refactor(auto): check for jwt secret and mps credentials

BREAKING CHANGES: db schema changed to accept mps username

.github/workflows/api-test.yml

@@ -24,5 +24,5 @@ jobs:
     - run: docker build -f Dockerfile -t mps:${GITHUB_SHA} .
     - run: docker-compose up -d
     - run: sleep 30
-    - run: docker run --network=host -v  /home/runner/work/mps/mps/test/collections/:/collections postman/newman run /collections/MPS.postman_collection.json -e /collections/MPS.postman_environment.json --insecure
+    - run: docker run --network=host -v  /home/runner/work/mps/mps/src/test/collections/:/collections postman/newman run /collections/MPS.postman_collection.json -e /collections/MPS.postman_environment.json --insecure
 

.gitignore

@@ -3,9 +3,9 @@ private/*.crt
 private/*.key
 private/*.cer
 mochawesome-report/
-test/private/*.cer
-test/private/*.crt
-test/private/*.key
+src/test/private/*.cer
+src/test/private/*.crt
+src/test/private/*.key
 
 # build output folder
 dist/

.mpsrc

@@ -1,9 +1,6 @@
 {
     "common_name": "localhost",
     "port": 4433,
-    "username": "standalone",
-    "pass": "G@ppm0ym",
-    "use_global_mps_credentials": true,
     "country": "US",
     "company": "NoCorp",
     "debug": true,
@@ -13,15 +10,15 @@
     "web_port" : 3000,
     "generate_certificates": true,
     "logger_off":false,
-    "web_admin_user": "standalone",
-    "web_admin_password": "G@ppm0ym",
+    "web_admin_user": "",
+    "web_admin_password": "",
     "vault_address": "http://localhost:8200",
     "vault_token": "myroot",
     "secrets_path": "secret/data/",
     "cert_format" : "file",
     "data_path" : "../private/data.json",
     "cert_path": "../private",
-    "jwt_secret": "supersecret",
+    "jwt_secret": "",
     "jwt_issuer": "9EmRJTbIiIb4bIeSsmgcWIjrR6HyETqc",
     "jwt_expiration": "1440",    
     "cors_origin":"*",

data/initMPS.sql

@@ -12,5 +12,6 @@ CREATE TABLE IF NOT EXISTS devices(
       hostname varchar(256),
       mpsinstance text, 
       connectionstatus boolean,
+      mpsusername text,
       CONSTRAINT device_guid UNIQUE(guid)
     ); 

docker-compose.yml

@@ -16,10 +16,15 @@ services:
     environment:
       MPS_CONNECTION_STRING: "postgresql://postgresadmin:admin123@db:5432/mpsdb"
       MPS_VAULT_ADDRESS: "http://vault:8200"
+      MPS_WEB_ADMIN_USER: "standalone"
+      MPS_WEB_ADMIN_PASSWORD: "G@ppm0ym"
+      MPS_JWT_SECRET: "mpssecret"
   db:
     image: postgres
     networks:
       - openamtnetwork
+    ports:
+      - 5432:5432
     restart: always
     environment:
       POSTGRES_USER: postgresadmin

src/db/device.ts

@@ -69,13 +69,14 @@ export class DeviceDb implements IDeviceDb {
    */
   async insert (device: Device): Promise<Device> {
     try {
-      const results = await this.db.query('INSERT INTO devices(guid, hostname, tags, mpsinstance, connectionstatus) values($1, $2, ARRAY(SELECT json_array_elements_text($3)), $4, $5)',
+      const results = await this.db.query('INSERT INTO devices(guid, hostname, tags, mpsinstance, connectionstatus, mpsusername) values($1, $2, ARRAY(SELECT json_array_elements_text($3)), $4, $5, $6)',
         [
           device.guid,
           device.hostname,
           JSON.stringify(device.tags),
           device.mpsInstance,
-          device.connectionStatus
+          device.connectionStatus,
+          device.mpsusername
         ])
       if (results.rowCount > 0) {
         return await this.getById(device.guid)
@@ -97,13 +98,14 @@ export class DeviceDb implements IDeviceDb {
   */
   async update (device: Device): Promise <Device> {
     try {
-      const results = await this.db.query('UPDATE devices SET tags=$2, hostname=$3, mpsinstance=$4, connectionstatus=$5 WHERE guid=$1',
+      const results = await this.db.query('UPDATE devices SET tags=$2, hostname=$3, mpsinstance=$4, connectionstatus=$5, mpsusername=$6 WHERE guid=$1',
         [
           device.guid,
           device.tags,
           device.hostname,
           device.mpsInstance,
-          device.connectionStatus
+          device.connectionStatus,
+          device.mpsusername
         ])
       if (results.rowCount > 0) {
         return await this.getById(device.guid)

src/db/mapToDevice.ts

@@ -10,6 +10,7 @@ export function mapToDevice (result): Device {
     hostname: result.hostname,
     tags: result.tags,
     mpsInstance: result.mpsinstance,
-    connectionStatus: result.connectionstatus
+    connectionStatus: result.connectionstatus,
+    mpsusername: result.mpsusername
   }
 }

src/index.ts

@@ -14,12 +14,12 @@ import { tlsConfig } from './utils/tlsConfiguration'
 import { IDbProvider } from './models/IDbProvider'
 
 import { SecretManagerService } from './utils/SecretManagerService'
-import { SecretsDbProvider } from './utils/vaultDbProvider'
 import { parseValue } from './utils/parseEnvValue'
 
 import rc from 'rc'
 import { Environment } from './utils/Environment'
 import { DeviceDb } from './db/device'
+import { AuthDbProvider } from './utils/AuthDbProvider'
 try {
   // To merge ENV variables. consider after lowercasing ENV since our config keys are lowercase
   process.env = Object.keys(process.env)
@@ -31,8 +31,8 @@ try {
   // build config object
   const config: configType = rc('mps')
 
-  if (!config.web_admin_password || !config.web_admin_user) {
-    log.error('Web admin username, password and API key are mandatory. Make sure to set values for these variables.')
+  if (!config.web_admin_password || !config.web_admin_user || !config.jwt_secret) {
+    log.error('Web admin username, password and jwt secret are mandatory. Make sure to set values for these variables.')
     process.exit(1)
   }
 
@@ -45,9 +45,8 @@ try {
   Environment.Config = config
 
   // DB initialization
-
-  const db: IDbProvider = new SecretsDbProvider(new SecretManagerService(config, log), log, config)
   const deviceDb = new DeviceDb()
+  const db: IDbProvider = new AuthDbProvider(new SecretManagerService(config, log), deviceDb, log, config)
 
   // Cleans the DB before exit when it listens to the signals
   const signals = ['SIGINT', 'exit', 'uncaughtException', 'SIGTERM', 'SIGHUP']

src/models/Config.d.ts

@@ -7,9 +7,6 @@
 export interface configType {
   common_name: string
   port: number
-  username: string
-  pass: string
-  use_global_mps_credentials: boolean
   country: string
   company: string
   listen_any: boolean

src/models/IDbProvider.ts

@@ -3,7 +3,7 @@
 * Copyright (c) Intel Corporation 2020
 * SPDX-License-Identifier: Apache-2.0
 **********************************************************************/
-export interface IDbProvider {
+export interface IDbProvider { // todo: change to auth provider?
   CIRAAuth: (guid: string, username: string, password: string, cb: any) => any
   getAmtPassword: (uuid: string) => any
   IsGUIDApproved: (guid: string, cb: any) => any

src/models/models.ts

@@ -7,6 +7,7 @@ export interface Device {
   mpsInstance: string
   hostname: string
   guid: string
+  mpsusername: string
   tags: string[]
 }
 export interface Credentials {

src/routes/auth/login.ts

@@ -1,23 +1,27 @@
 import jws from 'jws'
 export async function login (req, res): Promise<void> {
-  const username = req.body.username
-  const password = req.body.password
-  if (username && password) {
+  if (req.mpsService.config.jwt_secret && req.mpsService.config.web_admin_user && req.mpsService.config.web_admin_password) {
+    const username = req.body.username
+    const password = req.body.password
+    if (username && password) {
     // todo: implement a more advanced authentication system and RBAC
-    if (username === req.mpsService.config.web_admin_user && password === req.mpsService.config.web_admin_password) {
-      const expirationMinutes = Number(req.mpsService.config.jwt_expiration)
-      const expiration = Math.floor((Date.now() + (1000 * 60 * expirationMinutes)) / 1000)
-      const signature = jws.sign({
-        header: { alg: 'HS256', typ: 'JWT' },
-        payload: {
-          iss: req.mpsService.config.jwt_issuer,
-          exp: expiration
-        },
-        secret: req.mpsService.config.jwt_secret
-      })
-      res.status(200).send({ token: signature })
-    } else {
-      res.status(401).send({ message: 'Incorrect Username and/or Password!' })
+      if (username === req.mpsService.config.web_admin_user && password === req.mpsService.config.web_admin_password) {
+        const expirationMinutes = Number(req.mpsService.config.jwt_expiration)
+        const expiration = Math.floor((Date.now() + (1000 * 60 * expirationMinutes)) / 1000)
+        const signature = jws.sign({
+          header: { alg: 'HS256', typ: 'JWT' },
+          payload: {
+            iss: req.mpsService.config.jwt_issuer,
+            exp: expiration
+          },
+          secret: req.mpsService.config.jwt_secret
+        })
+        res.status(200).send({ token: signature })
+      } else {
+        res.status(401).send({ message: 'Incorrect Username and/or Password!' })
+      }
     }
+  } else {
+    res.status(401).send({ message: 'missing server configuration' })
   }
 }

src/routes/devices/create.ts

@@ -22,6 +22,7 @@ export async function insertDevice (req, res): Promise<void> {
       device.hostname = req.body.hostname ?? device.hostname
       device.tags = req.body.tags ?? device.tags
       device.connectionStatus = device.connectionStatus ?? false
+      device.mpsusername = req.body.mpsusername ?? device.mpsusername
       const results = await db.update(device)
       res.status(200).json(results)
     } else {
@@ -30,6 +31,7 @@ export async function insertDevice (req, res): Promise<void> {
         guid: req.body.guid,
         hostname: req.body.hostname ?? null,
         tags: req.body.tags ?? null,
+        mpsusername: req.body.mpsusername,
         mpsInstance: null
       }
       const results = await db.insert(device)

src/routes/devices/deviceValidator.ts

@@ -29,6 +29,9 @@ export const validator = (): any => {
     check('hostname')
       .optional({ nullable: true })
       .isString(),
+    check('mpsusername')
+      .optional({ nullable: true })
+      .isString(),
     check('tags')
       .optional()
       .isArray()

test/amt_xmlparser.spec.ts → src/test/amt_xmlparser.spec.ts

@@ -1,5 +1,5 @@
 
-import { ParseWsman } from '../src/amt_libraries/amt-xml'
+import { ParseWsman } from '../amt_libraries/amt-xml'
 
 describe('AMT related XML parser testing ', () => {
   // AMT_audilog

test/cim_xmlparser.spec.ts → src/test/cim_xmlparser.spec.ts

@@ -1,4 +1,4 @@
-import { ParseWsman } from '../src/amt_libraries/amt-xml'
+import { ParseWsman } from '../amt_libraries/amt-xml'
 
 describe('CIM related XML parser testing ', () => {
   // CIM_BIOSElement

test/common.spec.ts → src/test/common.spec.ts

@@ -1,5 +1,5 @@
 // Import all required methods from common.js file
-import { ReadInt, ShortToStr, ReadShort, ShortToStrX, ReadShortX, IntToStr, IntToStrX, ReadIntX, MakeToArray, SplitArray, Clone, IsFilenameValid, ArrayElementMove, rstr2hex, hex2rstr, char2hex, encode_utf8, decode_utf8, data2blob, quoteSplit, parseNameValueList, toNumber, escapeHtml, objKeysToLower, validateString, validateInt, validateArray, validateStrArray, validateObject, validateEmail, validateUsername } from '../src/utils/common'
+import { ReadInt, ShortToStr, ReadShort, ShortToStrX, ReadShortX, IntToStr, IntToStrX, ReadIntX, MakeToArray, SplitArray, Clone, IsFilenameValid, ArrayElementMove, rstr2hex, hex2rstr, char2hex, encode_utf8, decode_utf8, data2blob, quoteSplit, parseNameValueList, toNumber, escapeHtml, objKeysToLower, validateString, validateInt, validateArray, validateStrArray, validateObject, validateEmail, validateUsername } from '../utils/common'
 const v = 256
 const p = 0
 const s3 = '256'

test/helper/db.ts → src/test/helper/db.ts

@@ -12,10 +12,10 @@
  */
 
 import fs from 'fs'
-import { configType } from '../../src/models/Config'
-import { logger as log } from '../../src/utils/logger'
-import { IDbProvider } from '../../src/models/IDbProvider'
-import { Credentials } from '../../src/models/models'
+import { configType } from '../../models/Config'
+import { logger as log } from '../../utils/logger'
+import { IDbProvider } from '../../models/IDbProvider'
+import { Credentials } from '../../models/models'
 
 export class Database implements IDbProvider {
   private readonly config: configType
@@ -118,7 +118,6 @@ export class Database implements IDbProvider {
     try {
       let result = false
       const guids = this.getAllAmtCredentials()
-      console.log('test', guids[guid])
       if (guids[guid]) {
         result = true
         log.silly('Guid found.')
@@ -136,11 +135,10 @@ export class Database implements IDbProvider {
     try {
       let result = false
       const cred = this.getCredentialsForGuid(guid)
-      log.info(cred)
       if (cred && cred.mpsuser === username && cred.mpspass === password) {
         result = true
-      } else if (cred && this.config.use_global_mps_credentials) {
-        if (this.config.username === username && this.config.pass === password) {
+      } else if (cred) {
+        if (username === 'admin' && password === 'P@ssw0rd') {
           result = true
           log.silly(`CIRAAuth successful. ${username} ${password}`)
         }