Deny requests other than defined resources and request verbs

Google Cloud Apigee
1

Hi All,

I’m wondering if there is any solution to simply denying any request that doesnt adhere to the defined combination of the defined Resources and Request Verb.

Solutions I had in mind;

  1. Create a Routerule that triggers when one of the combinations are not found (please note that this will be difficult because the target endpoint is of type OData, so the proxy.pathsuffix becomes very long because the query is included. )
  2. Implement a threat protection policy that triggers when the pathsuffix doesnt start with the known resources.
  3. Only fill the endpoint url in case one of the resources were found in a Condition.

But I hope there is a better solution. Thanks in advance!

-Guy

2

Typically we recommend you have defined Flow definitions for each resource and verb supported in the default.xml. If that is the case, the last Flow step triggers a RaiseFault as in the example below:

<Flow name="Default">
    <Description>Catch any other access and throw a 404 Fault</Description>
    <Request>
        <Step>
            <Name>raiseUnknownResource</Name>
        </Step>
    </Request>
    <Response/>
</Flow>

The raiseUnknownResource is defined as follows:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RaiseFault async="false" continueOnError="false" enabled="true" name="raiseUnknownResource">
    <DisplayName>raiseUnknownResource</DisplayName>
    <FaultResponse>
        <Set>
            <StatusCode>404</StatusCode>
            <ReasonPhrase>Resource not found.</ReasonPhrase>
        </Set>
    </FaultResponse>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

Flows are evaluated top to bottom in a proxy or target definition. One and only one Flow is executed for each request.

3

I don’t think this will be difficult. Set wildcards to handle your OData bits, and use a catchall flow at the end of the proxy endpoint.. See below.

<ProxyEndpoint name="default">
    <Description/>
    <PreFlow name="PreFlow">
        <Request/>
        <Response/>
    </PreFlow>
    <Flows>
        <Flow name="Get item">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>ExtractId</Name>
                </Step>
            </Request>
            <Response/>
            <Condition>(proxy.pathsuffix MatchesPath "/{id}") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="Get sub-item">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>ExtractId</Name>
                </Step>
            </Request>
            <Response>
                <Step>
                    <FaultRules/>
                    <Name>jsonPath</Name>
                </Step>
            </Response>
            <Condition>(proxy.pathsuffix MatchesPath "/{id}/**") and (request.verb = "GET")</Condition>
        </Flow>
        <Flow name="unhandled request">
            <Description/>
            <Request>
                <Step>
                    <FaultRules/>
                    <Name>404</Name>
                </Step>
            </Request>
            <Response/>
        </Flow>
    </Flows>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
1 Like