3.2.1 disto release

Deps/Bindaas/Dockerfile

@@ -14,8 +14,8 @@ WORKDIR /root/src
 
 RUN apk --no-cache add openjdk8-jre
 WORKDIR /root/bindaas/
-RUN wget https://github.com/sharmalab/bindaas/releases/download/v3.3.5/bindaas-dist-3.3.5.tar.gz
-RUN tar -xvf bindaas-dist-3.3.5.tar.gz && rm bindaas-dist-3.3.5.tar.gz
+RUN wget https://github.com/sharmalab/bindaas/releases/download/v3.3.8/bindaas-dist-3.3.8.tar.gz
+RUN tar -xvf bindaas-dist-3.3.8.tar.gz && rm bindaas-dist-3.3.8.tar.gz
 COPY bindaas.config.json /root/bindaas/bin/
 COPY run.sh /root/bindaas/bin/
 

Deps/auth_service/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:8
+FROM node:8-alpine
 RUN mkdir /root/src
 COPY . /root/src
 WORKDIR /root/src

Deps/auth_service/app.js

@@ -1,9 +1,40 @@
 const express = require('express')
 const rp = require('request-promise');
 const app = express();
+const fs = require("fs");
 var jwt = require('jsonwebtoken');
+var jwkToPem = require('jwk-to-pem');
 var PORT = process.env.PORT || 8010
 var BASE_USER_URL = "http://ca-data:9099/services/caMicroscope/Authorization/query/getAuth?name="
+var SECRET = process.env.SECRET
+var EXPIRY = process.env.EXPIRY || "1h"
+
+try {
+  let prikey_path = "/keys/key"
+  if(fs.existsSync(prikey_path)){
+    var PRIKEY = fs.readFileSync(prikey_path, 'utf8')
+  }
+} catch (err){
+  console.error(err)
+}
+
+try {
+  let cert_path = "/keys/certificate"
+  if(fs.existsSync(cert_path)){
+    var SECRET = fs.readFileSync(cert_path, 'utf8')
+  }
+} catch (err){
+  console.error(err)
+}
+// jwks
+try {
+  let jwk_path = "/keys/jwk.json"
+  if(fs.existsSync(jwk_path)){
+    var SECRET = jwkToPem(JSON.parse(fs.readFileSync(jwk_path, 'utf8')))
+  }
+} catch (err){
+  console.error(err)
+}
 
 const getToken = function(req) {
     if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') { // Authorization: Bearer g1jipjgi1ifjioj
@@ -19,25 +50,27 @@ const getToken = function(req) {
 }
 
 app.get("/check", async function(req,res){
-  var token = jwt.decode(getToken(req))
+  var token = jwt.verify(getToken(req), SECRET)
   if (!(token && (token.email || token.sub))){
     // jwt doesn't say who you are, so bye
     res.sendStatus(401)
   } else {
     var name = token.email || token.sub
-    var attr = req.query.attr
     user_detail = rp({
       uri: BASE_USER_URL + name,
       json: true
     })
     user_detail.then(x=>{
       console.log(x)
-      if (x.length >= 1){
-        if (!attr || x[0].attrs.includes(attr)){
-          res.sendStatus(200)
-        } else {
-          res.sendStatus(401)
+      if (x.length >= 1 && x[0].hasOwnProperty('name')){
+        let attrs = x[0].attrs || []
+        data = {
+          'name':x[0].name,
+          'attrs':attrs
         }
+        // sign using the mounted key
+        var token = jwt.sign(data, PRIKEY, {algorithm:"RS256", expiresIn: EXPIRY})
+        res.send({'token':token})
       } else {
         res.sendStatus(401)
       }

Deps/auth_service/package.json

@@ -12,6 +12,7 @@
     "express": "^4.16.4",
     "express-promise": "^0.4.0",
     "jsonwebtoken": "^8.4.0",
+    "jwk-to-pem": "^2.0.1",
     "request": "^2.88.0",
     "request-promise": "^4.2.4"
   }

Deps/auth_service/readme.md

@@ -0,0 +1,10 @@
+# Auth Service for Elevate
+
+
+Uses bindaas endpoint to determine users and their permissions.
+
+Set SECRET to the jwt secret, or use /keys/certificate with a certificate, or /keys/jwk.json with a jwk.
+
+Use EXPIRY to set a token expiration other than the default one hour.
+
+This tool needs key and key.pub mounted to /keys to sign JWTs to elevate. In this distribution, run jwt_keys/make_keys.sh to do so.

README.md

@@ -1,7 +1,4 @@
 # caMicroscope Distribution
-
-[![Build Status](https://travis-ci.org/camicroscope/Distro.svg?branch=master)](https://travis-ci.org/camicroscope/Distro)
-
 caMicroscope 3.X distribution
 
 
@@ -13,7 +10,7 @@ Use `docker-compose -f caMicroscope.yml build` to rebuild the services.
 Once everything is up, go to <the host this is running on>:4010/ to see the landing page.
 
 ## SSL
-To enable ssl, mount the private key and certificate files to elevate in /root/src/ssl/privatekey.pem and /root/src/ssl/certificate.pem respectively. HTTPS mode will only be enabled if both of these files are present. 
+To enable ssl, mount the private key and certificate files to elevate in /root/src/ssl/privatekey.pem and /root/src/ssl/certificate.pem respectively. HTTPS mode will only be enabled if both of these files are present.
 
 ## Component Services
 mongo - vanilla mongo container
@@ -39,5 +36,9 @@ Image Volume - This is, by default, the images directory in this directory. If t
 
 Packages - Packages are built in the viewer service using parcel, mount a different directory with packages.js to the package directory to overwrite or add functionality.
 
+## PathDB
+
+To use pathdb, use pathDbCamic.yml instead of caMicroscope.yml, and replace routes.json with pathdb_routes.json. This deployment does not include the auth and loader as separate services, as this PathDB provides that functionality.
+
 ## Support
 Feel free to add any support inquiry as a github issue to this repository.

auth_without_pathdb.md

@@ -0,0 +1,33 @@
+# QUIP Auth Without PathDB
+
+## About this Method and Guide
+
+PathDB is used as both authentication and authorization. In instances where PathDB is not desired, we use a combination of an external identity provider and an internal authorization service. The authorization service consumes Json Web Tokens (JWTs) from the identity provider, and then will issue JWTs which convey both authentication and authorization, which are consumed by the application.
+
+This guide aims to explain how to make a deployment use this method.
+
+## Getting an Identity Provider and Setting up Login
+
+There are many identity providers, but for testing and examples, we have been using auth0.
+
+When selecting, an identity provider, note that we expect it to provide a JWT, and to have a certificate/public key/secret which can be used to verify such JWTs.
+
+The example given in the Distro within config/login.html is set up for auth0; simply change the corresponding variables for your auth0 application if auth0 is used. If using another identity provider, then login.html, or equivalent, needs to, at least, set the JWT to a cookie called "token", and call the auth service's 'check' route, and save a successful result as the token. Follow the guide which your identity provider uses for further guidance.
+
+## Keys/Certificates
+
+Add the following files; by default, they are mounted:
+
+- --./jwt\_keys/certificate or ./jwt\_keys/jwk.json is the certificate/public key/secret or jwk (respectively) from the **identity provider**. (If both are included, the jwk takes precedence).
+- --./jwt\_keys/key and ./jwt\_keys/key.pub are used as the signing and check keys for the **auth service**
+  - --These can (and should) be generated with ./kwt\_keys/make\_keys.sh
+
+## Deployment Configuration
+
+Turn off disable security under the elevate service to block routes.
+
+## Adding Users to Database
+
+Add users as in ./config/add\_mongo\_users.js. Attributes can be added to deny access to routes (e.g. allow only some users to post and delete)
+
+The name field is the email field (or failing that, sub field) in that priority from the identity provider.

caMicroscope.yml

@@ -2,15 +2,17 @@ version: '3'
 
 services:
   mongo:
-    image: mongo
+    image: mongo:3.4.19-jessie
     container_name: ca-mongo
     volumes:
       - ./db:/data/db
     logging:
       driver: none
   idxMongo:
-    image: mongo
+    image: mongo:3.4.19-jessie
     container_name: ca-idx
+    logging:
+      driver: none
     links:
       - mongo
     volumes:
@@ -30,36 +32,37 @@ services:
       - ./config/bindaas_projects/:/root/bindaas/bin/projects/
       - ./config/bindaas.config.json:/root/bindaas/bin/bindaas.config.json
   iip:
-    build: "https://github.com/camicroscope/iipImage.git#v3.1.0"
+    build: "https://github.com/camicroscope/iipImage.git#develop"
     container_name: ca-iip
-    logging:
-      driver: none
     volumes:
       - ./images/:/images/
   viewer:
-    build: "https://github.com/camicroscope/caMicroscope.git#v3.1.0"
+    build: "https://github.com/camicroscope/caMicroscope.git#develop"
     container_name: ca-front
+    volumes:
+      - ./config/login.html:/var/www/html/login.html
     logging:
       driver: none
   loader:
-    build: "https://github.com/camicroscope/SlideLoader.git#v3.1.0"
+    build: "https://github.com/camicroscope/SlideLoader.git#develop"
     container_name: ca-load
     logging:
       driver: none
     volumes:
       - ./images/:/images/
   elevate:
-    build: "https://github.com/camicroscope/Security.git#v3.1.0"
+    build: "https://github.com/camicroscope/Security.git#develop"
     container_name: ca-security
     ports: ["4010:4010"]
     volumes:
       - ./config/routes.json:/root/src/routes.json
+      - ./jwt_keys/:/keys/
     environment:
       - DISABLE_SEC=true
-    logging:
-      driver: none
   auth:
     build: "./Deps/auth_service/"
+    volumes:
+      - ./jwt_keys/:/keys/
     container_name: ca-auth
     logging:
       driver: none

config/default_data.js

@@ -0,0 +1,26 @@
+let defaultTemplate = {
+    "_id": "0",
+    "type": "object",
+    "id": "annotation-form",
+    "name": "AnnotSchema",
+    "description": "",
+    "links": [],
+    "additionalProperties": false,
+    "properties": {
+        "name": {
+            "id": "a0",
+            "title": "Identity Name",
+            "type": "string",
+            "required": true,
+            "description": "note name"
+            },"notes": {
+            "id": "a1",
+            "title": "Notes: ",
+            "type": "string",
+            "format":"textarea",
+            "maxLength": 128
+        }
+    }
+}
+
+db.template.insert(defaultTemplate)