LinkedIn
Twitter
Hello,
I am facing an issue with data masking when AssignMessage policy is used to set a payload.
Here is my example scenario -
1. API receives Json payload request with 'Password' field in it.
{
"credentials": {
"UserId":"1234",
"password":"MyPassword"
}
}
2. API extracts the password field from request json into a private variable.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ExtractVariables async="false" continueOnError="false" enabled="true" name="EV-FetchPassword">
<DisplayName>EV-FetchPassword</DisplayName>
<Properties/>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<JSONPayload>
<Variable name="private.password">
<JSONPath>$.credentials.password</JSONPath>
</Variable>
</JSONPayload>
<Source clearPayload="false">request</Source>
</ExtractVariables>
3. Private variable for password is then used in Assign Message policy to build a SOAP XML payload to be sent to back-end target.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="AM-BuildBackendSoapRequest">
<DisplayName>AM-BuildBackendSoapRequest</DisplayName>
<Properties/>
<Set>
<Payload contentType="application/xml">
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://abc.com/Request">
<soapenv:Header/>
<soapenv:Body>
<ns:Request>
<ns:UserId>5678</ns:UserId>
<ns:Password>{private.password}</ns:Password>
<ns:OtherFields>OtherFields</ns:OtherFields>
</ns:Request>
</soapenv:Body>
</soapenv:Envelope>
</Payload>
</Set>
<IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
<AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>
4. As password is sensitive information, it is supposed to be masked and hidden everywhere in the api trace. Here is the masking configuration set in the environment.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<MaskDataConfiguration name="default">
<JSONPathsRequest>
<JSONPathRequest>$.credentials.password</JSONPathRequest>
</JSONPathsRequest>
<JSONPathsResponse>
<JSONPathResponse>$.credentials.password</JSONPathResponse>
</JSONPathsResponse>
<Namespaces>
<Namespace prefix="ns">http://abc.com/Request</Namespace>
</Namespaces>
<Variables>
<Variable>request.content.credentials.password</Variable>
<Variable>response.content.credentials.password</Variable>
</Variables>
<XPathsRequest>
<XPathRequest>//ns:Password</XPathRequest>
</XPathsRequest>
<XPathsResponse>
<XPathResponse>//ns:Password</XPathResponse>
</XPathsResponse>
</MaskDataConfiguration>
When request is executed to the API endpoint -
1. Password field value is masked at each stage in the API trace except at AssignMessage Policy.
2. At AssignMessage stage, payload has password masked but trace also shows message.content variable with Password value unmasked.
Why does it show message.content flow variable? If it is there to display the newly constructed payload, it should use the data masking config available in the environment to mask the the password value.
Please note that masking whole message.content as a variable is not a good approach as we might need to check few fields in payload at various policies.
Thanks. @Dino-at-Google @Anil Sagar @ Google
Solved
1 ACCEPTED SOLUTION
Can you please try using this in AssignMessage ?
<AssignTo>request</AssignTo>
...in place of
<AssignTo createNew="false" transport="http" type="request"/>
Because you are not explicitly specifying a message variable with AssignTo, the AssignMessage policy is assigning to "message", and this variable is not covered by the <XPathsRequest> element in the MaskDataConfiguration .
I just tested this, and it works for me. When I use the former configuration, the masking works as desired.
When I use the latter, the password is not masked.
Can you please try using this in AssignMessage ?
<AssignTo>request</AssignTo>
...in place of
<AssignTo createNew="false" transport="http" type="request"/>
Because you are not explicitly specifying a message variable with AssignTo, the AssignMessage policy is assigning to "message", and this variable is not covered by the <XPathsRequest> element in the MaskDataConfiguration .
I just tested this, and it works for me. When I use the former configuration, the masking works as desired.
When I use the latter, the password is not masked.
Thanks Dino . It works.
However I still think that it should have resolved the AssignTo variable as per execution flow i.e request in this case. and should have applied the mask config accordingly.
https://docs.apigee.com/api-platform/reference/policies/assign-message-policy#assignto
