This simple service is used by X-tee self-service portal to store user rights. You can use Docker to test service locally.
Python virtual environment is an easy way to manage application dependencies. You will need to install support for python venv:
sudo apt-get install python3-venvApplication uses PostgreSQL as a database and Nginx for securing connections with TLS. Install them with a command:
sudo apt-get install postgresql nginxsudo useradd xtss-rightsCreate an application directory /opt/xtss-rights:
sudo mkdir -p /opt/xtss-rights
sudo chown -R xtss-rights:xtss-rights /opt/xtss-rightsCopy application files rights.py, server.py to directory /opt/xtss-rights.
Create a directory for logs:
sudo mkdir -p /var/log/xtss-rights
sudo chown -R xtss-rights:xtss-rights /var/log/xtss-rightsInstall required python modules into venv using user xtss-rights:
sudo su - xtss-rights
cd /opt/xtss-rights
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txtCreate a configuration file /opt/xtss-rights/config.json using an example configuration file example-config.yaml.
Configuration parameters:
db_host- database address or comma separated list of addresses for client-side DB HA;db_port- database port;db_db- database name;db_user- database user name;db_pass- (optional) database user password;db_ssl_mode- (optional) determines if SSL connection will be used;db_ssl_root_cert- (optional) trusted root CA of database certificate;db_ssl_cert- (optional) client SSL certificate;db_ssl_key- (optional) client SSL key;db_connect_timeout- (optional) database connection timeout;allow_all- (optional) if "true" then disable certificate DN check, default value: "false";allowed- (optional) list of allowed certificate DN's;log_file- (optional) log to file instead of stdout iflog_fileis set andlogging_configis not provided;logging_config- (optional) python logging configuration, overrideslog_fileparameter.
Additional information about db configuration parameters: https://www.postgresql.org/docs/current/libpq-connect.html Additional information about python logging: https://docs.python.org/3/library/logging.config.html#logging.config.dictConfig
Create database:
sudo -u postgres createdb db_rightsCreate application user "rights_app" and make sure in can connect to DB
sudo -u postgres psql -c "CREATE ROLE rights_app WITH LOGIN" db_rights
sudo -u postgres psql -c "ALTER USER rights_app WITH PASSWORD '<PASSWORD>'" db_rights
sudo -u postgres psql -c "GRANT CONNECT ON DATABASE db_rights TO rights_app" db_rightsCreate liquibase configurations file liquibase/liquibase.properties using an example file liquibase/example_liquibase.properties.
Apply liquibase changes by running the following command in project folder (using liquibase docker image in this example):
docker run --rm -v $(pwd)/liquibase:/liquibase/changelog liquibase/liquibase --defaultsFile=/liquibase/changelog/liquibase.properties update
Add service description systemd/xtss-rights.service to /lib/systemd/system/xtss-rights.service.
Then start service and enable automatic startup:
sudo systemctl daemon-reload
sudo systemctl start xtss-rights
sudo systemctl enable xtss-rightsCopy nginx/xtss-rights.conf under /etc/nginx/sites-available/
Create a certificate for Nginx:
sudo mkdir -p /etc/nginx/xtss-rights
cd /etc/nginx/xtss-rights
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout rights.key -out rights.crtMake sure key is accessible to nginx:
sudo chmod 640 /etc/nginx/xtss-rights/rights.key
sudo chgrp www-data /etc/nginx/xtss-rights/rights.keyOn client side (XTSS app):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.crt Note that client DN should be added to the list of allowed DN's in the /opt/xtss-rights/config.json configuration file.
Copy client.crt to Rights service machine: /etc/nginx/xtss-rights/client.crt
Note that you can allow multiple clients (or nodes) by creating certificate bundle. That can be done by concatenating multiple client certificates into single client.crt file.
And restart Nginx:
sudo systemctl startCopy nginx rights.crt to client machine. Then issue command to add sample data:
curl --cert client.crt --key client.key --cacert rights.crt -i -XPOST -d '{"organization":{"code":"00000000","name":"Org 0"},"person":{"code":"12345678901","first_name":"Firstname","last_name":"Lastname"},"right":{"right_type":"RIGHT1"}}' https://<xtss-rights.hostname>:5443/set-right
And then to read sample data:
curl --cert client.crt --key client.key --cacert rights.crt -i -XPOST -d '{}' https://<xtss-rights.hostname>:5443/rights
API Status is available on /status endpoint. You can test that with curl:
curl -k https://<xtss-rights.hostname>:5443/status