API Governance with MuleSoft Anypoint Platform (Part 3/4)
In the first post of this four-part series, we provided an overview of what API governance is in MuleSoft. In the second post, we discussed the API governance workflow and how to apply rulesets to APIs (via API governance profiles). We also reviewed the conformance dashboards and where in Exchange to see whether an API is conformant when a profile is applied to it. This third post focuses on how to create and share custom rulesets for API governance in Anypoint Platform.
How do we create and share custom API Governance Rulesets?
Step 1
Navigate to an existing ruleset in Exchange as shown below (the HTTPS Enforcement ruleset in this example). You can then download the ruleset and modify it.

Step 2
The HTTPS Enforcement ruleset that you downloaded is shown below.
#%Validation Profile 1.0
profile: HTTPS enforcement
description: |
  This ruleset helps ensure the use of HTTPS across URLs in API definitions, both in the base server URL and in any callbacks optionally defined.
tags:
  - security
violation:
  - use-https-for-urls
  - use-https-for-callbacks
  - use-https-for-scheme-protocol
validations:
  use-https-for-urls:
    message: Always use https for URLs
    targetClass: apiContract.Server
    propertyConstraints:
      core.urlTemplate:
        pattern: "^https://"
  use-https-for-callbacks:
    message: Always use https for call backs
    targetClass: apiContract.Callback
    propertyConstraints:
      apiContract.expression:
        pattern: "^https://"
  use-https-for-scheme-protocol:
    message: Only use https protocol scheme
    targetClass: apiContract.WebAPI
    not:
      propertyConstraints:
        apiContract.scheme:
          containsSome:
            - HTTP
Step 3
For simplicity in this example, we will only change the profile name and description of the HTTPS Enforcement ruleset. The modified ruleset is shown below.
#%Validation Profile 1.0
profile: API People HTTPS enforcement
description: |
  This ruleset helps ensure the use of HTTPS across URLs in API People's API definitions, both in the base server URL and in any callbacks optionally defined.
tags:
  - security
violation:
  - use-https-for-urls
  - use-https-for-callbacks
  - use-https-for-scheme-protocol
validations:
  use-https-for-urls:
    message: Always use https for URLs
    targetClass: apiContract.Server
    propertyConstraints:
      core.urlTemplate:
        pattern: "^https://"
  use-https-for-callbacks:
    message: Always use https for callbacks
    targetClass: apiContract.Callback
    propertyConstraints:
      apiContract.expression:
        pattern: "^https://"
  use-https-for-scheme-protocol:
    message: Only use https protocol scheme
    targetClass: apiContract.WebAPI
    not:
      propertyConstraints:
        apiContract.scheme:
          containsSome:
            - HTTP
            - http
Step 4
We can then upload and publish a new asset as a custom ruleset into Anypoint Exchange as shown below. This ruleset can now be used in a governance profile.

Step 5
Once we publish this custom ruleset, the new ruleset can be seen in Anypoint Exchange…


…and when defining a governance profile.
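To preview locally what the three validations in the ruleset above would flag, the sketch below applies the same tests to an OpenAPI-style dictionary. It is an added example, not MuleSoft's or the author's code, and it does not run the platform's validator; the mapping of servers[].url, callback expression keys and schemes onto core.urlTemplate, apiContract.expression and apiContract.scheme, the name check_https and the sample document are assumptions.

```python
import re

HTTPS = re.compile(r"^https://")    # same pattern as both URL rules (case-sensitive)
BANNED_SCHEMES = {"HTTP", "http"}   # the containsSome list under `not`


def check_https(spec):
    """Return sorted (rule, location) findings for an OpenAPI-style dict.

    Assumed mapping: servers[].url -> core.urlTemplate, callback expression
    keys -> apiContract.expression, top-level schemes -> apiContract.scheme.
    """
    findings = []
    for i, server in enumerate(spec.get("servers", [])):
        url = server.get("url")
        if url is not None and not HTTPS.search(url):
            findings.append(("use-https-for-urls", f"servers[{i}]"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):
                continue
            for name, callback in op.get("callbacks", {}).items():
                for expression in callback:
                    if not HTTPS.search(expression):
                        where = f"{method.upper()} {path} callback {name}"
                        findings.append(("use-https-for-callbacks", where))
    # not/containsSome: violated when any listed scheme is present
    if BANNED_SCHEMES & set(spec.get("schemes", [])):
        findings.append(("use-https-for-scheme-protocol", "schemes"))
    return sorted(findings)


# Constructed sample; it mixes OAS 2.0 `schemes` with OAS 3 `servers` and
# `callbacks` only to exercise all three rules in one document.
SAMPLE = {
    "servers": [{"url": "https://api.example.com/v1"},
                {"url": "http://legacy.example.com"}],
    "schemes": ["https", "HTTP"],
    "paths": {"/orders": {"post": {"callbacks": {
        "onShipped": {"https://hooks.example.com/shipped": {}},
        "onPaid": {"{$request.body#/callbackUrl}": {}},
    }}}},
}

if __name__ == "__main__":
    for rule, where in check_https(SAMPLE):
        print(f"{rule}: {where}")
```

In this sketch the onPaid callback is flagged because its key is a runtime expression rather than a literal https:// URL, and a scheme spelled Http would not be caught by the HTTP/http list.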
Summary
We have seen how easy it is to create (in this example, we used an existing ruleset), upload, and apply a custom ruleset. The fourth part of this series provides more advanced details on how to create, test, build, and deploy custom API governance rulesets with the ruleset-development-cli tool.
