topic Re: Python API: Add Compliance Standard to Policy in Prisma Cloud Discussions

Python API: Add Compliance Standard to Policy

JBox — Wed, 02 Sep 2020 17:16:02 GMT

Hi all,

I'm having trouble adding a Compliance Standard to an existing Policy via the API.

In essence my code looks like:

import requests

url = https://api2.redlock.io/policy/{policy_id}

header = {'Content-Type': 'application/json', 'x-redlock-auth': 'token'}

payload = {
    'name': 'policy_name',
    'policyType': 'policy_type',
    'severity': 'policy_severity',
    'complianceMetadata': [
        {
            'standardName': 'standard_name',
            'requirementId': 'requirement_ID',
            'sectionId': 'section_id'
        }
    ]
}

response = requests.request('PUT', url, json=payload, header=header)

However, everytime I send the request, I'm returned with a 500 Server Error (and, unfortunately, the API documentation is super unhelpful with this). I'm not sure if I'm sending the right information to add a compliance standard as the API documentation doesn't show what info needs to be sent. If I leave out required fields (name, policyType, and severity), I'm returned a 400 error (bad request, which makes sense). But I can't figure out why I keep getting the 500 Server Error.

Any ideas here would be much appreciated! Thanks!

Re: Python API: Add Compliance Standard to Policy

kchen — Thu, 13 Jun 2019 00:53:13 GMT

At first glance, you are likely missing some required fields that is necessary when PUT-ing a policy. What I would recommend is do a GET on the policy, use the returned payload as base, update the complianceMetadata field with what you want to include, then PUT the entire thing back into Prisma Public Cloud.

I agree that the error message is super unhelpful; you might get more information by checking the response header. The error message is included in there, and it might provide some hints.

Hope this helps.

Re: Python API: Add Compliance Standard to Policy

JBox — Fri, 17 May 2019 02:53:48 GMT

Thanks, @kchen.

The response header is this:

x-redlock-status →[{"i18nKey":"internal_error","severity":"error","subject":null}]

Your approach is something that I actually implemented as a workaround, but no bueno. The work around looks like this:

req_header = {'Content-Type':'application/json','x-redlock-auth':jwt_token}

# This is a small function to get a policy by ID
policy = get_redlock_policy_by_ID(req_header, 'policy_ID')

    new_std = {
        'standardName': 'standard_name',
        'standardDescription': '',
        'requirementId': 'req_ID',
        'requirementName': 'req_name',
        'sectionId': 'section_ID',
        'sectionDescription': '',
        'policyId': '',
        'complianceId': 'compliance_ID',
        'systemDefault': False,
        'customAssigned': True
        }

    standards = policy['complianceMetadata']

    for standard in standards:
        if not 'standard_name' in standard['standardName']:
            new_std['policyId'] = policy['policyId']
            policy['complianceMetadata'].append(new_std)

            try:
                response = requests.request('PUT', '{}/policy/{}'.format(REDLOCK_API_URL, policy['policyId']), json=policy, headers=req_header)

                if response.status_code == 200:
                    print('Successful push ---- YA BOI DID IT')
                else:
                    logging.error(' HTTPStatus: ' + str(response.status_code) + ' ' + response.reason)
                    sys.exit(1)
            except requests.exceptions.RequestException as e:
                logging.error(' Data Push -- Function: update_redlock_compliance_details: {}'.format(e))
                break

And it still returns:

>> ERROR:root: HTTPStatus: 500 Server Error

Re: Python API: Add Compliance Standard to Policy

ebeuerlein — Fri, 17 May 2019 15:46:37 GMT

The bare minimum needed in compliance metadata is:

"complianceMetadata":[ 
      { 
         "standardName":"Eddie",
         "requirementId":"1.1",
         "sectionId":"1.1.1",
         "customAssigned":true,
         "complianceId":"46e6887f-ba66-43f3-aaeb-9af56c1cc546",
         "requirementName":"Eddie req"
      }
   ],

You shouldn't need to include anything else in the metadata...

Re: Python API: Add Compliance Standard to Policy

kchen — Fri, 17 May 2019 17:54:26 GMT

@JBox I get error 500s if the format of my JSON is incorrect. Can you try to perform a GET then immediately PUT it back without modifying the payload? If that still gives a 500, it's likely because you need to json.dumps the payload before sending it back.

Another thing, the "complianceId" field is very confusing. That refers to the Compliance Section GUID. It is not easy to get this ID number. You will have to do a GET on the compliance standard, to find the requirements GUID, then you can GET the list of sections and section GUIDs. Example, my compliance standard ID is 052009c7-7640-436c-bcde-69846acf73e8, so I have to

GET https://api.redlock.io/compliance/052009c7-7640-436c-bcde-69846acf73e8/requirement

Then in the response, I can find the requirements ID, which I can do:

GET https://api.redlock.io/compliance/f2cf9fe2-1007-48b7-b5bb-1f24e8535953/section

Then within that response, I can find the "id" of the section that I want to use, which is the value for the "complianceId" field in the complianceMetadata object.

Re: Python API: Add Compliance Standard to Policy

JBox — Thu, 13 Jun 2019 00:52:17 GMT

Thanks, @kchen. and @ebeuerlein.

It ended up working for all but 2 policies with the work-around on GET-requesting the entire policy, appending the "complianceMetadata" array and PUT-requesting the whole policy back.

The issue now is the two that it didn't update for (Prisma Public Cloud default policies). The first one is a known bug that the internal engineering team are working on. However, the second that didn't work is returning another 500 error. It is an old policy that hasn't been converted to RQL yet. If 500 errors are usually bad JSON, is there a difference in a RQL Policy JSON vs Non-RQL Policy JSON? Pulling the data from the server and having a look at it, it doesn't seem so but I can't get this one to update via the API. Otherwise, I can't figure out why it would work on all RQL policies and not this one non-RQL policy.

Any further suggestions would be awesome!

Re: Python API: Add Compliance Standard to Policy

kchen — Mon, 20 May 2019 18:40:36 GMT

Got it to work. For these policies without RQL, you need to include this field within the "rule" field:

      "parameters":{
         "savedSearch":"false"
      },

One way to find out if you need the above is to check for the rule -> parameters -> savedSearch field after you GET the policy. I think all default policies with RQL will have "savedSearch" = "true", so if that field/value combo isn't in the returned JSON, you know you need to add "savedSearch": "false" to the payload before returning.

Re: Python API: Add Compliance Standard to Policy

JBox — Wed, 22 May 2019 04:29:01 GMT

Worked perfectly, thanks @kchen!