Configurable whitelist (#773)

* Pass whitelist as a string array from env vars * Docker compose env vars * Add env vars to workflow * Deprecate DOMAIN from compose * Fix bug * Add whitelist param * remove duplicate handlebars route * Add vars to deploy.sh * Add vars to deploy.sh * Test var * Strip https * Rename variable * No need to strip https * Fix typos
opencrvs · Oct 30, 2023 · a200480 · a200480
1 parent 9e4fd25
commit a200480
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 20 deletions.
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
@@ -110,6 +110,7 @@ jobs:
           INFOBIP_API_KEY: ${{ secrets.INFOBIP_API_KEY }}
           SENDER_EMAIL_ADDRESS: ${{ secrets.SENDER_EMAIL_ADDRESS }}
           SUPER_USER_PASSWORD: ${{ secrets.SUPER_USER_PASSWORD }}
+          CONTENT_SECURITY_POLICY_WILDCARD: ${{ vars.CONTENT_SECURITY_POLICY_WILDCARD }}
         run: |
           cd ./${{ github.event.repository.name }}
           yarn deploy --clear_data=no --environment=${{ github.event.inputs.deploy-script-environment }} --host=${{ env.DOMAIN }} --version=${{ github.event.inputs.core-image-tag }} --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} --country_config_path=../${{ github.event.repository.name }} --replicas=${{ env.REPLICAS }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -86,7 +86,6 @@ jobs:
             fi
             sleep 10
           done
-  
 
       - name: Deploy to ${{ github.event.inputs.environment }}
         id: deploy
@@ -114,6 +113,7 @@ jobs:
           INFOBIP_API_KEY: ${{ secrets.INFOBIP_API_KEY }}
           SENDER_EMAIL_ADDRESS: ${{ secrets.SENDER_EMAIL_ADDRESS }}
           SUPER_USER_PASSWORD: ${{ secrets.SUPER_USER_PASSWORD }}
+          CONTENT_SECURITY_POLICY_WILDCARD: ${{ vars.CONTENT_SECURITY_POLICY_WILDCARD }}
         run: |
           cd ./${{ github.event.repository.name }}
           yarn deploy --clear_data=${{ github.event.inputs.reset }} --environment=${{ github.event.inputs.environment }} --host=${{ env.DOMAIN }} --version=${{ github.event.inputs.core-image-tag }} --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} --country_config_path=../${{ github.event.repository.name }} --replicas=${{ env.REPLICAS }}

diff --git a/infrastructure/deploy.sh b/infrastructure/deploy.sh
@@ -173,6 +173,11 @@ if [ -z "$DOCKERHUB_REPO" ] ; then
     print_usage_and_exit
 fi
 
+if [ -z "$CONTENT_SECURITY_POLICY_WILDCARD" ] ; then
+    echo 'Error: Missing environment variable CONTENT_SECURITY_POLICY_WILDCARD.'
+    print_usage_and_exit
+fi
+
 if [ -z "$TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK" ] ; then
     echo 'Info: Missing optional MOSIP environment variable TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK.'
     TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK=''
@@ -446,7 +451,8 @@ docker_stack_deploy() {
   NATIONAL_ID_OIDP_ESSENTIAL_CLAIMS=$NATIONAL_ID_OIDP_ESSENTIAL_CLAIMS
   NATIONAL_ID_OIDP_VOLUNTARY_CLAIMS=$NATIONAL_ID_OIDP_VOLUNTARY_CLAIMS
   NATIONAL_ID_OIDP_CLIENT_PRIVATE_KEY=$NATIONAL_ID_OIDP_CLIENT_PRIVATE_KEY
-  NATIONAL_ID_OIDP_JWT_AUD_CLAIM=$NATIONAL_ID_OIDP_JWT_AUD_CLAIM"
+  NATIONAL_ID_OIDP_JWT_AUD_CLAIM=$NATIONAL_ID_OIDP_JWT_AUD_CLAIM
+  CONTENT_SECURITY_POLICY_WILDCARD=$CONTENT_SECURITY_POLICY_WILDCARD"
 
   echo "Pulling all docker images. This might take a while"
 

diff --git a/infrastructure/docker-compose.deploy.yml b/infrastructure/docker-compose.deploy.yml
@@ -470,7 +470,7 @@ services:
   client:
     environment:
       - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}}
-      - HOST={{hostname}}
+      - CONTENT_SECURITY_POLICY_WILDCARD=${CONTENT_SECURITY_POLICY_WILDCARD}
       - MINIO_URL=https://minio.{{hostname}}
     deploy:
       labels:
@@ -549,6 +549,8 @@ services:
       - APN_SERVICE_URL=http://apm-server:8200
       - COUNTRY_LOGO_URL=https://countryconfig.{{hostname}}/content/country-logo
       - LOGIN_URL=https://login.{{hostname}}
+      - CLIENT_APP_URL=https://register.{{hostname}}
+      - DOMAIN={{hostname}}
     networks:
       - overlay_net
     logging:
@@ -559,7 +561,7 @@ services:
   login:
     environment:
       - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}}
-      - HOST={{hostname}}
+      - CONTENT_SECURITY_POLICY_WILDCARD=${CONTENT_SECURITY_POLICY_WILDCARD}
     deploy:
       labels:
         - 'traefik.enable=true'
@@ -592,6 +594,9 @@ services:
       - APN_SERVICE_URL=http://apm-server:8200
       - CERT_PRIVATE_KEY_PATH=/run/secrets/jwt-private-key.{{ts}}
       - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}}
+      - LOGIN_URL=https://login.{{hostname}}
+      - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}}
+      - CLIENT_APP_URL=https://register.{{hostname}}
       - DOMAIN={{hostname}}
     deploy:
       labels:
@@ -658,6 +663,8 @@ services:
     environment:
       - APN_SERVICE_URL=http://apm-server:8200
       - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}}
+      - LOGIN_URL=https://login.{{hostname}}
+      - CLIENT_APP_URL=https://register.{{hostname}}
       - DOMAIN={{hostname}}
     deploy:
       labels:
@@ -786,6 +793,8 @@ services:
       - APN_SERVICE_URL=http://apm-server:8200
       - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}}
       - MONGO_URL=mongodb://config:${CONFIG_MONGODB_PASSWORD}@mongo1/application-config?replicaSet=rs0
+      - LOGIN_URL=https://login.{{hostname}}
+      - CLIENT_APP_URL=https://register.{{hostname}}
       - DOMAIN={{hostname}}
     deploy:
       labels:

diff --git a/src/constants.ts b/src/constants.ts
@@ -9,7 +9,10 @@
  * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
  */
 export const TEST_SOURCE = `${process.cwd()}/src/tests/`
-export const HOSTNAME = process.env.HOSTNAME || '*'
+export const HOSTNAME = process.env.DOMAIN || '*'
+export const LOGIN_URL = process.env.LOGIN_URL || 'http://localhost:3020/'
+export const CLIENT_APP_URL =
+  process.env.CLIENT_APP_URL || 'http://localhost:3000/'
 export const FHIR_URL = process.env.FHIR_URL || 'http://localhost:3447/fhir'
 export const OPENHIM_URL =
   process.env.OPENHIM_URL || 'http://localhost:5001/fhir'

diff --git a/src/index.ts b/src/index.ts
@@ -16,13 +16,17 @@ import * as Pino from 'hapi-pino'
 import * as JWT from 'hapi-auth-jwt2'
 import * as inert from '@hapi/inert'
 import * as Sentry from 'hapi-sentry'
-import { SENTRY_DSN } from '@countryconfig/constants'
+import {
+  CLIENT_APP_URL,
+  HOSTNAME,
+  LOGIN_URL,
+  SENTRY_DSN
+} from '@countryconfig/constants'
 import {
   COUNTRY_CONFIG_HOST,
   COUNTRY_CONFIG_PORT,
   CHECK_INVALID_TOKEN,
   AUTH_URL,
-  HOSTNAME,
   DEFAULT_TIMEOUT
 } from '@countryconfig/constants'
 import { statisticsHandler } from '@countryconfig/api/data-generator/handler'
@@ -171,9 +175,9 @@ async function getPublicKey(): Promise<string> {
 export async function createServer() {
   let whitelist: string[] = [HOSTNAME]
   if (HOSTNAME[0] !== '*') {
-    whitelist = [`https://login.${HOSTNAME}`, `https://register.${HOSTNAME}`]
+    whitelist = [LOGIN_URL, CLIENT_APP_URL]
   }
-  logger.info('Whitelist: ', JSON.stringify(whitelist))
+  logger.info(`Whitelist: ${JSON.stringify(whitelist)}`)
   const server = new Hapi.Server({
     host: COUNTRY_CONFIG_HOST,
     port: COUNTRY_CONFIG_PORT,
@@ -316,17 +320,6 @@ export async function createServer() {
     }
   })
 
-  server.route({
-    method: 'GET',
-    path: '/handlebars.js',
-    handler: handlebarsHandler,
-    options: {
-      auth: false,
-      tags: ['api'],
-      description: 'Serves handlebars as JS'
-    }
-  })
-
   server.route({
     method: 'GET',
     path: '/content/{application}',