Merge pull request #31 from camicroscope/develop

For 3.7.3
camicroscope · May 1, 2020 · ef869eb · ef869eb
2 parents 08a3209 + 5338521
commit ef869eb
Show file tree

Hide file tree

Showing 8 changed files with 76 additions and 21 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,10 @@
 FROM node:12-alpine
 RUN apk add git
 RUN mkdir /root/src
-RUN npm install -g forever
 COPY . /root/src
 WORKDIR /root/src
 RUN npm install
 ARG viewer
 RUN if [ -z ${viewer} ]; then git clone https://github.com/camicroscope/camicroscope.git; else git clone https://github.com/camicroscope/camicroscope.git --branch=$viewer; fi
 EXPOSE 8010
-CMD forever caracal.js
+CMD node caracal.js
diff --git a/README.md b/README.md
@@ -30,6 +30,7 @@ Conslidated Backend, Auth, and Security Services
 |MONGO_URI | mongo connection uri | mongodb://localhost |
 |MONGO_DB | mongo db to use, default camic |
 |GENERATE_KEY_IF_MISSING | automatic generate key in server in not found | false |
+|ENABLE_SECURITY_AT| time at which to enable security; [see parsable times](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/parse)| (not active) |
 
 ## files used
 key/key and key/key.pub are used for internal jwts for this service. You can use key/make_key.sh to generate these, or otherwise add your own

diff --git a/caracal.js b/caracal.js
@@ -38,6 +38,8 @@ app.use(function(req, res, next) {
 // auth related services
 app.get('/auth/Token/check', auth.jwkTokenTrade(auth.CLIENT, auth.PRIKEY, userFunction));
 app.get('/auth/Token/renew', auth.tokenTrade(auth.PUBKEY, auth.PRIKEY, userFunction));
+app.get('/auth/Token/proto', auth.firstSetupUserSignupExists());
+
 
 // public files, don't use login handler here
 app.use(express.static('static'));
@@ -161,11 +163,13 @@ app.use('/data', function(req, res, next) {
 
 // error handler
 app.use(function(err, req, res, next) {
-  console.error(JSON.stringify(err));
   let statusCode = err.statusCode || 500;
   // wrap strings in a json
   if (typeof err === 'string' || err instanceof String) {
     err = {'error': err};
+    console.error(err)
+  } else {
+    console.error(err.error || err.message || err.toString());
   }
   res.status(statusCode).json(err);
 });

diff --git a/handlers/authHandlers.js b/handlers/authHandlers.js
@@ -9,14 +9,16 @@ const {execSync} = require('child_process');
 const preCommand = "openssl req -subj ";
 const postCommand = " -x509 -nodes -newkey rsa:2048 -keyout ./keys/key -out ./keys/key.pub";
 var JWK_URL = process.env.JWK_URL;
-var DISABLE_SEC = process.env.DISABLE_SEC || false;
+var DISABLE_SEC = (process.env.DISABLE_SEC === 'true') || false;
 var AUD = process.env.AUD || false;
 var ISS = process.env.ISS || false;
 var EXPIRY = process.env.EXPIRY || '1d';
 var DEFAULT_USER_TYPE = process.env.DEFAULT_USER_TYPE || 'Null';
 var PUBKEY;
 var PRIKEY;
-var GENERATE_KEY_IF_MISSING = process.env.GENERATE_KEY_IF_MISSING || false;
+var CLIENT;
+var GENERATE_KEY_IF_MISSING = (process.env.GENERATE_KEY_IF_MISSING === 'true') || false;
+var ENABLE_SECURITY_AT = (process.env.ENABLE_SECURITY_AT ? process.env.ENABLE_SECURITY_AT : "") || false;
 
 if (!fs.existsSync('./keys/key') && !fs.existsSync('./keys/key.pub') && GENERATE_KEY_IF_MISSING) {
   try {
@@ -31,7 +33,7 @@ try {
   if (fs.existsSync(prikeyPath)) {
     PRIKEY = fs.readFileSync(prikeyPath, 'utf8');
   } else {
-    if (DISABLE_SEC) {
+    if (DISABLE_SEC || ENABLE_SECURITY_AT && Date.parse(ENABLE_SECURITY_AT) > Date.now()) {
       PRIKEY = '';
       console.warn('prikey null since DISABLE_SEC and no prikey provided');
     } else {
@@ -47,7 +49,7 @@ try {
   if (fs.existsSync(prikeyPath)) {
     var PUBKEY = fs.readFileSync(prikeyPath, 'utf8');
   } else {
-    if (DISABLE_SEC) {
+    if (DISABLE_SEC || ENABLE_SECURITY_AT && Date.parse(ENABLE_SECURITY_AT) > Date.now()) {
       PUBKEY = '';
       console.warn('pubkey null since DISABLE_SEC and no prikey provided');
     } else {
@@ -57,18 +59,20 @@ try {
 } catch (err) {
   console.error(err);
 }
+
 if (DISABLE_SEC && !JWK_URL) {
-  var CLIENT = jwksClient({
+  CLIENT = jwksClient({
     jwksUri: 'https://www.googleapis.com/oauth2/v3/certs', // a default value
   });
 } else if (JWK_URL) {
-  var CLIENT = jwksClient({
+  CLIENT = jwksClient({
     jwksUri: JWK_URL,
   });
 } else {
   console.error('need JWKS URL (JWK_URL)');
   process.exit(1);
-}
+}  
+
 const getToken = function(req) {
   if (req.headers.authorization &&
     req.headers.authorization.split(' ')[0] === 'Bearer') { // Authorization: Bearer g1jipjgi1ifjioj
@@ -168,7 +172,7 @@ function tokenTrade(checkKey, signKey, userFunction) {
 
 function loginHandler(checkKey) {
   return function(req, res, next) {
-    if (DISABLE_SEC) {
+    if (DISABLE_SEC || ENABLE_SECURITY_AT && Date.parse(ENABLE_SECURITY_AT) > Date.now()) {
       let token = jwt.decode(getToken(req)) || {};
       req.tokenInfo = token;
       req.userType = token.userType || DEFAULT_USER_TYPE || 'Null';
@@ -240,12 +244,28 @@ function editHandler(dataField, filterField, attrField) {
   };
 }
 
+function firstSetupUserSignupExists() {
+  return function(req, res) {
+    if (ENABLE_SECURITY_AT && Date.parse(ENABLE_SECURITY_AT) > Date.now()) {
+      res.send({
+        'exists': true,
+      });
+    } else {
+      res.send({
+        'exists': false,
+      });
+    }
+  };
+}
+
+
 auth = {};
 auth.jwkTokenTrade = jwkTokenTrade;
 auth.tokenTrade = tokenTrade;
 auth.filterHandler = filterHandler;
 auth.loginHandler = loginHandler;
 auth.editHandler = editHandler;
+auth.firstSetupUserSignupExists = firstSetupUserSignupExists;
 auth.CLIENT = CLIENT;
 auth.PRIKEY = PRIKEY;
 auth.PUBKEY = PUBKEY;

diff --git a/handlers/dataHandlers.js b/handlers/dataHandlers.js
@@ -2,7 +2,8 @@ var mongo = require('mongodb');
 
 var MONGO_URI = process.env.MONGO_URI || 'mongodb://localhost';
 var MONGO_DB = process.env.MONGO_DB || 'camic';
-var DISABLE_SEC = process.env.DISABLE_SEC || false;
+var DISABLE_SEC = (process.env.DISABLE_SEC === 'true') || false;
+
 
 function mongoFind(collection, query) {
   return new Promise(function(res, rej) {

diff --git a/handlers/filterFunction.js b/handlers/filterFunction.js
@@ -1,18 +1,47 @@
 function filterFunction(filter, data, attr, wildcard) {
-  // make filter an array
-  if (!Array.isArray(filter)) {
-    filter = [filter];
+  if (typeof filter==="string") {
+    try {
+      filter = JSON.parse(filter.replace(/'/g, '"'));
+    } catch (err) {
+      filter=[filter]; // make an array of the filter
+    }
   }
   if (filter.indexOf(wildcard) == -1) {
     // is data an array?
     if (Array.isArray(data)) {
       // remove ones where does not match
-      data = data.filter((x) => (!x[attr] || filter.indexOf(x[attr]) >= 0) );
+      data = data.filter((x) => {
+        let list;
+        if (!x[attr]) {
+          return true;
+        }
+        try {
+          list=JSON.parse(x[attr].replace(/'/g, '"'));
+          return list.some((e) =>filter.indexOf(e) >= 0);
+        } catch (err) { // when list is not an array, but a string
+          list=x[attr];
+          return filter.indexOf(x[attr]) >= 0;
+        }
+      });
     } else {
-      if (!data[attr] || filter.indexOf(data[attr]) >= 0) {
+      if (!data[attr]) {
         data = data;
       } else {
-        data = {};
+        let list;
+        try {
+          list=JSON.parse(data[attr].replace(/'/g, '"'));
+          if (list.some((e) => filter.indexOf(e) >= 0)) {
+            return data;
+          } else {
+            return {};
+          }
+        } catch (err) { // when list is not an array, but a string
+          if (filter.indexOf(data[attr]) >= 0) {
+            return data;
+          } else {
+            return {};
+          }
+        }
       }
     }
   }

diff --git a/handlers/permssionHandler.js b/handlers/permssionHandler.js
@@ -1,8 +1,9 @@
-var DISABLE_SEC = process.env.DISABLE_SEC || false;
+var DISABLE_SEC = (process.env.DISABLE_SEC === 'true') || false;
+var ENABLE_SECURITY_AT = (process.env.ENABLE_SECURITY_AT ? process.env.ENABLE_SECURITY_AT : "") || false;
 
 function permissionHandler(permissionList, test=false) {
   return function(req, res, next) {
-    if (!test &&DISABLE_SEC) {
+    if (!test && DISABLE_SEC || ENABLE_SECURITY_AT && Date.parse(ENABLE_SECURITY_AT) > Date.now()) {
       req.permission_ok = true;
       next();
     } else {

diff --git a/handlers/userFunction.js b/handlers/userFunction.js
@@ -1,4 +1,4 @@
-var ALLOW_PUBLIC = process.env.ALLOW_PUBLIC;
+var ALLOW_PUBLIC = (process.env.ALLOW_PUBLIC === 'true');
 
 var dataHandlers = require('./dataHandlers.js');
 // userFunction -- used for login given id provider token