Is there a way to list the API proxies in an organization with the policies attached to them?

Hi All,

We are planning to move all the internal API proxies (that lie inside our server) to Edge Microgateway/Envoy, to reduce the latency.

Since neither of these supports many policies other than Auth/Quota/Analytics, we are checking for API proxies that have policies other than these 3.

If there are too many proxies that have policies other than these 3, we may consider not implementing Envoy/Microgateway.

So is there a way to check the policies attached to each API proxy in a single organization, rather than going through each proxy manually?

Can someone please help?
@dandino

1 ACCEPTED SOLUTION

Ideally the configuration you have in your Apigee system is not "the source of truth". In the ideal case you have a git repo (or other source code repository) that contains all the configuration that you are applying to Apigee, and therefore checking if there are policies outside of a particular set is a pretty simple task. You just scan the filesystem behind the git repo, and check for policies outside your convention. It's a find/grep exercise. There's a little more to it than that, but not much.

Sometimes the Apigee management plane IS the source of truth, and you cannot just find/grep. When this is the case, you have some other options:

  1. Perform a "bulk export" of every API Proxy, and then resort to the find/grep process I described above.
  2. Use a tool like apigee-scanner which tickles the Apigee API to retrieve details about each proxy and then flags proxies for you that meet certain criteria.

The apigee-scanner tool does not currently have a scanner that checks for "any proxy that has policies other than X, Y, or Z". But the tool is open-source, and is designed to be extensible, and you can write your own scanners pretty easily, and plug them into the tool. By following the pattern on the existing scanners, you should be able to quickly build the scanner you want, and then run it against your own organization, to find any out-of-spec proxies.

The apigee-scanner tool is effectively a general-purpose orchestrated find/grep, of the kind I described in the first paragraph.

EDIT: I've updated the scanner tool to accept a regex for the policytype scanner, so you can do what you want with something like this:

$ node ./scanProxies.js --token $TOKEN -o $ORG --latestrevision \
   --policytype "/^(?!(Quota|VerifyAPIKey|OAuthV2)).+$/"

That uses a little bit of regex magic - it's a negative lookahead on the policy type name. The result will show you all the proxies for which the latest revision includes any policy that is not one of Quota, VerifyAPIKey, or OAuthV2. Example:

Apigee proxy scanner tool, version: 20220616-1334
Node.js v20.1.0

[
  {
    "name": "Demo-Incidents-2",
    "revision": 8,
    "policies": [
      "set-integration-request.xml",
      "set-request-payload.xml"
    ],
    "scan": "policy type name '/^(?!(Quota|VerifyAPIKey|OAuthV2)).+$/'"
  },
  {
    "name": "Demo-Incidents3",
    "revision": 1,
    "policies": [
      "set-integration-request.xml"
    ],
    "scan": "policy type name '/^(?!(Quota|VerifyAPIKey|OAuthV2)).+$/'"
  },
  {
    "name": "Hipster-Products-API",
    "revision": 48,
    "policies": [
      "Catch-All-Error-Response.xml",
      "Data-Capture-1.xml",
      "ExtractVariable-OauthToken.xml",
      "Rate-Limit-Exceeded-Error-Response.xml",
      "SA-RateLimit.xml",
      "SC-Ping-JWKS.xml",
      "Verify-JWT.xml",
      "add-cors.xml",
      "printtrace.xml"
    ],
    "scan": "policy type name '/^(?!(Quota|VerifyAPIKey|OAuthV2)).+$/'"
  },
  ...
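
The find/grep approach over a bulk export described in the answer, as an added example that is not part of the original post or the apigee-scanner code: it reads the root element of each policy file (the policy type) and flags anything outside the allowlist by exact match, so a type such as ResetQuota is reported. The export layout, proxy names and file names are assumptions constructed for the demo.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Policy types named in the thread as the ones the target gateway supports.
const ALLOWED = new Set(['Quota', 'VerifyAPIKey', 'OAuthV2']);

// A policy's type is the root element name of its XML file.
function policyType(xml) {
  const body = xml.replace(/<\?[\s\S]*?\?>|<!--[\s\S]*?-->/g, '');
  const m = /<([A-Za-z_][\w.-]*)/.exec(body);
  return m ? m[1] : null;
}

// Assumed export layout: <exportDir>/<proxyName>/apiproxy/policies/*.xml
function scanExport(exportDir, allowed = ALLOWED) {
  const findings = [];
  for (const name of fs.readdirSync(exportDir).sort()) {
    const dir = path.join(exportDir, name, 'apiproxy', 'policies');
    if (!fs.existsSync(dir)) continue; // no policies directory in this bundle
    const policies = [];
    for (const file of fs.readdirSync(dir).sort()) {
      if (!file.endsWith('.xml')) continue;
      const type = policyType(fs.readFileSync(path.join(dir, file), 'utf8'));
      // Exact match on the type; unparseable files are flagged, not skipped.
      if (type === null || !allowed.has(type)) policies.push({ file, type });
    }
    if (policies.length) findings.push({ name, policies });
  }
  return findings;
}

// Constructed sample export (proxy and file names are made up for this demo).
function buildSampleExport() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'apigee-export-'));
  const sample = {
    'orders-v1': { 'Quota-1.xml': '<?xml version="1.0"?>\n<Quota name="Quota-1"/>',
                   'VAK-1.xml': '<VerifyAPIKey name="VAK-1"/>' },
    'catalog-v2': { 'OAuth-Verify.xml': '<OAuthV2 name="OAuth-Verify"/>',
                    'AM-Headers.xml': '<!-- cors --><AssignMessage name="AM-Headers"/>',
                    'Reset.xml': '<ResetQuota name="Reset"/>' },
  };
  for (const [proxy, files] of Object.entries(sample)) {
    const dir = path.join(root, proxy, 'apiproxy', 'policies');
    fs.mkdirSync(dir, { recursive: true });
    for (const [f, xml] of Object.entries(files)) fs.writeFileSync(path.join(dir, f), xml);
  }
  return root;
}

console.log(JSON.stringify(scanExport(buildSampleExport()), null, 2));
```

Point `scanExport` at a real export directory to get the same report for an organization; a file whose type comes back as `null` needs a manual look.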

   


2 REPLIES 2


Thanks a lot @dchiesa1 ! Let me try this out 🙂