Saturday, August 25, 2018

Docusign GO Live



Docusign go-live process is very confusing. Here are the steps below to make review pass using the JAVA SDK API calls.
Create a maven project with the following dependency.

import java.awt.Desktop;
import java.net.URI;
import java.util.List;

import org.apache.oltu.oauth2.common.token.BasicOAuthToken;

import com.docusign.esign.api.AuthenticationApi;
import com.docusign.esign.api.EnvelopesApi;
import com.docusign.esign.client.ApiClient;
import com.docusign.esign.client.Configuration;
import com.docusign.esign.client.auth.AccessTokenListener;
import com.docusign.esign.model.Envelope;
import com.docusign.esign.model.EnvelopesInformation;
import com.docusign.esign.model.LoginInformation;

public class DocusignTest {

    private static final String CODE = "";
    private static final String TOKEN = "";

    public static void main(String[] args) throws Exception {

        boolean getCode = false;
        boolean update = false;

        String integratorKey = "your integrator key which you want to promote ";
        String clientSecret = "your secret key";

        String redirectURL = "your redirect url";
        String authServerUrl = "https://account-d.docusign.com";
        String restApiUrl = "https://demo.docusign.net/restapi";

        ApiClient apiClient = new ApiClient(authServerUrl, "docusignAccessCode", integratorKey, clientSecret);
        apiClient.setBasePath(restApiUrl);
        apiClient.configureAuthorizationFlow(integratorKey, clientSecret, redirectURL);
        Configuration.setDefaultApiClient(apiClient);

        if (getCode) {
            String oauthLoginUrl = apiClient.getAuthorizationUri();
            Desktop.getDesktop().browse(URI.create(oauthLoginUrl));
        } else {

            apiClient.getTokenEndPoint().setCode(CODE);
            apiClient.registerAccessTokenListener(new AccessTokenListener() {
                @Override
                public void notify(BasicOAuthToken token) {
                    System.out.println("Got a fresh token: " + token.getAccessToken());
                }
            });

            if (update) {
                apiClient.updateAccessToken();
                System.out.println(apiClient.getAccessToken());
            } else {
                apiClient.setAccessToken(TOKEN, 28800l);
                String accountId = getBaseUri(apiClient);

                EnvelopesApi envelopesApi = new EnvelopesApi(apiClient);
                EnvelopesApi.ListStatusChangesOptions options = envelopesApi.new ListStatusChangesOptions();
                String date = "May 22, 2018";
                options.setFromDate(date);
                EnvelopesInformation envelopes = envelopesApi.listStatusChanges(accountId, options);

                List<Envelope> envelopes1 = envelopes.getEnvelopes();
                for (Envelope envelope : envelopes1) {
                    EnvelopesApi envelopesApi1 = new EnvelopesApi();
                    Envelope env = envelopesApi1.getEnvelope(accountId, envelope.getEnvelopeId());
                    System.out.println(env.getEnvelopeId());
                    Thread.sleep(2000);
                }
            }

        }

    }

    public static String getBaseUri(ApiClient apiClient) {
        try {
            AuthenticationApi authApi = new AuthenticationApi(apiClient);
            LoginInformation loginInfo = authApi.login();
            String accountId = loginInfo.getLoginAccounts().get(0).getAccountId();
            String baseUrl = loginInfo.getLoginAccounts().get(0).getBaseUrl();
            String[] accountDomain = baseUrl.split("/v2");
            apiClient.setBasePath(accountDomain[0]);
            Configuration.setDefaultApiClient(apiClient);
            return accountId;
        } catch (Exception ex) {
            System.out.println("Error: " + ex);
            return null;
        }
    }
}
Fill all the fields "redirectURL", "integratorKey" and "clientSecret".

First, run the program by setting getCode=true;

Now copy the code from your redirect URL in the browser and assign it to "CODE" constant field.

Now make getCode = false and make update=true;

Now run and you see the "token" in the console. Copy that and assign it to the TOKEN constant field.

Now run the Program again by making update=false. If you make 20+ successful transactions ( like getting the 20+ different envelopes), your review should pass.


Wednesday, August 15, 2018

Enabling HTTPS for your Angular-Spring Website




To enable HTTPS for your website you’ll need to get and configure the required SSL/TLS certificates on your server. Start with choosing a trusted certificate provider. There are many authorities who give certificate free for 90 days. "Let’s Encrypt" is most popular open Certificate Authority. "SSL for free" issues certificates using "Let’s Encrypt"


1. Go to SSL FOR FREE

2. Enter your website to secure ( IP address do not work, you have to enter a registered domain name )

3. Select Manual Verification ( DNS ) option



4. Manually verify Domain



5. Go into the DNS management page that your domain and add TXT records with given key and value.



6. Now download SSL certificate.



The downloaded archive will have a certificate, bundle, and key. Extract the zip file and copy certificate and key to your ubuntu server.

Now you have to install this certificate in client and server.

Client Installation.

For the angular client, you need to add the following options to ng serve command in the package.json

--port 443 --disableHostCheck true --ssl --ssl-cert /home/ubuntu/certificate.crt --ssl-key /home/ubuntu/private.key

Note that port is 443. You have to open the port 443 in your security Group/ Firewall.
"scripts": { "ng": "ng", "start": "ng serve --host 0.0.0.0", "build": "ng build --prod", "test": "ng test", "lint": "ng lint", "e2e": "ng e2e" }

Restart client.

Server Installation.

This tutorial assumes that your server is Java Spring Boot.
You need to generate a key store for the server.
openssl pkcs12 -export -in certificate.crt -inkey private.key -out keystore.p12 -name server

This above step will ask for a password. Please enter the password and remember it.

Go to application.properties file and add following key value pairs.
server.port: 8443 server.ssl.key-store: keystore.p12 server.ssl.key-store-password: <your_password> server.ssl.keyStoreType: PKCS12 server.ssl.keyAlias: server Now clean buid and restart the server.

For python Flask Server.

from flask import Flask app = Flask(__name__) @app.route("/") def hello(): return "Hello World!" if __name__ == "__main__": app.run(host='0.0.0.0',ssl_context=('/home/ubuntu/certificate.crt', '/home/ubuntu/private.key')) port is 5000 by default.

Now you can access your website using https://your-domain.com

Also, import the certificate to java trust store.

Import to trust store :
keytool -import -alias server -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -file /home/ubuntu/certificate.crt

To know your java home on ubuntu

readlink -f /usr/bin/java | sed "s:bin/java::"

$(readlink -f /usr/bin/java | sed "s:bin/java::")lib/security/cacerts

Wednesday, February 14, 2018

Container Orchestration using OpenShift.

Login/Signup OpenShift Online ( free ) https://www.openshift.com/



Download the command line OpenShift client from HERE.

Extract the archive and go the directory.
Add current directory to path
export PATH=$(pwd):$PATH

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc login
Authentication required for https://api.starter-us-west-1.openshift.com:443 (openshift)
Username: #your username#
Password: #your password#
Login successful
.

You can create a new project using the GUI or command line, let us create a project using commandline tool for the purpose of this tutorial.
Use a unique name for the project.





narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc new-project test-templates

Now using project "test-templates" on server "https://api.starter-us-west-1.openshift.com:443".
You can add applications to this project with the 'new-app' command. For example, try:
oc new-app centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git
to build a new example application in Ruby.

You can see that the project is created in the GUI.



Go inside project, you see that there are no applications deployed.



Now let us deploy a simple hello-world-web docker image on the cluster

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc new-app narayan1ap/hello-world-web

--> Found Docker image 5c64ec0 (39 minutes old) from Docker Hub for "narayan1ap/hello-world-web"
* An image stream will be created as "hello-world-web:latest" that will track this image
* This image will be deployed in deployment config "hello-world-web"
* Port 5000/tcp will be load balanced by service "hello-world-web"
* Other containers can access this service through the hostname "hello-world-web"

--> Creating resources ...
imagestream "hello-world-web" created
deploymentconfig "hello-world-web" created
service "hello-world-web" created
--> Success
Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
'oc expose svc/hello-world-web'
Run 'oc status' to view your app.

Note that the docker image should not run as a root user otherwise you will get a warning message like below.

[WARNING] Image "example" runs as the 'root' user which may not be permitted by your cluster administrator.

By default, all containers that we try and launch within OpenShift, are set blocked from “RunAsAny” which basically means that they are not allowed to use a root user within the container. This prevents root actions such as chown or chmod from being run and is a sensible security precaution as should a user be able to perform a local exploit to break out of the container, then they would not be running as root on the underlying container host.

Refer this article: How to enable docker image to run as non-root user.

After successful deploy, GUI looks like below. You can see that there is no route associated with the deploy.



Lets associate route.

narayan@ubuntu:~/Downloads/openshift-origin-client-tools-v3.9.0-alpha.3-78ddc10-linux-64bit$ oc expose svc/hello-world-web
route "hello-world-web" exposed



Now you can click on the route and access the APP.


Monday, February 12, 2018

Tectonic on AWS with Terraform - PART II

Deploying a simple application on AWS Tectonic Cluster

We have created Tectonic cluster and accessed it with kubectl command in Part I
Now we will try to deploy a simple application on this cluster.

Deployments: Run multiple copies of a container across multiple nodes
Services: Endpoint that load balances traffic to containers run by a deployment

Copy the following YAML into a file named simple-deployment.yaml. apiVersion: extensions/v1beta1 kind: Deployment metadata: name: simple-deployment namespace: default labels: k8s-app: simple spec: replicas: 3 template: metadata: labels: k8s-app: simple spec: containers: - name: nginx image: quay.io/coreos/example-app:v1.0 ports: - name: http containerPort: 80 The parameter replicas: 3, will create 3 running copies.
Image: quay.io/coreos/example-app:v1.0 defines the container image to run, hosted on Quay.io.

Then, copy the following YAML into a file named simple-service.yaml.

kind: Service apiVersion: v1 metadata: name: simple-service namespace: default spec: selector: k8s-app: simple ports: - protocol: TCP port: 80 type: LoadBalancer
$ kubectl create -f simple-deployment.yaml
$ kubectl get deployments
$ kubectl create -f simple-service.yaml
$ kubectl get services -o wide

Get the EXTERNAL-IP URL and access the Application. The application will be up in few minutes.








Tectonic (Enterprise Kubernetes) on AWS with Terraform - PART 1

Create a CoreOS account here : https://account.coreos.com/login
You can use your Gmail to sign in and get a free license for 10 nodes.



Create a t2 small ec2 ubuntu 64 bit machine and login

$sudo apt-get update

$sudo apt install gnupg2
$sudo apt install unzip
$sudo apt install awscli




$curl -O https://releases.tectonic.com/releases/tectonic_1.8.4-tectonic.3.zip
$curl -O https://releases.tectonic.com/releases/tectonic_1.8.4-tectonic.3.zip.sig
$gpg2 --keyserver pgp.mit.edu --recv-key 18AD5014C99EF7E3BA5F6CE950BDD3E0FC8A365E
$gpg2 --verify tectonic_1.8.4-tectonic.3.zip.sig tectonic_1.8.4-tectonic.3.zip

$unzip tectonic_1.8.4-tectonic.3.zip
$cd tectonic_1.8.4-tectonic.3

$export PATH=$(pwd)/tectonic-installer/linux:$PATH
$terraform init platforms/aws

$mkdir -p build/${CLUSTER}
$export CLUSTER=my-cluster
$cp examples/terraform.tfvars.aws build/${CLUSTER}/terraform.tfvars



vi build/${CLUSTER}/terraform.tfvars

Make sure you set these properties

tectonic_aws_region = "ap-south-1"
tectonic_base_domain = "yourdomain.com" // your base domain from Rout53
tectonic_license_path = "/home/ubuntu/license.txt"
tectonic_pull_secret_path = "/home/ubuntu/pullsecret.json"
tectonic_cluster_name = "test" // your cluster name



Note: Pull secret and license files are available in your core os account.

save changes wq!

$aws configure

AWS Access Key ID : Enter Access Key ID here
AWS Secret Access Key :Enter Secret Key here
Default region name: ap-south-1
Default output format: Leave Empty

$export TF_VAR_tectonic_admin_email="your google email used for CoreOS"
$export TF_VAR_tectonic_admin_password="your password"

$ terraform plan -var-file=build/${CLUSTER}/terraform.tfvars platforms/aws
$ terraform apply -var-file=build/${CLUSTER}/terraform.tfvars platforms/aws

After few minutes ( 5 to 10 ) , cluster will be up and you can access it here :
https://test.yourdomain.com

The username password is same as your CoreOS account.

Accessing Cluster with kubectl commandline :



Now download kubectl-config and kubectl files from your cluster.

$ chmod +x kubectl
$ mv kubectl /usr/local/bin/kubectl
$ mkdir -p ~/.kube/ # create the directory
$ cp path/to/file/kubectl-config-test $HOME/.kube/config # rename the file and copy it into the directory
$ export KUBECONFIG=$HOME/.kube/config

Try to get nodes and see if you can see the nodes.

$ kubectl get nodes

In next entry, we will see how to Deploy a simple Application with kubectl commandline


Monday, February 5, 2018

Static Code Analysis with Sonarqube docker image.

sudo apt-get update
sudo apt-get install default-jdk
sudo apt install docker.io
sudo usermod -aG docker $USER
logout

// login again

docker pull sonarqube
docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 sonarqube

Sonar server has been started on this machine. Now you can login in to http://ip_address:9000 with admin/admin

Analyse a project.

sudo apt-get install maven
cd your_project_pom_directory
mvn sonar:sonar -Dsonar.host.url=http://ip_address:9000 -Dsonar.login=your_sonar_token




Increasing ssh timeout

sudo vi /etc/ssh/sshd_config

Make sure it has following two properties at the end.

ClientAliveInterval 120
ClientAliveCountMax 720

Restart ssh daemon.

sudo service ssh restart

The first one configures the server to send null packets to clients every 120 seconds and the second one configures the server to close the connection if the client has been inactive for 720 intervals that are 720*120 = 86400 seconds = 24 hours

Tuesday, January 16, 2018

How to enable docker image to run as non-root user

The principle of least authority is an important concept in computer security, promoting minimal user profile privileges on computers, based on users' job necessities. It can also be applied to processes on the computer; each system component or process should have the least authority necessary to perform its duties. This helps reduce the "attack surface" of the computer by eliminating unnecessary privileges that can result in network exploits and computer compromises.

Containers of most of the images available in the docker hub, by default, run as the root user. This is bad because:
1) You're more likely to modify up settings that you shouldn't be
2) If an attacker gets access to your container, that's bad if they're root.

Most containerized processes are application services and therefore don’t require root access. The docker daemon currently requires root privileges but containers themselves do not. Well written, secure and reusable Docker images should not expect to be run as root and should provide a predictable and easy method to limit access. To ensure this, some of the container orchestration frameworks force the docker container to run as non-root like OpenShift.



Here's how you can change a Docker container to run as a non-root user

FROM <base image> RUN groupadd -g 1009 appg && \ useradd -r -u 1009 -g appg appuser USER appuser ... <rest of Dockerfile> ...