Section 9.4. Examining Booleans and Conditional Policies with Apol


We can use apol to examine conditional policy statements and their associated Booleans more easily. Apol proves particularly useful when trying to understand the effects of conditional policy statements and when the same condition is repeated in several places within the policy.

In Figure 9-1, we show how to use apol to examine defined Booleans within a policy. The Booleans tab under the Policy Components tab shows all Booleans and their default and current values. Apol also enables you to change the current value of a Boolean, which proves useful when exploring conditional policy rules, as you will see shortly.

Figure 9-1. Examining Boolean variables using apol


Things get more interesting when you search the policy rules. In the TE Rules tab under the Policy Rules tab, you can configure apol to show all rules, whether enabled or disabled, along with their current state, as shown in Figure 9-2. Most rules are not in conditional statements and will not show a current state; those that are in conditional statements will have their current state (enabled/disabled) indicated.

Figure 9-2. Viewing disabled conditional rules in apol


You can use the Booleans tab to change the current value of a Boolean to experiment with the effects within apol. For example, in Figure 9-3, we changed the current value of user_ping from its default value of false to a current value of true. This then affects which rules are enabled or disabled, as shown in Figure 9-4, where rules that were previously disabled now become enabled.

Figure 9-3. Changing current state of Boolean value in apol


Figure 9-4. Changing current Boolean values in apol changes the enabled/disabled state of rules


Finally, by using the Conditional Expression tab under the Policy Rules tab, you can search for entire conditional statements by searching for Booleans, as illustrated in Figure 9-5. Apol will show you all conditional expressions that use the provided Boolean variable, along with their true and false lists of rules. Further, the tool will collapse like conditionals (for example, if there are five conditionals all with the same conditional expression, apol will show them as one combined conditional), making it easier to understand the entire set of related conditional rules. As with the rule search shown in Figure 9-4, the current state of the Boolean variables will affect the result of this search.

Figure 9-5. Searching conditional expressions by Boolean name within apol
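The two behaviors described above, changing a Boolean's current value to see which rules become enabled and collapsing like conditionals into one entry, can be reproduced on a small scale. This is an added example, not apol's code or code from the book: the policy fragment is constructed, `secure_mode` and the type names are assumptions, and the expression evaluator handles only `!`, `&&`, `||` and parentheses.

```python
import re

# Constructed policy fragment; secure_mode and the type names are assumptions.
POLICY = """
bool user_ping false;
bool secure_mode false;
if (user_ping) { allow user_t ping_exec_t:file { getattr execute }; }
if (user_ping && !secure_mode) { allow ping_t self:rawip_socket create; }
if (user_ping) { allow ping_t user_tty_t:chr_file { read write }; }
else { dontaudit user_t ping_exec_t:file execute; }
"""
BODY = r"\{((?:[^{}]|\{[^{}]*\})*)\}"  # block body; permission sets nest one level
BOOL_RE = re.compile(r"\bbool\s+(\w+)\s+(true|false)\s*;")
COND_RE = re.compile(r"\bif\s*\((.*?)\)\s*" + BODY + r"(?:\s*else\s*" + BODY + ")?", re.S)

def evaluate(expr, values):
    """Evaluate a conditional expression (subset: !, &&, ||, parentheses)."""
    toks = re.findall(r"\w+|&&|\|\||[!()]", expr)[::-1]   # reversed: pop() = next
    def atom():
        tok = toks.pop()
        if tok == "!":
            return not atom()
        if tok == "(":
            val = or_expr()
            toks.pop()                  # closing parenthesis
            return val
        return values[tok]              # KeyError on an undeclared Boolean
    def chain(operand, op, combine):
        val = operand()
        while toks and toks[-1] == op:
            toks.pop()
            val = combine(operand(), val)
        return val
    def and_expr():
        return chain(atom, "&&", lambda a, b: a and b)
    def or_expr():
        return chain(and_expr, "||", lambda a, b: a or b)
    return or_expr()

def rule_states(policy, overrides=None):
    """Map each distinct conditional expression to [(rule, enabled), ...]."""
    values = {name: val == "true" for name, val in BOOL_RE.findall(policy)}
    values.update(overrides or {})          # "current" values, as set in apol
    merged = {}                             # like conditionals share one entry
    for expr, if_true, if_false in COND_RE.findall(policy):
        state = evaluate(expr, values)
        rules = merged.setdefault(" ".join(expr.split()), [])
        for body, enabled in ((if_true, state), (if_false, not state)):
            rules += [(" ".join(r.split()), enabled) for r in re.findall(r"[^;]+;", body)]
    return merged
```

Calling `rule_states(POLICY)` gives the default view, and `rule_states(POLICY, {"user_ping": True})` gives the view after the change made in Figure 9-3; rules in an `else` branch flip the opposite way.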





SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
Year: 2007
Pages: 154
