Merge pull request #214 from OWASP/develop

v1.1.3
OWASP · Aug 30, 2023 · 09fd20c · 09fd20c
2 parents f8dedff + d8b6ba9
commit 09fd20c
Show file tree

Hide file tree

Showing 63 changed files with 5,391 additions and 7,751 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -246,3 +246,7 @@ jobs:
           cache-from: type=gha,scope=mailhog-service
           cache-to: type=gha,mode=max,scope=mailhog-service
 
+      - name: Dump docker logs on failure
+        if: failure()
+        uses: jwalton/gh-docker-logs@v2
+
diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
@@ -40,14 +40,20 @@ services:
       - SMTP_AUTH=true
       - SMTP_STARTTLS=true
       - ENABLE_LOG4J=${ENABLE_LOG4J:-false}
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_KEYSTORE_TYPE=PKCS12
+      - TLS_KEYSTORE=classpath:certs/server.p12
+      - TLS_KEYSTORE_PASSWORD=passw0rd
+      - TLS_KEY_PASSWORD=passw0rd
+      - TLS_KEY_ALIAS=identity
     depends_on:
       postgresdb:
         condition: service_healthy
       mongodb:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${IDENTITY_SERVER_PORT:-8080}/identity/health_check
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -75,6 +81,9 @@ services:
       - MONGO_DB_USER=admin
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -83,7 +92,7 @@ services:
       crapi-identity:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${COMMUNITY_SERVER_PORT:-8087}/community/home
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -112,7 +121,10 @@ services:
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
       - SECRET_KEY=crapi
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -123,7 +135,7 @@ services:
       crapi-community:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${WORKSHOP_SERVER_PORT:-8000}/workshop/health_check/
+        test: /app/health.sh
         interval: 15s
         timeout: 15s
         retries: 15
@@ -138,10 +150,12 @@ services:
     image: crapi/crapi-web:${VERSION:-latest}
     ports:
       - "${LISTEN_IP:-127.0.0.1}:8888:80"
+      - "${LISTEN_IP:-127.0.0.1}:8443:443"
     environment:
       - COMMUNITY_SERVICE=crapi-community:${COMMUNITY_SERVER_PORT:-8087}
       - IDENTITY_SERVICE=crapi-identity:${IDENTITY_SERVER_PORT:-8080}
       - WORKSHOP_SERVICE=crapi-workshop:${WORKSHOP_SERVER_PORT:-8000}
+      - TLS_ENABLED=${TLS_ENABLED:-false}
     depends_on:
       crapi-community:
         condition: service_healthy
@@ -225,8 +239,8 @@ services:
           cpus: '0.3'
           memory: 128M
 
-  api.crapi.io:
-    container_name: api.crapi.io
+  api.mypremiumdealership.com:
+    container_name: api.mypremiumdealership.com
     image: crapi/gateway-service:${VERSION:-latest}
     #ports:
     #  - "${LISTEN_IP:-127.0.0.1}:8443:443" # https
@@ -235,6 +249,7 @@ services:
         interval: 15s
         timeout: 15s
         retries: 15
+        start_period: 15s
     deploy:
       resources:
         limits:

diff --git a/deploy/helm/templates/community/config.yaml b/deploy/helm/templates/community/config.yaml
@@ -22,3 +22,4 @@ data:
     MONGO_DB_PASSWORD: {{ .Values.mongodb.config.mongoPassword }}
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.community.port | quote }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/templates/identity/config.yaml b/deploy/helm/templates/identity/config.yaml
@@ -30,3 +30,9 @@ data:
   SMTP_STARTTLS: {{ .Values.identity.config.smtpStartTLS | quote }}
   SERVER_PORT: {{ .Values.identity.port | quote }}
   API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
+  TLS_KEYSTORE_TYPE: {{ .Values.identity.config.keyStoreType }}
+  TLS_KEYSTORE: {{ .Values.identity.config.keyStore }}
+  TLS_KEYSTORE_PASSWORD: {{ .Values.identity.config.keyStorePassword }}
+  TLS_KEY_PASSWORD: {{ .Values.identity.config.keyPassword }}
+  TLS_KEY_ALIAS: {{ .Values.identity.config.keyAlias }}
diff --git a/deploy/helm/templates/web/configmap.yaml b/deploy/helm/templates/web/configmap.yaml
@@ -9,3 +9,4 @@ data:
   COMMUNITY_SERVICE: {{ .Values.community.service.name }}:{{ .Values.community.port }}
   IDENTITY_SERVICE: {{ .Values.identity.service.name }}:{{ .Values.identity.port }}
   WORKSHOP_SERVICE: {{ .Values.workshop.service.name }}:{{ .Values.workshop.port }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/templates/web/deployment.yaml b/deploy/helm/templates/web/deployment.yaml
@@ -23,6 +23,7 @@ spec:
           image: {{ .Values.web.image }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
           ports:
+            - containerPort: 443
             - containerPort: 80
           {{- if .Values.web.resources }}
           resources:

diff --git a/deploy/helm/templates/web/ingress.yaml b/deploy/helm/templates/web/ingress.yaml
@@ -11,6 +11,10 @@ spec:
     targetPort: 80
     nodePort: {{ .Values.web.service.nodePort }}
     name: nginx
+  - port: {{ .Values.web.sslPort }}
+    targetPort: 443
+    nodePort: {{ .Values.web.service.sslNodePort }}
+    name: nginx-ssl
   type: LoadBalancer
   selector:
     {{- toYaml .Values.web.serviceSelectorLabels | nindent 4 }}
diff --git a/deploy/helm/templates/workshop/config.yaml b/deploy/helm/templates/workshop/config.yaml
@@ -22,3 +22,4 @@ data:
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.workshop.port | quote }}
     API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/values-tls.yaml b/deploy/helm/values-tls.yaml
@@ -0,0 +1,32 @@
+# Default values for crapi.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+imagePullPolicy: Always
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
+apiGatewayServiceInstall: false
+enableLog4j: true
+enableShellInjection: true
+tlsEnabled: true
+
+web:
+  image: crapi/crapi-web
+  port: 80
+  sslPort: 443
+identity:
+  image: crapi/crapi-identity
+  port: 8080
+community:
+  image: crapi/crapi-community
+  port: 8087
+workshop:
+  image: crapi/crapi-workshop
+  port: 8000
+mailhog:
+  image: crapi/mailhog
+mongodb:
+  image: mongo
+  version: 5.0
+postgresdb:
+  image: postgres
+  version: 14
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -6,9 +6,10 @@ jwtSecret: crapi
 enableLog4j: false
 enableShellInjection: true
 imagePullPolicy: Always
-apiGatewayServiceUrl: https://api.crapi.io
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
 apiGatewayServiceInstall: true
 apiGatewayPassword: 
+tlsEnabled: false
 
 waitForK8sResources:
   image: groundnuty/k8s-wait-for:v1.3
@@ -19,11 +20,13 @@ web:
   image: crapi/crapi-web
   replicaCount: 1
   port: 80
+  sslPort: 443
   service:
     name: crapi-web
     labels:
       app: crapi-web
     nodePort: 30080
+    sslNodePort: 30443
   config:
     name: crapi-web-configmap
     labels:
@@ -70,6 +73,11 @@ identity:
     smtpFrom: "no-reply@example.com"
     smtpAuth: true
     smtpStartTLS: true
+    keyStoreType: PKCS12
+    keyStore: classpath:certs/server.p12
+    keyStorePassword: passw0rd
+    keyPassword: passw0rd
+    keyAlias: identity
   resources:
     limits:
       cpu: "500m"
@@ -278,4 +286,4 @@ apiGatewayService:
   deploymentSelectorMatchLabels:
     app: gateway-service
   serviceSelectorLabels:
-    app: gateway-service
+    app: gateway-service
diff --git a/deploy/vagrant/provisioner.sh b/deploy/vagrant/provisioner.sh
@@ -41,8 +41,7 @@ mkdir /opt/crapi
 
 cp "$MOUNT_DIR/deploy/docker/docker-compose.yml" /opt/crapi \
     && sed -i /opt/crapi/docker-compose.yml \
-        -e "s/127.0.0.1:8888:80/80:80/" \
-        -e "s/127.0.0.1:8025:8025/8025:8025/"
+    -e 's/${LISTEN_IP:-127\.0\.0\.1}:8888:80/80:80/; s/${LISTEN_IP:-127\.0\.0\.1}:8025:8025/8025:8025/'
 cp "$MOUNT_DIR/deploy/vagrant/crapi.service" /etc/systemd/system/ \
     && systemctl daemon-reload \
     && systemctl enable crapi.service

diff --git a/postman_collections/crAPI.postman_collection.json b/postman_collections/crAPI.postman_collection.json
@@ -33,7 +33,7 @@
           }
         ],
         "request": {
-          "method": "GET",
+          "method": "POST",
           "header": [
             {
               "key": "User-Agent",

diff --git a/services/community/Dockerfile b/services/community/Dockerfile
@@ -24,16 +24,19 @@ COPY ./api ./api
 RUN go mod vendor
 RUN ls -al
 RUN go build -o main .
+RUN go test -v ./...
 WORKDIR /dist
 RUN cp /build/main .
 
 # Main Image
 FROM alpine:3
 
 # go
-RUN mkdir /app
+WORKDIR /app
 RUN apk update && apk add --no-cache curl
 COPY --from=builder /dist/main /app/main
+COPY certs /app/certs
+COPY health.sh /app/health.sh
 RUN ls -al /app
 
 ARG SERVER_PORT 

diff --git a/services/community/api/auth/token.go b/services/community/api/auth/token.go
@@ -16,6 +16,7 @@ package auth
 
 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -25,6 +26,7 @@ import (
 	"strings"
 
 	"crapi.proj/goservice/api/models"
+	"crapi.proj/goservice/api/utils"
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/jinzhu/gorm"
 )
@@ -33,7 +35,7 @@ type Token struct {
 	Token string `json:"token"`
 }
 
-//ExtractToken return token from Authorization Bearer
+// ExtractToken return token from Authorization Bearer
 func ExtractToken(r *http.Request) string {
 	keys := r.URL.Query()
 	token := keys.Get("token")
@@ -47,11 +49,16 @@ func ExtractToken(r *http.Request) string {
 	return ""
 }
 
-//ExtractTokenID Verify token either it's valid or not.
-//If token is valid we extract username from token Claims.
-//Then check that username in postgres database.
+// ExtractTokenID Verify token either it's valid or not.
+// If token is valid we extract username from token Claims.
+// Then check that username in postgres database.
 func ExtractTokenID(r *http.Request, db *gorm.DB) (uint32, error) {
+	http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	tokenVerifyURL := fmt.Sprintf("http://%s/identity/api/auth/verify", os.Getenv("IDENTITY_SERVICE"))
+	tls_enabled, is_tls := os.LookupEnv("TLS_ENABLED")
+	if is_tls && utils.IsTrue(tls_enabled) {
+		tokenVerifyURL = fmt.Sprintf("https://%s/identity/api/auth/verify", os.Getenv("IDENTITY_SERVICE"))
+	}
 	tokenString := ExtractToken(r)
 	tokenJSON, err := json.Marshal(Token{Token: tokenString})
 	if err != nil {
@@ -90,7 +97,7 @@ func ExtractTokenID(r *http.Request, db *gorm.DB) (uint32, error) {
 	return 0, errors.New("Unauthorized")
 }
 
-//CheckTokenInDB call FindUserByEmail and check that email in postgres database
+// CheckTokenInDB call FindUserByEmail and check that email in postgres database
 func CheckTokenInDB(username string, db *gorm.DB) error {
 	email := fmt.Sprintf("%v", username)
 	//Calling user model for database query
@@ -106,7 +113,7 @@ func CheckTokenInDB(username string, db *gorm.DB) error {
 
 }
 
-//Pretty display the claims licely in the terminal
+// Pretty display the claims licely in the terminal
 func Pretty(data interface{}) {
 	b, err := json.MarshalIndent(data, "", " ")
 	if err != nil {

diff --git a/services/community/api/router/routes.go b/services/community/api/router/routes.go
@@ -18,17 +18,19 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"github.com/gorilla/mux"
+
 	"crapi.proj/goservice/api/config"
 	"crapi.proj/goservice/api/controllers"
 	"crapi.proj/goservice/api/middlewares"
+	"crapi.proj/goservice/api/utils"
+	"github.com/gorilla/mux"
 )
 
 type Server config.Server
 
 var controller = controllers.Server{}
 
-//initializeRoutes initialize routes of url with Authentication or without Authentication
+// initializeRoutes initialize routes of url with Authentication or without Authentication
 func (server *Server) InitializeRoutes() *mux.Router {
 
 	controller.DB = server.DB
@@ -55,8 +57,27 @@ func (server *Server) InitializeRoutes() *mux.Router {
 	return server.Router
 }
 
-//
 func (server *Server) Run(addr string) {
-	fmt.Println("Listening to port "+ os.Getenv("SERVER_PORT"))
-	fmt.Println(http.ListenAndServe(addr, server.Router))
+	fmt.Println("Listening to port " + os.Getenv("SERVER_PORT"))
+	if utils.IsTLSEnabled() {
+		// Check if env variable TLS_CERTIFICATE is set then use it as certificate else default to certs/server.crt
+		certificate, is_cert := os.LookupEnv("TLS_CERTIFICATE")
+		if !is_cert || certificate == "" {
+			certificate = "certs/server.crt"
+		}
+		// Check if env variable TLS_KEY is set then use it as key else default to certs/server.key
+		key, is_key := os.LookupEnv("TLS_KEY")
+		if !is_key || key == "" {
+			key = "certs/server.key"
+		}
+		err := http.ListenAndServeTLS(addr, certificate, key, server.Router)
+		if err != nil {
+			fmt.Println(err)
+		}
+	} else {
+		err := http.ListenAndServe(addr, server.Router)
+		if err != nil {
+			fmt.Println(err)
+		}
+	}
 }