Applying datamasking configuration to ServiceCallout request body

Google Cloud Apigee
1

Hi,

Is it possible to apply the datamasking configuration to the request body of a ServiceCallout policy?

The documentation states that this should be possible, however after adding ServiceCallout.request to the list of variables, it masks everything and not just the elements matched by the JSON path like in the main request body.

https://docs.apigee.com/api-platform/security/data-masking

Tip: If you use ServiceCallout to make a request, the information in that request is not masked with the normal mask configuration. If you wish to mask ServiceCallout request information, add the flow variable ServiceCallout.request to the element of the configuration.

Here’s my test configuration:

{
  "jSONPathsRequest": [
    "$..password"
  ],
  "jSONPathsResponse": [
    "$..password"
  ],
  "name": "default",
  "variables": [
    "request.header.password",
    "request.formparam.password",
    "response.header.password",
    "response.formparam.password",
    "message.header.password",
    "message.formparam.password",
    "ServiceCallout.request"
  ],
  "xPathsRequest": [
    "//password"
  ],
  "xPathsResponse": [
    "//password"
  ]
}

This ServiceCallout request body:

{"password":"test"}

Is blanked completely like this:

10868-screenshot-from-2021-03-16-10-09-50.png

Whereas, the main request body masking works as expected:

10869-screenshot-from-2021-03-16-10-12-36.png

This older question states that is not possible, however I’m wondering if this is still the case? We’re running Apigee 4.19.06 on premise.

https://community.apigee.com/questions/8933/how-to-data-mask-servicecalloutrequest-elements.html

Any help would be appreciated.

Thanks!

2

after adding ServiceCallout.request to the list of variables, it masks everything and not just the elements matched by the JSON path like in the main request body.

I think your mask configuration uses “ServiceCallout.request” as one of the masked variables. That tells the datamasking system to mask… the variable… named “ServiceCallout.request”. So it masks that variable, which includes everything within the request: headers, payload, etc. Everything. The jSONPathsRequest thing does not apply to that variable.

I believe you cannot apply a jsonpath to mask specific subsets of a servicecallout request. I think that the design of the datamasking system is limited: with things like jSONPathsRequest and xPathsResponse, you can configure jsonpath and xpath to apply to the “request” and “response” message variables, but it is not possible to provide jsonpath or xpath to apply masking to arbitrary variables.

1 Like
3

Thanks for your answer. That makes sense, I was hoping that ServiceCallout.request would be processed differently by the data masker in this case. Oh well, never mind.