EFPF API Security Gateway

API Security Gateway Admin Guide

Local Installation and Deployment

The API Security Gateway is packaged and deployed as a Docker container. To deploy it, download the docker-compose.yml file and run the following command in a terminal:

docker-compose up -d

Resource: docker-compose.yml
Source: https://gitlab.fit.fraunhofer.de/efpf-pilots/efpf-security-components/efpf_efs_srfg_components/-/blob/master/api-security-gateway/docker-compose.yml

Once docker-compose has started the container, open a browser and access the following URL:

https://localhost:9080/apisix/admin/routes

Current Deployment in EFPF-Security Portal

Currently, the dev instance of the API Security Gateway (APISIX) is deployed in the EFPF-Security-Portal. Registered routes can be found at the path below.

https://efpf-security-portal.salzburgresearch.at/apisix/admin/routes

Detailed Discussion on Implementation

The implementation details of the route persisting methodology are extensively discussed in the issue below.

https://gitlab.fit.fraunhofer.de/efpf-pilots/t31-architecture/-/issues/31

Sync Service Registry registered routes to Security Gateway

The ASG importer service runs as a cron job and scans the service registry. Based on the registered services, the ASG importer creates routes in the API Security Gateway. In addition to the routes, the ASG Importer can also configure security plugins.

  1. Token Introspection Plugin

This plugin verifies the access token against the Identity Server. The token is introspected either by calling the introspection endpoint of the Identity Server or by validating it with the Identity Server's public key.

  2. Proxy rewrite Plugin

The proxy rewrite plugin performs two duties.

Rewrite the prefix path: the API routes carry prefixes derived from the dataspine's service registry, so the proxy rewrite plugin rewrites the path when a request hits the gateway. In this manner, the request can be routed to the appropriate service.

HTTPS proxy: by default, APISIX forwards requests to the upstream over plain HTTP. If the upstream is hosted in an HTTPS environment, the proxy rewrite plugin switches the proxied request to an SSL/TLS connection.

  3. HTTP logger plugin

The HTTP logger will export the access logs of the API Security Gateway for further security analysis.

Accessing Service Registry via API Security Gateway

The ASG Importer creates two routes for the Service Registry: one for GET requests and one for the other HTTP methods. Both are accessed via the following URL:

https://efpf-security-portal.salzburgresearch.at/apis/sr/

In order to access the GET endpoint, the user must have the sr_view scope; for the other HTTP methods, the user must have the sr_admin scope.

In the current implementation, users with the efpf_basic role can view the service registry.

Users with the EFPF_admin role can perform the other admin operations (CRUD operations on the Service Registry).
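The following is an added illustration, not the project's ASG importer code: it reconstructs the two Service Registry routes described above (GET guarded by sr_view, other methods by sr_admin) with the three plugins from the previous section, and applies the scope rule and the prefix rewrite the way the gateway would. Plugin attribute names follow the APISIX openid-connect, proxy-rewrite and http-logger plugins; the hostnames, endpoints and client secret are placeholders.

```python
import re

WRITE_METHODS = ["POST", "PUT", "PATCH", "DELETE"]


def required_scope(method: str) -> str:
    """GET needs sr_view; every other HTTP method needs sr_admin."""
    return "sr_view" if method.upper() == "GET" else "sr_admin"


def is_authorized(method: str, granted_scopes: set) -> bool:
    """Policy decision applied after the token has been introspected."""
    return required_scope(method) in granted_scopes


def rewrite_uri(route: dict, request_uri: str) -> str:
    """Apply the route's proxy-rewrite regex_uri the way APISIX would."""
    pattern, repl = route["plugins"]["proxy-rewrite"]["regex_uri"]
    return re.sub(pattern, repl.replace("$1", r"\1"), request_uri)


def build_sr_routes(prefix="/apis/sr", upstream_host="sr.example.internal:443",
                    idp="https://idp.example/auth/realms/master",
                    log_collector="https://logs.example/apisix"):
    """Return the read and write route objects (placeholder hosts)."""
    routes = []
    for name, methods in (("sr-read", ["GET"]), ("sr-write", WRITE_METHODS)):
        routes.append({
            "name": name,
            "uri": f"{prefix}/*",
            "methods": methods,
            "plugins": {
                # token verification via the Identity Server's introspection endpoint
                "openid-connect": {
                    "client_id": "apisix", "client_secret": "<placeholder>",
                    "discovery": f"{idp}/.well-known/openid-configuration",
                    "introspection_endpoint": f"{idp}/protocol/openid-connect/token/introspect",
                    "bearer_only": True,
                },
                # strip the service-registry prefix and reach the upstream over HTTPS
                "proxy-rewrite": {"regex_uri": [f"^{prefix}/(.*)", "/$1"], "scheme": "https"},
                # export access logs to an external collector for security analysis
                "http-logger": {"uri": log_collector},
            },
            "upstream": {"type": "roundrobin", "nodes": {upstream_host: 1}},
        })
    return routes
```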

  1. View Service Registry

    • Get the token for the user

      curl --location --request POST \
        'https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=password' \
        --data-urlencode 'client_id=apisix' \
        --data-urlencode 'client_secret=secret' \
        --data-urlencode 'username=youreuser@gmail.com' \
        --data-urlencode 'password=pwd'

    • Access the service registry

      # replace <token> with the access_token returned by the request above
      curl --location --request GET 'https://efpf-security-portal.salzburgresearch.at/apis/sr/' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: bearer <token>'

  2. Create/Update/Delete route from Service Registry

    • Get the token for the user

      curl --location --request POST \
        'https://efpf-security-portal.salzburgresearch.at/auth/realms/master/protocol/openid-connect/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=password' \
        --data-urlencode 'client_id=apisix' \
        --data-urlencode 'client_secret=secret' \
        --data-urlencode 'username=youreuser@gmail.com' \
        --data-urlencode 'password=pwd'

    • Create a route in the service registry

      # replace <token> with the access_token returned by the request above
      curl --location --request POST \
        'https://efpf-security-portal.salzburgresearch.at/apis/sr/' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: bearer <token>' \
        --data-raw '{
          "description": "WASP Marketplace Services",
          "title": "WASP Services",
          "type": "efpf.service-registry",
          "apis": [
              {
                  "id": "marketplace-all",
                  "title": "Marketplace services",
                  "description": "Get'\''s all public marketplace services",
                  "protocol": "HTTPS",
                  "endpoint": "https://icemain2.hopto.org:8079/o/marketplace/GetAllServices",
                  "spec": {
                      "mediaType": "",
                      "url": "",
                      "schema": null
                  },
                  "meta": {}
              }
          ],
          "meta": {},
          "doc": "https://docs.linksmart.eu/display/SC",
          "ttl": 2147483647
      }'
