REST API Configuration¶
REST API configuration options passed to the rest Docker service
found in the rest_config.pyfile.
Variable |
Type |
Set Value |
Description |
|---|---|---|---|
REST_LOG_LEVEL |
str |
os.environ.get(“REST_LOG_LEVEL”,str(logging.info)) |
REST API log-level pulled from the environment; set by the log.env file |
API_V1_STR |
str |
“/api/v1” |
REST API version 1 URL path |
DIGEST_COMPARE_TO_FILE |
bool |
True |
Toggle wether to compare keying material HMAC digest to the one previously written out to file by either watcher or previous request |
DIGEST_COMPARE |
bool |
True |
Toggle wether to compare keying material to HMAC digest either written to file or also within the Vault epoch file entry |
KEY_ID_MAX_LENGTH |
int |
128 # Number of characters |
Max length of key ID – usually associated with a UUID |
KEY_ID_MIN_LENGTH |
int |
16 # Number of characters |
Min length of a key ID – usually associated with a UUID |
KEY_SIZE |
int |
32 # Bits |
Default key size in bits to serve if a key requested |
KME_ID_MAX_LENGTH |
int |
32 # Number of characters |
Max length of KME ID string |
KME_ID_MIN_LENGTH |
int |
3 # Number of characters |
Min length of KME ID string |
MAX_EX_MANADATORY_COUNT |
int |
2 |
Max number of ‘exten sion_mandatory’ entries; see ETSI document |
MAX_EX_OPTIONAL_COUNT |
int |
2 |
Max number of ‘exte nsion_optional’ entries; see ETSI document |
MAX_KEY_COUNT |
int |
1048576 |
Max key count that can be stored in the back end Vault instance; currently arbitrarly set |
MAX_KEY_PER_REQUEST |
int |
100 |
Max number of keys per key request; currently arbitrarily set |
MAX_KEY_SIZE |
int |
65536 # Bits |
Max size in bits of one key; currently arbitrarily set |
MAX_SAE_ID_COUNT |
int |
0 |
Max number of additional SAEs to send keyig material to; NOTE: no key relay is currently built into guardian |
MIN_KEY_SIZE |
int |
8 # Bits |
Min key size in bits; this is specifically set with Base64 and bit/byte storage in mind |
SAE_ID_MAX_LENGTH |
int |
32 # Number of characters |
Max length of SAE ID |
SAE_ID_MIN_LENGTH |
int |
3 # Number of characters |
Min length of SAE ID |
STATUS_MIN_LENGTH |
int |
8 # Number of characters |
Currently limited to the sizes of ‘consumed’ and ‘available’ strings used in KeyIDLedgers |
STATUS_MAX_LENGTH |
int |
9 # Number of characters |
Currenlty limited to the sizes of ‘consumed’ and ‘available’ strings used in KeyIDLedgers |
VALID_HOSTNAME_REGEX |
str |
r“^(([a-zA-Z0-9]|[a-zA-Z0-9]…” |
A regular expression to limit a string to a hostname |
VALID_IP_ADDRESS_REGEX |
str |
r“^(([0-9]|[1-9][0-9]…” |
A regular expression to limit a string to an IP address |
VALID_SAE_REGEX |
str |
f“{VALID_HOSTNAME_REGEX}|{VALID_IP_ADDRESS_REGEX}” |
Full regular expression limitation used for SAE IDs |
VALID_KME_REGEX |
str |
f“{VALID_HOSTNAME_REGEX}|{VALID_IP_ADDRESS_REGEX}” |
Full regular expression limitation used for KME IDs |
VALID_STATUS_REGEX |
str |
r“^consumed$|^available$” |
Full regular expression limitation for KeyIDLedger statuses in the Vault back end |
MAX_NUM_RESERVE_ATTEMPTS |
int |
50 |
Max number of rconsecutive Vault back end epoch file reservation attempts before erroring with a 503/504 HTTP status code |
RESERVE_SLEEP_TIME |
float |
0.05 # seconds |
Time to wait in seconds between reservation attempts if a Vault back end epoch file is not currently available |
CLIENT_NAME |
str |
“rest” |
Name of the Docker service |
VAULT_CLIENT_CERT_FILEPATH |
str |
f“{GLOBAL.CERT_DIRPATH}/{GLOBAL.LOCAL_KME_ID}/{CLIENT_NAME}/{CLIENT_NAME}{GLOBAL.CA_CHAIN_SUFFIX}” |
In-container file path to the rest certificate chain file to use when connecting to the local Vault instance; must match docker-compose yaml file volume locations |
VAULT_CLIENT_KEY_FILEPATH |
str |
f“{GLOBAL.CERT_DIRPATH}/{GLOBAL.LOCAL_KME_ID}/{CLIENT_NAME}/{CLIENT_NAME}{GLOBAL.KEY_SUFFIX}” |
In-container file path to the rest private key file to use when connecting to the local Vault instance; must match docker-compose yaml file volume locations |
VAULT_SERVER_CERT_FILEPATH |
str |
f“{GLOBAL.CERT_DIRPATH}/{GLOBAL.LOCAL_KME_ID}/{GLOBAL.VAULT_NAME}/{GLOBAL.VAULT_NAME}{GLOBAL.CA_CHAIN_SUFFIX}” |
In-container file path to the Vault back end server certificate chain file to use in server vertification; must match docker-compose file volume locations |
REMOTE_KME_CERT_FILEPATH |
str |
f“{GLOBAL.CERT_DIRPATH}{/ GLOBAL.REMOTE_KME_ID}/{CLIENT_NAME}/{CLIENT_NAME}{GLOBAL.CA_CHAIN_SUFFIX}” |
In-container file path to the remote KME certificate chain file to use in client vertification; must match docker-compose file volume locations |
VAULT_TLS_AUTH_MOUNT_POINT |
str |
“cert” |
Vault back end instance certificate authentication mount point |
REMOTE_KME_URL |
str |
f“https://{GLOBAL.REMOTE_KME_ID}{API_V1_STR}/ledger/{GLOBAL.LOCAL_KME_ID}/key_ids” |
URL to the remote KME host |
REMOTE_KME_RESPONSE_TIMEOUT |
float |
10.0 # seconds |
Time in seconds to wait for remote KME host response before timeout occurs |
VAULT_MAX_CONN_ATTEMPTS |
int |
10 |
Max number of Vault back end connection attempts before failing |
BACKOFF_FACTOR |
float |
1.0 |
Back off factor used for connection attempts |
BACKOFF_MAX |
float |
8.0 # seconds |
Max backoff time when attempting connection in seconds |