@w3-commons/js-build-resources 0.0.1-security → 1.0.4

package/settings-service/src/__tests__/utils/test-utils.ts

@@ -0,0 +1,41 @@
+import { logger } from '../../logger/logger';
+import { ApiKey } from '../../types/ApiKey';
+
+export interface FakeUserInfo {
+  id: string;
+  email: string;
+}
+const CLASS_NAME = 'fn-tests-utils';
+
+export const sampleAuthorization: FakeUserInfo = {
+  email: 'ann-marie.kemp@us.ibm.com',
+  id: '5J1218897',
+};
+
+export const TEST_USER_ID = sampleAuthorization.id;
+export const TEST_API_KEY = 'soLTYIBqsR1Jb9foASn4paDUymBkGnvT4dtWjvL7PajCLmc8';
+export const mockApiKey: ApiKey = {
+  appId: 'w3notifications-test',
+  key: TEST_API_KEY,
+  createdBy: 'unit-test',
+  createdDate: new Date('2020-10-15T23:41:15.314Z'),
+  updatedDate: new Date(),
+};
+
+export const INVALID_APP_ID = 'invalidApp';
+export const TEST_APP_ID = 'w3notifications-test';
+
+export async function delay(ms: number): Promise<void> {
+  await new Promise<void>((resolve: (value?: void) => void): void => {
+    setTimeout(() => resolve(), ms);
+  });
+}
+
+export function getRestURL(path: string): string {
+  const url: string =
+    process.env.INGRESS_HOSTNAME !== undefined
+      ? `https://${process.env.INGRESS_HOSTNAME}/${path}`
+      : `http://localhost:8000/${path}`;
+  logger.info(`${CLASS_NAME} | ${getRestURL.name}() | Creating test REST url: ${url}`);
+  return url;
+}

package/settings-service/src/config/config.ts

@@ -0,0 +1,190 @@
+import * as dotenvconfig from 'dotenv';
+import * as fs from 'fs';
+
+const packageMetaData = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+
+/**
+ * The configuration variables understood by the service.
+ *
+ * @export
+ * @interface Config
+ */
+export interface Config {
+  /**
+   * The port the rest service listens on.
+   *
+   * @type {number}
+   * @memberOf Config
+   */
+  apiPort: number;
+
+  /**
+   * The api version used by the process.
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  apiVersion: string;
+
+  /**
+   * Client id used by the authentication service to authenticate User token using IBM Security Verify.
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  isv_clientId: string;
+
+  /**
+   * Client secret used by the authentication service to authenticate User token using IBM Security Verify.
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  isv_clientSecret: string;
+
+  /**
+   * The w3id introspect URL used by the authentication service to authenticate User credential (token).
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  isv_introspectionUrl: string;
+
+  /**
+   * The logging level used by the process.
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  logLevel: string;
+
+  /**
+   * Comma separated User ids authorized to request api key
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  apiKeyAuthorizedUserIds: string;
+
+  /**
+   * Secret key for AES encryption of api key
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  aesEncryptionKey: string;
+
+  /**
+   * list of whitelisted appIds for restricted actions
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  restrictedAppIdWhitelist: string[];
+
+  /**
+   * list of valid onboarded appIds
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  settingsAppIds: string[];
+
+  /**
+   * cassandra username
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraUsername: string;
+
+  /**
+   * cassandra password
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraPassword: string;
+
+  /**
+   * cassandra certs path
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraCertsURL: string;
+
+  /**
+   * cassandra keyspace
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraKeyspace: string;
+
+  /**
+   * local file path to store cassandra zip file
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraCertsFilePath: string;
+
+  /**
+   * local host for cassandra database
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraLocalHost: string;
+
+  /**
+   * keyspace name for local cassandra database
+   *
+   * @type {string}
+   * @memberOf Config
+   */
+  cassandraLocalKeyspace: string;
+}
+
+dotenvconfig.config();
+/**
+ * Export the configuration.
+ */
+export const settings: Config = {
+  apiPort: process.env.APP_REST_PORT ? Number(process.env.APP_REST_PORT) : 8000,
+  apiVersion: process.env.APP_VERSION ? process.env.APP_VERSION : packageMetaData.version,
+  isv_clientId:
+    process.env.NODE_ENV === 'production'
+      ? process.env.ISV_CLIENT_ID_PRODUCTION || ''
+      : process.env.ISV_CLIENT_ID_STAGE || '',
+  isv_clientSecret:
+    process.env.NODE_ENV === 'production'
+      ? process.env.ISV_CLIENT_SECRET_PRODUCTION || ''
+      : process.env.ISV_CLIENT_SECRET_STAGE || '',
+  isv_introspectionUrl: process.env.ISV_INTROSPECTION_URL || '',
+  logLevel: process.env.APP_LOG_LEVEL || 'info',
+  apiKeyAuthorizedUserIds: process.env.API_KEY_AUTHORIZED_IDS || '',
+  aesEncryptionKey: process.env.AES_ENCRYPTION_KEY || '',
+  restrictedAppIdWhitelist: process.env.RESTRICTED_APP_ID_WHITELIST?.split(',') || [],
+  settingsAppIds: process.env.SETTINGS_APP_IDS?.split(',') || [],
+  cassandraUsername:
+    process.env.NODE_ENV === 'production'
+      ? process.env.CASSANDRA_USERNAME_PROD || ''
+      : process.env.CASSANDRA_USERNAME_PREPROD || '',
+  cassandraPassword:
+    process.env.NODE_ENV === 'production'
+      ? process.env.CASSANDRA_PASSWORD_PROD || ''
+      : process.env.CASSANDRA_PASSWORD_PREPROD || '',
+  cassandraCertsURL:
+    process.env.NODE_ENV === 'production'
+      ? process.env.CASSANDRA_CERTS_URL_PROD || ''
+      : process.env.CASSANDRA_CERTS_URL_PREPROD || '',
+  cassandraKeyspace:
+    process.env.NODE_ENV === 'production'
+      ? process.env.CASSANDRA_KEYSPACE_PROD || 'w3_settings_prod'
+      : process.env.CASSANDRA_KEYSPACE_PREPROD || 'w3_settings_preprod',
+  cassandraCertsFilePath: process.env.CASSANDRA_CERTS_FILE_PATH || '',
+  cassandraLocalHost: process.env.CASSANDRA_HOST || 'localhost:9042',
+  cassandraLocalKeyspace: process.env.CASSANDRA_LOCAL_KEYSPACE || 'w3_settings',
+};

package/settings-service/src/controller/ApiKeyController.ts

@@ -0,0 +1,114 @@
+import { Request, Response } from 'restify';
+import { ApiKeyRepoFactory } from '../repo/ApiKeyRepoFactory';
+import { settings } from '../config/config';
+import { logger } from '../logger/logger';
+import { ApiKeyRepo } from '../repo/ApiKeyRepo';
+
+const CLASS_NAME = 'ApiKeyController';
+const apiKeyRepo: ApiKeyRepo = ApiKeyRepoFactory.accessOrCreateSingleton();
+
+enum OperationType {
+  GET = 'GET',
+  POST = 'POST',
+  PUT = 'PUT',
+}
+
+/**
+ * This method validates required mandatory paramters.
+ *
+ * @param request
+ * @param type
+ */
+function validateApiKeyRequestParams(request: Request, type: OperationType): string | undefined {
+  const appId: string = request.params.appID;
+  const createdBy: string | undefined = request.username;
+  const updatedBy: string | undefined = request.username;
+  if (!appId) {
+    return 'Missing required query params.';
+  }
+  if (type === OperationType.POST && !createdBy) {
+    return 'Missing request username';
+  }
+  if (type === OperationType.PUT && !updatedBy) {
+    return 'Missing request username';
+  }
+  if (!settings.settingsAppIds.includes(appId)) {
+    logger.debug(`${CLASS_NAME} | ${validateApiKeyRequestParams.name}() | received appId: ${appId}}`);
+    return 'Invalid appID';
+  }
+  return undefined;
+}
+
+/**
+ *  This is the controller method to get an api key
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function fetchApiKey(request: Request, response: Response): Promise<Response> {
+  try {
+    const status: string | undefined = validateApiKeyRequestParams(request, OperationType.GET);
+    if (status === undefined) {
+      const appId: string = request.params.appID;
+
+      logger.debug(`${CLASS_NAME} | ${fetchApiKey.name}() | Getting Api Key...`);
+
+      const result = await apiKeyRepo.getApiKey(appId);
+      return response.send(200, result);
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to fetch Api Key' });
+  }
+}
+
+/**
+ * This the controller method to create an api key
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function postApiKey(request: Request, response: Response): Promise<Response> {
+  try {
+    const status: string | undefined = validateApiKeyRequestParams(request, OperationType.POST);
+    if (status === undefined && request.username) {
+      const appId: string = request.params.appID;
+      const { username } = request;
+
+      logger.debug(`${CLASS_NAME} | ${postApiKey.name}() | create Api Key...`);
+
+      const result = await apiKeyRepo.createApiKey(appId, username);
+
+      return response.send(200, { key: result });
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to create api key' });
+  }
+}
+
+/**
+ * This the controller method to create an api key
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function putApiKey(request: Request, response: Response): Promise<Response> {
+  try {
+    const status: string | undefined = validateApiKeyRequestParams(request, OperationType.PUT);
+    if (status === undefined && request.username) {
+      const appId: string = request.params.appID;
+      const { username } = request;
+
+      logger.debug(`${CLASS_NAME} | ${putApiKey.name}() | Updating Api Key...`);
+
+      const result = await apiKeyRepo.updateApiKey(appId, username);
+
+      return response.send(200, { key: result });
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to update api key' });
+  }
+}

package/settings-service/src/controller/AppSettingsController.ts

@@ -0,0 +1,137 @@
+import { Request, Response } from 'restify';
+import { AppSettings } from '../types/settingsRepoTypes';
+import { settings } from '../config/config';
+import { logger } from '../logger/logger';
+import { SettingsRepo } from '../repo/settingsRepo';
+import { SettingsRepoFactory } from '../repo/settingsRepoFactory';
+
+const CLASS_NAME = 'AppSettingsController';
+const settingsRepo: SettingsRepo = SettingsRepoFactory.accessOrCreateSingleton();
+
+enum OperationType {
+  GET = 'GET',
+  POST = 'POST',
+  DELETE = 'DELETE',
+}
+
+/**
+ * This method validates required mandatory parameters.
+ *
+ * @param req
+ * @param res
+ */
+function validateRequestParams(request: Request, type: OperationType): string | undefined {
+  const appId: string = request.params.appID;
+  const { settingName } = request.params;
+  if (!appId || (type !== OperationType.GET && !settingName)) {
+    return 'Missing required query params.';
+  }
+  if (!settings.settingsAppIds.includes(appId)) {
+    return 'Invalid appID';
+  }
+  return undefined;
+}
+
+/**
+ * This is the controller method to get app settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function getAppSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const status = validateRequestParams(request, OperationType.GET);
+    if (status === undefined) {
+      const appId: string = request.params.appID;
+      const { settingName } = request.params;
+
+      logger.debug(`${CLASS_NAME} | ${getAppSettings.name}() | Getting App Settings`);
+
+      const result = await settingsRepo.getAppSettings(appId, settingName);
+      return response.send(200, result);
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to fetch app settings' });
+  }
+}
+
+/**
+ * This is the controller method to update app settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function postAppSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const status = validateRequestParams(request, OperationType.POST);
+    if (status === undefined) {
+      const appId: string = request.params.appID;
+      const { settingName } = request.params;
+
+      const settingsPayload: AppSettings = request.body;
+      const {
+        default: settingDefault,
+        options: settingOptionsList,
+        deprecated_values: deprecatedValuesFromRequest,
+      } = settingsPayload;
+
+      if (settingOptionsList == null) {
+        return response.send(500, { code: 500, message: 'Invalid JSON body' });
+      }
+      if (settingDefault && !settingOptionsList.includes(settingDefault)) {
+        return response.send(500, { code: 500, message: 'Invalid Default Value' });
+      }
+      const settingType = settingsPayload.setting_type;
+      if (![null, 'array', 'string'].includes(settingType)) {
+        return response.send(400, { code: 400, message: 'Invalid setting_type' });
+      }
+      if (deprecatedValuesFromRequest && typeof deprecatedValuesFromRequest !== 'object') {
+        return response.send(400, { code: 400, message: 'deprecated values must be an object' });
+      }
+      const deprecatedValuesToUpdate = JSON.stringify(deprecatedValuesFromRequest);
+
+      logger.debug(`${CLASS_NAME} | ${postAppSettings.name}() | Updating App Settings`);
+      await settingsRepo.updateAppSettings({
+        appId,
+        settingName,
+        settingDefault,
+        settingType,
+        deprecatedValues: deprecatedValuesToUpdate,
+        settingOptions: settingOptionsList,
+      });
+      return response.send(200, 'Success');
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to update app settings' });
+  }
+}
+
+/**
+ * This is the controller method to delete app settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function deleteAppSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const status = validateRequestParams(request, OperationType.DELETE);
+    if (status === undefined) {
+      const appId: string = request.params.appID;
+      const { settingName } = request.params;
+
+      logger.debug(`${CLASS_NAME} | ${deleteAppSettings.name}() | Updating App Settings`);
+
+      await settingsRepo.deleteAppSettings(appId, settingName);
+
+      return response.send(200, 'Success');
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to delete app settings' });
+  }
+}

package/settings-service/src/controller/UserSettingsController.ts

@@ -0,0 +1,202 @@
+import _ from 'lodash';
+import { Request, Response } from 'restify';
+import { UserSettingsResult } from 'types/UserSettingsControllerTypes';
+import { SettingsRepoFactory } from '../repo/settingsRepoFactory';
+import { settings } from '../config/config';
+import { logger } from '../logger/logger';
+import { SettingsRepo } from '../repo/settingsRepo';
+
+const CLASS_NAME = 'UserSettingsController';
+const settingsRepo: SettingsRepo = SettingsRepoFactory.accessOrCreateSingleton();
+
+/**
+ * This method validates required mandatory parameters.
+ *
+ * @param req
+ * @param res
+ */
+function validateRequestParams(request: Request): string | undefined {
+  const appId: string = request.params.appID;
+  const userId: string = request.params.userID;
+  if (!appId || !userId) {
+    return 'Missing required query params.';
+  }
+  if (!settings.settingsAppIds.includes(appId)) {
+    return 'Invalid appID';
+  }
+  return undefined;
+}
+
+/**
+ * This is the controller method to get user settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function getUserSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const status = validateRequestParams(request);
+    if (status === undefined) {
+      const userId: string = request.params.userID;
+      const appId: string = request.params.appID;
+
+      logger.debug(`${CLASS_NAME} | ${getUserSettings.name}() | Getting User Settings`);
+      const authenticatedUser: string | undefined = _.toUpper(request.username);
+
+      if (authenticatedUser && userId && authenticatedUser !== _.toUpper(userId)) {
+        logger.warn(
+          `${CLASS_NAME} | ${getUserSettings.name}() | Authenticated user is trying to read other person details.`,
+        );
+        return response.send(403, {
+          code: 403,
+          message: `Forbidden: You are not allowed to read settings details of others.`,
+        });
+      }
+
+      const result: UserSettingsResult = {};
+      result.general = await settingsRepo.getUserSettings(userId, 'general');
+      if (appId !== 'general') {
+        result[appId] = await settingsRepo.getUserSettings(userId, appId);
+      }
+      return response.send(200, result);
+    }
+
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to fetch user settings' });
+  }
+}
+
+/**
+ * This is the controller method to update user settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function postUserSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const status = validateRequestParams(request);
+    if (status === undefined) {
+      const userId: string = request.params.userID;
+      const appId: string = request.params.appID;
+
+      const result = {};
+
+      logger.debug(`${CLASS_NAME} | ${postUserSettings.name}() | Updating User Settings`);
+      const authenticatedUser: string | undefined = _.toUpper(request.username);
+
+      if (authenticatedUser && userId && authenticatedUser !== _.toUpper(userId)) {
+        logger.warn(
+          `${CLASS_NAME} | ${postUserSettings.name}() | Authenticated user is trying to update other person details.`,
+        );
+        return response.send(403, {
+          code: 403,
+          message: `Forbidden: You are not allowed to update settings details of others.`,
+        });
+      }
+
+      const filter = await settingsRepo.getAppSettings(appId, undefined);
+      // const filter = { general: { theme: null, 'primary-language': null, gdprConsent: null }, w3homepage: { gdprConsentDisplay: null, usBetaSearch: null } };
+      const updateSettingsPromises: Promise<boolean>[] = [];
+
+      for (const setting in request.body) {
+        if (Object.prototype.hasOwnProperty.call(request.body, setting)) {
+          let updatedValue = request.body[setting];
+          if (
+            setting in filter &&
+            (updatedValue === null ||
+              settingsRepo.checkValueIsValidOption(updatedValue, filter[setting].options))
+          ) {
+            if (filter[setting].setting_type === 'array') {
+              if (Array.isArray(updatedValue)) {
+                updatedValue = updatedValue.join(',');
+              } else if (updatedValue != null) {
+                return response.send(400, {
+                  code: 400,
+                  message: `${setting} expects to receive an array value`,
+                });
+              }
+            }
+            if (Array.isArray(updatedValue)) {
+              return response.send(400, { code: 400, message: `${setting} should not be an array value` });
+            }
+            updateSettingsPromises.push(
+              settingsRepo.updateUserSettings(_.toUpper(userId), appId, setting, updatedValue),
+            );
+            result[setting] = updatedValue === null ? null : request.body[setting];
+          } else {
+            return response.send(400, { code: 400, message: 'Provided value includes an invalid option' });
+          }
+        }
+      }
+      try {
+        await Promise.all(updateSettingsPromises);
+        return response.send(200, result);
+      } catch (error) {
+        return response.send(500, { code: 500, message: `Unable to update user settings: ${error} ` });
+      }
+    }
+    return response.send(400, { code: 400, message: status });
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to update user settings' });
+  }
+}
+
+/**
+ * This is the controller method to get all user settings from database.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function getAllSettings(request: Request, response: Response): Promise<Response> {
+  try {
+    const { appId, settingName, pageState, fetchSize } = request.query;
+
+    if (settingName && !appId) {
+      return response.send(400, {
+        code: 400,
+        message: 'Must provide appId query parameter if filtering by settingName',
+      });
+    }
+
+    if (fetchSize > 1000) {
+      return response.send(400, {
+        code: 400,
+        message: 'Please provide fetch size value of 1000 or less',
+      });
+    }
+
+    logger.debug(`${CLASS_NAME} | ${getAllSettings.name}() | Getting All Settings`);
+
+    const result = await settingsRepo.getAllSettings({ pageState, appId, settingName, fetchSize });
+    return response.send(200, result);
+  } catch (err) {
+    return response.send(500, { code: 500, message: `Unable to fetch all settings:  ${err}` });
+  }
+}
+
+/**
+ * This is the controller method to delete user settings.
+ *
+ * @param request
+ * @param response
+ * @param next
+ */
+export async function deleteUserSettings(request: Request, response: Response): Promise<Response> {
+  if (!request.params.userId)
+    return response.send(400, { code: 400, message: 'userId is required to delete user settings' });
+
+  try {
+    const { userId } = request.params;
+    logger.debug(`${CLASS_NAME} | ${deleteUserSettings.name}() | Deleting User Settings`);
+
+    await settingsRepo.deleteUserSettings(userId);
+
+    return response.send(200, 'success');
+  } catch (err) {
+    return response.send(500, { code: 500, message: 'Unable to delete user settings' });
+  }
+}