Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/parlaynu/studio-api

Skeleton gRPC API server using mTLS for authentication and LDAP group membership for authorisation.

ansible aws golang grpc mariadb mtls-authentication openldap python terraform

Last synced: 7 days ago


README


# Studio 1767 - Skeleton API Server

This project provides a skeleton API server using gRPC and mTLS for authentication.

The certificate subject common name is expected to be an email address which can be used to
identify the user in the LDAP directory.

Group membership for the user is determined from the certificate's SAN URI field and from the
configured LDAP server.

Group membership is used for authorization of tasks. The implemented authorization is very simple
and for demonstration purposes only. It supports three groups with the following permissions:

- admins: create, read, update, delete
- operators: create, read, update
- users: read

A production authorization scheme would be more sophisticated and would also take
project-related group membership into account.
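The identity and authorization flow described above, as an added example in Go (not the project's own code): the email is read from the subject CN of the already-verified client certificate, groups are collected from SAN URIs and merged with whatever the LDAP lookup returns, and the three demo groups gate the four operations. The `group:<name>` URI form, the union of certificate and LDAP groups, and all the names here (`Identity`, `IdentityFromCert`, `AddLDAPGroups`, `Authorize`, `ConstructedCert`) are assumptions made for this example; the README does not document the project's SAN layout or its function names.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/url"
	"strings"
)

type Permission string

const (
	Create Permission = "create"
	Read   Permission = "read"
	Update Permission = "update"
	Delete Permission = "delete"
)

// The three demo groups and their permissions, exactly as the README lists them.
var groupPermissions = map[string][]Permission{
	"admins":    {Create, Read, Update, Delete},
	"operators": {Create, Read, Update},
	"users":     {Read},
}

// Identity is what the server derives from the verified client certificate and
// the LDAP lookup; the authorisation check sees nothing else.
type Identity struct {
	Email  string
	Groups map[string]bool
}

// IdentityFromCert takes the user's email from the subject CN and group names from
// SAN URIs. The "group:<name>" URI form is an assumption for this example. cert must
// be the leaf of a chain the TLS handshake already verified
// (tls.ConnectionState.VerifiedChains[0][0]), not an entry from PeerCertificates,
// which the server has not checked against its CA.
func IdentityFromCert(cert *x509.Certificate) (Identity, error) {
	cn := cert.Subject.CommonName
	if !strings.Contains(cn, "@") {
		return Identity{}, fmt.Errorf("subject CN %q is not an email address", cn)
	}
	id := Identity{Email: cn, Groups: map[string]bool{}}
	for _, u := range cert.URIs {
		if u.Scheme == "group" && u.Opaque != "" {
			id.Groups[u.Opaque] = true
		}
	}
	return id, nil
}

// AddLDAPGroups merges the groups the directory returns for id.Email. The LDAP
// query itself is out of scope here; the caller passes in its result.
func AddLDAPGroups(id Identity, ldapGroups []string) Identity {
	for _, g := range ldapGroups {
		id.Groups[g] = true
	}
	return id
}

// Authorize grants want if any of the user's groups carries it. A group the
// table does not know carries nothing, so the check fails closed.
func Authorize(id Identity, want Permission) bool {
	for g := range id.Groups {
		for _, p := range groupPermissions[g] {
			if p == want {
				return true
			}
		}
	}
	return false
}

// ConstructedCert builds a certificate value with only the fields this check reads,
// standing in for the parsed leaf the TLS layer would hand over (constructed input).
func ConstructedCert(cn string, groups []string) *x509.Certificate {
	c := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
	for _, g := range groups {
		c.URIs = append(c.URIs, &url.URL{Scheme: "group", Opaque: g})
	}
	return c
}

func main() {
	id, err := IdentityFromCert(ConstructedCert("alice@example.com", []string{"operators"}))
	if err != nil {
		panic(err)
	}
	id = AddLDAPGroups(id, []string{"users"})
	for _, p := range []Permission{Create, Read, Update, Delete} {
		fmt.Printf("%s %s: %v\n", id.Email, p, Authorize(id, p))
	}
}
```

In a gRPC server this logic would sit in a unary or stream interceptor that pulls the TLS state from the peer's `credentials.TLSInfo`; the important design point is that `Authorize` only ever sees groups that came from a verified certificate or from the directory, and that an unrecognised group name grants nothing.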

## Quickstart

The test/build-aws directory uses Terraform and Ansible to build the test environment in AWS
needed to run the server. It creates a MariaDB server and an OpenLDAP server in AWS, both secured
with TLS, and generates the configs needed to run the API server and client locally on your test machine.

All necessary certificates are created to secure the services and for users.

### AWS Infrastructure

Use terraform to create the VPC, subnets and servers:

```sh
cd test/build-aws
terraform init
terraform apply
```

Verify the servers are ready for configuring by logging into one of them:

```sh
ssh -F local/ssh.cfg db
```

Once that works and the server hostname is `s1767-db`, they are ready to be configured:

```sh
./local/ansible/run-ansible.sh
```

### API Server

Build the API server with the following:

```sh
cd cmd/server
go build
```

To run the server, use the configuration created when the AWS infrastructure was created:

```sh
./server ../../test/build-aws/local/configs/server.yaml
```

Once it is ready it prints out the address and port it is listening on.

### API Client

There is a very simple API test client in test/client. It exercises the basics of the API: creating
and retrieving projects.

Build the virtual environment and install packages:

```sh
cd test/client
python3 -m venv pyenv
source pyenv/bin/activate
pip install -r requirements.txt
```

Run the client:

```sh
./client.py ../build-aws/local/configs/client.yaml
```

You can verify that TLS is working by using the bad client configurations. There are three of these,
covering the combinations of the client trusting a different CA certificate from the one the server
uses and/or the client presenting a certificate issued by a different certificate authority. Each
should be rejected during the handshake.

```sh
./client.py ../build-aws/local/configs/bad-client-1.yaml
```
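What the bad-client configurations exercise, as an added Go example that is not part of the project: two independent roots are generated in memory, a client certificate is issued from each, and the chain check each side of an mTLS handshake performs is run directly so the failure cases (client certificate from the wrong CA, server certificate checked against the wrong CA bundle, client certificate offered as a server certificate) can be observed without a network. Go's `tls` package performs this same verification internally through `ClientCAs` on the server and `RootCAs` on the client. The helpers `issue`, `NewCA`, `NewLeaf` and `VerifyPeer` and the CA names are assumptions for this example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parentKey (or with the new key itself when parentKey is
// nil, producing a self-signed root) and returns the parsed certificate and key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed root. One stands in for the CA the build scripts
// use for the real services, another for the "different certificate authority"
// behind the bad-client configs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// NewLeaf issues an end-entity certificate from ca. Client certificates carry
// ClientAuth, the server's certificate carries ServerAuth.
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// VerifyPeer is the check each side of an mTLS handshake makes on the other's
// certificate: chain it to the trusted root and require the expected key usage.
// A nil result means the peer would be accepted.
func VerifyPeer(leaf, trustedRoot *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	good, goodKey, err := NewCA("studio-ca")
	if err != nil {
		panic(err)
	}
	other, otherKey, err := NewCA("other-ca")
	if err != nil {
		panic(err)
	}
	client, _ := NewLeaf(good, goodKey, "alice@example.com", x509.ExtKeyUsageClientAuth)
	rogue, _ := NewLeaf(other, otherKey, "alice@example.com", x509.ExtKeyUsageClientAuth)
	fmt.Println("client from studio-ca accepted:", VerifyPeer(client, good, x509.ExtKeyUsageClientAuth) == nil)
	fmt.Println("client from other-ca rejected:  ", VerifyPeer(rogue, good, x509.ExtKeyUsageClientAuth) != nil)
}
```

The rogue certificate carries the same CN as the legitimate one, which is the point: identity derived from the CN is only meaningful after the chain check has tied the certificate to the CA the server trusts, so the server must require and verify client certificates rather than merely request them.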

### Verifying

You can verify that entries are getting into the database by going directly to the DB server.

Log into the db server:

```sh
cd test/build-aws
ssh -F local/ssh.cfg db
```

Start the db cli:

```sh
sudo -s
cd /usr/local/admin/bin
./mariadb.sh
```

Read the contents of the projects table:

```sql
use s1767;
select * from project;
```

This should print out the projects that were created when running the client.py script.

## OpenSSL Commands

To decode a certificate:

```sh
openssl x509 -noout -text -in
```

## Reference

Most of the code here has been developed while following along with the book
"[Distributed Services in Go](https://www.booktopia.com.au/distributed-services-with-go-travis-jeffrey/book/9781680507607.html)"
by Travis Jeffrey.