Transparent Gateway
For organizations whose security policies prevent them from granting direct data access to Leapfin, the transparent gateway is available as an intermediary between Leapfin and any of your data sources.
The transparent gateway can be deployed and fully controlled by your IT team. It generates pseudo credentials to connect with Leapfin while mask the actual credentials used to request data from sources.
Authentication
The Leapfin Transparent Gateway is provided as a docker-container image, made available through an AWS ECR repository. We will grant your AWS Account access to this repository. Please provide Leapfin with your AWS Account Number and the Leapfin team will provide the URL for the gateway repository.
Using the repository
AWS ECS
If you're utilizing AWS ECS to deploy the gateway, you can use the repository URL provided by the Leapfin team in your task/container definition.
Docker Client
If you wish to pull the image via a docker client. Please follow the below steps:
Authenticate your docker client
https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth
Pull the container-image
docker pull <image-repo-url>
Launch the container
docker run -- env "LEAPFIN_GATEWAY_CONFIG=$(cat./sample_configs/example1.json )" transparent-gateway
The required environment variables and their meaning is explained in the section “Runtime Environment Variables” below.
The gateway works on HTTP on Port 8080
Logging
The gateway-container routes all logs to the Docker log collector i.e to docker’s STDOUT and STDERR. The container outputs two types of logs:
Access Logs on STDOUT
[leapfin-transparent-gateway] $remote_addr [$time_local] $request $status $body_bytes_sent $request_time
e.g.
[leapfin-transparent-gateway] 248.67.233.131 [11/May/2020:05:27:48] "GET /v1/charges HTTP/1.1" 200 82 0.230
Error logs on STDERR
nginx: [error] <error-str>
e.g.
nginx: [error] utils.lua:28: load_json_from_env(): The env variable LEAPFIN_GATEWAY_CONFIG is not exported
Runtime Environment Variables
The gateway-docker-container is configured at boot time via a JSON-based configuration, which is passed through an environment variable named LEAPFIN_GATEWAY_CONFIG. Docker will read from this JSON configuration and convert inbound credentials (provided in Leapfin) to outbound credentials and forward the request to the 3rd party service.
There are two ways to pass the JSON through LEAPFIN_GATEWAY_CONFIG:
- Assign the JSON string to LEAPFIN_GATEWAY_CONFIG
- Please note that JSON would need to be appropriately escaped (i.e. escape the quotes and remove whitespace ), before assigning it to the environment variable
- Assign the path of the JSON file to LEAPFIN_GATEWAY_CONFIG
- This could be useful if you prefer to mount a volume to the container
The JSON configuration itself can refer to other environment variables for api-keys, passwords e.g. $(STRIPE_SECRET_KEY) as illustrated in the below example configuration. You can name those environment variables as per your own needs.
JSON Configuration
The transparent-gateway configuration is defined as a collection of integrations with respective unique inbound and outbound credentials.
The inbound-credentials are used only to authenticate API requests from Leapfin, after which they are swapped with outbound-credentials and the request is forwarded to the actual target e.g Stripe in the above example. Thus outbound credentials are your actual credentials associated with the target and inbound ones are generated by yourself to be used by Leapfin.
Leapfin will require the incoming pseudo credentials that will help connect with the Transparent Gateway. In the example of Stripe, Leapfin will need the LEAPFIN_STRIPE_INTEGRATION_KEY as defined within the example configuration below. This will need to be provided within the Integrations page within Leapfin: https://app.leapfin.com/integrations.
Here is the skeleton of how the configuration will look like:
{
"version": "1.0",
"dashboard": {
"user": "$(STATS_DASHBOARD_USER)",
"password": "$(STATS_DASHBOARD_PASSWORD)"
},
"integrations": [
{
"type": "name_of_integration",
"inbound": {
"auth": {
"type": "one of [bearer, http, oauth2, basic]",
"credentials": {
*include relevant credentials*
}
}
},
"outbound": {
"target": {
"hostname": URL or dynamic URLs defined via rules
},
"methods": {
"allow": {
*include methods allowed for outbound requests*
}
},
"auth": {
"type": one of [bearer, http, oauth2, basic],
"credentials": {
*include relevant credentials*
}
}
}
}
]
}
Example Configuration
Below is an example configuration specifying an integration with a test Stripe Account.
{
"version":"1.1",
"dashboard":{
"user":"$(STATS_DASHBOARD_USER)",
"password":"$(STATS_DASHBOARD_PASSWORD)"
},
"integrations":[
{
"type":"stripe",
"name":"stripe",
"inbound":{
"auth":{
"type":"bearer",
"credentials":{
"key":"$(LEAPFIN_STRIPE_INTEGRATION_KEY)"
}
}
},
"outbound":{
"target":{
"hostname":"api.stripe.com"
},
"methods":{
"allow":[
"GET"
]
},
"auth":{
"type":"bearer",
"credentials":{
"key":"$(STRIPE_SECRET_KEY)"
}
}
}
}
]
}
Validating your Deployment
You can use the above example configuration to test your initial deployment.
In addition to passing the above configuration via the fixed environment variable LEAPFIN_GATEWAY_CONFIG, please also pass the custom environment variables used in the example above, namely:
- STATS_DASHBOARD_USER
- STATS_DASHBOARD_PASSWORD
- LEAPFIN_STRIPE_INTEGRATION_KEY
- STRIPE_SECRET_KEY
After deployment, please try:
-
Check access to the below URL via your web browser:
http://<container-ip>:8080/dashboard or if you have setup an ssl proxy in front of the gateway https://<ssl-proxy-ip>:<ssl-proxy-port>/dashboardEnter the configured username and password e.g. foo and foobar respectively from the example configuration.
-
Check access to the linked test Stripe Account using curl (or another tool e.g. Postman):
curl http://<contianer-ip>:8080/v1/charges -H “Authorization:Bearer foobar”
or if you have set up an SSL proxy in front of the gateway
curl http://<ssl-proxy-ip>:<ssl-proxy-port>/v1/charges -H “Authorization:Bearer foobar”This should return a JSON response of the following form:
{ “object” : “list”, “data” : [ { ... } ] }
Updated 7 months ago