Find proxy with SSL Info comment out

Hi Team,

@dchiesa1

We have an OPDK installation and have the below requirement, and we don't want to download the proxy bundle to accomplish it. Is it possible?

Need to find the list of policies in which the <SSLInfo> block is commented out or not present.

For example:

A) In the example below, SSLInfo is commented out:

<HTTPTargetConnection>
  <Properties/>
  <!--<SSLInfo>-->
  <!--  <Enabled>true</Enabled>-->
  <!--  <TrustStore>ref://myTrustStoreRef</TrustStore>-->
  <!--</SSLInfo>-->
  <URL>https://mocktarget.apigee.net</URL>
</HTTPTargetConnection>

B) No SSLInfo at all:

<HTTPTargetConnection>
  <Properties/>
  <URL>https://mocktarget.apigee.net</URL>
</HTTPTargetConnection>

Get all the proxy names that match either example A) or B).


This information is stored only in the proxy bundle, so there's no way to do it without downloading the bundle.

Actually, in OPDK and Apigee Edge it is possible to inquire as to the contents and configuration of the TargetEndpoint from the administrative API. This is how you get it:

curl -i -H "$AUTH" $mgmtserver/v1/o/$ORG/apis/$APIPROXY/revisions/$REV/targets/$TARGET_NAME

The response is something like this:

{
  "connection" : {
    "connectionType" : "httpConnection",
    "sSLInfo" : {
      "ciphers" : [ ],
      "clientAuthEnabled" : "false",
      "enabled" : "true",
      "ignoreValidationErrors" : false,
      "protocols" : [ ]
    },
    "uRL" : "https://target.example.com"
  },
  "connectionType" : "httpConnection",
  "description" : "",
  "faultRules" : [ ],
  "flows" : [ ],
  "name" : "target-1",
  ...

The tricky part is... it's a hierarchy. Basically you'd have to do a brute-force search, like this:

  • for each API, get all revisions
  • for each API revision, get all targets
  • for each target, examine the SSLInfo

And then you'd need to apply the logic there. If there is a "missing" SSLInfo, the response you get from the Admin API may still show an SSLInfo element, but it will be "enabled: false" and so on.

Ideally these SSLInfo entries for the backend (target) should have their own TrustStore and KeyStore. So you'd want to check for the presence and validity of those child elements of the SSLInfo property.

You could write a script that basically walks through all the API proxies and does this search. You could write it in bash, or PowerShell, or nodejs, or Java, and so on. In fact, I've written one in nodejs; find it here. It searches for targets with

  • no SSLInfo
  • SSLInfo present but enabled = false
  • ignoreValidationErrors = true
  • No truststore explicitly specified

...and prints out the list of proxies. Example for my org:

$ node ~/dev/apigee-edge-js-examples/findTargetNoTruststore.js -n -o $ORGNAME -R \^r.\*   -L 

{
  "report": "Proxies with bad SSLInfo",
  "search": "latest revision",
  "org": "ORGNAME",
  "now": "2021-10-07T20:07:59.372Z",
  "found": [
    {
      "proxy": "rajm_patients_proxy",
      "revisions": [
        {
          "revision": "2",
          "targets": [
            {
              "name": "FirestoreEndpoint",
              "reasonFlagged": "No SSLInfo"
            }
          ]
        }
      ]
    },
    {
      "proxy": "response-shaping",
      "revisions": [
        {
          "revision": "1",
          "targets": [
            {
              "name": "amadeus",
              "reasonFlagged": "SSLInfo.ignoreValidationErrors = true"
            }
          ]
        }
      ]
    },
    {
      "proxy": "rftest1",
      "revisions": [
        {
          "revision": "1",
          "targets": [
            {
              "name": "default",
              "reasonFlagged": "No SSLInfo"
            }
          ]
        }
      ]
    }
  ]
}


The upshot is ... you don't have to download each bundle, but you DO need to do a brute-force search. There's no way to just send a query to Apigee asking "hey, give me all the proxies that have targets that have SSLInfo that does not comply with my convention."
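As an added example (Python, not the nodejs script the reply links to), here is the brute-force walk the reply describes: list the APIs, then each API's revisions, then each revision's targets, fetch each target and apply the four SSLInfo checks. It assumes that MGMTSERVER and AUTH environment variables stand in for the reply's $mgmtserver/$AUTH, that the apis/revisions/targets listings come back as plain JSON arrays of names, and that the TrustStore reference appears under the key trustStore (the sample response above does not show that key).

```python
import json
import os
import urllib.request

# Assumed environment variables, mirroring $mgmtserver and $AUTH in the curl command above.
MGMT = os.environ.get("MGMTSERVER", "http://localhost:8080")
AUTH = os.environ.get("AUTH", "")  # e.g. "Authorization: Basic <base64>"


def http_json(path):
    """GET {MGMT}/v1{path} with the AUTH header and decode the JSON body."""
    req = urllib.request.Request(MGMT + "/v1" + path)
    if AUTH:
        name, _, value = AUTH.partition(":")
        req.add_header(name.strip(), value.strip())
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def classify_target(target):
    """Return why a TargetEndpoint's SSLInfo is non-compliant, or None if it passes.
    Booleans arrive as strings ("true") or as JSON booleans, as in the sample response."""
    conn = target.get("connection") or {}
    if conn.get("connectionType") != "httpConnection":
        return None  # local or script targets carry no TLS settings to check
    ssl = conn.get("sSLInfo")
    if not ssl:
        return "No SSLInfo"
    if str(ssl.get("enabled", "false")).lower() != "true":
        return "SSLInfo present but enabled = false"
    if str(ssl.get("ignoreValidationErrors", "false")).lower() == "true":
        return "SSLInfo.ignoreValidationErrors = true"
    if not ssl.get("trustStore"):  # key name assumed; mirrors the <TrustStore> element
        return "No TrustStore specified"
    return None


def find_bad_targets(org, get_json=http_json, latest_only=True):
    """Brute-force walk: apis -> revisions -> targets -> target detail -> classify."""
    found = []
    for api in get_json(f"/o/{org}/apis"):
        revs = sorted(get_json(f"/o/{org}/apis/{api}/revisions"), key=int)
        for rev in (revs[-1:] if latest_only else revs):
            base = f"/o/{org}/apis/{api}/revisions/{rev}/targets"
            for tname in get_json(base):
                reason = classify_target(get_json(f"{base}/{tname}"))
                if reason:
                    found.append({"proxy": api, "revision": rev,
                                  "target": tname, "reasonFlagged": reason})
    return found
```

Passing a different `get_json` (for example a dict lookup over saved responses) lets you run the walk against captured output without hitting the management server.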