  },
  "hash_keys": true,
  "suppress_redis_signal_reload": false,
  "close_connections": true,
  "local_session_cache": {
    "disable_cached_session_state": true
  },
  "uptime_tests": {
    "disable": false,
    "config": {
      "enable_uptime_analytics": true,
      "failure_trigger_sample_size": 3,
      "time_wait": 300,
      "checker_pool_size": 50
    }
  },
  "http_server_options": {
    "override_defaults": false,
    "use_ssl": true,
    "flush_interval": 1,
    "certificates": [
      {
        "domain_name": "**********",
        "cert_file": "/opt/tyk-gateway/certs/*******.crt",
        "key_file": "/opt/tyk-gateway/certs/*******.key"
      }
    ]
  },
  "hostname": "***********",
  "enable_custom_domains": true,
  "enable_jsvm": true
}

Interesting, that all looks ok. Is the policy marked as active in your dashboard?

Martin, see below image:

Ok, let’s do an experiment.

Make sure your API has the Auth Token security option set

  1. Generate a token that uses this policy (it will also need to grant access to your API)
  2. Use the token to make sure it gets through
  3. Disable access at the policy level (just check the deny access option)
  4. Try to use the token again

If the token is denied your policy is loaded, in which case you just need to amend your regex (as I said, don’t match the starting slash)

Martin,

After clicking “Deny access” and clicking the “Update” button, the token was still able to use the api granted to it.

Ok that is very strange.

Are you running on docker (your logs look mixed)?

Can you restart the gateway to see what it loads from a cold start?

Does your dashboard log have any output to indicate it is refusing the policy request (might be an invalid nonce)?

Hi Martin, this is my output from gateway restart

Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Hostname set: ********"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Connection dropped, connecting.."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=warning msg="Host checker data is no longer purged by Tyk Gateway, please use Tyk-Pump."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=warning msg="Cache purging is no longer part of Tyk Gateway, please use Tyk-Pump."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Starting Poller"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Setting up Server"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="--> Using SSL (https)"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Registering node."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Node registered" id=1f896f4a-ca49-4586-533b-2e71c7dd0bcc
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Starting heartbeat."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Detected 1 APIs"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="--> Loading API: *******"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="----> Tracking: (no host)"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="----> Checking security policy: Token"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Loading uptime tests..."
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="Gateway started (v2.1.0.2)"
Jun  1 16:48:03 Tyk1 tyk[3066]: time="Jun  1 16:48:03" level=info msg="--> Listening on port: 443"

My dashboard just announces that it requested to change the policy

I think I know what it is, it’s a legacy hangover which we need to remove, try this:

In the policies section of your Tyk.conf file add:

"policy_record_name":"policies",

I think that should fix it.

Thank you, that did the trick, and it is indeed obeying the policy rules. Thank you so much!
