Configure an example service

Secure Example Service

Run example service

Execute the following command from the standalone folder to run the example service:

./example-service/bin/example-service.sh

You should get the following output:

INFO[0000] Starting credit card service with configuration {Port:8081 DBFilePath:./example-service/bin/db.json}

NOTE: The previous command won't return to a prompt; it keeps running in the foreground. The next steps should be executed in a separate terminal window.

The example service exposes several APIs; one of them is a simple alive check. To call the alive endpoint of the example service, use the following curl command:

curl -i http://localhost:8081/alive
HTTP/1.1 200 OK
Date: Thu, 28 Feb 2019 16:10:51 GMT
Content-Length: 0

Configuration

In this section, we will use MicroPerimeter™ Dashboard to protect example service

Get host address

Run the following command to get the host address where the example service is running (all MicroPerimeter™ services run in a separate Docker network, so they cannot reach the service via localhost):

./bin/find_host_ip.sh

On macOS you should get the following output:

host.docker.internal

host.docker.internal is a special DNS name that resolves to the internal IP address used by the host.

On Linux, host.docker.internal will not work; you should get an IP address instead of a DNS name:

172.17.0.1

Copy and save this output somewhere; it is used to replace all occurrences of PUT_YOUR_HOST_HERE in the next section.

Secure example service

In your browser go to MicroPerimeter™ Dashboard

http://localhost:8000/dashboard

Click Services in the menu on the left. To add a service, click + Add service and then select Regular.

(Screenshot: Standalone services)

Provide example-service as the Service account name and click the green arrow to confirm.

(Screenshot: Add service)

Select the example-service.default.cloudentity service that you have just added and then click Add instance.

Provide the following details:

SSL: off
Hostname/IP: PUT_YOUR_HOST_HERE
Port: 8081
Healthcheck URL: http://PUT_YOUR_HOST_HERE:8081/alive
Interval: 5 seconds

(Screenshot: Add instance)

Click the Save icon to save the changes.

Click the API & Protection tab in the top menu and then click Import Open API SPEC. Confirm Yes, Import! and then select the file located at example-service/swagger.yaml.

(Screenshot: Import specification)

Alternatively, you can add the endpoints manually using the + Add endpoint button:

Method: GET, Path pattern: /alive
Method: GET, Path pattern: /transactions/list
Method: PUT, Path pattern: /transactions/{id}/dispute
Method: PUT, Path pattern: /transactions/{id}/undispute

Either way, you should end up with the following configuration:

(Screenshot: Imported endpoints)

Now let's expose the example service on the MicroPerimeter™ Edge Gateway. Select Edge Gateway from the left menu and then click the API & Protection tab.

(Screenshot: Edge Gateway endpoints)

Find your service and add the path prefix /example.

(Screenshot: Service prefix)

By default all rules are marked as Unpublished: endpoints with this access level cannot be reached from outside through the gateway.

Let's run a simulation script that calls the transactions list endpoint through the gateway once per second:

while sleep 1; do echo "Call returned $(curl -s -i http://localhost:8000/example/transactions/list | grep HTTP)"; done

You should be getting the following output:

Call returned HTTP/1.1 404 Not Found
Call returned HTTP/1.1 404 Not Found
Call returned HTTP/1.1 404 Not Found

As you can see, the calls are rejected by the MicroPerimeter™ Edge Gateway and never reach the example service.

Let's change Public access for the transactions list endpoint to Anonymous (don't forget to click Save). Observe the simulation script output:

Call returned HTTP/1.1 404 Not Found
Call returned HTTP/1.1 404 Not Found
Call returned HTTP/1.1 200 OK
Call returned HTTP/1.1 200 OK
Call returned HTTP/1.1 200 OK

Now the MicroPerimeter™ Edge Gateway accepts the call and we see the successful response from the example service.

Finally, let's change the access level to Authenticated and see the result:

Call returned HTTP/1.1 200 OK
Call returned HTTP/1.1 200 OK
Call returned HTTP/1.1 401 Unauthorized
Call returned HTTP/1.1 401 Unauthorized
Call returned HTTP/1.1 401 Unauthorized

As you can see, the MicroPerimeter™ Edge Gateway now rejects the call with a 401 status code because the request carries no credentials.
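To verify the whole policy in one run instead of watching the loop per endpoint, here is an added Python script (not part of MicroPerimeter™ or the example service) that sends unauthenticated requests through the gateway for every endpoint of the tutorial and compares the status code with the one shown above for each access level. The per-endpoint access levels in ENDPOINTS and the sample id are assumptions; set them to match your dashboard configuration.

```python
"""Smoke-test the Edge Gateway protection policy for the example service.

Added example for this tutorial; not MicroPerimeter or example-service code.
"""
import urllib.error
import urllib.request

GATEWAY = "http://localhost:8000"   # Edge Gateway address from the tutorial
PREFIX = "/example"                 # path prefix configured for the service

# Endpoints from the tutorial with an ASSUMED access level per endpoint;
# adjust these to whatever you configured in the dashboard.
ENDPOINTS = [
    ("GET", "/alive", "anonymous"),
    ("GET", "/transactions/list", "authenticated"),
    ("PUT", "/transactions/{id}/dispute", "unpublished"),
    ("PUT", "/transactions/{id}/undispute", "unpublished"),
]

# Status code the gateway returned to an unauthenticated caller per access level
EXPECTED_STATUS = {"unpublished": 404, "anonymous": 200, "authenticated": 401}


def gateway_url(pattern, sample_id="1"):
    """Turn a dashboard path pattern into a gateway URL; {id} gets a sample value."""
    return GATEWAY + PREFIX + pattern.replace("{id}", sample_id)


def http_status(method, url):
    """Return the HTTP status for a request sent without any credentials."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx are answers too, not failures of the check


def check_policy(endpoints=ENDPOINTS, fetch=http_status):
    """Return (method, url, expected, observed) for every endpoint that deviates."""
    mismatches = []
    for method, pattern, access in endpoints:
        url = gateway_url(pattern)
        got = fetch(method, url)
        want = EXPECTED_STATUS[access]
        if got != want:
            mismatches.append((method, url, want, got))
    return mismatches


if __name__ == "__main__":
    for method, url, want, got in check_policy():
        print(f"{method} {url}: expected {want}, got {got}")
```

An empty result means every endpoint behaves as its access level requires; a mismatch such as an unpublished endpoint answering 200 points at a rule that was saved with the wrong access level.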