From e806d07099013cf5084f88752688c6c04ae74e60 Mon Sep 17 00:00:00 2001
From: cd-rite <61710958+cd-rite@users.noreply.github.com>
Date: Wed, 31 Jan 2024 00:32:00 -0500
Subject: [PATCH 1/4] is it this simple?
---
 CONTRIBUTING.md | 2 +-
 lib/args.js | 2 ++
 lib/auth.js | 16 +++++++++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ef5cdb5..d62ef62 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # Contributing to STIGMAN-Watcher
-**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIG Manager repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**
+**NOTE: This CONTRIBUTING.md describes our software contribution policy. You do not need to follow the Developer's Certificate of Origin (DCO) process for commenting on the STIGMAN-Watcher repository documentation, such as CONTRIBUTING.md, INTENT.md, etc. or for submitting issues. For more information about developing and contributing to the project, please see the [STIG Manager Contribution Guide](https://stig-manager.readthedocs.io/en/latest/the-project/contributing.html) that is part of our [overall documentation](https://stig-manager.readthedocs.io/en/latest/index.html)**
 ## Policy
diff --git a/lib/args.js b/lib/args.js
index 383e4aa..3f8535e 100644
--- a/lib/args.js
+++ b/lib/args.js
@@ -71,6 +71,8 @@ program
 .requiredOption('--api ', 'Base URL of the STIG Manager API service (`WATCHER_API_BASE`).', pe.WATCHER_API_BASE)
 .requiredOption('--authority ', 'Base URL of the OIDC authentication service that issues OAuth2 tokens for the API (`WATCHER_AUTHORITY`)', pe.WATCHER_AUTHORITY)
 .requiredOption('--client-id ', 'OIDC clientId to authenticate (`WATCHER_CLIENT_ID`). You will be prompted for the client secret if `--client-key` is not present and `--prompt` is present, unless `WATCHER_CLIENT_SECRET` is set', pe.WATCHER_CLIENT_ID)
+.option('--scope-prefix ', 'String used as a prefix for each scope when authenticating to the OIDC Provider.', pe.WATCHER_SCOPE_PREFIX)
+.option('--extra-scopes ', 'OAuth2 scopes to request in addition to the default scopes.', pe.WATCHER_EXTRA_SCOPES)
 .option('--client-key ', 'Path to a PEM encoded private key (`WATCHER_CLIENT_KEY`). If the key is encrypted, you will be prompted for the passphrase if `--prompt` is present, unless `WATCHER_CLIENT_KEY_PASSPHRASE` is set.', pe.WATCHER_CLIENT_KEY)
 .option('--add-existing', 'For `--mode events`, existing files in the path will generate an `add` event (`WATCHER_ADD_EXISTING=1`). Ignored if `--mode scan`, negate with `--no-add-existing`.', getBoolean('WATCHER_ADD_EXISTING', false))
 .option('--no-add-existing', 'Ignore existing files in the watched path (`WATCHER_ADD_EXISTING=0`).')
diff --git a/lib/auth.js b/lib/auth.js
index fdaebec..27903af 100644
--- a/lib/auth.js
+++ b/lib/auth.js
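Review bot: The two added `.option` lines omit the environment-variable name that every neighbouring option states in its help text, for example the "(`WATCHER_CLIENT_KEY`)" suffix on the `--client-key` line that follows, so `--help` never tells the operator that `WATCHER_SCOPE_PREFIX` and `WATCHER_EXTRA_SCOPES` are read as fallbacks. The reworded descriptions in the `@@ -88,8 +88,8 @@` hunk of PATCH 4/4 leave the same gap. Ending the two descriptions with "(`WATCHER_SCOPE_PREFIX`)." and "(`WATCHER_EXTRA_SCOPES`)." would match the file's convention. The `program` option chain begins before this hunk.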
@@ -10,11 +10,25 @@ let self = this
 self.url = null
 self.threshold = 10
-self.scope = 'openid stig-manager:collection stig-manager:stig:read stig-manager:user:read'
+// self.scope = 'openid stig-manager:collection stig-manager:stig:read stig-manager:user:read'
 self.key = config.clientKey
 self.authenticateFn = config.clientKey ? authenticateSignedJwt : authenticateClientSecret
 self.authentication = config.clientKey ? 'signed-jwt' : 'client-secret'
+const scopePrefix = config.scopePrefix
+
+const scopeArray= [
+ `${scopePrefix}openid`,
+ `${scopePrefix}stig-manager:stig:read`,
+ `${scopePrefix}stig-manager:collection`,
+ `${scopePrefix}stig-manager:user:read`,
+]
+if (config.extraScopes) {
+ scopeArray.push(...config.extraScopes.split(" "))
+}
+
+self.scope = scopeArray.join(" ")
+
 /**
 * Fetches OpenID configuration from the specified authority URL.
 * @async
From dd681475bf6da0c8d38d70cd4b5161b029f6132d Mon Sep 17 00:00:00 2001
From: cd-rite <61710958+cd-rite@users.noreply.github.com>
Date: Mon, 5 Feb 2024 11:32:45 -0500
Subject: [PATCH 2/4] added clarifying comment
---
 lib/args.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/args.js b/lib/args.js
index 3f8535e..ba4f745 100644
--- a/lib/args.js
+++ b/lib/args.js
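Review bot: `config.extraScopes.split(" ")` on the `scopeArray.push` line yields empty tokens whenever the value carries leading, trailing or doubled spaces, which a quoted environment variable can easily contain, and those become doubled spaces in the space-delimited `self.scope` that an OAuth2 provider may reject. `scopeArray.push(...config.extraScopes.split(/\s+/).filter(Boolean))` tolerates any whitespace and still adds nothing for a blank value. The old `self.scope` assignment is kept as a commented-out copy; delete it rather than leave dead code beside its replacement. A one-line comment above `scopeArray` naming which scopes take the prefix would also help, since PATCH 3/4 later exempts `openid` with no explanation in the code. The hunk is module top-level code and the JSDoc block it ends on continues below it.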
@@ -81,10 +81,10 @@ program
 .option('--create-objects', 'Create Assets or STIG Assignments as needed (`WATCHER_CREATE_OBJECTS=1`). Negate with `--no-create-objects`.', getBoolean('WATCHER_CREATE_OBJECTS', true))
 .option('--no-create-objects', 'Do not create Assets or STIG Assignments (`WATCHER_CREATE_OBJECTS=0`).')
 .option('--ignore-dir [name...]', 'DEPRECATED, use --ignore-glob. Sub-directory name to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_DIRS=`)', pe.WATCHER_IGNORE_DIRS?.split(','))
-.option('--ignore-glob [glob...]', 'File or diectory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
+.option('--ignore-glob [glob...]', 'File or directory glob(s) to ignore. Can be invoked multiple times.(`WATCHER_IGNORE_GLOBS=`)', pe.WATCHER_IGNORE_GLOBS?.split(','))
 .option('--event-polling', 'Use polling with `--mode events`, necessary for watching network files (`WATCHER_EVENT_POLLING=1`). Ignored if `--mode scan`, negate with `--no-event-polling`.', getBoolean('WATCHER_EVENT_POLLING', true))
 .option('--no-event-polling', 'Don\'t use polling with `--mode events`, reduces CPU usage (`WATCHER_EVENT_POLLING=0`).')
-.option('--stability-threshold ', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Igonred with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
+.option('--stability-threshold ', 'If `--mode events`, milliseconds to wait for file size to stabilize. May be helpful when watching network shares. (`WATCHER_STABILITY_THRESHOLD`). Ignored with `--mode scan`', parseIntegerArg, parseIntegerEnv(pe.WATCHER_STABILITY_THRESHOLD) ?? 0)
 .option('--one-shot', 'Process existing files in the path and exit. Sets `--add-existing`.', false)
 .option('--log-color', 'Colorize the console log output. Might confound downstream piped processes.', false)
 .option('-d, --debug', 'Shortcut for `--log-level debug --log-file-level debug`', false)
@@ -95,6 +95,7 @@ program
 .option('--no-strict-revision-check', 'For CKL, allow checklist of uninstalled STIG revision (`WATCHER_STRICT_REVISION_CHECK=0`). This is the default behavior.')
 // Parse ARGV and get the parsed options object
+// Options properties are created as camelCase versions of the long option name
 program.parse(process.argv)
 const options = program.opts()
From 5b4b4a9e512cc35bc1da996e067562d056e75eb9 Mon Sep 17 00:00:00 2001
From: cd-rite <61710958+cd-rite@users.noreply.github.com>
Date: Mon, 11 Mar 2024 16:00:03 -0400
Subject: [PATCH 3/4] don't add prefix to openid scope
---
 lib/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/auth.js b/lib/auth.js
index 9017b54..eb81673 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -16,7 +16,7 @@ self.authentication = options.clientKey ? 'signed-jwt' : 'client-secret'
 const scopePrefix = options.scopePrefix
 const scopeArray= [
- `${scopePrefix}openid`,
+ `openid`,
 `${scopePrefix}stig-manager:stig:read`,
 `${scopePrefix}stig-manager:collection`,
 `${scopePrefix}stig-manager:user:read`,
From df9bb0d4b9e3f61f44f7857184b61202b9dda96b Mon Sep 17 00:00:00 2001
From: cd-rite <61710958+cd-rite@users.noreply.github.com>
Date: Wed, 27 Mar 2024 13:32:17 -0400
Subject: [PATCH 4/4] tweaked args descriptions, added default value for WATCHER_SCOPE_PREFIX
---
 lib/args.js | 4 ++--
 lib/auth.js | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/args.js b/lib/args.js
index ff44bf7..9baca6a 100644
--- a/lib/args.js
+++ b/lib/args.js
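Review bot: Dropping the prefix from `openid` alone leaves a reader of `scopeArray` with no hint why one element differs, and the reason lives only in this commit's title; a comment above `const scopeArray= [` such as `// 'openid' is the standard OIDC scope and is sent verbatim; only the stig-manager scopes take the provider-specific prefix` would keep it with the code. The same line also reads `scopeArray=` without a space before `=`, unlike the other assignments around it. The array is consumed by the `self.scope` assignment that follows outside this hunk.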
@@ -88,8 +88,8 @@ program
 .requiredOption('--api ', 'Base URL of the STIG Manager API service (`WATCHER_API_BASE`).', pe.WATCHER_API_BASE)
 .requiredOption('--authority ', 'Base URL of the OIDC authentication service that issues OAuth2 tokens for the API (`WATCHER_AUTHORITY`)', pe.WATCHER_AUTHORITY)
 .requiredOption('--client-id ', 'OIDC clientId to authenticate (`WATCHER_CLIENT_ID`). You will be prompted for the client secret if `--client-key` is not present and `--prompt` is present, unless `WATCHER_CLIENT_SECRET` is set', pe.WATCHER_CLIENT_ID)
-.option('--scope-prefix ', 'String used as a prefix for each scope when authenticating to the OIDC Provider.', pe.WATCHER_SCOPE_PREFIX)
-.option('--extra-scopes ', 'OAuth2 scopes to request in addition to the default scopes.', pe.WATCHER_EXTRA_SCOPES)
+.option('--scope-prefix ', 'String used as a prefix for default stig-manager scopes (except `openid`) when authenticating to the OIDC Provider.', pe.WATCHER_SCOPE_PREFIX ?? '')
+.option('--extra-scopes ', 'Space separated OAuth2 scopes to request in addition to the default scopes. Will not be automatically prefixed with WATCHER_SCOPE_PREFIX value.', pe.WATCHER_EXTRA_SCOPES)
 .option('--client-key ', 'Path to a PEM encoded private key (`WATCHER_CLIENT_KEY`). If the key is encrypted, you will be prompted for the passphrase if `--prompt` is present, unless `WATCHER_CLIENT_KEY_PASSPHRASE` is set.', pe.WATCHER_CLIENT_KEY)
 .option('--add-existing', 'For `--mode events`, existing files in the path will generate an `add` event (`WATCHER_ADD_EXISTING=1`). Ignored if `--mode scan`, negate with `--no-add-existing`.', getBoolean('WATCHER_ADD_EXISTING', false))
 .option('--no-add-existing', 'Ignore existing files in the watched path (`WATCHER_ADD_EXISTING=0`).')
diff --git a/lib/auth.js b/lib/auth.js
index eb81673..22859d6 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -105,11 +105,11 @@ async function getToken () {
 async function authenticateClientSecret () {
 const parameters = {
 form: {
- grant_type: 'client_credentials'
+ grant_type: 'client_credentials',
+ scope: self.scope
 },
 username: options.clientId,
 password: options.clientSecret,
- scope: self.scope,
 responseType: 'json'
 }