API Reference

python-rasenmaeher-api

python-rasenmaeher-api

Configuration

This application can be configured with environment variables. Below is a example list of available variables. You can find all available variables here https://github.com/pvarki/python-rasenmaeher-api/blob/main/src/rasenmaeher_api/settings.py.

Container Variables

ENV VAR

Default value

Info / Usage

RM_PORT

8000

Docker API listen port

RM_WORKERS_COUNT

2

Number of uvicorn workers

RM_RELOAD

False

Reload service on code change

RM_ENVIRONMENT

dev

Run dev / prod environment

RM_CFSSL_HOST

None

CFSSL host url

RM_CFSSL_PORT

None

CFSSL service port

RM_KEYCLOAK_SERVER_URL

None

Keycloak server url (http://1234:8080/auth)

RM_KEYCLOAK_CLIENT_ID

None

Keycloak client id

RM_KEYCLOAK_REALM_NAME

None

Keycloak realm name

RM_KEYCLOAK_CLIENT_SECRET

None

Keycloak secert

RM_LDAP_CONN_STRING

None

LDAP conn string

RM_LDAP_USERNAME

None

LDAP username

RM_LDAP_CLIENT_SECRET

None

LDAP connection secret

RM_SQLITE_FILEPATH_PROD

/opt/rasenmaher/persistent/sqlite/rm_db.sql

location for sqlite database file in “prod”

RM_SQLITE_FILEPATH_DEV

/tmp/rm_db.sql

location for sqlite database file in “dev”, local development

You can create .env file in the root directory and place all environment variables here.

All environment variables should start with RM_ prefix.

For example if you see in your “rasenmaeher_api/settings.py” a variable named like random_parameter, you should provide the “RM_RANDOM_PARAMETER” variable to configure the value. This behaviour can be changed by overriding env_prefix property in rasenmaeher_api.settings.Settings.Config.

An example of .env file: `bash RM_RELOAD="True" RM_PORT="8000" RM_ENVIRONMENT="dev" `

You can read more about BaseSettings class here: https://pydantic-docs.helpmanual.io/usage/settings/

Backend services manifest

Integration APIs are always https in port 4625. Default location for the manifest is /pvarki/kraftwerk-rasenmaeher-init.json

`json { "dns": "sleepy-sloth.pvarki.fi", "products": { "tak": "tak.sleepy-sloth.pvarki.fi", "ptt": "ptt.sleepy-sloth.pvarki.fi" } } `

Api endpoints and usage

API vimpain

State

Method

URI

Request JSON

Response JSON

Api description .

Dummy

GET

/api/v1/enroll/status/{work_id}

NA

{‘status’:’None/Processing/Denied/WaitingForAcceptance/ReadyForDelivery/Delivered’}

Check the situation of enrollment process, None = no enrollment started, this work_id is free to use.

Dummy

POST

/api/v1/enroll/init

{‘work_id’:’{work_id}’}

{‘work_id’:’{work_id}’, ‘id_hash’:{id_string} }

Start service access enrollment for given {work_id}

Dummy

GET

/api/v1/enroll/deliver/{id_string}

NA

{‘dl_link’:”{http://here.be/zip}”}

Deliver download link for enrollment zip

Dummy

POST

/api/v1/enroll/accept

{ ‘permit_string’:’{permit_string}, ‘id_hash’:’{id_hash}’ ‘}

{ ‘access’:’granted/denied/None’, ‘work_id’:’{work_id}’ }

Accept the enrollment request

Testing

POST

/api/v1/product/sign_csr

{ ‘TO’:’DO’}

{ ‘TO’:’DO’}

Accept the enrollment request

Testing

POST

/api/v1/enroll/accept

{ ‘permit_string’:’{permit_string}, ‘id_hash’:’{id_hash}’ ‘}

{ ‘access’:’granted/denied/None’, ‘work_id’:’{work_id}’ }

Accept the enrollment request

Example usage

# REQUEST A NEW CERTIFICATE USING CSR (requires cfssl backend for the api container)

`curl -L -H "Content-Type: application/json" -d '{"csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBUjCB+QIBADBqMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLZXhhbXBsZS5jb20x\nFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAgTCkNhbGlmb3JuaWExGDAW\nBgNVBAMTD3d3dy5leGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK/CtZaQ4VliKE+DLIVGLwtSxJgtUKRzGvN1EwI3HRgKDQ3l3urBIzHtUcdMq6HZ\nb8jX0O9fXYUOf4XWggrLk1agLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGC\nD3d3dy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAcvfhXnsLtzep2sKSa\n36W7G9PRbHh8zVGlw3Hph8jR1QIhAKfrgplKwXcUctU5grjQ8KXkJV8RxQUo5KKs\ngFnXYtkb\n-----END CERTIFICATE REQUEST-----\n"}' 127.0.0.1:8000/api/v1/takreg | jq`

# REQUEST A NEW CERTIFICATE WITHOUT CSR (requires cfssl backend for the api container)

`curl  -L -H "Content-Type: application/json" -d '{ "request": {"hosts":["harjoitus1.pvarki.fi"], "names":[{"C":"FI", "ST":"Jyvaskyla", "L":"KeskiSuomi", "O":"harjoitus1.pvarki.fi"}], "CN": "harjoitus1.pvarki.fi"}, "bundle":true, "profile":"client"}' 127.0.0.1:8000/takreg | jq`

# LIST CFSSL CRL LIST

`curl  -L -H "Content-Type: application/json" -d '{ "request": {"hosts":["harjoitus1.pvarki.fi"], "names":[{"C":"FI", "ST":"Jyvaskyla", "L":"KeskiSuomi", "O":"harjoitus1.pvarki.fi"}], "CN": "harjoitus1.pvarki.fi"}, "bundle":true, "profile":"client"}' 127.0.0.1:8000/takreg | jq`

The cfssl used behind API listents this kind of stuff https://github.com/cloudflare/cfssl/blob/master/doc/api/endpoint_newcert.txt

# Enrollment - Enroll a new work_id

`curl -H "Content-Type: application/json" -d '{"work_id":"porakoira666"}' http://127.0.0.1:8000/api/v1/enrollment/init`

# Enrollment - Check the status and availability of work_id

`curl http://127.0.0.1:8000/api/v1/enrollment/status/koira`

# Enrollment - Request the download link using the provided work_id_hash

`curl http://127.0.0.1:8000/api/v1/enrollment/deliver/zxzxzxzxzxzxzxxzzx`

# Enrollment - Accept enrollment using permit_str

`curl -H "Content-Type: application/json" -d '{"enroll_str":"zxzxzxzxzxzxzxxzzx", "permit_str":"PaulinTaikaKaulinOnKaunis_PaulisMagicPinIsBuuutiful!11!1"}' http://127.0.0.1:8000/api/v1/enrollment/accept`

# Enrollment - Set download link for enrollment

`curl -H "Content-Type: application/json" -d '{"download_link":"https://kuvaton.com","enroll_str":"zxzxzxzxzxzxzxxzzx", "permit_str":"PaulinTaikaKaulinOnKaunis_PaulisMagicPinIsBuuutiful!11!1"}' http://127.0.0.1:8000/api/v1/enrollment/config/set-dl-link`

# Enrollment - Set state for enrollment

`curl -H "Content-Type: application/json" -d '{"state":"ReadyForDelivery","enroll_str":"zxzxzxzxzxzxzxxzzx", "permit_str":"PaulinTaikaKaulinOnKaunis_PaulisMagicPinIsBuuutiful!11!1"}' http://127.0.0.1:8000/api/v1/enrollment/config/set-state`

# Enrollment - Add new permit_str

`curl -H "Content-Type: application/json" -d '{"permissions_str":"all", "new_permit_hash":"too_short","permit_str":"PaulinTaikaKaulinOnKaunis_PaulisMagicPinIsBuuutiful!11!1"}' http://127.0.0.1:8000/api/v1/enrollment/config/add-manager`

Docker

For more controlled deployments and to get rid of “works on my computer” -syndrome, we always make sure our software works under docker.

It’s also a quick way to get started with a standard development environment.

SSH agent forwarding

We need buildkit:

export DOCKER_BUILDKIT=1

And also the exact way for forwarding agent to running instance is different on OSX:

export DOCKER_SSHAGENT="-v /run/host-services/ssh-auth.sock:/run/host-services/ssh-auth.sock -e SSH_AUTH_SOCK=/run/host-services/ssh-auth.sock"

and Linux:

export DOCKER_SSHAGENT="-v $SSH_AUTH_SOCK:$SSH_AUTH_SOCK -e SSH_AUTH_SOCK"

Creating a development container

Build image, create container and start it:

docker build --ssh default --target devel_shell -t rasenmaeher_api:devel_shell .
docker create --name rasenmaeher_api_devel -v `pwd`":/app" -it `echo $DOCKER_SSHAGENT` rasenmaeher_api:devel_shell
docker start -i rasenmaeher_api_devel

pre-commit considerations

If working in Docker instead of native env you need to run the pre-commit checks in docker too:

docker exec -i rasenmaeher_api_devel /bin/bash -c "pre-commit install"
docker exec -i rasenmaeher_api_devel /bin/bash -c "pre-commit run --all-files"

You need to have the container running, see above. Or alternatively use the docker run syntax but using the running container is faster:

docker run --rm -it -v `pwd`":/app" rasenmaeher_api:devel_shell -c "pre-commit run --all-files"

Test suite

You can use the devel shell to run py.test when doing development, for CI use the “tox” target in the Dockerfile:

docker build --ssh default --target tox -t rasenmaeher_api:tox .
docker run --rm -it --network host -v /var/run/docker.sock:/var/run/docker.sock -v `pwd`":/app" `echo $DOCKER_SSHAGENT` rasenmaeher_api:tox

NOTE: This will not work from the git submodule directory in the integration repo, docker tests must be run from the original repo.

Production docker

There’s a “production” target as well for running the application, remember to change that architecture tag to arm64 if building on ARM:

docker build --ssh default --target production -t rasenmaeher_api:amd64-latest .
docker run --rm -it --name rasenmaeher_openapijson rasenmaeher_api:amd64-latest rasenmaeher_api openapi
docker run -it --name rasenmaeher_api rasenmaeher_api:amd64-latest

There is also a specific target for just dumping the openapi.json:

docker build --ssh default --target openapi -t rasenmaeher_api:amd64-openapi .
docker run --rm -it --name rasenmaeher_openapijson rasenmaeher_api:amd64-openapi

Development

TLDR:

  • Create and activate a Python 3.11 virtualenv (assuming virtualenvwrapper):

    mkvirtualenv -p `which python3.11` my_virtualenv

  • change to a branch:

    git checkout -b my_branch

  • install Poetry: https://python-poetry.org/docs/#installation

  • Install project deps and pre-commit hooks:

    poetry install
pre-commit install
pre-commit run --all-files

  • Ready to go.

Remember to activate your virtualenv whenever working on the repo, this is needed because pylint and mypy pre-commit hooks use the “system” python for now (because reasons).