PCI Vault has a rule engine for transforming data on certain endpoints. This is very handy for sanitising input so that the data can be used later.
Each rule has a list of one or more operations that are applied in the order in which they are specified. Each operation must have an input field, an output field, and a name specifying which operation to apply. Some operations also have required or optional arguments to further control their behaviour.
One powerful feature is that the output of one operation can be used as the input to another, allowing operations to be chained. For example, use the template operation to generate a JSON string from your data, and then the hash operation to generate a SHA-256 checksum of that string.
| All Supported Operations |
|---|
| noop |
| stringify |
| substr |
| parse_float |
| parse_json |
| convert_to_int |
| replace |
| mask |
| format |
| template |
| hash |
| encode |
| nonce |
| encrypt |
| Operation | Description |
|---|---|
| noop | Does nothing, but can be used to copy a value from one field to another. |
| Operation | Description |
|---|---|
| stringify | Converts data of any type to a string. |
| Operation | Description |
|---|---|
| substr | Attempts to take a substring from a string. If taking the substring fails, the value is just copied. |

Optional Fields:

- start: The index at which to start the substring (default is 0).
- end: The index at which to end the substring (default is 0).

Both start and end are 0-indexed, but if the end index is 0, it is changed to the length of the input field. Negative indices are subtracted from the length of the input.

E.g. for the string "012345", if start is -2 and end is 0, the substring will be "45".
| Operation | Description |
|---|---|
| parse_float | Attempts to parse a float from a string. If the input value is not a string, or if parsing fails, the value is just copied. |
| Operation | Description |
|---|---|
| parse_json | Attempts to parse a JSON object from a string. If the input value is not a string, or if parsing fails, the value is just copied. The parsed output can be used as input to other operations such as template. |
| Operation | Description |
|---|---|
| convert_to_int | Attempts to convert any input to an integer. If the input value is a string, the integer is parsed using the specified base. If the input value is a float, the fractional part is discarded. If the input value is a boolean, true resolves to 1 and false to 0. If conversion fails, the value is just copied. |

Optional Fields:

- base: For strings, try to parse integers in the specified base (default is 10).

| Operation | Description |
|---|---|
| replace | Replaces all occurrences of the substr argument with new_str. Make new_str an empty string to remove all occurrences of substr. If the input is not a string, the value is just copied. |

Required Fields:

- substr: The substring to replace.
- new_str: The replacement string.

| Operation | Description |
|---|---|
| mask | Masks the substring specified by start and end. If unspecified, start and end default to 0 and the length of the input string, respectively. If the input is not a string, the value is just copied. |

Optional Fields:

- char: The character to use for masking (default is *).
- start: The index at which to start the masked substring (default is 0).
- end: The index at which to end the masked substring (default is 0).

Both start and end are 0-indexed, but if the end index is 0, it is changed to the length of the input field. Negative indices are subtracted from the length of the input.

E.g. for the string "012345", if start is -2 and end is 0, the masked output will be "0123**".
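The index rules shared by substr and mask are where implementations usually go wrong, so here is an added Python reimplementation of the documented semantics (example code, not PCI Vault's own): an end of 0 means the length of the input, negative indices are subtracted from the length, and a non-string input is copied unchanged. What exactly counts as the operation "failing" is not spelled out on the page; this code assumes a resolved range that is out of bounds or has start after end, and copies the input in that case. The card number is a constructed sample value.

```python
from typing import Any, Optional, Tuple


def _resolve_range(length: int, start: int, end: int) -> Optional[Tuple[int, int]]:
    """Apply the documented index rules for substr and mask.

    Indices are 0-based, an end of 0 means the end of the input, and
    negative indices are subtracted from the length.  Returns None when
    the resolved range is unusable (assumed to be what the docs call
    the operation failing).
    """
    if end == 0:
        end = length
    if start < 0:
        start += length
    if end < 0:
        end += length
    if start < 0 or end > length or start > end:
        return None
    return start, end


def substr(value: Any, start: int = 0, end: int = 0) -> Any:
    """Documented substr operation; copies the value on non-string input or failure."""
    if not isinstance(value, str):
        return value
    rng = _resolve_range(len(value), start, end)
    if rng is None:
        return value
    return value[rng[0]:rng[1]]


def mask(value: Any, char: str = "*", start: int = 0, end: int = 0) -> Any:
    """Documented mask operation: replace value[start:end] with `char`."""
    if not isinstance(value, str):
        return value
    rng = _resolve_range(len(value), start, end)
    if rng is None:
        return value
    s, e = rng
    return value[:s] + char * (e - s) + value[e:]


# Constructed sample: keep only the last four digits of a card number
# for display, and extract them separately for matching.
SAMPLE_PAN = "4111111111111111"


def masked_pan(pan: str = SAMPLE_PAN) -> str:
    # end=-4 resolves to len-4, so everything before the last four is masked
    return mask(pan, end=-4)


def last_four(pan: str = SAMPLE_PAN) -> str:
    # start=-4 resolves to len-4, end=0 resolves to len
    return substr(pan, start=-4)


if __name__ == "__main__":
    print(masked_pan(), last_four())
```

Note that an `end` of 0 cannot be used to request an empty range; the only way to mask or take nothing is a range that resolves to `start == end` with a non-zero end.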
| Operation | Description |
|---|---|
| format | Can be used to embed values from the JSON in an arbitrary string, and also to concatenate fields. |

The formatting rules applied are the same rules used by Golang's formatting library.

Required Fields:

- format_string: The template string to format. Use the %v directive to insert a value into the string.
- keys: The keys to insert into the format_string.

The format string can be any string. The "keys" argument must contain a list of strings, each string representing a key for the value to be formatted. If the operation fails, the return value will be the value of the input field; otherwise the input field is ignored.

E.g. for a format string "%v/%v" with values "2024" and "12", the output will be "2024/12".
| Operation | Description |
|---|---|
| template | Can be used to generate a string from the current values. By using a mustache template, the current state of the values can be interpolated into a string. The placement of the operation in the rule is important: the input values are used as they are at that moment, so any operations following it will not have executed at the time of interpolation. |

Required Fields:

- template: The mustache template.

The mustache template must have any quotes escaped. If the operation fails, the return value will be an empty string.

E.g. for a template of "{"name": "{{name}}","value": "{{value}}"}" with values { "name": "John", "value": 38 }, the resulting string will be {"name": "John","value": "38"}.
| Operation | Description |
|---|---|
| hash | Can be used to compute a cryptographic hash from a string value. The string value can be generated by the template operation. |

Required Fields:

- algorithm: The hashing algorithm to use.

Required Fields for HMAC algorithms:

- algorithm: The hashing algorithm to use.
- key: The key to use when computing the HMAC (Hash-based Message Authentication Code).

Optional Fields:

- hex_key: Default is false. Set to true if the key is made up of byte data which is not safe to post in a JSON object when encoded as UTF-8. The key parameter should then contain the hexadecimal string representing the raw bytes of the key, e.g. 1f874077e0ffc9a1c63a.
- base64_key: Default is false. Set to true if the key is made up of byte data encoded as base64. The key parameter should then contain the base64 string representing the raw bytes of the key, e.g. ZXhhbXBsZWtleQ==.

The algorithm needs to be one of the currently supported algorithms listed below. The key is only required for HMAC algorithms, where it is used to compute the Hash-based Message Authentication Code. If the operation fails, the return value will be the value of the input field.

E.g. for an input value of "some_value", algorithm of "hmac-sha-256" and key of "secret", the computed hash value will be "1f874077e0ffc9a1c63fd4ba52046f2a342a9327872c84572933307d3ea40c0c".

Supported Algorithms

- md5
- sha-1
- sha-256
- sha-384
- sha-512
- hmac-sha-1
- hmac-sha-256
- hmac-sha-384
- hmac-sha-512

| Operation | Description |
|---|---|
| encode | Can be used to encode bytes as a string. The most popular encoding scheme is base64. |

Required Fields:

- scheme: The encoding scheme to use. Currently supported schemes are base64 and base32.

Optional Fields:

- hex_input: Default is false. Set to true when the string input is a hexadecimal string like "1f874077e0ffc9a1c63fd4ba52046f2a342a9327872c84572933307d3ea40c0c". Set to false when the input is a UTF-8 encoded string.

If the operation fails, the return value will be an empty string.

E.g. for an input value of "some_value" and scheme of "base64", the encoded value will be "c29tZV92YWx1ZQ==".
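The hash and encode operations are usually chained, and the two flag families (hex_key/base64_key on hash, hex_input on encode) are easy to mix up, so here is an added Python model of both operations (example code, not PCI Vault's own). It decodes the key according to hex_key or base64_key, computes the digest or HMAC, and shows why an encode step fed by a hash output must set hex_input to true: the hash output is hex text, and without the flag you would base64-encode the hex characters rather than the digest bytes. The failure behaviours follow the page (hash copies its input, encode returns an empty string); treating hex_key and base64_key as mutually exclusive is an assumption. All input values are constructed.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Any, Optional

# Documented algorithm names mapped to hashlib digest names
DIGESTS = {
    "md5": "md5",
    "sha-1": "sha1",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}


def load_key(key: str, hex_key: bool = False, base64_key: bool = False) -> bytes:
    """Turn the JSON `key` parameter into raw key bytes as the flags describe.

    Without a flag the key is its UTF-8 encoding; with hex_key it is a hex
    string; with base64_key it is base64.  Raises ValueError on bad input.
    """
    if hex_key and base64_key:
        raise ValueError("hex_key and base64_key are mutually exclusive")  # assumption
    if hex_key:
        return bytes.fromhex(key)
    if base64_key:
        return base64.b64decode(key, validate=True)
    return key.encode("utf-8")


def op_hash(value: Any, algorithm: str, key: Optional[str] = None,
            hex_key: bool = False, base64_key: bool = False) -> Any:
    """Documented hash operation: hex digest, or the input value on failure."""
    if not isinstance(value, str):
        return value
    data = value.encode("utf-8")
    try:
        if algorithm.startswith("hmac-"):
            if key is None:
                return value  # HMAC without a key is a failure: copy input
            digest = DIGESTS[algorithm[len("hmac-"):]]
            return hmac.new(load_key(key, hex_key, base64_key), data, digest).hexdigest()
        return hashlib.new(DIGESTS[algorithm], data).hexdigest()
    except (KeyError, ValueError, binascii.Error):
        return value


def op_encode(value: Any, scheme: str, hex_input: bool = False) -> str:
    """Documented encode operation: base64/base32 text, or "" on failure."""
    if not isinstance(value, str):
        return ""
    try:
        raw = bytes.fromhex(value) if hex_input else value.encode("utf-8")
    except ValueError:
        return ""
    if scheme == "base64":
        return base64.b64encode(raw).decode("ascii")
    if scheme == "base32":
        return base64.b32encode(raw).decode("ascii")
    return ""


def hash_then_encode(value: str, algorithm: str, scheme: str = "base64",
                     **key_args: Any) -> str:
    """Chain the two operations the way a rule would: the hash output is a hex
    string, so the encode step needs hex_input=True to encode the digest bytes."""
    return op_encode(op_hash(value, algorithm, **key_args), scheme, hex_input=True)


if __name__ == "__main__":
    # Same HMAC key given three ways; all three must agree.
    print(op_hash("some_value", "hmac-sha-256", key="secret"))
    print(op_hash("some_value", "hmac-sha-256", key="736563726574", hex_key=True))
    print(op_hash("some_value", "hmac-sha-256", key="c2VjcmV0", base64_key=True))
    print(hash_then_encode("some_value", "sha-256"))
```

The three key spellings in the usage block are the same six bytes ("secret", its hex, and its base64), which is a quick way to confirm that the key flags are being interpreted as the documentation describes before relying on a computed HMAC elsewhere.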
| Operation | Description |
|---|---|
| nonce | Can be used to generate a nonce (cryptographic number used only once) of a specified length. |

Optional Fields:

- length: The number of bytes to generate (default is 12).

This operation generates a random string to be used as a nonce in an encryption operation. It only uses byte values which do not correspond to special characters, so no escaping is necessary when outputting the value to a template. Characters used are [0..9], [A..Z] and [a..z].
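The format, template and nonce operations above all depend on the rule's ordering and on the current state of the values, which is easiest to see in a small rule interpreter. This added Python example (not PCI Vault's own code) runs a constructed rule that generates a nonce, converts a hex string to an integer, renders a JSON payload with a mustache-style template whose quotes are escaped inside the rule JSON, parses that payload back, and formats two fields with %v. It assumes the rule JSON uses the keys `name`, `input`, `output` and `args` (the page names the fields but not their spelling), implements only the `{{key}}` variable tag of mustache with no escaping, approximates Go's `%v` with Python's `str()`, and treats a mismatch between %v directives and keys as the format operation failing.

```python
import json
import re
import secrets
import string
from typing import Any, Dict, List

# Alphabet the page documents for nonce: [0..9], [A..Z] and [a..z]
NONCE_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase

# Only the {{key}} variable tag of mustache is supported here (assumption)
_TAG = re.compile(r"\{\{\s*([^{}]+?)\s*\}\}")


def op_noop(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> Any:
    return value


def op_stringify(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> str:
    return value if isinstance(value, str) else json.dumps(value)


def op_parse_json(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> Any:
    if not isinstance(value, str):
        return value
    try:
        return json.loads(value)
    except ValueError:
        return value  # parsing failed: copy the input


def op_convert_to_int(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> Any:
    base = args.get("base", 10)
    if isinstance(value, bool):          # must precede the int check: bool is an int subclass
        return 1 if value else 0
    if isinstance(value, int):
        return value
    if isinstance(value, float):
        return int(value)                # fractional part discarded
    if isinstance(value, str):
        try:
            return int(value, base)
        except ValueError:
            return value
    return value


def op_format(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> Any:
    # Values are read from the current state, not from the input field
    parts = args["format_string"].split("%v")
    values = [state.get(k) for k in args["keys"]]
    if len(parts) - 1 != len(values):
        return value                     # failure: return the input field (assumption)
    return parts[0] + "".join(str(v) + rest for v, rest in zip(values, parts[1:]))


def op_template(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> str:
    template = args.get("template")
    if not isinstance(template, str):
        return ""                        # failure: empty string
    return _TAG.sub(lambda m: str(state.get(m.group(1), "")), template)


def op_nonce(value: Any, state: Dict[str, Any], args: Dict[str, Any]) -> str:
    length = args.get("length", 12)
    return "".join(secrets.choice(NONCE_ALPHABET) for _ in range(length))


OPS = {
    "noop": op_noop, "stringify": op_stringify, "parse_json": op_parse_json,
    "convert_to_int": op_convert_to_int, "format": op_format,
    "template": op_template, "nonce": op_nonce,
}


def apply_rule(data: Dict[str, Any], operations: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Run the operations in order; each one reads the state as it is at that moment."""
    state = dict(data)
    for op in operations:
        fn = OPS[op["name"]]
        state[op["output"]] = fn(state.get(op["input"]), state, op.get("args", {}))
    return state


# Constructed rule, as it would be posted as JSON: note the escaped quotes in the template.
RULE_JSON = r'''[
  {"name": "nonce", "input": "name", "output": "nonce", "args": {}},
  {"name": "convert_to_int", "input": "value", "output": "value_int", "args": {"base": 16}},
  {"name": "template", "input": "name", "output": "payload",
   "args": {"template": "{\"name\": \"{{name}}\",\"value\": \"{{value_int}}\",\"nonce\": \"{{nonce}}\"}"}},
  {"name": "parse_json", "input": "payload", "output": "payload_obj", "args": {}},
  {"name": "format", "input": "name", "output": "label",
   "args": {"format_string": "%v/%v", "keys": ["year", "month"]}}
]'''

SAMPLE = {"name": "John", "value": "26", "year": "2024", "month": "12"}  # constructed


def run_sample() -> Dict[str, Any]:
    return apply_rule(SAMPLE, json.loads(RULE_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Because the nonce operation comes first, the template can reference `{{nonce}}`; moving the nonce operation after the template would leave that tag empty, which is the ordering point the template description makes. The parse_json step succeeds only because the nonce alphabet contains no quote or backslash characters that would need escaping inside the JSON the template produces.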
| Operation | Description |
|---|---|
| encrypt | Can be used to encrypt a string value using a key. |

Required Fields:

- algorithm: The encryption algorithm to use.
- key: The key value to use.

Required Fields for AES algorithms:

- algorithm: The encryption algorithm to use.
- key: The key value to use.
- nonce_field: The field name of the previously computed nonce (see the nonce operation).

Optional Fields:

- hex_key: Default is false. Set to true if the key is made up of byte data which is not safe to post in a JSON object when encoded as UTF-8. The key parameter should then contain the hexadecimal string representing the raw bytes of the key, e.g. 1f874077e0ffc9a1c63a.
- base64_key: Default is false. Set to true if the key is made up of byte data encoded as base64. The key parameter should then contain the base64 string representing the raw bytes of the key, e.g. ZXhhbXBsZWtleQ==.

The algorithm needs to be one of the currently supported algorithms listed below. If the operation fails, the return value will be an empty string. The output of the operation is a hexadecimal string.

Supported Algorithms

| Algorithm | Description |
|---|---|
| aes-gcm-256 | AES 256 encryption with GCM |
| rsa | RSA encryption with the padding scheme from PKCS #1 v1.5 |
| 3des | 3DES encryption with CBC using PKCS #5 padding |