Mask configurations for vnd specific JSON content type


Hi,

Is there a way to mask data for request and response with a vendor specific JSON content type? I tried mask configurations, but it doesn't seem to be working.

Our content type looks something like - application/vnd.<company_name>+json

Thanks in advance.


Not applicable

Hi @jaskaran.rm,

This has to be standard JSON. Vendor specific content-type is not supported. Content-type has to be "application/json".

Thanks,

Rajesh Doda

adas
New Member

@jaskaran.rm We allow mask config to be specified as xmlpath or jsonpath for request and response. At runtime, we apply those rules depending on the content type - application/xml or application/json. Vendor specific JSON with the content type you specified is not supported and would have no effect on the data masking.

I tried masking the flow variable request.content, but it doesn't seem to be working

@arghya das I talked to @rakeshapi about this issue also. Is there a workaround for data not being masked for vendor specific content types? The request/response body is still valid JSON, but we have to switch to a vendor specific content type before sending the API call to the target system. Is there a way Apigee can still be configured to mask the data regardless of the header? This is defeating the purpose of masking as the data is viewable in clear text in those policies where the content type is set to something other than 'application/json'.

Not applicable
@arghya das

- Can we mask the whole request?

adas
New Member

@jaskaran.rm The way it works is this:

Imagine this is your payload:

Request Payload:
{
    "policy": "payment",
    "authentication": {
        "endUserId": "ACR%p3NT0pMVNfciUdbJnqdC7H9AAIqp",
        "email": "john.doe@example.com",
        "password": "P4$$word"
    },
    "profile": {
        "displayname": "authoriseduser",
        "firstname": "John",
        "surname": "Doe",
        "isOver16": true,
        "dob": "1985-01-01"
    }
}

Response Payload:
{
  "amountTransaction": {
    "clientCorrelator": "uE5IRifPJEFQ1pvB0mtEU3zCspRGSJeb",
    "endUserId": "Bearer ra1iBFqC6pqGclNaleDmM92upywK",
    "paymentAmount": {
        "chargingInformation": {
            "amount": 10,
            "currency": "USD",
            "description": "AOL-App"
        },
        "totalAmountCharged": "$10"
    },
    "referenceCode": "REF-test_d9e05a4b-5fe3-46f6-bcdf-0a62a120639e",
    "serverReferenceCode": "ABC-test_d9e05a4b-5fe3-46f6-bcdf-0a62a120639e",
    "resourceURL": "http://example.com/1/payment/tel%3A%2B16309700001/transactions/amount/abc123",
    "transactionOperationStatus": "Charged"
    }
}

Now to mask such a payload you can do something like this:

<MaskDataConfiguration name="default">
    <JSONPathsRequest>
        <JSONPathRequest>$.authentication.*</JSONPathRequest>
        <JSONPathRequest>$.profile.*</JSONPathRequest>
    </JSONPathsRequest>
    <JSONPathsResponse>
        <JSONPathResponse>$..*</JSONPathResponse>
    </JSONPathsResponse>
</MaskDataConfiguration>

This would mask the json snippet for authentication and profile in the request and the entire response payload. Note that we only mask the RHS (value) not the element itself.

Ya Arghya, this is fine. But it won't work since our content type is not application/json.

So, instead of masking json elements, I am trying to mask flow variables, as in the example below -

<Variables>
    <Variable>request.header.user-agent</Variable>
    <Variable>request.formparam.password</Variable>
</Variables>

The headers do get masked, but the variable "request.content" is not. It is just another flow variable, so we should be able to mask it also.

One possible solution can be to apply a JavaScript policy to change the content type from the vendor specific version to standard application/json. This will be the first policy when the request or response hits Apigee (whatever you want to mask).

You can change the content type with an AssignMessage policy but if you do that then the whole unmasked payload will be visible in Trace while executing the AssignMessage policy. When you change the Content-Type using javascript it will not show the payload in trace at all.

I haven't tried this yet, but ideally this should work. I will try to give it a shot later today. If @jaskaran.rm you can get it to work please let us know.

Thanks Sarthak, but I can see the whole request content even before the first policy is executed.

Not applicable

I guess mask configs don't work on variables like request.content and message.content. Not sure if this is a product bug.

This is an interesting requirement. I found a workaround for this, which can be done as follows:
  1. Create two API proxies A, B and forward API requests from proxy A to proxy B using proxy chaining.
  2. In proxy A change the Content-Type header value to application/json using a JavaScript policy.
  3. In proxy B implement required logic, change Content-Type header back to the original value and forward the request to target endpoint.
  4. Create a custom user role and grant trace permission to proxy B.
  5. Add above custom user role to relevant users and only allow proxy B to be traced.

With this approach, users having the above custom role would only be able to trace proxy B and will not be able to see masked values in the Trace UI.

Kindly note that with this approach, each API request sent to proxy A would make an additional API call to proxy B, and as a result the number of API requests served by Apigee will be doubled. As a result, it may affect the quota usage of the pricing model:
https://cloud.google.com/apigee/pricing/
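
The Content-Type swap in steps 2 and 3 of the workaround above (the same JavaScript-policy idea suggested earlier in the thread), as an added example that is not code from any poster or from Apigee. The hop header `X-Original-Content-Type`, the function names and `fakeContext` are assumptions made for illustration; `getVariable`, `setVariable` and `removeVariable` are the calls the Apigee JavaScript policy exposes on `context`.

```javascript
// Added example for Apigee JavaScript policies; names below are assumptions.
var CT = "request.header.Content-Type";
var SAVED = "request.header.X-Original-Content-Type"; // hypothetical hop header
// application/vnd.<name>+json with optional parameters; "." never matches CR/LF.
var VENDOR_JSON = /^application\/vnd\.[\w.-]+\+json\s*(;.*)?$/i;

// Proxy A, step 2: run as the first policy of the request flow.
function toStandardJson(ctx) {
  var original = String(ctx.getVariable(CT) || "").trim();
  ctx.removeVariable(SAVED); // never trust a client-supplied copy
  if (!VENDOR_JSON.test(original)) {
    return false; // other content types pass through untouched
  }
  ctx.setVariable(SAVED, original);
  ctx.setVariable(CT, "application/json");
  return true;
}

// Proxy B, step 3: run as the last policy before the target endpoint.
function restoreVendorType(ctx) {
  var saved = String(ctx.getVariable(SAVED) || "").trim();
  ctx.removeVariable(SAVED); // do not leak the hop header to the target
  if (!VENDOR_JSON.test(saved)) {
    return false; // refuse to restore anything but a vendor JSON type
  }
  ctx.setVariable(CT, saved);
  return true;
}

// Constructed stand-in for the runtime-provided `context`, for offline runs.
function fakeContext(vars) {
  return {
    getVariable: function (n) { return vars.hasOwnProperty(n) ? vars[n] : null; },
    setVariable: function (n, v) { vars[n] = v; },
    removeVariable: function (n) { delete vars[n]; }
  };
}

// Constructed request: vendor type plus a spoofed hop header from the client.
var demo = { "request.header.Content-Type": "application/vnd.acme+json; charset=utf-8",
             "request.header.X-Original-Content-Type": "text/html" };
var ctx = fakeContext(demo);
toStandardJson(ctx);    // proxy A: body is now labelled application/json
restoreVendorType(ctx); // proxy B: vendor type restored, hop header removed
```

In a deployed proxy each policy's script would hold only its own function and end with a call on the runtime's `context`, for example `toStandardJson(context);` in proxy A.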