diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0fa83a3..a57d518 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,10 +1,15 @@ +--- name: Test on: - config: + push: + +jobs: + test: runs-on: ubuntu-latest - if: github.event.pull_request.draft == false + if: ${{ github.event.pull_request.draft == false }} timeout-minutes: 60 + steps: - uses: actions/checkout@v4 with: @@ -20,4 +25,3 @@ on: - name: Lint run: npm run lint - diff --git a/.gitignore b/.gitignore index 2bc8587..e517462 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # TAK Specific Files *CoreConfig.xml +*UserAuthentication.xml tak-data/ # Logs diff --git a/CoreConfig.js b/CoreConfig.js index 52bd90d..a0e4c44 100644 --- a/CoreConfig.js +++ b/CoreConfig.js @@ -20,9 +20,13 @@ for (const env of [ } } -const LDAP_DN = process.env.LDAP_Domain.split('.').map((part) => { - return `dc=${part}`; -}).join(','); +console.log('HostedDomain:', process.env.HostedDomain); + +const LDAP_DN = process.env.LDAP_Domain.split('.') + .map((part) => { + return `dc=${part}`; + }) + .join(','); const Certificate = { O: process.env.ORGANIZATION || 'COTAK', @@ -51,25 +55,28 @@ const config = { coreVersion: '2' } }, - connector: [{ - _attributes: { - port: '8443', - _name: 'https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak' - } - }, { - _attributes: { - port: '8446', - clientAuth: 'false', - _name: 'cert_https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak', - enableNonAdminUI: 'false' + connector: [ + { + _attributes: { + port: '8443', + _name: 'https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: 'atakatak' + } + }, + { + _attributes: { + port: '8446', + clientAuth: 'false', + _name: 'cert_https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: 'atakatak', + enableNonAdminUI: 'false' + } } - }], + ], announce: { _attributes: {} } @@ -100,17 +107,17 @@ const config = { ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', enableConnectionPool: 'false' } - }, - File: { - _attributes: { - location: 'UserAuthenticationFile.xml' - } - }, - oauth: { - _attributes: { - oauthUseGroupCache: 'true' - } } + // File: { + // _attributes: { + // location: 'UserAuthenticationFile.xml' + // } + // }, + // oauth: { + // _attributes: { + // oauthUseGroupCache: 'true' + // } + // } }, submission: { _attributes: { @@ -144,31 +151,38 @@ const config = { periodMillis: '3000', staleDelayMillis: '15000' }, - repeatableType: [{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='911 Alert']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: '911' - } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Ring The Bell']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'RingTheBell' - } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Geo-fence Breached']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'GeoFenceBreach' - } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Troops In Contact']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'TroopsInContact' + repeatableType: [ + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='911 Alert']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: '911' + } + }, + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='Ring The Bell']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'RingTheBell' + } + }, + { + _attributes: { + 'initiate-test': + "/event/detail/emergency[@type='Geo-fence Breached']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'GeoFenceBreach' + } + }, + { + _attributes: { + 'initiate-test': + "/event/detail/emergency[@type='Troops In Contact']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'TroopsInContact' + } } - }] + ] }, filter: { _attributes: {} @@ -198,17 +212,20 @@ const config = { }, certificateConfig: { nameEntries: { - nameEntry: [{ - _attributes: { - name: 'O', - value: Certificate.O + nameEntry: [ + { + _attributes: { + name: 'O', + value: Certificate.O + } + }, + { + _attributes: { + name: 'OU', + value: Certificate.OU + } } - },{ - _attributes: { - name: 'OU', - value: Certificate.OU - } - }] + ] } }, TAKServerCAConfig: { @@ -260,11 +277,16 @@ const config = { if (config.Configuration.network.connector) { if (!config.Configuration.network.connector) { - config.Configuration.network.connector = [config.Configuration.network.connector]; + config.Configuration.network.connector = [ + config.Configuration.network.connector + ]; } for (const connector of config.Configuration.network.connector) { - validateKeystore(connector._attributes.keystoreFile, connector._attributes.keystorePass); + validateKeystore( + connector._attributes.keystoreFile, + connector._attributes.keystorePass + ); } } else { console.warn('No Network Connectors Found'); @@ -272,8 +294,10 @@ if (config.Configuration.network.connector) { if (config.Configuration.certificateSigning.TAKServerCAConfig) { validateKeystore( - config.Configuration.certificateSigning.TAKServerCAConfig._attributes.keystoreFile, - config.Configuration.certificateSigning.TAKServerCAConfig._attributes.keystorePass + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystoreFile, + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystorePass ); } diff --git a/Dockerfile b/Dockerfile index 6a00889..669a0d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,43 +1,54 @@ FROM eclipse-temurin:17-jammy RUN apt update \ - && apt-get install -y emacs-nox net-tools netcat vim certbot curl libxml2-utils unzip + && apt-get install -y emacs-nox net-tools netcat vim certbot curl libxml2-utils unzip ENV HOME=/home/server WORKDIR $HOME COPY ./ $HOME/ +# 80/443 currently unused EXPOSE 80 EXPOSE 443 +# streaming CoT enpoint +EXPOSE 8089 + +# webtak api & public CA api EXPOSE 8443 +# maybe for federation tak servers, not used currently EXPOSE 8444 +# probably WebTak on OAuth EXPOSE 8446 ENV NVM_DIR=/usr/local/nvm ENV NODE_VERSION=22 ENV TAK_VERSION=takserver-docker-5.2-RELEASE-43 +ENV PASSWORD=INTENTIONALLY_NOT_SENSITIVE + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl -o- https://www.amazontrust.com/repository/AmazonRootCA1.pem > /tmp/AmazonRootCA1.pem \ - && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:INTENTIONALLY_NOT_SENSITIVE \ - && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \ - && rm /tmp/*.pem \ - && rm /tmp/*.p12 + && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:${PASSWORD} \ + && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \ + -srcstorepass $PASSWORD -deststorepass $PASSWORD -noprompt \ + && rm /tmp/*.pem \ + && rm /tmp/*.p12 RUN wget "http://tak-server-releases.s3-website.us-gov-east-1.amazonaws.com/${TAK_VERSION}.zip" \ - && unzip "./${TAK_VERSION}.zip" \ - && rm "./${TAK_VERSION}.zip" \ - && rm -rf "./${TAK_VERSION}/docker" \ - && mv ./${TAK_VERSION}/tak/* ./ \ - && rm -rf "./${TAK_VERSION}" + && unzip "./${TAK_VERSION}.zip" \ + && rm "./${TAK_VERSION}.zip" \ + && rm -rf "./${TAK_VERSION}/docker" \ + && mv ./${TAK_VERSION}/tak/* ./ \ + && rm -rf "./${TAK_VERSION}" RUN mkdir -p $NVM_DIR \ - && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash \ - && . $NVM_DIR/nvm.sh \ - && nvm install $NODE_VERSION \ - && nvm alias default $NODE_VERSION \ - && nvm use default \ - && npm install \ - && npm install --global http-server + && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash \ + && . $NVM_DIR/nvm.sh \ + && nvm install $NODE_VERSION \ + && nvm alias default $NODE_VERSION \ + && nvm use default \ + && npm install \ + && npm install --global http-server ENTRYPOINT ["/bin/bash", "-c", "./start"] diff --git a/package-lock.json b/package-lock.json index d9a35a1..edfb225 100644 --- a/package-lock.json +++ b/package-lock.json @@ -14,7 +14,6 @@ "xml-js": "^1.6.11" }, "devDependencies": { - "@aws-sdk/client-cloudformation": "^3.679.0", "@openaddresses/batch-alarms": "^4.1.0", "@openaddresses/deploy": "^9.0.0", "eslint": "^9.1.1", diff --git a/start b/start index a93d9e9..25701f3 100755 --- a/start +++ b/start @@ -3,69 +3,69 @@ # Build CoreConfig & Associated Cert Generation # -. $NVM_DIR/nvm.sh +. "$NVM_DIR/nvm.sh" set -x set -euo pipefail # Copy EFS Persisted certs to Let's Encrypt Dir if [ -d "/opt/tak/certs/${HostedDomain}" ]; then - mkdir -p "/etc/letsencrypt/live/${HostedDomain}" - ls "/opt/tak/certs/" - ls "/opt/tak/certs/${HostedDomain}/" - cp "/opt/tak/certs/${HostedDomain}/"* "/etc/letsencrypt/live/${HostedDomain}/" -fi; + mkdir -p "/etc/letsencrypt/live/${HostedDomain}" + ls "/opt/tak/certs/" + ls "/opt/tak/certs/${HostedDomain}/" + cp "/opt/tak/certs/${HostedDomain}/"* "/etc/letsencrypt/live/${HostedDomain}/" +fi # If no LetsEncrypt certs are present - generate a set if [ ! -d "/etc/letsencrypt/live/${HostedDomain}" ]; then - echo "No Certificates detected - $(ls /etc/letsencrypt/live/)" + echo "No Certificates detected - $(ls /etc/letsencrypt/live/)" - #TODO Remove Test Cert - Command="certbot certonly -v --test-cert --standalone -d ${HostedDomain} --email ${HostedEmail} --non-interactive --agree-tos" + #TODO Remove Test Cert + Command="certbot certonly -v --test-cert --standalone -d ${HostedDomain} --email ${HostedEmail} --non-interactive --agree-tos" - while ! $Command; do - echo "Command failed, retrying in 10 seconds..." - sleep 10 - done + while ! $Command; do + echo "Command failed, retrying in 10 seconds..." + sleep 10 + done - /opt/tak/certs/cert-metadata.sh + /opt/tak/certs/cert-metadata.sh - mkdir -p "/opt/tak/certs/${HostedDomain}/" + mkdir -p "/opt/tak/certs/${HostedDomain}/" - openssl x509 \ - -text \ - -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ - -noout + openssl x509 \ + -text \ + -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ + -noout - openssl pkcs12 \ - -export \ - -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ - -inkey "/etc/letsencrypt/live/${HostedDomain}/privkey.pem" \ - -out "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ - -name "${HostedDomain}" \ - -password "pass:atakatak" + openssl pkcs12 \ + -export \ + -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ + -inkey "/etc/letsencrypt/live/${HostedDomain}/privkey.pem" \ + -out "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ + -name "${HostedDomain}" \ + -password "pass:atakatak" fi if [ ! -f "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" ]; then - cp "/etc/letsencrypt/live/${HostedDomain}/"* "/opt/tak/certs/${HostedDomain}/" - - keytool \ - -importkeystore \ - -srcstorepass "atakatak" \ - -deststorepass "atakatak" \ - -destkeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" \ - -srckeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ - -srcstoretype "pkcs12" + cp "/etc/letsencrypt/live/${HostedDomain}/"* "/opt/tak/certs/${HostedDomain}/" + + keytool \ + -importkeystore \ + -srcstorepass "atakatak" \ + -deststorepass "atakatak" \ + -destkeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" \ + -srckeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ + -srcstoretype "pkcs12" fi if [ ! -f "/opt/tak/certs/files/ca.pem" ]; then - CA_NAME="${StackName:-TAKServer}" ./certs/makeRootCa.sh + CA_NAME="${StackName:-TAKServer}" ./certs/makeRootCa.sh - ./certs/makeCert.sh ca intermediate-ca - yes | ./certs/makeCert.sh server takserver - yes | ./certs/makeCert.sh client admin + ./certs/makeCert.sh ca intermediate-ca + yes | ./certs/makeCert.sh server takserver + yes | ./certs/makeCert.sh client admin - cp ./certs/files/* /opt/tak/certs/files/ + cp ./certs/files/* /opt/tak/certs/files/ fi node --version