Market Access API

Market Access API provides an API into Market Access frontend clients.

Installation with Docker (preferred)

Market Access API uses Docker compose to setup and run all the necessary components. The docker-compose.yml file provided is meant to be used for running tests and development.

Prerequisites

1. Install docker & docker compose - https://docs.docker.com/install/

2. Add the following to your hosts file:

    # Market Access API
    127.0.0.1               api.market-access.local
   

3. Clone the repository:

   git clone https://github.com/uktrade/market-access-api
   cd market-access-api

4. Copy the env file - cp docker-compose.local-template.env docker-compose.env

5. Set values for the env file variables indicated <<CHECK_VAULT>>, set FAKE_METADATA to True

6. Set MOCK_SSO_EMAIL_USER_ID in docker-compose.yml to the email you will use as superuser in Install step 3

7. Update Makefile so django-run command uses port 0:8883

Install

1. Build the images and spin up the containers by running - docker-compose up --build
2. Set up git hooks by running - make git-hooks
3. Enter bash within the django container using docker-compose exec web bash
4. Initialise DB by running the migrations using ./manage.py migrate
5. Then create a superuser py3 manage.py createsuperuser --email your@email.here then exit the container
6. To start the dev server run - make django-run
7. The API is now accessible via http://api.market-access.local:8880

Running in detached mode

The installation steps above will require 2 terminal windows to be open to run the processes. If desired this can be reduced to 0 via the following commands:

1. Start the containers in detached mode - docker-compose up -d
2. Start django in detached mode - make django-run-detached
3. The API is now accessible via http://api.market-access.local:8880

Now even if you closed your terminal, the server would be still running.

Make commands

There's a set of make commands that you can utilize straight away.
To list all available commands with help text type make help in terminal and hit Enter.

---

Native installation (without Docker)

Dependencies:

• Python 3.8
• PostgreSQL 10
• redis 3.2

1. Clone the repository:

   git clone https://github.com/uktrade/market-access-api
   cd market-access-api

2. Install Python 3.8

   See this guide for detailed instructions for different platforms.

3. Create and activate the virtualenv:

   python3.8 -m venv env
   source env/bin/activate
   pip install -U pip

4. Install the dependencies:

   pip install -r requirements.txt

5. Create an .env settings file (it’s gitignored by default):

   cp config/sample.env .env

The user authentication is handled by the DIT SSO where a token is stored and used for introspection of user and other end points. You can run a mock-sso client to run the app near a produciton mode without the hastle of logging in. Configure your .env file accordingly.

There are some machine to machine APIs that are called on the backend and we use Hawk to secure those calls. You can share Hawk Key and ID with frontend to work in hawk mode. Alternatively, in dev mode, you can turn off Hawk using the .env settings.

6. Create the db. By default, the dev version uses postgres:

   psql -p5432
   create database market_access;

7. Make sure you have redis running locally and that the REDIS_BASE_URL in your .env is up-to-date.

8. Apply migrations:

   ./manage.py migrate

9. Create a superuser:

   ./manage.py createsuperuser

10. Start the server:

    ./manage.py runserver

11. Start celery:

    celery worker -A config -l info -Q celery,long-running -B

    Note that in production the long-running queue is run in a separate worker with the -O fair --prefetch-multiplier 1 arguments for better fairness when long-running tasks are running or pending execution.

To run the tests:

pytest .

To run the linter:

flake8

Granting access to the front end

The internal front end uses single sign-on. You should configure backend API as follows to use with the front end:

• SSO_ENABLED: True
• RESOURCE_SERVER_INTROSPECTION_URL: URL of the RFC 7662 introspection endpoint (should be the same server the front end is using). This is provided by a Staff SSO instance.
• RESOURCE_SERVER_AUTH_TOKEN: Access token for the introspection server.
• RESOURCE_SERVER_USER_INFO_URL: URL of SSO endpoint to retreive logged in user information based on token provided in the header
• RESOURCE_SERVER_USER_INTROSPECT_URL: URL of SSO endpoint to retrieve user information based on query param

django-oauth-toolkit will create a user corresponding to the token if one does not already exist.

Machine to machine Hawk authentication between frontend and backend

In general, Hawk authentication hashing the HTTP payload and Content-Type header, and using a nonce.

There are some machine to machine APIs that are called on the backend and we use Hawk to secure those calls. You can share Hawk Key and ID with frontend to work in hawk mode. Alternatively, in dev mode, you can turn off Hawk using the .env settings.

Deployment

Market Access API can run on any Heroku-style platform. Configuration is performed via the following environment variables:

Variable name	Required	Description
ALLOWED_ADMIN_IPS	No	IP addresses (comma-separated) that can access the admin site when RESTRICT_ADMIN is True.
AV_V2_SERVICE_URL	Yes	URL for ClamAV V2 service. If not configured, virus scanning will fail.
AWS_ACCESS_KEY_ID	No	Used as part of boto3 auto-configuration.
AWS_DEFAULT_REGION	No	Default region used by boto3.
AWS_SECRET_ACCESS_KEY	No	Used as part of boto3 auto-configuration.
CELERY_TASK_ALWAYS_EAGER	No	Can be set to True when running the app locally to run Celery tasks started from the web process synchronously. Not for use in production.
DATABASE_URL	Yes	PostgreSQL server URL (with embedded credentials).
DEBUG	Yes	Whether Django's debug mode should be enabled.
SECRET_KEY	Yes
SENTRY_DSN	Yes
DEFAULT_BUCKET	Yes	S3 bucket for object storage.
DH_METADATA_URL	Yes	Data Hub metadata URL for shared metadata.
HAWK_ENABLED	No	To enable Hawk communication to access the Hawk-authenticated endpoints.
HAWK_KEY	No	Key to be shared with other party when HAWK_ENABLED is True
HAWK_ID	No	ID to be shared with other party when HAWK_ENABLED is True.
REDIS_BASE_URL	Yes	redis base URL for Celery functioning
RESOURCE_SERVER_INTROSPECTION_URL	If SSO enabled	RFC 7662 token introspection URL used for signle sign-on
RESOURCE_SERVER_AUTH_TOKEN	If SSO enabled	Access token for RFC 7662 token introspection server
RESOURCE_SERVER_USER_INFO_URL	URL of SSO endpoint to retreive logged in user information based on token provided in the header
RESOURCE_SERVER_USER_INTROSPECT_URL	URL of SSO endpoint to retrieve user information based on query param
RESTRICT_ADMIN	No	Whether to restrict access to the admin site by IP address.
SSO_ENABLED	Yes	Whether single sign-on via RFC 7662 token introspection is enabled
VCAP_SERVICES	No	Set by GOV.UK PaaS when using their backing services. Contains connection details for Postgres, Redis etc.

Management commands

TBD