
Apigee - How to block access to paths that aren't explicitly defined as resources

I have an Apigee proxy for a backend API. If I define no resources for the API, my proxy simply acts as a pass-through. How can I block all paths by default EXCEPT for those that I explicitly allow by defining as resources?

For example, I have 20 domain objects and 4 CRUD methods on each. That's 80 potential resources. I only want to allow my developer to access, say, 10 of these resources. How can I easily block access to the other 70?

I guess what I'm asking is how to take a least-privilege approach to exposing my backend services to my developer?

You should be able to do this through the use of API resources. Information for this can be found at: http://apigee.com/docs/gateway-services/content/uri-based-configurations

Another approach is basically to control access using API Products, Developers and Developer Apps. Please follow this document to get a basic understanding: http://apigee.com/docs/gateway-services/content/overview-1 . Please let me know if you need any help.

Thanks, Archendra

Define an invalid-path flow to trap those requests and attach a raise-fault policy to it, with the following definition:

<Flows>
    <Flow name="Purchase Item Details">
        <Description/>
        <Request>
            <!-- Policies for this allowed resource go here. A <Step> must name a policy,
                 so no empty <Step/> is listed until one exists. -->
        </Request>
        <Response/>
        <Condition>(proxy.pathsuffix MatchesPath "/{purchase_id}") and (request.verb = "GET")</Condition>
    </Flow>
    <Flow name="Invalid Path"> <!-- THE MAGIC STARTS HERE -->
        <Description>Invalid Path</Description>
        <Request>
            <Step>
                <Name>raisefault-invalidpath</Name> <!-- RIGHT HERE -->
            </Step>
        </Request>
        <Response/>
        <!-- Keep this flow LAST: flows are evaluated in order and the first matching
             Condition wins. Do not restrict the verb here; with "request.verb = GET"
             a POST, PUT or DELETE to an unknown path would match neither flow and
             would pass straight through to the backend. -->
        <Condition>proxy.pathsuffix MatchesPath "/**"</Condition> <!-- *** RIGHT HERE *** -->
    </Flow>
</Flows>

The way it works is that it will try to match the resources listed above the "Invalid Path" flow; in the example above, it'll try to match /basepath/{purchase_id}, and then, if no resource is found, the second flow acts as a catch-all by raising the fault and returning a response to the client.

Without having to trouble yourself with products, you can create a conditional flow that listens on the root of your URI (typically this means there is no condition defined within the flow). That flow can have a single policy that raises a fault; typically you would set the response code of this fault to 404 and a message that says the resource they are looking for does not exist.
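The answers above reference a raise-fault policy but do not show it. The following is an added example, not code from the original posts: a RaiseFault policy named `raisefault-invalidpath` (the name used in the flow above) that terminates the request with a 404 and a fixed JSON body. The DisplayName, payload fields and message text are choices made here, not anything the posts specify; the body deliberately does not echo the requested path back to the client, so an unknown path cannot be reflected into the error response.

```xml
<!-- Policy file: apiproxy/policies/raisefault-invalidpath.xml (example, not from the original posts) -->
<RaiseFault async="false" continueOnError="false" enabled="true" name="raisefault-invalidpath">
    <DisplayName>Raise Fault - Invalid Path</DisplayName>
    <!-- Do not fail the policy itself if a referenced variable is unset; the static payload needs none. -->
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <FaultResponse>
        <Set>
            <Headers/>
            <!-- Fixed message: the requested path is intentionally not reflected back. -->
            <Payload contentType="application/json">{"error":"not_found","message":"The requested resource does not exist."}</Payload>
            <StatusCode>404</StatusCode>
            <ReasonPhrase>Not Found</ReasonPhrase>
        </Set>
    </FaultResponse>
</RaiseFault>
```

Attach this policy in the catch-all flow as the final flow of the ProxyEndpoint (the Request side is enough, since RaiseFault ends processing before the target is called). Because flows are evaluated in order and the first matching Condition wins, every explicitly allowed resource must appear before it, and the catch-all should not filter on request.verb or the unmatched verbs will still reach the backend.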
