From a200480780eef6d11a2d3ff3136e3bf427d25ed2 Mon Sep 17 00:00:00 2001 From: Euan Millar Date: Mon, 30 Oct 2023 09:52:10 +0000 Subject: [PATCH] Configurable whitelist (#773) * Pass whitelist as a string array from env vars * Docker compose env vars * Add env vars to workflow * Deprecate DOMAIN from compose * Fix bug * Add whitelist param * remove duplicate handlebars route * Add vars to deploy.sh * Add vars to deploy.sh * Test var * Strip https * Rename variable * No need to strip https * Fix typos --- .github/workflows/deploy-prod.yml | 1 + .github/workflows/deploy.yml | 2 +- infrastructure/deploy.sh | 8 +++++++- infrastructure/docker-compose.deploy.yml | 13 +++++++++++-- src/constants.ts | 5 ++++- src/index.ts | 23 ++++++++--------------- 6 files changed, 32 insertions(+), 20 deletions(-) diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 175469c8d..909a759ef 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -110,6 +110,7 @@ jobs: INFOBIP_API_KEY: ${{ secrets.INFOBIP_API_KEY }} SENDER_EMAIL_ADDRESS: ${{ secrets.SENDER_EMAIL_ADDRESS }} SUPER_USER_PASSWORD: ${{ secrets.SUPER_USER_PASSWORD }} + CONTENT_SECURITY_POLICY_WILDCARD: ${{ vars.CONTENT_SECURITY_POLICY_WILDCARD }} run: | cd ./${{ github.event.repository.name }} yarn deploy --clear_data=no --environment=${{ github.event.inputs.deploy-script-environment }} --host=${{ env.DOMAIN }} --version=${{ github.event.inputs.core-image-tag }} --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} --country_config_path=../${{ github.event.repository.name }} --replicas=${{ env.REPLICAS }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 28f333b9d..f6e669c28 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -86,7 +86,6 @@ jobs: fi sleep 10 done - - name: Deploy to ${{ github.event.inputs.environment }} id: deploy 
@@ -114,6 +113,7 @@ jobs: INFOBIP_API_KEY: ${{ secrets.INFOBIP_API_KEY }} SENDER_EMAIL_ADDRESS: ${{ secrets.SENDER_EMAIL_ADDRESS }} SUPER_USER_PASSWORD: ${{ secrets.SUPER_USER_PASSWORD }} + CONTENT_SECURITY_POLICY_WILDCARD: ${{ vars.CONTENT_SECURITY_POLICY_WILDCARD }} run: | cd ./${{ github.event.repository.name }} yarn deploy --clear_data=${{ github.event.inputs.reset }} --environment=${{ github.event.inputs.environment }} --host=${{ env.DOMAIN }} --version=${{ github.event.inputs.core-image-tag }} --country_config_version=${{ github.event.inputs.countryconfig-image-tag }} --country_config_path=../${{ github.event.repository.name }} --replicas=${{ env.REPLICAS }} diff --git a/infrastructure/deploy.sh b/infrastructure/deploy.sh index a91ccdf7a..e200e3e08 100755 --- a/infrastructure/deploy.sh +++ b/infrastructure/deploy.sh @@ -173,6 +173,11 @@ if [ -z "$DOCKERHUB_REPO" ] ; then print_usage_and_exit fi +if [ -z "$CONTENT_SECURITY_POLICY_WILDCARD" ] ; then + echo 'Error: Missing environment variable CONTENT_SECURITY_POLICY_WILDCARD.' + print_usage_and_exit +fi + if [ -z "$TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK" ] ; then echo 'Info: Missing optional MOSIP environment variable TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK.' TOKENSEEDER_MOSIP_AUTH__PARTNER_MISP_LK='' @@ -446,7 +451,8 @@ docker_stack_deploy() { NATIONAL_ID_OIDP_ESSENTIAL_CLAIMS=$NATIONAL_ID_OIDP_ESSENTIAL_CLAIMS NATIONAL_ID_OIDP_VOLUNTARY_CLAIMS=$NATIONAL_ID_OIDP_VOLUNTARY_CLAIMS NATIONAL_ID_OIDP_CLIENT_PRIVATE_KEY=$NATIONAL_ID_OIDP_CLIENT_PRIVATE_KEY - NATIONAL_ID_OIDP_JWT_AUD_CLAIM=$NATIONAL_ID_OIDP_JWT_AUD_CLAIM" + NATIONAL_ID_OIDP_JWT_AUD_CLAIM=$NATIONAL_ID_OIDP_JWT_AUD_CLAIM + CONTENT_SECURITY_POLICY_WILDCARD=$CONTENT_SECURITY_POLICY_WILDCARD" echo "Pulling all docker images. This might take a while" diff --git a/infrastructure/docker-compose.deploy.yml b/infrastructure/docker-compose.deploy.yml index 7378bc0c3..086bf31c7 100644 --- a/infrastructure/docker-compose.deploy.yml 
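Review bot: The new guard in deploy.sh only checks that `CONTENT_SECURITY_POLICY_WILDCARD` is non-empty, yet the value is copied verbatim into the client and login services' environment, where it is presumably consumed as a CSP source expression; since the failure path calls `print_usage_and_exit`, the usage text should name the variable and its expected shape, and a comment on the guard such as `# CSP host-source the client/login apps may load from, e.g. *.<your-domain>` would tell operators what to supply. `print_usage_and_exit` is defined outside this hunk, so I could not confirm it already lists the new variable.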
+++ b/infrastructure/docker-compose.deploy.yml @@ -470,7 +470,7 @@ services: client: environment: - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}} - - HOST={{hostname}} + - CONTENT_SECURITY_POLICY_WILDCARD=${CONTENT_SECURITY_POLICY_WILDCARD} - MINIO_URL=https://minio.{{hostname}} deploy: labels: @@ -549,6 +549,8 @@ services: - APN_SERVICE_URL=http://apm-server:8200 - COUNTRY_LOGO_URL=https://countryconfig.{{hostname}}/content/country-logo - LOGIN_URL=https://login.{{hostname}} + - CLIENT_APP_URL=https://register.{{hostname}} + - DOMAIN={{hostname}} networks: - overlay_net logging: @@ -559,7 +561,7 @@ services: login: environment: - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}} - - HOST={{hostname}} + - CONTENT_SECURITY_POLICY_WILDCARD=${CONTENT_SECURITY_POLICY_WILDCARD} deploy: labels: - 'traefik.enable=true' @@ -592,6 +594,9 @@ services: - APN_SERVICE_URL=http://apm-server:8200 - CERT_PRIVATE_KEY_PATH=/run/secrets/jwt-private-key.{{ts}} - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}} + - LOGIN_URL=https://login.{{hostname}} + - COUNTRY_CONFIG_URL=https://countryconfig.{{hostname}} + - CLIENT_APP_URL=https://register.{{hostname}} - DOMAIN={{hostname}} deploy: labels: @@ -658,6 +663,8 @@ services: environment: - APN_SERVICE_URL=http://apm-server:8200 - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}} + - LOGIN_URL=https://login.{{hostname}} + - CLIENT_APP_URL=https://register.{{hostname}} - DOMAIN={{hostname}} deploy: labels: @@ -786,6 +793,8 @@ services: - APN_SERVICE_URL=http://apm-server:8200 - CERT_PUBLIC_KEY_PATH=/run/secrets/jwt-public-key.{{ts}} - MONGO_URL=mongodb://config:${CONFIG_MONGODB_PASSWORD}@mongo1/application-config?replicaSet=rs0 + - LOGIN_URL=https://login.{{hostname}} + - CLIENT_APP_URL=https://register.{{hostname}} - DOMAIN={{hostname}} deploy: labels: diff --git a/src/constants.ts b/src/constants.ts index aca9a68c1..818c1c14b 100644 --- a/src/constants.ts +++ b/src/constants.ts 
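Review bot: `${CONTENT_SECURITY_POLICY_WILDCARD}` substitutes an empty string when the variable is absent, and only deploy.sh guards against that; the required-variable form `${CONTENT_SECURITY_POLICY_WILDCARD:?CONTENT_SECURITY_POLICY_WILDCARD must be set}` makes the stack deploy fail fast if this file is ever applied without the script. The same substitution is added to the `login` service in the hunk at line 559, so both lines should use it. The `HOST={{hostname}}` entries removed from `client` and `login` should be checked against any remaining consumer in those images, which are not visible in this diff.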
@@ -9,7 +9,10 @@
  * Copyright (C) The OpenCRVS Authors located at https://github.com/opencrvs/opencrvs-core/blob/master/AUTHORS.
  */
 export const TEST_SOURCE = `${process.cwd()}/src/tests/`
-export const HOSTNAME = process.env.HOSTNAME || '*'
+export const HOSTNAME = process.env.DOMAIN || '*'
+export const LOGIN_URL = process.env.LOGIN_URL || 'http://localhost:3020/'
+export const CLIENT_APP_URL =
+  process.env.CLIENT_APP_URL || 'http://localhost:3000/'
 export const FHIR_URL = process.env.FHIR_URL || 'http://localhost:3447/fhir'
 export const OPENHIM_URL =
   process.env.OPENHIM_URL || 'http://localhost:5001/fhir'
diff --git a/src/index.ts b/src/index.ts
index 7c471f3db..768e1d8cf 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -16,13 +16,17 @@ import * as Pino from 'hapi-pino'
 import * as JWT from 'hapi-auth-jwt2'
 import * as inert from '@hapi/inert'
 import * as Sentry from 'hapi-sentry'
-import { SENTRY_DSN } from '@countryconfig/constants'
+import {
+  CLIENT_APP_URL,
+  HOSTNAME,
+  LOGIN_URL,
+  SENTRY_DSN
+} from '@countryconfig/constants'
 import {
   COUNTRY_CONFIG_HOST,
   COUNTRY_CONFIG_PORT,
   CHECK_INVALID_TOKEN,
   AUTH_URL,
-  HOSTNAME,
   DEFAULT_TIMEOUT
 } from '@countryconfig/constants'
 import { statisticsHandler } from '@countryconfig/api/data-generator/handler'
@@ -171,9 +175,9 @@ async function getPublicKey(): Promise {
 export async function createServer() {
   let whitelist: string[] = [HOSTNAME]
   if (HOSTNAME[0] !== '*') {
-    whitelist = [`https://login.${HOSTNAME}`, `https://register.${HOSTNAME}`]
+    whitelist = [LOGIN_URL, CLIENT_APP_URL]
   }
-  logger.info('Whitelist: ', JSON.stringify(whitelist))
+  logger.info(`Whitelist: ${JSON.stringify(whitelist)}`)
   const server = new Hapi.Server({
     host: COUNTRY_CONFIG_HOST,
     port: COUNTRY_CONFIG_PORT,
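Review bot: The new `LOGIN_URL` and `CLIENT_APP_URL` defaults end with a slash (`'http://localhost:3020/'`, `'http://localhost:3000/'`) while the values the compose file injects (`https://login.{{hostname}}`) do not; if `whitelist` is matched against a request `Origin` header, which never carries a path, the slash form can never match, so the defaults should be `'http://localhost:3020'` and `'http://localhost:3000'`. `HOSTNAME` now reads `process.env.DOMAIN` but keeps its old name, and the `'*'` fallback silently turns a missing `DOMAIN` into a wildcard; a comment such as `// DOMAIN unset -> '*' (wildcard whitelist); set DOMAIN in every deployed environment` would make that explicit for whoever configures a deployment.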
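Review bot: The hunk introduces a second `import { ... } from '@countryconfig/constants'` directly above an existing import from the same module; folding `CLIENT_APP_URL`, `HOSTNAME`, `LOGIN_URL` and `SENTRY_DSN` into the existing specifier list keeps one import per module, which the other imports in this hunk appear to follow. This is purely a style point; behaviour is unchanged.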
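Review bot: When `DOMAIN` is unset, `HOSTNAME` is `'*'` and `whitelist` stays `['*']`, so a deployment that forgets the variable ends up with a wildcard whitelist and only an info log to show for it; the branch that skips the `LOGIN_URL`/`CLIENT_APP_URL` assignment should at least log at warning level, e.g. `} else { logger.warn('DOMAIN is not set; whitelist falls back to "*"') }`, and a production deployment could refuse to start instead. The variable the whitelist derives from also changed from `HOSTNAME` to `DOMAIN` in this commit, so an operator still exporting `HOSTNAME` now silently lands in the wildcard branch, which argues for the same warning. How `whitelist` is consumed (CORS origin list, CSP) lies outside the hunk, and `createServer` continues past it.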
@@ -316,17 +320,6 @@ export async function createServer() {
     }
   })
 
-  server.route({
-    method: 'GET',
-    path: '/handlebars.js',
-    handler: handlebarsHandler,
-    options: {
-      auth: false,
-      tags: ['api'],
-      description: 'Serves handlebars as JS'
-    }
-  })
-
   server.route({
     method: 'GET',
     path: '/content/{application}',