The security gateway can be used to establish policy control over the consumption of 3rd party software components. See https://safedep.io to get started with usage.
This README is for Gateway developers. Refer to https://safedep.io for usage instructions for various environments and use-cases.
Ensure git submodules are updated locally:

```sh
git submodule update --init --recursive
```
Initialize keys and certificates for mTLS:

```sh
./bootstrap.sh
```

This will generate the root certificate and per-service certificates in `pki/`.
The TLS SAN must be correctly set in the generated certificate for mTLS to work. Verify using:

```sh
openssl x509 -noout -text \
  -in ./pki/nats-server/server.crt | grep "DNS:nats-server"
```
Start the services using docker-compose:

```sh
docker-compose up -d
```

Verify all the services are active:

```sh
docker-compose ps
```

Use the gateway from a demo client:

```sh
cd demo-clients/java-gradle && ./gradlew assemble --refresh-dependencies
```
At this point you should see logs generated by the gateway and the policy decision service (PDP), and multiple artefacts that violate the configured policy are blocked by the gateway:

```sh
docker-compose logs envoy
docker-compose logs pdp
```
The gradle build should fail with an error message indicating a dependency was blocked by the gateway:

```text
> Could not resolve all files for configuration ':app:compileClasspath'.
   > Could not resolve org.apache.logging.log4j:log4j:2.16.0.
     Required by:
         project :app
      > Could not resolve org.apache.logging.log4j:log4j:2.16.0.
         > Could not get resource 'http://localhost:10000/maven2/org/apache/logging/log4j/log4j/2.16.0/log4j-2.16.0.pom'.
            > Could not GET 'http://localhost:10000/maven2/org/apache/logging/log4j/log4j/2.16.0/log4j-2.16.0.pom'. Received status code 403 from server: Forbidden
```
Refer to `policies/example.rego` for the policy that blocked this artefact.
Edit `config/gateway.json` and set `pdp.monitor_mode=true` to enable only monitoring and disable policy enforcement. Restart the containers for the changes to take effect:

```sh
docker-compose up --force-recreate --remove-orphans --build -d
```
Run the build again to see it compile successfully:

```sh
cd demo-clients/java-gradle && ./gradlew build --refresh-dependencies
```

If you are developing on any of the services and want to force re-create the containers with an updated image:

```sh
docker-compose up --force-recreate --remove-orphans --build -d
```
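The two behaviours shown above (the 403 on the log4j artefact and the pass-through in monitor mode) can be reproduced outside the gateway to reason about what the PDP decides per request. The following is an added illustration, not the project's own code and not the Rego in `policies/example.rego`: it parses the Maven2 repository path the gradle client requested and applies a constructed deny rule, with an assumed `monitor_mode` switch mirroring `pdp.monitor_mode`.

```python
import re
from dataclasses import dataclass

# Maven2 repository layout: /maven2/<group path>/<artifact>/<version>/<artifact>-<version>[-<classifier>].<ext>
# The backreferences enforce that the file name matches its artifact and version directories.
MAVEN2_PATH = re.compile(
    r"^/maven2/(?P<group>.+)/(?P<artifact>[^/]+)/(?P<version>[^/]+)/"
    r"(?P=artifact)-(?P=version)(?:-[^/]+)?\.(?P<ext>[a-z0-9.]+)$"
)

# Constructed deny rule: blocks the same artefact the page's example policy blocked.
# The real rule lives in policies/example.rego; its input schema is not reproduced here.
BLOCKED_VERSIONS = {("org.apache.logging.log4j", "log4j"): {"2.16.0"}}


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    ext: str


def parse_maven2_path(path: str):
    """Map a repository request path to Maven coordinates; None for non-artefact paths."""
    m = MAVEN2_PATH.match(path)
    if m is None:
        return None
    return Artifact(m["group"].replace("/", "."), m["artifact"], m["version"], m["ext"])


def evaluate(path: str, monitor_mode: bool = False):
    """Return (http_status, decision, log_line) for one upstream request.

    monitor_mode is an assumed stand-in for pdp.monitor_mode: violations are
    logged but the request is allowed through instead of receiving a 403.
    """
    art = parse_maven2_path(path)
    if art is None:
        # Index pages, maven-metadata.xml etc. carry no coordinates to decide on.
        return 200, "allow", f"pass-through path={path}"
    coord = f"{art.group}:{art.artifact}:{art.version}"
    violates = art.version in BLOCKED_VERSIONS.get((art.group, art.artifact), set())
    if not violates:
        return 200, "allow", f"allow {coord}"
    if monitor_mode:
        return 200, "monitor", f"violation (monitor_mode, not enforced) {coord}"
    return 403, "block", f"block {coord}"
```

Running `evaluate` over the `.pom` path from the gradle error yields the 403 in enforcement mode and a 200 with a "monitor" decision once `monitor_mode=True`.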
Look at GitHub issues.