Merge branch 'master' into feature/ubi

ging · Feb 17, 2022 · 50b8f47 · 50b8f47
2 parents 48ba594 + 63e2d52
commit 50b8f47
Show file tree

Hide file tree

Showing 43 changed files with 4,157 additions and 2,190 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -58,7 +58,6 @@ jobs:
         strategy:
             matrix:
                 node-version:
-                    - 10.x
                     - 12.x
                     - 14.x
         steps:
@@ -70,10 +69,6 @@ jobs:
                   node-version: "${{ matrix.node-version }}"
             - name: "Unit Tests with Node.js ${{ matrix.node-version }}"
               run: |
-                  docker network create --driver=bridge my-network
-                  docker run -d -h mysql --net=my-network  -p 3306:3306 --name mysql -v $(pwd)/test/mysql-data:/docker-entrypoint-initdb.d/:ro -e MYSQL_ROOT_PASSWORD=test  mysql:5.7
-                  docker run -d --net=my-network -p 3000:3000 --name keyrock -e IDM_DB_USER=root -e IDM_DB_PASS=test -e IDM_DB_HOST=mysql -e IDM_DB_PORT=3306  fiware/idm:8.0.0
-
                   npm install
                   npm test
 
@@ -89,10 +84,6 @@ jobs:
               with:
                   node-version: 12.x
             - run: |
-                  docker network create --driver=bridge my-network
-                  docker run -d -h mysql --net=my-network  -p 3306:3306 --name mysql -v $(pwd)/test/mysql-data:/docker-entrypoint-initdb.d/:ro -e MYSQL_ROOT_PASSWORD=test  mysql:5.7
-                  docker run -d --net=my-network -p 3000:3000 --name keyrock -e IDM_DB_USER=root -e IDM_DB_PASS=test -e IDM_DB_HOST=mysql -e IDM_DB_PORT=3306  fiware/idm:8.0.0
-
                   npm install
                   npm run test:coverage
             - name: Push to Coveralls

diff --git a/Dockerfile b/Dockerfile
@@ -84,9 +84,11 @@ HEALTHCHECK  --interval=30s --timeout=3s --start-period=60s \
 #    PEP_PROXY_TOKEN_SECRET
 #    PEP_PROXY_AUTH_ENABLED
 #    PEP_PROXY_PDP
-#    PEP_PROXY_AZF_PROTOCOL
-#    PEP_PROXY_AZF_HOST
-#    PEP_PROXY_AZF_PORT
+#    PEP_PROXY_PDP_PROTOCOL
+#    PEP_PROXY_PDP_HOST
+#    PEP_PROXY_PDP_PORT
+#    PEP_PROXY_PDP_PATH
+#    PEP_PROXY_TENANT_HEADER
 #    PEP_PROXY_AZF_CUSTOM_POLICY
 #    PEP_PROXY_PUBLIC_PATHS
 #    PEP_PROXY_CORS_ORIGIN
@@ -97,3 +99,5 @@ HEALTHCHECK  --interval=30s --timeout=3s --start-period=60s \
 #    PEP_PROXY_CORS_MAX_AGE
 #    PEP_PROXY_AUTH_FOR_NGINX
 #    PEP_PROXY_MAGIC_KEY
+#    PEP_PROXY_ERROR_TEMPLATE
+#    PEP_PROXY_ERROR_CONTENT_TYPE
diff --git a/app.js b/app.js
@@ -0,0 +1,114 @@
+#!/usr/bin/env node
+const cors = require('cors');
+const config_service = require('./lib/config_service');
+
+const fs = require('fs');
+const https = require('https');
+const errorhandler = require('errorhandler');
+
+const logger = require('morgan');
+const debug = require('debug')('pep-proxy:app');
+const express = require('express');
+
+process.on('uncaughtException', function (err) {
+  debug('Caught exception: ' + err);
+});
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+
+/**
+ * Start the express server to listen to all requests. Whitelisted public paths are
+ * proxied directly, all other requests are restricted access and must either:
+ *
+ * - hold a bearer token from an authenticated user
+ * - hold a bearer token and the user must be authorized to perform the action
+ *
+ * @param an auth token representing the PEP
+ * @param the configuration to use within the app
+ *
+ * @return a running express server
+ */
+exports.start_server = function (token, config) {
+  config_service.set_config(config, true);
+  const Root = require('./controllers/root');
+  const Payload = require('./lib/payload_analyse');
+  const Authorize = require('./lib/authorization_functions');
+  const app = express();
+  let server;
+
+  // Set logs in development
+  if (config.debug) {
+    app.use(logger('dev'));
+  }
+
+  app.use(function (req, res, next) {
+    const bodyChunks = [];
+    req.on('data', function (chunk) {
+      bodyChunks.push(chunk);
+    });
+
+    req.on('end', function () {
+      if (bodyChunks.length > 0) {
+        req.body = Buffer.concat(bodyChunks);
+      }
+      next();
+    });
+  });
+
+  app.disable('x-powered-by');
+  app.use(errorhandler({ log: debug }));
+  app.use(cors(config.cors));
+
+  let port = config.pep_port || 80;
+  if (config.https.enabled) {
+    port = config.https.port || 443;
+  }
+  app.set('port', port);
+  app.set('pepToken', token);
+  app.set('trust proxy', '127.0.0.1');
+
+  // The auth mode (authorize or authenticate only) and PDP to adjudicate
+  // are set in the config.
+  debug(
+    'Starting PEP proxy on port ' +
+      port +
+      (config.authorization.enabled
+        ? '. PDP authorization via ' + config.authorization.pdp
+        : '. User authentication via IDM')
+  );
+
+  for (const p in config.public_paths) {
+    debug('Public paths', config.public_paths[p]);
+    app.all(config.public_paths[p], Root.open_access);
+  }
+
+  if (Authorize.checkPayload()) {
+    // Oddity for Subscriptions
+    app.post('/*/subscriptions', Payload.subscription, Root.restricted_access);
+    app.patch('/*/subscriptions/*', Payload.subscription, Root.restricted_access);
+    // Oddity for NGSI-v2
+    app.all('/*/op/*', Payload.v2batch, Root.restricted_access);
+    app.use(Payload.query);
+    app.use(Payload.body);
+    app.all('/*/entities/:id', Payload.params, Root.restricted_access);
+    app.all('/*/entities/:id/attrs', Payload.params, Root.restricted_access);
+    app.all('/*/entities/:id/attrs/:attr', Payload.params, Root.restricted_access);
+  }
+
+  app.all('/*', Root.restricted_access);
+
+  if (config.https.enabled === true) {
+    const options = {
+      key: fs.readFileSync(config.https.key_file),
+      cert: fs.readFileSync(config.https.cert_file)
+    };
+
+    server = https
+      .createServer(options, function (req, res) {
+        app.handle(req, res);
+      })
+      .listen(app.get('port'));
+  } else {
+    server = app.listen(app.get('port'));
+  }
+  return server;
+};
diff --git a/bin/healthcheck.js b/bin/healthcheck.js
@@ -1,5 +1,12 @@
 #!/usr/bin/env node
 
+/*
+ * Copyright 2021 -  Universidad Politécnica de Madrid.
+ *
+ * This file is part of PEP-Proxy
+ *
+ */
+
 const http = require('http');
 const config = require('../config');
 const http_code = process.env.HEALTHCHECK_CODE || 200;
@@ -8,19 +15,17 @@ function to_array(env, default_value) {
   return env !== undefined ? env.split(',') : default_value;
 }
 
-const public_paths = to_array(process.env.PEP_PROXY_PUBLIC_PATHS, [
-  '/iot/about',
-]);
+const public_paths = to_array(process.env.PEP_PROXY_PUBLIC_PATHS, ['/iot/about']);
 
 const options = {
   host: 'localhost',
   port: process.env.PEP_PROXY_PORT || config.port,
   timeout: 2000,
   method: 'GET',
-  path: public_paths[0] || '/',
+  path: public_paths[0] || '/'
 };
 
-const request = http.request(options, result => {
+const request = http.request(options, (result) => {
   // eslint-disable-next-line no-console
   console.info(`Performed health check, result ${result.statusCode}`);
   if (result.statusCode === http_code) {
@@ -30,11 +35,9 @@ const request = http.request(options, result => {
   }
 });
 
-request.on('error', err => {
+request.on('error', (err) => {
   // eslint-disable-next-line no-console
-  console.error(
-    `An error occurred while performing health check, error: ${err}`
-  );
+  console.error(`An error occurred while performing health check, error: ${err}`);
   process.exit(1);
 });