Fix #144 - Force Content Type to match proxied response.

ging · Nov 8, 2022 · bc4c072 · bc4c072
1 parent 863f114
commit bc4c072
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,25 +1,64 @@
-ARG NODE_VERSION=10
+ARG NODE_VERSION=14
 ARG GITHUB_ACCOUNT=ging
 ARG GITHUB_REPOSITORY=fiware-pep-proxy
+ARG DOWNLOAD=latest
+ARG SOURCE_BRANCH=master
+
+# Default Builder, distro and distroless build version
+ARG BUILDER=node:${NODE_VERSION}
+ARG DISTRO=node:${NODE_VERSION}-slim
+ARG DISTROLESS=gcr.io/distroless/nodejs:${NODE_VERSION}
+ARG PACKAGE_MANAGER=apt
+ARG USER=node
 
 ########################################################################################
 #
-# This build stage retrieves the source code and sets up node-SAAS
+# This build stage retrieves the source code from GitHub. The default download is the 
+# latest tip of the master of the named repository on GitHub.
+#
+# To obtain the latest stable release run this Docker file with the parameters:
+# --no-cache --build-arg DOWNLOAD=stable
+#
+# To obtain any specific version of a release run this Docker file with the parameters:
+# --no-cache --build-arg DOWNLOAD=1.7.0
+#
+# For development purposes, to create a development image including a running Distro, 
+# run this Docker file with the parameter:
+#
+# --target=builder
 #
 ######################################################################################## 
+FROM ${BUILDER} AS builder
+ARG TARGET
+ARG GITHUB_ACCOUNT
+ARG GITHUB_REPOSITORY
+ARG DOWNLOAD
+ARG SOURCE_BRANCH
+ARG PACKAGE_MANAGER
+
+# hadolint ignore=DL3002
+USER root
+# Ensure that the chosen package manger is supported by this Dockerfile
+# also ensure that unzip is installed prior to downloading sources
 
-FROM node:${NODE_VERSION} as builder
 COPY . /opt/fiware-pep-proxy
+
 WORKDIR /opt/fiware-pep-proxy
-RUN npm install --only=prod --no-package-lock --no-optional
+
+# hadolint ignore=DL3008
+RUN \
+  echo "INFO: npm install --production..." && \
+  npm install --only=prod --no-package-lock --no-optional --unsafe-perm
 
 ########################################################################################
 #
 # This build stage creates an anonymous user to be used with the distroless build
 # as defined below.
 #
 ########################################################################################
-FROM node:${NODE_VERSION} AS anon-user
+FROM ${BUILDER} AS anon-user
+# hadolint ignore=DL3002
+USER root
 RUN sed -i -r "/^(root|nobody)/!d" /etc/passwd /etc/shadow /etc/group \
     && sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
 
@@ -37,17 +76,21 @@ RUN sed -i -r "/^(root|nobody)/!d" /etc/passwd /etc/shadow /etc/group \
 #
 ########################################################################################
 
-FROM gcr.io/distroless/nodejs:${NODE_VERSION}
+FROM ${DISTROLESS} AS distroless
 ARG GITHUB_ACCOUNT
 ARG GITHUB_REPOSITORY
 ARG NODE_VERSION
 
 LABEL "maintainer"="FIWARE Identity Manager Team. DIT-UPM"
+LABEL "description"="Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema."
+LABEL "name"="pep-proxy"
+LABEL "summary"="PEP Proxy - Wilma (Distroless)"
+
 LABEL "org.opencontainers.image.authors"=""
 LABEL "org.opencontainers.image.documentation"="https://fiware-idm.readthedocs.io/"
 LABEL "org.opencontainers.image.vendor"="Universidad Politécnica de Madrid."
 LABEL "org.opencontainers.image.licenses"="MIT"
-LABEL "org.opencontainers.image.title"="PEP Proxy - Wilma"
+LABEL "org.opencontainers.image.title"="PEP Proxy - Wilma (Distroless)"
 LABEL "org.opencontainers.image.description"="Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema."
 LABEL "org.opencontainers.image.source"=https://github.com/${GITHUB_ACCOUNT}/${GITHUB_REPOSITORY}
 LABEL "org.nodejs.version"=${NODE_VERSION}
@@ -64,6 +107,55 @@ CMD ["./bin/www"]
 HEALTHCHECK  --interval=30s --timeout=3s --start-period=60s \
   CMD ["/nodejs/bin/node", "./bin/healthcheck"]
 
+
+########################################################################################
+#
+# This build stage creates a node-slim image for production.
+#
+# IMPORTANT: For production environments use Docker Secrets to protect values of the 
+# sensitive ENV variables defined below, by adding _FILE to the name of the relevant 
+# variable.
+#
+# -  PEP_PROXY_USERNAME
+# -  PEP_PASSWORD
+# -  PEP_TOKEN_SECRET
+#
+########################################################################################
+
+FROM ${DISTRO} AS slim
+ARG GITHUB_ACCOUNT
+ARG GITHUB_REPOSITORY
+ARG NODE_VERSION
+ARG USER
+
+
+LABEL "maintainer"="FIWARE Identity Manager Team. DIT-UPM"
+LABEL "description"="Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema."
+LABEL "name"="pep-proxy"
+LABEL "summary"="PEP Proxy - Wilma"
+
+LABEL "org.opencontainers.image.authors"=""
+LABEL "org.opencontainers.image.documentation"="https://fiware-idm.readthedocs.io/"
+LABEL "org.opencontainers.image.vendor"="Universidad Politécnica de Madrid."
+LABEL "org.opencontainers.image.licenses"="MIT"
+LABEL "org.opencontainers.image.title"="PEP Proxy - Wilma"
+LABEL "org.opencontainers.image.description"="Support for proxy functions within OAuth2-based authentication schemas. Also implements PEP functions within an XACML-based access control schema."
+LABEL "org.opencontainers.image.source"=https://github.com/${GITHUB_ACCOUNT}/${GITHUB_REPOSITORY}
+LABEL "org.nodejs.version"=${NODE_VERSION}
+
+COPY --from=builder /opt/fiware-pep-proxy /opt/fiware-pep-proxy
+COPY --from=builder /opt/fiware-pep-proxy/LICENSE /licenses/LICENSE
+WORKDIR /opt/fiware-pep-proxy
+
+# Node by default, use 406 for Alpine, 1001 for UBI,
+USER ${USER}
+ENV NODE_ENV=production
+# Ports used by application
+EXPOSE ${PEP_PROXY_PORT:-1027}
+CMD ["npm", "start"]
+HEALTHCHECK  --interval=30s --timeout=3s --start-period=60s \
+  CMD ["npm", "run", "healthcheck"]
+
 # 
 # ALL ENVIRONMENT VARIABLES
 #
@@ -84,20 +176,11 @@ HEALTHCHECK  --interval=30s --timeout=3s --start-period=60s \
 #    PEP_PROXY_TOKEN_SECRET
 #    PEP_PROXY_AUTH_ENABLED
 #    PEP_PROXY_PDP
-#    PEP_PROXY_PDP_PROTOCOL
-#    PEP_PROXY_PDP_HOST
-#    PEP_PROXY_PDP_PORT
-#    PEP_PROXY_PDP_PATH
 #    PEP_PROXY_TENANT_HEADER
+#    PEP_PROXY_AZF_PROTOCOL
+#    PEP_PROXY_AZF_HOST
+#    PEP_PROXY_AZF_PORT
 #    PEP_PROXY_AZF_CUSTOM_POLICY
 #    PEP_PROXY_PUBLIC_PATHS
-#    PEP_PROXY_CORS_ORIGIN
-#    PEP_PROXY_CORS_METHODS
-#    PEP_PROXY_CORS_OPTIONS_SUCCESS_STATUS
-#    PEP_PROXY_CORS_ALLOWED_HEADERS
-#    PEP_PROXY_CORS_CREDENTIALS
-#    PEP_PROXY_CORS_MAX_AGE
 #    PEP_PROXY_AUTH_FOR_NGINX
 #    PEP_PROXY_MAGIC_KEY
-#    PEP_PROXY_ERROR_TEMPLATE
-#    PEP_PROXY_ERROR_CONTENT_TYPE
diff --git a/extras/docker/Dockerfile b/extras/docker/Dockerfile
@@ -111,7 +111,7 @@ RUN sed -i -r "/^(root|nobody)/!d" /etc/passwd /etc/shadow /etc/group \
 # variable.
 #
 # -  PEP_PROXY_USERNAME
-# -  PEP_PROXY_ASSWORD
+# -  PEP_PROXY_PASSWORD
 # -  PEP_PROXY_TOKEN_SECRET
 #
 ########################################################################################

diff --git a/lib/access_functions.js b/lib/access_functions.js
@@ -139,6 +139,7 @@ function pepResponse(req, res) {
       debug(req.user ? 'Permitted.' : 'Public path.');
       res.statusCode = response.statusCode;
       res.headers = response.headers;
+      res.type(response.headers['content-type'])
       return response.body ? res.send(response.body) : res.send();
     })
     .catch((error) => {