From cb017456dbe09fc8f3e5270e641ab8f323ecde76 Mon Sep 17 00:00:00 2001 From: Alex Shatov Date: Mon, 17 Sep 2018 16:21:53 -0400 Subject: 3.0.2 tls web-server under k8s - external version 3.0.2 - internal version 5.0.2 for code change - no API change - https server is enabled when either of the following pairs are found in fs: 1. etc/cert/cert and etc/cert/pass (old behavior) 2. etc/cert/cert.p12 and etc/cert/p12.pass - added alternative - hide secrets when logging the config - changed Dockerfile to copy the whole etc/ folder that might contain etc/cert/* files - easier to test - replaced CRLF with LF in swagger-ui.js - no code change - unit tested Coverage summary Statements : 77.45% ( 910/1175 ) Branches : 53.7% ( 283/527 ) Functions : 79.9% ( 159/199 ) Lines : 77.85% ( 900/1156 ) Change-Id: I921e0d6ac9573f60fa98910f799f9d034b573542 Signed-off-by: Alex Shatov Issue-ID: DCAEGEN2-780 --- lib/config.js | 44 +++++++++++++++++++++++++-------------- lib/swagger-ui.js | 62 +++++++++++++++++++++++++++---------------------------- lib/utils.js | 19 ++++++++++------- 3 files changed, 71 insertions(+), 54 deletions(-) (limited to 'lib') diff --git a/lib/config.js b/lib/config.js index fd7d38c..8daa87f 100644 --- a/lib/config.js +++ b/lib/config.js @@ -52,10 +52,12 @@ See the License for the specific language governing permissions and limitations * Basic authentication and supply "admin" as a user name with "admin123" as the password or * supply "other" as the user name with "other123" as the password. * - * The dispatcher will attempt to run using TLS (i.e., as an HTTPS server) if a certificate - * file in pkcs12 format is stored at etc/cert/cert and a file containing the corresponding - * passphrase is stored at etc/cert/pass. These files can be made available to the container - * running the dispatcher by mounting a volume to the container. + * The deployment-handler will attempt to run its web-server using TLS (i.e., as an HTTPS server) + * if a certificate file in pkcs12 format is stored at etc/cert/cert and a file containing the + * corresponding passphrase is stored at etc/cert/pass. + * - alternative files can be at etc/cert/cert.p12 and etc/cert/p12.pass, respectively. + * These files can be made available to the container running the deployment-handler by + * mounting a volume to the container. */ "use strict"; @@ -65,6 +67,9 @@ const consul = require("./consul"); const SSL_CERT_FILE = "etc/cert/cert"; const SSL_PASS_FILE = "etc/cert/pass"; +const SSL_CERT_P12_FILE = "etc/cert/cert.p12"; +const SSL_P12_PASS_FILE = "etc/cert/p12.pass"; + const PACKAGE_JSON_FILE = "./package.json"; const CONFIG_KEY = "deployment_handler"; /* Configuration is stored under the name "deployment_handler" */ @@ -120,21 +125,21 @@ const getFileContents = function(path) { else { resolve(data); } - }) - }) + }); + }); }; /* Check for a TLS cert file and passphrase */ -const getTLSCredentials = function() { - var ssl = {}; +const getTLSCredentials = function(ssl_pass_file, ssl_cert_file) { + const ssl = {}; /* Get the passphrase */ - return getFileContents(SSL_PASS_FILE) + return getFileContents(ssl_pass_file) .then(function(phrase) { ssl.passphrase = phrase.toString('utf8').trim(); /* Get the cert */ - return getFileContents(SSL_CERT_FILE); + return getFileContents(ssl_cert_file); }) .then(function(cert) { @@ -143,9 +148,10 @@ const getTLSCredentials = function() { }) .catch(function(err) { - return {}; + console.log((new Date()) + ": getTLSCredentials", err.toString()); + return; }); -} +}; exports.configure = function() { const config = {}; @@ -202,11 +208,17 @@ exports.configure = function() { .then(function(invService) { config.inventory.url = config.inventory.protocol + "://" + invService.address + ":" + invService.port + INV_API_PATH; - /* Get TLS credentials, if they exist */ - return getTLSCredentials(); + console.log((new Date()) + ": looking for tls files", SSL_PASS_FILE, SSL_CERT_FILE); + return getTLSCredentials(SSL_PASS_FILE, SSL_CERT_FILE); + }) + .then(function(tls) { + if (tls) {return tls;} + + console.log((new Date()) + ": looking for alternative tls files", SSL_P12_PASS_FILE, SSL_CERT_P12_FILE); + return getTLSCredentials(SSL_P12_PASS_FILE, SSL_CERT_P12_FILE); }) .then(function(tls) { - config.ssl = tls; + if (tls) {config.ssl = tls;} /* Check for missing required configuration parameters */ const missing = findMissingConfig(config); @@ -214,7 +226,7 @@ exports.configure = function() { throw new Error ("Required configuration elements missing: " + missing.join(',')); config = null; } - console.log( (new Date()) + ": config -> " + JSON.stringify(config, undefined, 2)); + console.log((new Date()) + ": config -> " + JSON.stringify(config, utils.hideSecrets, 2)); return config; }); }; diff --git a/lib/swagger-ui.js b/lib/swagger-ui.js index 8c50255..e397c75 100644 --- a/lib/swagger-ui.js +++ b/lib/swagger-ui.js @@ -1,31 +1,31 @@ -/* -Copyright(c) 2017 AT&T Intellectual Property. All rights reserved. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. - -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, -software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and limitations under the License. -*/ - -/** - * swagger-ui for deployment-handler API - */ - -"use strict"; - -// ======================================================== - -const app = require('express')(); -const swaggerUi = require('swagger-ui-express'); -const YAML = require('yamljs'); -const swaggerDocument = YAML.load('./deployment-handler-API.yaml'); -app.use("/", swaggerUi.serve, swaggerUi.setup(swaggerDocument)); - -module.exports = app; +/* +Copyright(c) 2017 AT&T Intellectual Property. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. + +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and limitations under the License. +*/ + +/** + * swagger-ui for deployment-handler API + */ + +"use strict"; + +// ======================================================== + +const app = require('express')(); +const swaggerUi = require('swagger-ui-express'); +const YAML = require('yamljs'); +const swaggerDocument = YAML.load('./deployment-handler-API.yaml'); +app.use("/", swaggerUi.serve, swaggerUi.setup(swaggerDocument)); + +module.exports = app; diff --git a/lib/utils.js b/lib/utils.js index 70146e3..8caf280 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -1,16 +1,16 @@ /* -Copyright(c) 2017 AT&T Intellectual Property. All rights reserved. +Copyright(c) 2017-2018 AT&T Intellectual Property. All rights reserved. -Licensed under the Apache License, Version 2.0 (the "License"); +Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 -Unless required by applicable law or agreed to in writing, +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR -CONDITIONS OF ANY KIND, either express or implied. +CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ @@ -26,14 +26,19 @@ exports.hasProperty = function(o, key) { if (typeof(o) === 'object' && o !== null && (e in o) && (typeof o[e] !== 'undefined')) { o = o[e]; return true; - } + } else { return false; - } + } }); }; /* Generate a random ID string */ exports.generateId = function() { - return uuid(); + return uuid(); +}; + +const hide_fields = ["passphrase", "pfx"]; +exports.hideSecrets = function(key, value) { + return (key && hide_fields.includes(key) && "*") || value; }; -- cgit