Merge pull request #91 from camicroscope/develop

For 3.9.2
camicroscope · Apr 7, 2021 · 4bc8344 · 4bc8344
2 parents c223718 + 5adcfa6
commit 4bc8344
Show file tree

Hide file tree

Showing 8 changed files with 555 additions and 44 deletions.
diff --git a/.env.example b/.env.example
@@ -0,0 +1,46 @@
+#
+# REQUIRED fields
+#
+
+# jwks url for id provider
+JWK_URL=http://localhost:3000
+
+#
+# Optional Fields
+#
+
+# number of child processes
+WORKERS = 4
+
+# the port to use
+PORT = 4010
+
+# jwt audience to accept, (if unset, does not check)
+AUD = false
+
+# jwt issuer to accept, (if unset, does not check)
+ISS = true
+
+# expire in time for jwks
+EXPIRY = 1d
+
+# set truthy to disable permission and login handlers
+DISABLE_SEC = false
+
+# set truthy to allow public users | false |
+ALLOW_PUBLIC = false
+
+# IIP server location
+IIP_PATH = http://ca-iip
+
+# Database (mongo) connection uri
+MONGO_URI = mongodb://localhost
+
+# mongo db to use
+MONGO_DB = camic
+
+# automatic generate key in server in not found
+GENERATE_KEY_IF_MISSING = false
+
+# time at which to enable security, see parsable times at https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/parse
+ENABLE_SECURITY_AT = false
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
@@ -0,0 +1,29 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: Node.js CI
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [10.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm ci
+    - run: npm install -g mocha
+    - run: npm install eslint
+    - run: npm install eslint-config-google
+    - run: npm run build --if-present
+    - run: npm run lint
diff --git a/README.md b/README.md
@@ -4,8 +4,7 @@
 
 # Caracal
 
-Conslidated Backend, Auth, and Security Services
-
+Conslidated Attribute Registry, Access Control, and Loader proxy
 
 ## routes
 The routes.json sets up each route functionally as a list, executed on startup in order.
@@ -15,17 +14,12 @@ Each handler should have args set to the initialization arguments for the handle
 
 Routes are setup in this method primarily so that caMicroscope deployments can be customized, but this means that caracal can be used for entirely different projects.
 
-### Default Route (routes.json) Rationale
-- camicroscope is served as static files on /
-- auth login and check are in /auth/
-- iip images are used within /iip/
-- mongo data interactions are within /data/
-
-
 ## Handlers
 Handlers are the specific functions designed for use by routes. They should have pattern `handler(...args) = function(req, res, next)`
 
 ## Environment variables Used
+All possible configuration variables are listed in `.env.example`. Renaming the file to `.env`  will inject all the environment variables.
+
 |variable | Description | default |
 |---|---|---|
 | WORKERS | number of child processes | 4 |
@@ -35,6 +29,7 @@ Handlers are the specific functions designed for use by routes. They should have
 |ISS | jwt issuer to accept |(if unset, does not check)|
 |EXPIRY | expire in time for jwks| 1d |
 |DISABLE_SEC | set truthy to disable permission and login handlers | false |
+|DISABLE_CSP | set truthy to disable content security policy headers | false |
 |ALLOW_PUBLIC | set truthy to allow public users | false |
 |IIP_PATH | IIP server location | http://ca-iip |
 |MONGO_URI | mongo connection uri | mongodb://localhost |
@@ -46,6 +41,7 @@ Handlers are the specific functions designed for use by routes. They should have
 ## files used
 `key/key` and `key/key.pub` are used for internal jwts for this service. You can use key/make_key.sh to generate these, or otherwise add your own.
 `./ssl/privatekey.pem` and `./ssl/certificate.pem` are used to enable SSL; if these are present, this application will start in SSL/HTTPS mode.
+The CSP headers are generated from `contentSecurityPolicy.json`.
 
 ## User property variables
 These are set in userFunction and injected into the token.

diff --git a/caracal.js b/caracal.js
@@ -1,10 +1,12 @@
+require('dotenv').config();
 const express = require('express');
 
 var proxy = require('http-proxy-middleware');
 const https = require('https');
 var cookieParser = require('cookie-parser');
 var throng = require('throng');
 var routeConfig = require("./routes.json");
+var cspConfig = require("./contentSecurityPolicy.json");
 var helmet = require('helmet');
 const fs = require('fs');
 
@@ -28,40 +30,16 @@ var PORT = process.env.PORT || 4010;
 
 var MONGO_URI = process.env.MONGO_URI || 'mongodb://localhost';
 
+var DISABLE_CSP = process.env.DISABLE_CSP || false;
+
 const app = express();
 app.use(cookieParser());
-/** app.use(helmet.contentSecurityPolicy({
-  directives: {
-    defaultSrc: [
-      "'self'",
-    ],
-    scriptSrc: [
-      "'self'",
-      "'unsafe-inline'",
-      "'unsafe-eval'",
-      'code.jquery.com',
-      'stackpath.bootstrapcdn.com',
-      'apis.google.com',
-      'ajax.googleapis.com',
-      'cdn.jsdelivr.net',
-    ],
-    styleSrc: [
-      "'self'",
-      "'unsafe-inline'",
-      'fonts.googleapis.com',
-      'use.fontawesome.com',
-      'stackpath.bootstrapcdn.com',
-      'cdnjs.cloudflare.com',
-    ],
-    fontSrc: [
-      "'self'",
-      'use.fontawesome.com',
-    ],
-    imgSrc: [
-      "'self'",
-    ],
-  },
-}));**/
+
+if (!DISABLE_CSP) {
+  app.use(helmet.contentSecurityPolicy({
+    directives: cspConfig,
+  }));
+}
 
 // handle non-json raw body for post
 app.use(function(req, res, next) {

diff --git a/contentSecurityPolicy.json b/contentSecurityPolicy.json
@@ -0,0 +1,38 @@
+{
+  "defaultSrc": [
+  "'self'"
+],
+"scriptSrc": [
+  "'self'",
+  "'unsafe-inline'",
+  "'unsafe-eval'",
+  "code.jquery.com",
+  "stackpath.bootstrapcdn.com",
+  "apis.google.com",
+  "ajax.googleapis.com",
+  "cdn.jsdelivr.net",
+  "unpkg.com",
+  "http://openseadragon.github.io"
+],
+"styleSrc": [
+  "'self'",
+  "'unsafe-inline'",
+  "fonts.googleapis.com",
+  "use.fontawesome.com",
+  "stackpath.bootstrapcdn.com",
+  "cdnjs.cloudflare.com"
+],
+"fontSrc": [
+  "'self'",
+  "use.fontawesome.com",
+  "fonts.gstatic.com",
+  "cdnjs.cloudflare.com"
+],
+"imgSrc": [
+  "'self'"
+],
+"frameSrc": [
+ "'self'",
+ "accounts.google.com"
+]
+}
diff --git a/keys/make_key.sh b/keys/make_key.sh
@@ -1 +1,6 @@
-openssl req -subj '/CN=www.camicroscope.com/O=caMicroscope Local Instance Key./C=US' -x509 -nodes -newkey rsa:2048 -keyout key -out key.pub
+#!/usr/bin/env bash
+
+# to generate keys only in the /keys directory.
+PWD="$(dirname "$0")"
+
+openssl req -subj '/CN=www.camicroscope.com/O=caMicroscope Local Instance Key./C=US' -x509 -nodes -newkey rsa:2048 -keyout $PWD/key -out $PWD/key.pub