List of community-contributed Apigee Java callouts

There are 30+ built-in policies available in Apigee gateways. You can enforce rate limits, populate or extract from cache, verify tokens including JWT, compute or verify HMACs, and do lots of other things. But sometimes, that list of policies is not enough.

To address needs outside those met by the built-in policies, Apigee API producers can build callouts, using JavaScript, Java, or Python. Usually the JavaScript or Python options are pretty simple. Often the callouts created with Java are more elaborate.

In many cases, the callouts are available as open source. The list below collects the ones we know of. Inclusion on this list does not imply a statement of explicit support or warranty by Google for any of these Java callouts.

Name: Description
CSV Shredder: Parses a CSV, creates a Java map object from that data, and stores the map into a context variable. It also stores a JSON version of that data into a different context variable.
AWS V4 Signature: Generates a set of headers (Authorization, x-amz-date, and possibly others) on an existing Message in Apigee, suitable for use as an AWS v4 signature, or generates a "presigned URL" suitable for use with AWS.
AWS SNS Verifier: Verifies the signature on an AWS SNS message, when Apigee is the target (receiver).
JWE: Encrypts or decrypts a JWE, using RSA keys.
Google URL Signer: Generates a signed URL for Google Cloud Storage. Google Cloud Storage allows apps to create signed URLs with expiry, to allow third parties time-limited access to a resource, such as an object stored in Google Cloud Storage. This callout generates signed URLs that allow time-limited access to those resources.
Azure SAS token:

Produces a SAS token for Azure Event Hubs. It also includes a working sample proxy.

"SAS" refers to Shared Access Signature, which is Microsoft's convention for applying HMAC, in other words a keyed-hash message authentication code, to produce a cryptographic signature for authentication purposes.

HMAC is easy to compute in Apigee with the built-in features, like the HMAC policy and the hmac static function. But the structure of Microsoft's token is not a simple HMAC. Instead it is a series of parameters (sr, se, skn, sig) encoded according to the x-www-form-urlencoded standard.

While producing an HMAC is relatively straightforward in Apigee using just the built-in hmac capabilities and AssignMessage, assembling and encoding all of the pieces required by Microsoft for a SAS token can be tedious. This callout simplifies the effort.

WS-Security Signature: Creates or validates a signed SOAP document that complies with the WS-Security standard.
Multipart Form: Creates a multipart form payload from a single blob, or parses an inbound multipart form (multipart/form-data) payload.
Dynamic Delay: Delays for a designated or a random amount of time. This may help avert remote timing attacks or tarpit bot requests.
Base64 Encoder/Decoder: Decodes or encodes with Base64. This callout can treat the decoded data as a byte stream, not a string.
XML Cipher: Performs an XML encryption or decryption, according to https://www.w3.org/TR/xmlenc-core1/, via Apache XML Security for Java. This callout encrypts or decrypts one element within an XML document, and returns the resulting document.
XML Digital Signatures: Performs an XML Digital Signature signing or validation, via javax.xml.crypto.dsig.XMLSignature. When signing, this callout signs the entire document, and returns the resulting document. When validating, it verifies that the signature is valid.
AES Crypto: Performs AES Encryption and Decryption of data or message payloads.
SAML AuthnRequest: Creates a signed SAML AuthnRequest, for use in SP-initiated login, with HTTP-POST binding or HTTP Redirect binding. For signature algorithms, it supports rsa-sha1 and rsa-sha256.
XPath:

Performs an XPath extraction. This works similarly to ExtractVariables, except:

  • In this callout, the XPath itself can be specified in a variable, or in a string that contains references to variables.
  • In this callout, the source can be any XML string; it need not be a message object.
  • In this callout, the XML can be version 1.1; it need not be XML version 1.0.
WS-Security RSA Encryption: Encrypts or decrypts the Body of a SOAP message per the WS-Security standard, using an RSA Key and an x509v3 certificate.
WS-Security Username Token: Inserts a username token that complies with the WS-Security standard into a SOAP message.
RSA Cryptography: Performs RSA Encryption and Decryption of data or message payloads, or RSA signing of data or message payloads, or verification of such signatures. For encryption specifically, it can perform RSA encryption with PKCS1 padding, or RSA encryption with OAEP padding, using SHA-256 as the hash function and MGF1 as the mask generation function. For signing, this callout can use PKCS#1 v1.5 padding or PSS padding.
XSLT:

Performs an XSLT transformation. There's a built-in policy that does XSLT; this callout is different in that it is a bit more flexible, in these ways:

  • The person configuring the policy can specify the XSLT sheet in a context variable. This is nice because it means the XSLT can be dynamically determined at runtime.
  • Likewise, the input and output can be specified in a context variable.
  • It is possible to specify an XSLT source available at an HTTP endpoint.
  • It is possible to specify parameters for the XSLT that are retrieved at an HTTP endpoint.
  • It is possible to specify Saxon or Xalan as the XSLT engine.
  • You can use the data: URI scheme to instantiate a document in the XSL.
Edit XML Node: Adds a node to an XML document, replaces a node in a document, or removes a node from a document. You can do those jobs with XSLT, but sometimes XSLT is ... just not quite right.
XSD Validation:

Validates an XML document against an XSD. There's a built-in policy that does this; this callout is different in that it is a bit more flexible, in these ways:

  • The person configuring the policy can specify the XSD in a context variable. This is nice because it means the XSD can be dynamically determined or loaded at runtime.
  • It is possible to specify an XSD source available at an external HTTP endpoint.
  • You can use a schema that uses xs:include or xs:import of other schemas.
  • You can configure the policy to require a particular root element.
  • The error messages that get emitted are more verbose and informative. This helps people diagnose runtime problems, or provide feedback to API callers.
TOTP: Time-based One-Time Password generator and verifier, as described in IETF RFC 6238.
X509 Certificate Parser: Parses a certificate received from a client via mutual TLS.
ECDSA Signatures: ECDSA signature creation and verification of data or message payloads, using SHA256withECDSA. It can sign or verify with any EC curve supported by the JDK. This callout does not perform RSA signing, or ECDSA encryption. It does not sign with SHA1withECDSA.
Last update: 10-21-2021 04:03 PM