Merge pull request #27 from DBOMproject/feature/26-x509-auth-support

Add support for X509 mutual authentication/authorization

.gitignore

@@ -0,0 +1,6 @@
+# IDE Specific folders
+.idea
+.vscode
+
+# Key Storage
+.secrets

README.md

@@ -22,18 +22,25 @@ If you have configured a standalone installation of mongodb, follow [these instr
 
 ### Configuration
 
-| Environment Variable         | Default          | Description                                                                     |
-|------------------------------|------------------|---------------------------------------------------------------------------------|
-| LOG_LEVEL                    | `info`           | The verbosity of the logging                                                    |
-| PORT                         | `3000`           | Port on which the gateway listens                                               |
-| MONGO_URI                    | -                | A mongodb uri string. If this is specified, all other mongo args are overridden |
-| MONGO_HOST                   | `mongodb`        | The host on which mongodb is available                                          |
-| MONGO_PORT                   | `27017`          | Port on which mongodb's native driver api is available                          |
-| MONGO_PASS                   | `pass`           | Password for mongo host                                                         |
-| MONGO_REPLICA_SET_NAME       | ``               | Name of the mongo replicaset. Only required if connecting to an rs mongo        |
-| CHANNEL_DB                   | `primary`        | The database used as the channel collection                                     |
-| AUDIT_POSTFIX                | `_audit`         | The postfix added to the audit channel for any given channel                    |
-| PERSIST_PATH                 | `./persist`      | Path where the service can store the resume token over restarts                 |
+| Environment Variable           | Default                      | Description                                                                                                    |
+|--------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------|
+| LOG_LEVEL                      | `info`                       | The verbosity of the logging                                                                                   |
+| MONGO_URI                      | -                            | A mongodb uri string. If this is specified, all other mongo args are overridden                                |
+| MONGO_HOST                     | `mongodb`                    | The host on which mongodb is available                                                                         |
+| MONGO_PORT                     | `27017`                      | Port on which mongodb's native driver api is available                                                         |
+| MONGO_PASS                     | `pass`                       | Password for mongo host                                                                                        |
+| MONGO_REPLICA_SET_NAME         | ``                           | Name of the mongo replicaset. Only required if connecting to an rs mongo                                       |
+| MONGO_TLS_MODE_ENABLED         | `0`                          | If set to 1, enable TLS mongodb connections and present a client certificate for authorization                 |
+| MONGO_TLS_CLIENT_CERT_PATH     | ``                           | Path to client certificate as .PEM encoded file. Relative to launch directory. Required if TLS mode is enabled |
+| MONGO_TLS_CA_CERT_PATH         | ``                           | Path to CAs certificate as a .PEM encoded file. Relative to launch directory. Required if TLS mode is enabled  |
+| MONGO_TLS_CLIENT_CERT_PASS_KEY | `MONGO_TLS_CLIENT_CERT_PASS` | Environment variable key for client certificate password.                                                      |
+| MONGO_TLS_CLIENT_CERT_PASS     | ``                           | Key to decrypt client certificate. Required if client certificate is protected with a passphrase               |
+| MONGO_TLS_ALLOW_INVALID_HOST   | `0`                          | Allow use of server TLS certificates which do not have matching hostnames                                      |
+| MONGO_SERVER_SELECTION_TIMEOUT | `3000`                       | Timeout for mongodb server selection. In milliseconds                                                          |
+| MONGO_CONNECTION_TIMEOUT       | `3000`                       | Timeout for mongodb connection establishment. In milliseconds                                                  |
+| CHANNEL_DB                     | `primary`                    | The database used as the channel collection                                                                    |
+| AUDIT_POSTFIX                  | `_audit`                     | The postfix added to the audit channel for any given channel                                                   |
+| PERSIST_PATH                   | `./persist`                  | Path where the service can store the resume token over restarts                                                |
 
 ## Helm Deployment
 

src/app.js

@@ -14,51 +14,44 @@
  *   limitations under the License.
  */
 
-const mongoDB = require('mongodb');
-const log = require('winston');
-const persistence = require('./utils/persistence');
-const logging = require('./utils/logging');
-const env = require('./utils/environment');
-const watcher = require('./controller/watcher');
-const { logFatalError } = require('./utils/logging');
+const log = require('winston')
+const persistence = require('./utils/persistence')
+const logging = require('./utils/logging')
+const env = require('./utils/environment')
+const watcher = require('./controller/watcher')
+const {logFatalError} = require('./utils/logging')
 
-logging.setupLogs();
+logging.setupLogs()
 
-const client = new mongoDB.MongoClient(env.getMongoURI(),
-  {
-    numberOfRetries: 100,
-    useUnifiedTopology: true,
-    useNewUrlParser: true,
-  });
-
-log.info(`MongoDB: Trying to connect to ${env.getMongoURI()}`);
+const client = watcher.makeClientFromEnv()
 
 /**
  * Initiate the watcher after we connect to mongoDB
  * @param {MongoClient} connectedClient
  */
 const watchAfterConnect = async (connectedClient) => {
-  log.info('MongoDB Connected!');
-  const db = connectedClient.db(env.getChannelDB());
+  log.info('MongoDB Connected!')
+  const db = connectedClient.db(env.getChannelDB())
 
   // Get a resume token if there is one
-  const resumeToken = await persistence.getResumeToken();
+  const resumeToken = await persistence.getResumeToken()
 
   if (resumeToken == null) {
-    log.info('No resume token. Will start watching collections/channels from now');
+    log.info('No resume token. Will start watching collections/channels from now')
   } else {
-    log.info('A resume token was found. Attempting to resume from where I left off');
+    log.info('A resume token was found. Attempting to resume from where I left off')
   }
 
   watcher.initWatcher(db,
     resumeToken,
     watcher.makeChannelEventCommitter(db, env.getAuditCollectionPostfix()),
-    logFatalError);
-};
+    logFatalError)
+}
 
-client.connect()
-  .then(watchAfterConnect, logFatalError);
+log.info('Trying to connect to mongoDB using environment configuration')
+log.debug(`MongoDB: URI is  ${env.getMongoURIFromEnv()}`)
+client.connect().then(watchAfterConnect, logFatalError)
 
 module.exports = {
   watchAfterConnect,
-};
+}

src/controller/audit.js

@@ -14,7 +14,8 @@
  *   limitations under the License.
  */
 
-/** Handles the generation and commit for DBoM Audit Entries
+/**
+ * Handles the generation and commit for DBoM Audit Entries
  * @module audit
  */
 

src/controller/watcher.js

@@ -14,14 +14,49 @@
  *   limitations under the License.
  */
 
-/** Handles watching and acting on mongo change events
+/**
+ * Handles watching and acting on mongo change events
  * @module watcher
  */
 
 const log = require('winston');
+const mongodb = require('mongodb');
 const persistence = require('../utils/persistence');
+const env = require('../utils/environment');
 const audit = require('./audit');
 
+/**
+ * Creates an instance of the mongoDB client based on environment variables
+ * @func
+ * @return {MongoClient} - Client that is ready to connect to
+ */
+const makeClientFromEnv = () => {
+  let mongoClient;
+  const tlsParams = env.getTLSParams();
+  const defaultOptions = {
+    numberOfRetries: 5,
+    useNewUrlParser: true,
+    useUnifiedTopology: true,
+    connectTimeoutMS: env.getMongoConnectionTimeout(),
+    serverSelectionTimeoutMS: env.getMongoServerSelectionTimeout(),
+  };
+  if (tlsParams.enabled) {
+    log.info('Using mutual TLS authentication and X509 authorization');
+    mongoClient = new mongodb.MongoClient(env.getMongoURIFromEnv(),
+      {
+        ...tlsParams.mongoOptions,
+        ...defaultOptions,
+        tls: true,
+      });
+  } else {
+    mongoClient = new mongodb.MongoClient(env.getMongoURIFromEnv(),
+      {
+        ...defaultOptions,
+      });
+  }
+  return mongoClient;
+};
+
 /**
  * Takes a mongoDB change event and commits it to the audit channel
  * @param db
@@ -106,5 +141,5 @@ module.exports = {
   initWatcher,
   makeChannelEventCommitter,
   commitChannelEventToDB,
-
+  makeClientFromEnv
 };