Policy Checking as part of CI/CD flow


As part of governance, we need to check whether the developer has applied security policies or not in the CI/CD flow. How can we achieve this?

I see the API below to get the list of policies for a proxy. However, that gives me the display names of the policies as the response.

curl -X GET --header "Accept: application/json" "https://api.enterprise.apigee.com/v1/organizations/ravibabunannuri-eval/apis/helloworld/revisions/1/policies"

Could you please let me know the way to check the kind of policies applied to an API Proxy and inform the developer about missing mandatory policies?

Thanks,

Ravibabu

1 ACCEPTED SOLUTION

You must inspect the policies themselves for the policyType attribute. The API request is like this:

GET https://api.enterprise.apigee.com/v1/o/ORG/apis/PROXY/revisions/REV/policies/POLICYNAME

And the result looks like:

{
  "policyType": "RaiseFault",
  "displayName": "RaiseFault-UnknownRequest",
  "faultResponse": {
    "actions": [{
      "Set": {
        "payload": {
          "contentType": "application/json",
          "value": "{  \"error\" : \"{variable}\" }"
        },
        "reasonPhrase": "Not Found",
        "statusCode": "404"
      }
    }]
  },
  "faultRules": [],
  "ignoreUnresolvedVariables": true,
  "name": "RaiseFault-UnknownRequest"
}

Here is an example of scanning for the existence of any JavaCallout policies in all API Proxies (all revisions).

https://github.com/DinoChiesa/apigee-edge-js/blob/master/examples/findJavaPolicies.js

You could start with that and build a tool that scans all PROXIES and looks for the presence of ... whatever it is you need to verify. The tool might return a list of all API Proxies that did not comply with your requirements. Presumably the requirement is not "must have a policy of type X" but rather "must have a policy of type X that gets called in PreFlow" or something like that. Your check will probably be a little more elaborate than "is there a policy in the proxy?"

Normally though, this kind of enforcement is done via inspection of the source code repository. You could also inspect the deployed code, if you want to be doubly-sure. But Apigee Edge ought not be the source-of-truth code repo.

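The source-repository check that the accepted solution recommends, as an added example that is not part of the thread or of the apigee-edge-js project: it walks an apiproxy/ bundle as checked into the proxy repo, takes each policy's type from the root element of its XML file (the same value the management API reports as policyType), and verifies that every mandatory type is attached unconditionally in the ProxyEndpoint PreFlow request path, which is the "gets called in PreFlow" requirement rather than mere presence in policies/. The mandatory set, the sample bundle and the function names are assumptions. A FlowCallout into a shared flow that lives in another repo is not resolved here; it shows up as a FlowCallout step, not as the types the shared flow contains.

```python
"""Scan an Apigee API proxy bundle (the apiproxy/ directory in the repo) and
report mandatory policy types that are not attached, unconditionally, to the
ProxyEndpoint PreFlow request path. Added example; not the thread's own code."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumed governance rule (not from the thread): every proxy must run these
# policy types on the inbound PreFlow before any conditional flow executes.
MANDATORY_TYPES = {"VerifyAPIKey", "SpikeArrest"}


def load_policy_types(bundle_dir):
    """Map policy name -> policy type. In a bundle, the root element name of
    policies/<file>.xml is the policy type (what the API calls policyType)
    and its name attribute is the policy name referenced from flows."""
    types = {}
    pol_dir = os.path.join(bundle_dir, "policies")
    for fname in sorted(os.listdir(pol_dir)):
        if not fname.endswith(".xml"):
            continue
        root = ET.parse(os.path.join(pol_dir, fname)).getroot()
        types[root.get("name") or fname[:-4]] = root.tag
    return types


def preflow_request_steps(bundle_dir):
    """Map ProxyEndpoint name -> ordered step names in PreFlow/Request.
    Steps guarded by a <Condition> are skipped: they are not guaranteed to
    run, so for enforcement they count as absent."""
    steps = {}
    ep_dir = os.path.join(bundle_dir, "proxies")
    for fname in sorted(os.listdir(ep_dir)):
        if not fname.endswith(".xml"):
            continue
        root = ET.parse(os.path.join(ep_dir, fname)).getroot()
        names = []
        for step in root.findall("./PreFlow/Request/Step"):
            if step.find("Condition") is not None:
                continue
            name_el = step.find("Name")
            if name_el is not None and name_el.text:
                names.append(name_el.text.strip())
        steps[root.get("name") or fname[:-4]] = names
    return steps


def check_bundle(bundle_dir, mandatory=MANDATORY_TYPES):
    """Return {endpoint: sorted mandatory types not attached unconditionally
    in PreFlow/Request}. An empty dict means the bundle complies."""
    types = load_policy_types(bundle_dir)
    findings = {}
    for endpoint, step_names in preflow_request_steps(bundle_dir).items():
        # A step naming a policy with no file in policies/ resolves to <unknown>
        attached = {types.get(n, "<unknown>") for n in step_names}
        missing = sorted(set(mandatory) - attached)
        if missing:
            findings[endpoint] = missing
    return findings


# Constructed sample bundle (not a real proxy). "default" attaches VerifyAPIKey
# but only runs SpikeArrest under a condition; "admin" attaches nothing.
SAMPLE_FILES = {
    "policies/VerifyAPIKey-1.xml":
        '<VerifyAPIKey name="VerifyAPIKey-1"><APIKey ref="request.queryparam.apikey"/></VerifyAPIKey>',
    "policies/SpikeArrest-1.xml":
        '<SpikeArrest name="SpikeArrest-1"><Rate>30ps</Rate></SpikeArrest>',
    "policies/RaiseFault-UnknownRequest.xml":
        '<RaiseFault name="RaiseFault-UnknownRequest"/>',
    "proxies/default.xml": """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>VerifyAPIKey-1</Name></Step>
      <Step><Condition>request.header.x-bulk = "true"</Condition><Name>SpikeArrest-1</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <HTTPProxyConnection><BasePath>/helloworld</BasePath></HTTPProxyConnection>
</ProxyEndpoint>""",
    "proxies/admin.xml": """<ProxyEndpoint name="admin">
  <PreFlow name="PreFlow"><Request/><Response/></PreFlow>
  <HTTPProxyConnection><BasePath>/helloworld-admin</BasePath></HTTPProxyConnection>
</ProxyEndpoint>""",
}


def write_sample_bundle():
    """Materialise SAMPLE_FILES under a temporary apiproxy/ dir; return its path."""
    root = os.path.join(tempfile.mkdtemp(), "apiproxy")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_bundle()
    result = check_bundle(target)
    for endpoint, missing in result.items():
        print(f"FAIL {endpoint}: not in PreFlow/Request: {', '.join(missing)}")
    sys.exit(1 if result else 0)
```

Run it as `python check_bundle.py path/to/apiproxy` in the pipeline and fail the build on a non-zero exit. Treating a conditional step as absent is deliberate: a VerifyAPIKey that only runs when some header is present is a bypass, not a control.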

4 REPLIES

Thanks a lot Dino for the help.

Sure, I agree with you, Dino. Will scan the source code and enforce this instead of making calls to Edge. That way we can avoid unnecessary load on Edge. Hope that approach is fine for lower environments.

The way we are maintaining code base is one repo for each proxy and another repo for shared flows. That way it is going to be complex to scan all the xml files and verify whether the policy is available or not.

BTW, if you have a curl command to verify the policies in shared flow, could you please share?

Similar for Shared Flows.

curl -i -n $mgmtserver/v1/o/ORGNAME/sharedflows/SHAREDFLOW/revisions/REV/policies/POLICYNAME
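The same check run against a deployed revision through the management API, for both API proxies and shared flows, as an added example that is not from the thread: the `.../policies` endpoint returns only the policy names, so each one is fetched in turn and its policyType read, exactly the two-step pattern the accepted solution describes. The organization, proxy and shared-flow names, and the canned responses are constructed so the audit runs offline; `http_fetch_json` is the live fetcher, sending the same basic-auth header curl -n would take from ~/.netrc.

```python
"""Audit deployed Apigee Edge revisions (apis or sharedflows) for mandatory
policy types via the management API. Added example; not the thread's code."""
import base64
import json
import urllib.request

MGMT = "https://api.enterprise.apigee.com/v1"


def basic_auth_header(user, password):
    """Authorization header value equivalent to what curl -n sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def http_fetch_json(url, auth_header):
    """Live fetcher: GET the management API and decode the JSON body."""
    req = urllib.request.Request(
        url, headers={"Accept": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def policy_types(fetch, org, kind, name, rev):
    """kind is 'apis' or 'sharedflows'. The list endpoint returns only policy
    names, so each policy is fetched to read its policyType."""
    base = f"{MGMT}/o/{org}/{kind}/{name}/revisions/{rev}/policies"
    return {pol: fetch(f"{base}/{pol}")["policyType"] for pol in fetch(base)}


def audit(fetch, org, targets, mandatory):
    """targets: iterable of (kind, name, rev). Returns
    {(kind, name, rev): sorted mandatory types absent from that revision}."""
    findings = {}
    for kind, name, rev in targets:
        present = set(policy_types(fetch, org, kind, name, rev).values())
        missing = sorted(set(mandatory) - present)
        if missing:
            findings[(kind, name, rev)] = missing
    return findings


# Constructed responses (not captured from a real org), keyed by URL, in the
# shape the API returns: a name list, then one object per policy.
ORG = "example-org"
PROXY_BASE = f"{MGMT}/o/{ORG}/apis/helloworld/revisions/1/policies"
SF_BASE = f"{MGMT}/o/{ORG}/sharedflows/security-preflow/revisions/3/policies"
CANNED = {
    PROXY_BASE: ["RaiseFault-UnknownRequest", "SpikeArrest-1"],
    f"{PROXY_BASE}/RaiseFault-UnknownRequest": {"policyType": "RaiseFault", "name": "RaiseFault-UnknownRequest"},
    f"{PROXY_BASE}/SpikeArrest-1": {"policyType": "SpikeArrest", "name": "SpikeArrest-1"},
    SF_BASE: ["VerifyAPIKey-1", "SpikeArrest-1"],
    f"{SF_BASE}/VerifyAPIKey-1": {"policyType": "VerifyAPIKey", "name": "VerifyAPIKey-1"},
    f"{SF_BASE}/SpikeArrest-1": {"policyType": "SpikeArrest", "name": "SpikeArrest-1"},
}


def canned_fetch(url):
    """Offline stand-in for http_fetch_json."""
    return CANNED[url]


def demo():
    """Audit the constructed proxy and shared flow against an assumed rule set."""
    targets = [("apis", "helloworld", 1), ("sharedflows", "security-preflow", 3)]
    return audit(canned_fetch, ORG, targets, {"VerifyAPIKey", "SpikeArrest"})


if __name__ == "__main__":
    for (kind, name, rev), missing in demo().items():
        print(f"{kind}/{name} rev {rev}: missing {', '.join(missing)}")
```

For a live run, pass `lambda u: http_fetch_json(u, basic_auth_header(user, password))` as `fetch`. This only tells you which policy types exist in the revision; whether they are actually attached to a flow is a separate check against the endpoint definitions, which is why scanning the source bundle remains the primary control.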

I see the policies which are in the shared flow. Thank you so much, Dino.