Cybercom API

The Cybercom API is based on an open-source project. The CU Boulder library modified the API to use federated SSO and security groups merged from local and Grouper groups.

Cybercommons

Containers

  1. API django application dockerfile

  2. Celery dockerfile

  3. Docker Hub: RabbitMQ - rabbitmq:3.6

  4. Docker Hub: Mongo - mongo:4.2.10

  5. Docker Hub: Memcache - memcached:latest

Configuration

Refer to cybercommons for system configuration documentation. That documentation assumes you are not working in Kubernetes.

Changes with Kubernetes:

  1. Secret(cybercom) contains all secrets

  2. Encrypted communication through self-signed certificates stored in Secret(cybercom)

  3. Within the container, certificates are mounted from the Secret and located in the /ssl directory.

  4. Certificates are valid:

    cat /ssl/server/mongodb.pem | openssl x509 -noout -enddate
    notAfter=Sep 10 19:12:02 2029 GMT
    
  5. Federated SSO certificates are stored in Secret(cybercom)

  6. SAML Service Provider

Catalog and Data Store

The Catalog and Data Store use MongoDB for the backend. The API leverages the pymongo query language, including aggregation and distinct queries.

Applications API SSO Authentication

  1. Authentication configuration within Nginx conf file

  2. LibBudget Example

    server {
        listen 80;
        server_name libapps.colorado.edu;
        resolver 10.43.0.10;
        index index.php index.html;
        # Every request is authorized by a subrequest to /user; a 401 from it is handled by @error401.
        auth_request /user;
    
        location / {
            root /usr/share/nginx/html/;
            autoindex on;
        }
    
        location = /user {
            internal;
            set $upstream_user https://libapps.colorado.edu/api/user/;
            proxy_pass $upstream_user?app=libbudget;
    
            proxy_read_timeout 3600;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header X-Original-METHOD $request_method;
        }
    
        error_page 401 = @error401;
        location @error401 {
            set_escape_uri $request_uri_encoded $request_uri;
            set $saml_sso https://libapps.colorado.edu/api/api-saml/sso/saml;
            return 302 $saml_sso?next=$request_uri_encoded;
        }
    
        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html/;
        }
    
        location ~\.php$ {
            root /usr/share/nginx/html/;
    
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            fastcgi_param HTTP_PROXY "";
    
            fastcgi_pass libbudget-php-service:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_read_timeout 300s;
            fastcgi_send_timeout 300s;
            fastcgi_connect_timeout 70s;
    
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
    

Possible Errors

  1. Certificate Expiration: The logs will show certificate expiration errors. The current certificates expire Sep 10 19:12:02 2029 GMT.

  2. Upgrading dependencies: API <===> RabbitMQ <===> Celery(kombu)

  3. Additionally, TLS arguments are changing on the Mongo URI from ssl to tls

  4. Mongo unable to connect to volume. The volume is assigned to a subnet. Spot instances occasionally do not have capacity in a specific subnet.

  5. Celery Queue build missing requirement
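
The ssl to tls change in item 3, as an added example (not code from the Cybercom project): it rewrites legacy PyMongo 3.x `ssl*` URI options to their `tls*` names and warns when the result turns certificate verification off, which matters with the self-signed certificates used here. It goes beyond the single `ssl` to `tls` rename the page mentions; the sample URI, host and file paths are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Legacy PyMongo 3.x URI option (lower-cased) -> its tls* replacement.
RENAMES = {
    "ssl": "tls",
    "ssl_ca_certs": "tlsCAFile",
    "ssl_certfile": "tlsCertificateKeyFile",
    "ssl_pem_passphrase": "tlsCertificateKeyFilePassword",
    "ssl_crlfile": "tlsCRLFile",
}
# Options that switch certificate or hostname verification off when true.
INSECURE = {"tlsallowinvalidcertificates", "tlsallowinvalidhostnames", "tlsinsecure"}

# Constructed sample URI; host, database and file paths are hypothetical.
SAMPLE_URI = ("mongodb://mongo:27017/catalog?ssl=true"
              "&ssl_ca_certs=/ssl/client/ca.pem&ssl_cert_reqs=CERT_NONE")


def migrate_mongo_uri(uri):
    """Return (new_uri, warnings) with legacy ssl* query options renamed to tls*."""
    parts = urlsplit(uri)
    options, warnings = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        low = key.lower()
        if low == "ssl_cert_reqs":
            if value.upper() != "CERT_NONE":
                continue  # verifying is already the tls* default
            key, value = "tlsAllowInvalidCertificates", "true"
        elif low == "ssl_match_hostname":
            if value.lower() != "false":
                continue  # hostname checking is already the default
            key, value = "tlsAllowInvalidHostnames", "true"
        elif low == "ssl_keyfile":
            warnings.append("ssl_keyfile has no tls* equivalent: put key and "
                            "certificate in one PEM for tlsCertificateKeyFile")
            continue
        else:
            key = RENAMES.get(low, key)
        if key.lower() in INSECURE and value.lower() == "true":
            warnings.append(f"{key}=true disables verification; trust the "
                            "self-signed CA through tlsCAFile instead")
        options.append((key, value))
    query = urlencode(options, safe="/")
    return urlunsplit(parts._replace(query=query)), warnings


if __name__ == "__main__":
    new_uri, notes = migrate_mongo_uri(SAMPLE_URI)
    print(new_uri, *notes, sep="\n")
```

Credentials and host lists in the URI are left untouched; only the query string is rewritten.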

Applications

Application

Auth

Django Apps

Celery

Mongo

LibBudget

Yes

emailCULibq

Print Purchase

Yes

emailCULibq,ppodq

Cloud Browser

Yes

cloud-browser-django-app

thumbnailq

Room Booking (tablet only)

Yes

Room Booking

Yes

Room Booking Admin

Yes

Room Booking

Yes

Survey

No

Yes

Counter

Yes

counter-django-app

counterq

ARK Server , info

Yes

ark-django-app

Yes

Static (NYTimes,thumbnails)

Yes

GeoLibrary Data Loader

Yes

geo-blacklightq

Yes

IR Scholar Export Report

Yes

ir-exportq

Email Service

Yes

emailCULibq

Thumbnail Creation

Yes

thumbnailq

Inactive Applications

  1. Information Survey

  2. Gate Count Celery Queue