use jwt and not eas key for NodeRed credentials

skadefro · skadefro · commit 4464211af350 · 2019-06-18T20:13:31.000+02:00
diff --git a/OpenFlow/src/Config.ts b/OpenFlow/src/Config.ts
@@ -13,6 +13,7 @@ export class Config {
     public static auto_create_domains: string[] = Config.parseArray(Config.getEnv("auto_create_domains", ""));
     public static allow_user_registration: boolean = Config.parseBoolean(Config.getEnv("allow_user_registration", "false"));
     public static allow_personal_nodered: boolean = Config.parseBoolean(Config.getEnv("allow_personal_nodered", "false"));
+    public static force_queue_prefix: boolean = Config.parseBoolean(Config.getEnv("force_queue_prefix", "true"));
     public static saml_federation_metadata: string = Config.getEnv("saml_federation_metadata", "");
     public static api_ws_url: string = Config.getEnv("api_ws_url", "ws://localhost:3000");
 
diff --git a/OpenFlow/src/Crypt.ts b/OpenFlow/src/Crypt.ts
@@ -1,39 +1,39 @@
 import * as crypto from "crypto";
-import * as bcrypt  from "bcryptjs";
+import * as bcrypt from "bcryptjs";
 import * as jsonwebtoken from "jsonwebtoken";
 import { Base } from "./base";
 import { TokenUser } from "./TokenUser";
 import { User } from "./User";
 import { Config } from "./Config";
 
 export class Crypt {
-    static encryption_key:string = Config.aes_secret.substr(0,32); // must be 256 bytes (32 characters)
-    static iv_length:number = 16; // for AES, this is always 16
-    static bcrypt_salt_rounds:number = 12;
+    static encryption_key: string = Config.aes_secret.substr(0, 32); // must be 256 bytes (32 characters)
+    static iv_length: number = 16; // for AES, this is always 16
+    static bcrypt_salt_rounds: number = 12;
 
-    static encrypt(text:string):string {
-        let iv:Buffer = crypto.randomBytes(Crypt.iv_length);
-        let cipher:crypto.Cipher = crypto.createCipheriv("aes-256-cbc", Buffer.from(Crypt.encryption_key), iv);
-        let encrypted:Buffer = cipher.update((text as any));
+    static encrypt(text: string): string {
+        let iv: Buffer = crypto.randomBytes(Crypt.iv_length);
+        let cipher: crypto.Cipher = crypto.createCipheriv("aes-256-cbc", Buffer.from(Crypt.encryption_key), iv);
+        let encrypted: Buffer = cipher.update((text as any));
         encrypted = Buffer.concat([encrypted, cipher.final()]);
         return iv.toString("hex") + ":" + encrypted.toString("hex");
     }
 
-    static decrypt(text:string):string {
-        let textParts:string[] = text.split(":");
-        let iv:Buffer = Buffer.from(textParts.shift(), "hex");
-        let encryptedText:Buffer = Buffer.from(textParts.join(":"), "hex");
-        let decipher:crypto.Decipher = crypto.createDecipheriv("aes-256-cbc", Buffer.from(Crypt.encryption_key), iv);
-        let decrypted:Buffer = decipher.update(encryptedText);
+    static decrypt(text: string): string {
+        let textParts: string[] = text.split(":");
+        let iv: Buffer = Buffer.from(textParts.shift(), "hex");
+        let encryptedText: Buffer = Buffer.from(textParts.join(":"), "hex");
+        let decipher: crypto.Decipher = crypto.createDecipheriv("aes-256-cbc", Buffer.from(Crypt.encryption_key), iv);
+        let decrypted: Buffer = decipher.update(encryptedText);
         decrypted = Buffer.concat([decrypted, decipher.final()]);
         return decrypted.toString();
     }
 
-    static async hash(password: string):Promise<string> {
+    static async hash(password: string): Promise<string> {
         return new Promise<string>(async (resolve, reject) => {
             try {
-                bcrypt.hash(password, Crypt.bcrypt_salt_rounds, async (error, hash)=> {
-                    if(error) { return reject(error); }
+                bcrypt.hash(password, Crypt.bcrypt_salt_rounds, async (error, hash) => {
+                    if (error) { return reject(error); }
                     resolve(hash);
                 });
             } catch (error) {
@@ -42,11 +42,11 @@ export class Crypt {
         });
     }
 
-    static async compare(password: string, passwordhash:string):Promise<boolean> {
+    static async compare(password: string, passwordhash: string): Promise<boolean> {
         return new Promise<boolean>(async (resolve, reject) => {
             try {
-                bcrypt.compare(password, passwordhash, async (error, res)=> {
-                    if(error) { return reject(error); }
+                bcrypt.compare(password, passwordhash, async (error, res) => {
+                    if (error) { return reject(error); }
                     resolve(res);
                 });
             } catch (error) {
@@ -55,20 +55,20 @@ export class Crypt {
         });
     }
 
-    static createToken(item: User | TokenUser): string {
-        var user:TokenUser = new TokenUser(item);
-        var token:string = jsonwebtoken.sign({ data: user }, Crypt.encryption_key,
+    static createToken(item: User | TokenUser, expiresIn: string): string {
+        var user: TokenUser = new TokenUser(item);
+        var token: string = jsonwebtoken.sign({ data: user }, Crypt.encryption_key,
             { expiresIn: "1h" }); // 60 (seconds), "2 days", "10h", "7d"
         return token;
     }
 
     static verityToken(token: string): TokenUser {
-        var o:any = jsonwebtoken.verify(token, Crypt.encryption_key);
+        var o: any = jsonwebtoken.verify(token, Crypt.encryption_key);
         o.data = TokenUser.assign(o.data);
         return o.data;
     }
     static decryptToken(token: string): any {
-        var o:any = jsonwebtoken.verify(token, Crypt.encryption_key);
+        var o: any = jsonwebtoken.verify(token, Crypt.encryption_key);
         return o;
     }
 }
diff --git a/OpenFlow/src/LoginProvider.ts b/OpenFlow/src/LoginProvider.ts
@@ -114,7 +114,7 @@ export class LoginProvider {
             res.setHeader("Content-Type", "application/json");
             if (req.user) {
                 var user: TokenUser = new TokenUser(req.user);
-                res.end(JSON.stringify({ jwt: Crypt.createToken(user) }));
+                res.end(JSON.stringify({ jwt: Crypt.createToken(user, "1h") }));
             } else {
                 res.end(JSON.stringify({ jwt: "" }));
             }
@@ -126,7 +126,7 @@ export class LoginProvider {
                 var user: User = await LoginProvider.validateToken(rawAssertion);
                 var tuser: TokenUser = new TokenUser(user);
                 res.setHeader("Content-Type", "application/json");
-                res.end(JSON.stringify({ jwt: Crypt.createToken(tuser) }));
+                res.end(JSON.stringify({ jwt: Crypt.createToken(tuser, "1h") }));
             } catch (error) {
                 res.end(error);
                 console.error(error);
diff --git a/OpenFlow/src/Messages/Message.ts b/OpenFlow/src/Messages/Message.ts
@@ -452,7 +452,7 @@ export class Message {
                     user.device = msg.device;
                 }
                 Audit.LoginSuccess(tuser, type, "websocket", cli.remoteip);
-                msg.jwt = Crypt.createToken(user);
+                msg.jwt = Crypt.createToken(user, "1h");
                 msg.user = tuser;
                 if (msg.validate_only !== true) {
                     cli._logger.debug(tuser.username + " signed in using " + type);
@@ -518,6 +518,13 @@ export class Message {
             name = name.toLowerCase();
             var namespace = Config.namespace;
             var hostname = Config.nodered_domain_schema.replace("$nodered_id$", name);
+            var queue_prefix: string = "";
+            if (Config.force_queue_prefix) {
+                queue_prefix = cli.user.username;
+            }
+
+            var tuser: TokenUser = new TokenUser(cli.user);
+            var nodered_jwt: string = Crypt.createToken(tuser, "365d");
 
             // var noderedusers = await User.ensureRole(cli.jwt, name + "noderedusers", null);
             // noderedusers.addRight(cli.user._id, cli.user.username, [Rights.full_control]);
@@ -560,12 +567,13 @@ export class Message {
                                             { name: "saml_issuer", value: Config.saml_issuer },
                                             { name: "nodered_id", value: name },
                                             { name: "nodered_sa", value: cli.user.username },
+                                            { name: "jwt", value: nodered_jwt },
+                                            { name: "queue_prefix", value: queue_prefix },
                                             { name: "api_ws_url", value: Config.api_ws_url },
                                             { name: "amqp_url", value: Config.amqp_url },
                                             { name: "nodered_domain_schema", value: hostname },
                                             { name: "protocol", value: Config.protocol },
                                             { name: "port", value: Config.port.toString() },
-                                            { name: "aes_secret", value: Config.aes_secret },
                                             { name: "noderedusers", value: (name + "noderedusers") },
                                             { name: "noderedadmins", value: (name + "noderedadmins") },
                                         ]
diff --git a/OpenFlow/src/TokenUser.ts b/OpenFlow/src/TokenUser.ts
@@ -4,39 +4,39 @@ import { WellknownIds } from "./base";
 import { Crypt } from "./Crypt";
 
 export class TokenUser {
-    _type:string;
-    _id:string;
-    name:string;
-    username:string;
-    roles:Rolemember[] = [];
-    constructor(user:User | TokenUser) {
-        if(user===null || user===undefined) { return; }
+    _type: string;
+    _id: string;
+    name: string;
+    username: string;
+    roles: Rolemember[] = [];
+    constructor(user: User | TokenUser) {
+        if (user === null || user === undefined) { return; }
         this._type = user._type;
         this._id = user._id;
         this.name = user.name;
         this.username = user.username;
         this.roles = user.roles;
     }
-    static assign<T>(o:T): T {
-        var newo:TokenUser = new TokenUser(null);
+    static assign<T>(o: T): T {
+        var newo: TokenUser = new TokenUser(null);
         return Object.assign(newo, o);
     }
-    static rootUser():User {
-        var result:User = new User();
+    static rootUser(): User {
+        var result: User = new User();
         result._type = "user"; result.name = "root"; result.username = "root"; result._id = WellknownIds.root;
         result.roles = []; result.roles.push(new Rolemember("admins", WellknownIds.admins));
         return result;
     }
-    static rootToken():string {
-        return Crypt.createToken(TokenUser.rootUser());
+    static rootToken(): string {
+        return Crypt.createToken(TokenUser.rootUser(), "1h");
     }
-    hasrolename(name:string):Boolean {
-        var hits:Rolemember[] = this.roles.filter(member=>member.name===name);
-        return (hits.length===1);
+    hasrolename(name: string): Boolean {
+        var hits: Rolemember[] = this.roles.filter(member => member.name === name);
+        return (hits.length === 1);
     }
-    hasroleid(id:string):boolean {
-        var hits:Rolemember[] = this.roles.filter(member=>member._id===id);
-        return (hits.length===1);
+    hasroleid(id: string): boolean {
+        var hits: Rolemember[] = this.roles.filter(member => member._id === id);
+        return (hits.length === 1);
     }
 
 }
diff --git a/OpenFlow/src/WebSocketServer.ts b/OpenFlow/src/WebSocketServer.ts
@@ -45,7 +45,7 @@ export class WebSocketServer {
                     if ((clockTimestamp - payload.iat) > 180) {
                         WebSocketServer._logger.silly("Send new jwt to client");
                         var l: SigninMessage = new SigninMessage();
-                        cli.jwt = Crypt.createToken(tuser);
+                        cli.jwt = Crypt.createToken(tuser, "1h");
                         l.jwt = cli.jwt;
                         l.user = tuser;
                         var m: Message = new Message(); m.command = "refreshtoken";
diff --git a/OpenFlowNodeRED/src/Config.ts b/OpenFlowNodeRED/src/Config.ts
@@ -4,6 +4,7 @@ import { fetch, toPassportConfig } from "passport-saml-metadata";
 export class Config {
     public static nodered_id: string = Config.getEnv("nodered_id", "1");
     public static nodered_sa: string = Config.getEnv("nodered_sa", "");
+    public static queue_prefix: string = Config.getEnv("queue_prefix", "");
 
     public static consumer_key: string = Config.getEnv("consumer_key", "");
     public static consumer_secret: string = Config.getEnv("consumer_secret", "");
@@ -34,6 +35,8 @@ export class Config {
     public static api_allow_anonymous: boolean = Config.parseBoolean(Config.getEnv("api_allow_anonymous", "false"));
 
     public static aes_secret: string = Config.getEnv("aes_secret", "");
+    public static jwt: string = Config.getEnv("jwt", "");
+
 
     public static baseurl(): string {
         if (Config.nodered_sa === null || Config.nodered_sa === undefined || Config.nodered_sa === "") {
diff --git a/OpenFlowNodeRED/src/index.ts b/OpenFlowNodeRED/src/index.ts
@@ -18,18 +18,6 @@ const logger: winston.Logger = Logger.configure();
 
 Config.DumpConfig();
 
-
-var con: amqp_consumer = new amqp_consumer(logger, Config.amqp_url, "hello1");
-var pub: amqp_publisher = new amqp_publisher(logger, Config.amqp_url, "");
-var excon1: amqp_exchange_consumer = new amqp_exchange_consumer(logger, Config.amqp_url, "hello2");
-var excon2: amqp_exchange_consumer = new amqp_exchange_consumer(logger, Config.amqp_url, "hello2");
-var expub: amqp_exchange_publisher = new amqp_exchange_publisher(logger, Config.amqp_url, "hello2");
-
-var rpccon: amqp_rpc_consumer = new amqp_rpc_consumer(logger, Config.amqp_url, "rpchello", (msg: string): string => {
-    return "server response! " + msg;
-});
-var rpcpub: amqp_rpc_publisher = new amqp_rpc_publisher(logger, Config.amqp_url);
-
 process.on('unhandledRejection', up => {
     console.error(up);
     throw up
@@ -46,43 +34,30 @@ function isNumeric(num) {
         socket.events.on("onopen", async () => {
 
             var q: SigninMessage = new SigninMessage();
-            var user = new TokenUser();
-            console.log("nodered_id: " + Config.nodered_id + " nodered_sa: " + Config.nodered_sa);
-            if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
-                user.name = "nodered" + Config.nodered_id;
+            if (Config.jwt !== "") {
+                q.jwt = Config.jwt;
+            } else if (Crypt.encryption_key !== "") {
+                var user = new TokenUser();
+                if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
+                    user.name = "nodered" + Config.nodered_id;
+                } else {
+                    user.name = Config.nodered_sa;
+                }
+                user.username = user.name;
+                q.jwt = Crypt.createToken(user);
             } else {
-                user.name = Config.nodered_sa;
+                throw new Error("missing encryption_key and jwt, signin not possible!");
             }
-            user.username = user.name;
-            q.jwt = Crypt.createToken(user);
             var msg: Message = new Message(); msg.command = "signin"; msg.data = JSON.stringify(q);
             var result: SigninMessage = await socket.Send<SigninMessage>(msg);
             logger.info("signed in as " + result.user.name + " with id " + result.user._id);
 
             const server: http.Server = await WebServer.configure(logger, socket);
             logger.info("listening on " + Config.baseurl());
         });
-
-        // console.log("************************");
-        // await con.connect();
-        // await pub.connect();
-        // pub.SendMessage("pub/sub hi mom");
-        // console.log("************************");
-        // await excon1.connect();
-        // await excon2.connect();
-        // await expub.connect();
-        // expub.SendMessage("exchange/hi mom");
-        // console.log("************************");
-        // await rpccon.connect();
-        // await rpcpub.connect();
-        // console.log("************************");
-        // var rpcresult:string  = await rpcpub.SendMessage("Client says hi!", "rpchello");
-        // console.log("rpcresult: " + rpcresult);
-        // console.log("************************");
     } catch (error) {
         logger.error(error.message);
         console.error(error);
     }
-
 })();
 
diff --git a/OpenFlowNodeRED/src/nodered/nodes/NoderedUtil.ts b/OpenFlowNodeRED/src/nodered/nodes/NoderedUtil.ts
@@ -144,17 +144,23 @@ export class NoderedUtil {
         if (!NoderedUtil.IsNullEmpty(username) && !NoderedUtil.IsNullEmpty(password)) {
             q.username = username; q.password = password;
         } else {
-            if (Crypt.encryption_key === "") { throw new Error("root signin not allowed"); }
             var user = new TokenUser();
             Logger.instanse.debug("GetToken::nodered_id: " + Config.nodered_id);
             Logger.instanse.debug("GetToken::isNumeric: " + this.isNumeric(Config.nodered_id));
-            if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
-                user.name = "nodered" + Config.nodered_id;
+            if (Config.jwt !== "") {
+                q.jwt = Config.jwt;
+            } else if (Crypt.encryption_key !== "") {
+                var user = new TokenUser();
+                if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
+                    user.name = "nodered" + Config.nodered_id;
+                } else {
+                    user.name = Config.nodered_sa;
+                }
+                user.username = user.name;
+                q.jwt = Crypt.createToken(user);
             } else {
-                user.name = Config.nodered_sa;
+                throw new Error("root signin not allowed");
             }
-            user.username = user.name;
-            q.jwt = Crypt.createToken(user);
         }
         var _msg: Message = new Message();
         _msg.command = "signin"; _msg.data = JSON.stringify(q);
diff --git a/OpenFlowNodeRED/src/nodered/nodes/api_nodes.ts b/OpenFlowNodeRED/src/nodered/nodes/api_nodes.ts
@@ -65,15 +65,20 @@ export class api_get_jwt {
             if (!NoderedUtil.IsNullEmpty(username) && !NoderedUtil.IsNullEmpty(password)) {
                 q.username = username; q.password = password;
             } else {
-                if (Crypt.encryption_key === "") { return NoderedUtil.HandleError(this, "root signin not allowed"); }
-                var user = new TokenUser();
-                if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
-                    user.name = "nodered" + Config.nodered_id;
+                if (Config.jwt !== "") {
+                    q.jwt = Config.jwt;
+                } else if (Crypt.encryption_key !== "") {
+                    var user = new TokenUser();
+                    if (NoderedUtil.IsNullEmpty(Config.nodered_sa)) {
+                        user.name = "nodered" + Config.nodered_id;
+                    } else {
+                        user.name = Config.nodered_sa;
+                    }
+                    user.username = user.name;
+                    q.jwt = Crypt.createToken(user);
                 } else {
-                    user.name = Config.nodered_sa;
+                    return NoderedUtil.HandleError(this, "root signin not allowed");
                 }
-                user.username = user.name;
-                q.jwt = Crypt.createToken(user);
             }
             this.node.status({ fill: "blue", shape: "dot", text: "Requesting token" });
             var _msg: Message = new Message();
diff --git a/OpenFlowNodeRED/src/nodered/nodes/rpa_nodes.ts b/OpenFlowNodeRED/src/nodered/nodes/rpa_nodes.ts
@@ -90,7 +90,9 @@ export class rpa_workflow_node {
     async connect() {
         try {
             this.node.status({ fill: "blue", shape: "dot", text: "Connecting..." });
-            this.con = new amqp_publisher(Logger.instanse, this.host, this.config.localqueue);
+            var localqueue = this.config.localqueue;
+            if (localqueue !== null && localqueue !== undefined && localqueue !== "") { localqueue = Config.queue_prefix + localqueue; }
+            this.con = new amqp_publisher(Logger.instanse, this.host, localqueue);
             this.con.OnMessage = this.OnMessage.bind(this);
             await this.con.connect();
             this.node.status({ fill: "green", shape: "dot", text: "Connected" });
diff --git a/OpenFlowNodeRED/src/nodered/nodes/workflow_nodes.ts b/OpenFlowNodeRED/src/nodered/nodes/workflow_nodes.ts
diff --git a/VERSION b/VERSION
