Merge pull request #2 from dod-advana/updates-to-use-tls

Updates to use tls (based on advana api auth 2.7)

README.md

@@ -1,32 +1,38 @@
-## Env Variables
-* REDIS_URL
+## Configuration
 
-* PG_USER
-* PG_PASSWORD
-* PG_HOST
-* PG_UM_DB
+**NOTE: For working with encrypted TLS/SSL connections to RDS (PostgreSQL) and ElastiCache (Redis) in the AWS dev and test environments, you will need to include the Amazon Root CA and RDS certificates in your CA bundle (`TLS_CERT_CA` or `TLS_CERT_CA_FILEPATH`)**
 
-* TLS_KEY_FILEPATH
-* TLS_KEY_PASSPHRASE
-* APPROVED_API_CALLERS
-* COOKIE_DOMAIN
-* SECURE_SESSION
-* DISABLE_SSO
-* EXPRESS_SESSION_SECRET JSON array of strings used as secrets like
-```
-'["new secret first", "older secrets later"]'
-```
-* EXPRESS_SESSION_MAX_AGE session cookie max age in seconds
-* SAML_ISSUER
-* SAML_CALLBACK_URL
-* SAML_ENTRYPOINT
-* SAML_LOGOUT_URL
-* SAML_LOGOUT_CALLBACK_URL
-* SAML_CERT
-
-* AD_ENABLED (true/false) This one turns on and off pulling permissions from AD.
-* LDAP_URL (ldaps://ldap.example.com)
-* LDAP_USERNAME (dev.team.da@DRCED)
-* LDAP_PASSWORD (password)
-* LDAP_CERT (Cert for LDAP)
-* LDAP_USER_FOLDER_CN (DC=drced,DC=local)
+| Environment Variable | Default Value | Description |
+| ---                  | ---           | ---         |
+| `AD_ENABLED` | | Set to `true` to query Active Directory for user permissions. |
+| `API_AUTH_LOG_LEVEL` | `${LOG_LEVEL}` or `info` | The name of the lowest level of log messages to record from the module in development/testing environments. If this value is not set, it will inherit the value of the `LOG_LEVEL` setting if available or fall back to `info`. To disable log messages from the module, set this variable to `silent`.
+| `APPROVED_API_CALLERS` | | A space-delimited list of URLs to use in generating the [`Access-Control-Allow-Origin` HTTP response header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) in the `getAllowedOriginMiddleware`, also used to enforce safe client redirection in the SSO workflow. |
+| `COOKIE_DOMAIN` | | The session cookie's [`Domain` attribute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value) in the `redisSession` middleware. |
+| `DISABLE_SSO` | | Set to `true` to disable SSO in development/testing environments. When `true`, the user will be defined by the value of the `SSL_CLIENT_S_DN_CN` HTTP request header. |
+| `EXPRESS_SESSION_MAX_AGE` | `43200000` (12 hours) | The maximum session age (in milliseconds) allowed by the `redisSession` middleware. |
+| `EXPRESS_SESSION_SECRET` | | A string that can be parsed as a JSON array for values to be used as the session secret for the `redisSession` middleware. |
+| `LDAP_CERT` | | The certificate for the Active Directory server. |
+| `LDAP_PASSWORD` | | The password for authenticating to the Active Directory server. |
+| `LDAP_URL` | | The URL of the Active Directory server. |
+| `LDAP_USER_FOLDER_CN` | | The root DN to search for users on the Active Directory server. |
+| `LDAP_USERNAME` | | The username for authenticating to the Active Directory server. |
+| `PG_HOST` | | The host name of the PostgreSQL database server where user data is stored. |
+| `PG_PASSWORD` | | The password for authenticating to the PostgreSQL database server. |
+| `PG_SSL_REQUIRE` | `true` | Set to `false` to connect to a local PostgreSQL server without SSL. Setting this to false will log a warning message when connecting to the `PG_UM_DB` database. |
+| `PG_UM_DB` | | The name of the PostgreSQL database where user data is stored. |
+| `PG_USER` | | The username for authenticating to the PostgreSQL database server. |
+| `REDIS_PASSWORD` | | The password to use for authenticating to the Redis server. |
+| `REDIS_URL` | `redis://localhost` | The URL of the Redis server that stores user session data by the `redisSession` middleware. |
+| `REDIS_USER` | | The username to use for authenticating to the Redis server. |
+| `SAML_CALLBACK_URL` | | The full callback URL for the identity provider's single sign-on (SSO) service. |
+| `SAML_CERT` | | The public signing certificate for the identity provider used to validate signatures of incoming SAML responses. |
+| `SAML_ENTRYPOINT` | | The identity provider's single sign-on (SSO) service entrypoint. |
+| `SAML_ISSUER` | | The issuer string for the identity provider. |
+| `SAML_LOGOUT_CALLBACK_URL` | | The value for the `Location` attribute in the identity provider's single logout (SLO) service configuration. |
+| `SAML_LOGOUT_URL` | | The full URL for the identity provider's single logout (SLO) service). |
+| `SECURE_SESSION` | | Boolean value determining how to secure the session cookie in the `redisSession` middleware. Set to *true* to set the session cookie's [`Secure` attibute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#secure) to `true` and the [`SameSite` attibute](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#samesitesamesite-value) to `none`. Otherwise, these attributes will be set to `false` and `lax`, respectively. |
+| `TLS_CERT_CA` | | The serialized certificate authority bundle for establishing encrypted TLS/SSL connections to PostgreSQL and Redis. |
+| `TLS_CERT_CA_FILEPATH` | | The file path of the certificate authority bundle for establishing encrypted TLS/SSL connections to PostgreSQL and Redis, if `TLS_CERT_CA` is not defined. |
+| `TLS_KEY` | | The private certificate for signing JWT tokens for client-side session management. |
+| `TLS_KEY_FILEPATH` | | The file path of the private certificate for signing JWT tokens, if `TLS_KEY` is not defined. |
+| `TLS_KEY_PASSPHRASE` | | The passphrase for decrypting the private certificate for signing JWT tokens. |

environment.js

@@ -0,0 +1,59 @@
+const fs = require('fs');
+const RSAkeyDecrypt = require('ssh-key-decrypt');
+
+/**
+ * The log level for the api-auth library to use.
+ * @since 2.6.0
+ * @internal
+ */
+const API_AUTH_LOG_LEVEL = process.env.API_AUTH_LOG_LEVEL;
+
+const PG_HOST = process.env.PG_UOT_HOST || process.env.PG_HOST;
+const PG_DATABASE = process.env.PG_UM_DB;
+const PG_USERNAME = process.env.PG_UOT_USER || process.env.PG_USER;
+const PG_PASSWORD = process.env.PG_UOT_PASSWORD || process.env.PG_PASSWORD;
+
+/**
+ * Boolean flag indicating whether SSL/TLS should be used for connecting to
+ * PostgreSQL. The default value is `true`.
+ * @since 2.7.0
+ * @internal
+ */
+const PG_SSL_REQUIRE = process.env.PG_SSL_REQUIRE !== 'false';
+
+const SSO_DISABLED = process.env.DISABLE_SSO === 'true';
+
+const readCert = (value, filePath) => {
+	if (value) {
+		return value.replace(/\\n/g, '\n');
+	} else {
+		// eslint-disable-next-line security/detect-non-literal-fs-filename
+		return fs.readFileSync(filePath, 'ascii');
+	}
+};
+
+const TLS_CERT_CA = readCert(
+	process.env.TLS_CERT_CA,
+	process.env.TLS_CERT_CA_FILEPATH
+);
+
+const TLS_KEY = readCert(process.env.TLS_KEY, process.env.TLS_KEY_FILEPATH);
+
+const TLS_PRIVATE_KEY =
+	'-----BEGIN RSA PRIVATE KEY-----\n' +
+	RSAkeyDecrypt(TLS_KEY, process.env.TLS_KEY_PASSPHRASE, 'base64')
+		.match(/.{1,64}/g)
+		.join('\n') +
+	'\n-----END RSA PRIVATE KEY-----';
+
+module.exports = {
+	API_AUTH_LOG_LEVEL,
+	PG_DATABASE,
+	PG_HOST,
+	PG_PASSWORD,
+	PG_SSL_REQUIRE,
+	PG_USERNAME,
+	SSO_DISABLED,
+	TLS_CERT_CA,
+	TLS_PRIVATE_KEY,
+};