Skip to content
This repository has been archived by the owner on Sep 11, 2019. It is now read-only.

Commit

Permalink
rm API_HOST, WHITELISTED_IPS, and assoc code
Browse files Browse the repository at this point in the history
  • Loading branch information
James Seppi committed Apr 13, 2018
1 parent 3d947ad commit ac4a69a
Show file tree
Hide file tree
Showing 15 changed files with 24 additions and 255 deletions.
29 changes: 0 additions & 29 deletions api/permissions.py
View file

This file was deleted.

64 changes: 0 additions & 64 deletions api/tests/test_permissions.py
View file

This file was deleted.

4 changes: 0 additions & 4 deletions data_explorer/templates/base.html
View file
Expand Up @@ -33,10 +33,6 @@
<link rel="stylesheet" href="{% static 'frontend/built/style/main.min.css' %}"/>

<![if gt IE 8]>
<script {{ csp_nonce }}>
var API_HOST = "{{ API_HOST }}";
</script>

<script src="{% static 'frontend/built/js/common.js' %}"></script>

<![endif]>
Expand Down
43 changes: 17 additions & 26 deletions docs/api.md
View file
Expand Up @@ -2,34 +2,25 @@

CALC's back end exposes a public API for its labor rates data. This API is used by CALC's front end Data Explorer application, and can also be accessed by any third-party application over the public internet.

# Local development vs. deployed instances

When developing CALC locally, the API is served from the relative URL prefix `/api/` (for example `http://localhost:8000/api/rates`).

In its deployed instances (development, staging, and production), CALC's public API is fronted by an [API Umbrella][] instance on [api.data.gov](https://api.data.gov) which proxies all API requests to CALC. This allows CALC to not have to concern itself with details like rate limiting. The production CALC API is available at `https://api.data.gov/gsa/calc/`.

In order to ensure that API requests work both in local development and in deployed instances, CALC's front end code should not simply make requests against the relative `/api/` URLs. Instead, a global JavaScript variable called `API_HOST` is available for use as a prefix to requests. When developing locally, it will be set to `/api/`, but on CALC's development, staging, and production deployments it will be an absolute URL.

[API Umbrella]: https://apiumbrella.io/

## API endpoints

The following documentation assumes you're trying to access the API from the production instance via a tool like `curl` at `https://api.data.gov/gsa/calc/`. In development, use `http://localhost:8000/api/` or rely on the `API_HOST` variable.
The following documentation assumes you're trying to access the API from the production instance via a tool like `curl` at `https://calc.gsa.gov/api/`.
In development, use `http://localhost:8000/api/`.

### `/rates/`

You can access labor rate information at `/rates/`.

```
https://api.data.gov/gsa/calc/rates/
https://calc.gsa.gov/api/rates/
```

#### Labor Categories

You can search for prices of specific labor categories by using the `q` parameter. For example:

```
https://api.data.gov/gsa/calc/rates/?q=accountant
https://calc.gsa.gov/api/rates/?q=accountant
```

You can change the way that labor categories are searched by using the `query_type` parameter, which can be either:
Expand All @@ -41,13 +32,13 @@ You can change the way that labor categories are searched by using the `query_ty
You can search for multiple labor categories separated by a comma.

```
https://api.data.gov/gsa/calc/rates/?q=trainer,instructor
https://calc.gsa.gov/api/rates/?q=trainer,instructor
```

If any of the labor categories you'd like included in your search has a comma, you can surround that labor category with quotation marks:

```
https://api.data.gov/gsa/calc/rates/?q="engineer, senior",instructor
https://calc.gsa.gov/api/rates/?q="engineer, senior",instructor
```

All of the query types are case-insensitive.
Expand All @@ -59,14 +50,14 @@ All of the query types are case-insensitive.
You can also filter by the minimum years of experience and maximum years of experience. For example:

```
https://api.data.gov/gsa/calc/rates/?&min_experience=5&max_experience=10&q=technical
https://calc.gsa.gov/api/rates/?&min_experience=5&max_experience=10&q=technical
```

Or, you can filter with a single, comma-separated range.
For example, if you wanted results with more than five years and less than ten years of experience:

```
https://api.data.gov/gsa/calc/rates/?experience_range=5,10
https://calc.gsa.gov/api/rates/?experience_range=5,10
```

##### Education
Expand All @@ -82,44 +73,44 @@ These filters accept one or more (comma-separated) education values:
* `PHD` (Ph.D).

```
https://api.data.gov/gsa/calc/rates/?education=AA,BA
https://calc.gsa.gov/api/rates/?education=AA,BA
```

Use `min_education` to get all results that meet and exceed the selected education.
The following example will return results that have an education level of `MA` or `PHD`:

```
https://api.data.gov/gsa/calc/rates/?min_education=MA
https://calc.gsa.gov/api/rates/?min_education=MA
```

The default pagination is set to 200. You can paginate using the `page` parameter:

```
https://api.data.gov/gsa/calc/rates/?q=translator&page=2
https://calc.gsa.gov/api/rates/?q=translator&page=2
```

#### Price Filters

You can filter by price with any of the `price` (exact match), `price__lte` (price is less than or equal to) or `price__gte` (price is greater than or equal to) parameters:

```
https://api.data.gov/gsa/calc/rates/?price=95
https://api.data.gov/gsa/calc/rates/?price__lte=95
https://api.data.gov/gsa/calc/rates/?price__gte=95
https://calc.gsa.gov/api/rates/?price=95
https://calc.gsa.gov/api/rates/?price__lte=95
https://calc.gsa.gov/api/rates/?price__gte=95
```

The `price__lte` and `price__gte` parameters may be used together to search for a price range:

```
https://api.data.gov/gsa/calc/rates/?price__gte=95&price__lte=105
https://calc.gsa.gov/api/rates/?price__gte=95&price__lte=105
```

#### Excluding Records

You can also exclude specific records from the results by passing in an `exclude` parameter and a comma-separated list of ids:

```
https://api.data.gov/gsa/calc/rates/?q=environmental+technician&exclude=875173,875749
https://calc.gsa.gov/api/rates/?q=environmental+technician&exclude=875173,875749
```

#### Other Filters
Expand All @@ -134,7 +125,7 @@ Other parameters allow you to filter by:
Here is an example with all four parameters (`schedule`, `sin`, `site`, and `business_size`) included:

```
https://api.data.gov/gsa/calc/rates/?schedule=mobis&sin=874&site=customer&business_size=s
https://calc.gsa.gov/api/rates/?schedule=mobis&sin=874&site=customer&business_size=s
```

For schedules, there are 8 different values that will return results (case-insensitive):
Expand Down
49 changes: 0 additions & 49 deletions docs/deploy.md
View file
Expand Up @@ -249,55 +249,6 @@ cd /home/vcap/app
source /home/vcap/app/.profile.d/python.sh
```

### Setting up the API

As mentioned in the [API documentation](api.md), CALC's public API
is actually proxied by api.data.gov.

In order to configure the proxying between api.data.gov and CALC,
you will need to obtain an administrative account on api.data.gov.
For more information on doing this, see the [api.data.gov User Manual][].

You'll then want to tell api.data.gov what host it will listen for, and
what host your API backend is listening on. For example:

<table border="1" class="docutils">
<tr>
<th>Frontend Host</th>
<th>Backend Host</th>
</tr>
<tr>
<td>api.data.gov</td>
<td>calc-prod.app.cloud.gov</td>
</tr>
</table>

You will also want to configure your API backend on
api.data.gov with one **Matching URL Prefixes** entry.
The **Backend Prefix** should always be `/api/`, while the
**Frontend Prefix** is up to you. Here's an example:

<table border="1" class="docutils">
<tr>
<th>Frontend Prefix</th>
<th>Backend Prefix</th>
</tr>
<tr>
<td>/gsa/calc/</td>
<td>/api/</td>
</tr>
</table>

Now you'll need to configure `API_HOST` on your CALC instance to be
the combination of your **Frontend Host** and **Frontend Prefix**.
For example, given the earlier examples listed above, your
`API_HOST` setting on CALC would be `https://api.data.gov/gsa/calc/`.

Finally, as mentioned in the [Securing your API backend][] section of the
user manual, you will likely need to configure `WHITELISTED_IPS` on
your CALC instance to ensure that clients can't bypass rate limiting by
directly contacting your CALC instance.

### Testing production deployments

Because reverse proxies like CloudFront can be misconfigured to prevent
Expand Down
11 changes: 0 additions & 11 deletions docs/environment.md
View file
Expand Up @@ -80,17 +80,6 @@ string), the boolean is true; otherwise, it's false.
If this is undefined and `DEBUG` is true, then a built-in Fake UAA Provider
will be used to "simulate" cloud.gov login.

* `WHITELISTED_IPS` is a comma-separated string of IP addresses that specifies
IPs that the REST API will accept requests from. Any IPs not in the list
attempting to access the API will receive a 403 Forbidden response.
Example: `127.0.0.1,192.168.1.1`.

* `API_HOST` is the relative or absolute URL used to access the
API hosted by CALC. It defaults to `/api/` but may need to be changed
if the API has a proxy in front of it, as it likely will be if deployed
on government infrastructure. For more information, see
the [API documentation](api.md).

* `SECURITY_HEADERS_ON_ERROR_ONLY` is a boolean value that indicates whether
security-related response headers (such as `X-XSS-Protection`)
should only be added on error (status code >= 400) responses. This setting
Expand Down
4 changes: 2 additions & 2 deletions frontend/source/js/data-explorer/api.js
View file
Expand Up @@ -3,8 +3,8 @@ import xhr from 'xhr';
import * as qs from 'querystring';

export default class API {
constructor(basePath = '') {
this.basePath = window.API_HOST || basePath;
constructor(basePath = '/api/') {
this.basePath = basePath;
if (this.basePath.charAt(this.basePath.length - 1) !== '/') {
this.basePath += '/';
}
Expand Down
4 changes: 1 addition & 3 deletions frontend/source/js/data-explorer/constants.js
View file
Expand Up @@ -125,6 +125,4 @@ export const QUERY_TYPE_LABELS = {

export const MAX_QUERY_LENGTH = 255;

export const API_HOST = window.API_HOST;

export const API_RATES_CSV = `${API_HOST}rates/csv/`;
export const API_RATES_CSV = '/rates/csv/';
6 changes: 0 additions & 6 deletions frontend/source/js/data-explorer/tests/api.test.js
View file
Expand Up @@ -18,12 +18,6 @@ describe('API constructor', () => {
const api2 = new API('/api2/');
expect(api2.basePath).toMatch('/api2/');
});

it('uses window.API_HOST if defined', () => {
window.API_HOST = 'whatever';
const api = new API();
expect(api.basePath).toMatch('whatever/');
});
});

describe('API get', () => {
Expand Down
3 changes: 0 additions & 3 deletions frontend/templates/tests.html
View file
Expand Up @@ -9,9 +9,6 @@
<script src="{% static 'frontend/js/vendor/aight.v2.min.js' %}"></script>
<![endif]-->
<link rel="stylesheet" href="{% static 'frontend/style/vendor/qunit-1.16.0.css' %}">
<script>
var API_HOST = "{{ API_HOST }}";
</script>
</head>
<body>
<div id="qunit"></div>
Expand Down
5 changes: 0 additions & 5 deletions hourglass/context_processors.py
View file
Expand Up @@ -9,11 +9,6 @@ def canonical_url(request):
return {'canonical_url': get_canonical_url(request)}


def api_host(request):
'''Include API_HOST in all request contexts'''
return {'API_HOST': settings.API_HOST}


def show_debug_ui(request):
'''Include show_debug_ui in all request contexts'''
return {'show_debug_ui': settings.DEBUG and not settings.HIDE_DEBUG_UI}
Expand Down

0 comments on commit ac4a69a

Please sign in to comment.