Apigee X restrict traffic based on openapi spec

Hello, I am trying to set up an api proxy that is generated from an openapi spec and was trying to figure out how I might be able to restrict the traffic to my backend to only the routes found in the openapi spec. I see there is a way of having a policy to validate the openapi spec from a file but it doesn't appear to restrict access to routes not defined in the spec.


a policy to validate the openapi spec from a file but it doesn't appear to restrict access to routes not defined in the spec.

If that is really what you're seeing, then I think that's a bug. The OASValidation policy is documented to

"validate an incoming request ... message against an OpenAPI 3.0 Specification (JSON or YAML)."

And all reasonable definitions of "Validate" would imply that for a request that contains a {path, operation} pair that is not in the spec, the policy would reject that request. Is that not what you are seeing?

Where have you attached the OASValidation policy?  I would guess you'd want this policy attached to the Proxy Request PreFlow in order to check all inbound requests. [link for discussion of attaching policies] Have you done that? 

If you have, can you share a trace session showing that the policy has accepted an invalid request? 
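The attachment described in the reply above, as an added configuration sketch that is not part of the original thread or the poster's proxy. The policy name `OAS-Validate-Request` and the spec file name `my-api.yaml` are assumptions; substitute the names used in your own proxy bundle.

```xml
<!-- File: apiproxy/policies/OAS-Validate-Request.xml (policy name is an assumption) -->
<OASValidation name="OAS-Validate-Request" continueOnError="false" enabled="true">
  <DisplayName>OAS-Validate-Request</DisplayName>
  <!-- Validate the inbound request message -->
  <Source>request</Source>
  <!-- Spec stored as a proxy resource; my-api.yaml is a placeholder file name -->
  <OASResource>oas://my-api.yaml</OASResource>
  <Options>
    <!-- Also check the request body against the schema in the spec -->
    <ValidateMessageBody>true</ValidateMessageBody>
    <!-- Reject header, query and cookie parameters the spec does not declare -->
    <AllowUnspecifiedParameters>
      <Header>false</Header>
      <Query>false</Query>
      <Cookie>false</Cookie>
    </AllowUnspecifiedParameters>
  </Options>
</OASValidation>

<!-- File: apiproxy/proxies/default.xml (excerpt) -->
<!-- Attaching the step to the Proxy Request PreFlow runs it on every inbound
     request, before any conditional flow and before the target is called.
     With continueOnError="false", a validation failure raises a fault
     instead of letting the request continue to the backend. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>OAS-Validate-Request</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  <!-- Flows, HTTPProxyConnection and RouteRule elements omitted from this excerpt -->
</ProxyEndpoint>
```

A trace session for a request to a path that is absent from the spec shows whether this step executed and whether it raised a fault, which is the evidence asked for above.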

 

After much trial and error I was mostly able to get this to work and will mark this as resolved.

Can you explain what you did that solved your problem?