From 0b350b50542e2d72ff5064de39c82f76a8d4a3c6 Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Wed, 20 Nov 2024 20:12:59 -0800
Subject: [PATCH 01/12] init commit mostly just commenting out and trying to ignore linters
---
 CoreConfig.js | 216 +++++++++++++++++++++++++--------------------
 Dockerfile | 41 +++++----
 package-lock.json | 1 -
 3 files changed, 143 insertions(+), 115 deletions(-)
diff --git a/CoreConfig.js b/CoreConfig.js
index 52bd90d..b61df13 100644
--- a/CoreConfig.js
+++ b/CoreConfig.js
@@ -20,9 +20,11 @@ for (const env of [
 }
 }
-const LDAP_DN = process.env.LDAP_Domain.split('.').map((part) => {
- return `dc=${part}`;
-}).join(',');
+const LDAP_DN = process.env.LDAP_Domain.split('.')
+ .map((part) => {
+ return `dc=${part}`;
+ })
+ .join(',');
 const Certificate = {
 O: process.env.ORGANIZATION || 'COTAK',
@@ -51,67 +53,70 @@ const config = { coreVersion: '2' } }, - connector: [{ - _attributes: { - port: '8443', - _name: 'https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak' - } - }, { - _attributes: { - port: '8446', - clientAuth: 'false', - _name: 'cert_https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak', - enableNonAdminUI: 'false' + connector: [ + { + _attributes: { + port: '8443', + _name: 'https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: 'atakatak' + } + }, + { + _attributes: { + port: '8446', + clientAuth: 'false', + _name: 'cert_https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: 'atakatak', + enableNonAdminUI: 'false' + } } - }], + ], announce: { _attributes: {} } }, - auth: { - _attributes: { - default: 'ldap', - x509groups: 'true', - x509addAnonymous: 'false', - x509useGroupCache: 'true', - x509useGroupCacheDefaultActive: 'true', - x509checkRevocation: 'true' - }, - ldap: { - _attributes: { - url: process.env.LDAP_SECURE_URL, - userstring: `uid={username},ou=People,${LDAP_DN}`, - updateinterval: '60', - groupprefix: '', - groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', - style: 'DS', - serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, - serviceAccountCredential: '', - groupObjectClass: 'groupOfNames', - groupBaseRDN: `ou=Group,${LDAP_DN}`, - ldapsTruststore: 'JKS', - ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, - ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', - enableConnectionPool: 'false' - } - }, - File: { - _attributes: { - location: 'UserAuthenticationFile.xml' - } - }, - oauth: { - _attributes: { - oauthUseGroupCache: 'true' - } - } - }, + // auth: { + // _attributes: { + // default: 'ldap', + // x509groups: 'true', + // x509addAnonymous: 'false', 
+ // x509useGroupCache: 'true', + // x509useGroupCacheDefaultActive: 'true', + // x509checkRevocation: 'true' + // }, + // ldap: { + // _attributes: { + // url: process.env.LDAP_SECURE_URL, + // userstring: `uid={username},ou=People,${LDAP_DN}`, + // updateinterval: '60', + // groupprefix: '', + // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', + // style: 'DS', + // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, + // serviceAccountCredential: '', + // groupObjectClass: 'groupOfNames', + // groupBaseRDN: `ou=Group,${LDAP_DN}`, + // ldapsTruststore: 'JKS', + // ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, + // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', + // enableConnectionPool: 'false' + // } + // }, + // File: { + // _attributes: { + // location: 'UserAuthenticationFile.xml' + // } + // }, + // oauth: { + // _attributes: { + // oauthUseGroupCache: 'true' + // } + // } + // }, submission: { _attributes: { ignoreStaleMessages: 'false', 
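Review bot: Commenting out the whole `auth` element, rather than only its `ldap` child, also drops `x509addAnonymous: 'false'`, `x509checkRevocation: 'true'` and the `File`/`oauth` settings, so the generated CoreConfig.xml carries no `<auth>` at all and the server runs on whatever its built-in defaults are for anonymous access and revocation checking (I cannot tell from this file what those defaults are). If the goal is only to remove the LDAP dependency, keep `auth` and its `_attributes`, comment out just the `ldap` entry, and point `default` at the remaining provider so the policy stays explicit. Since the commit message describes this as temporary, leave a dated marker above the block, e.g. `// TODO(robert-bryson): auth disabled for bring-up; restore before any deployment`. Note the 8446 connector in the hunk above still has `clientAuth: 'false'`, so the web UI is reachable under whatever that default policy allows.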
@@ -144,31 +149,38 @@ const config = { periodMillis: '3000', staleDelayMillis: '15000' }, - repeatableType: [{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='911 Alert']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: '911' - } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Ring The Bell']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'RingTheBell' + repeatableType: [ + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='911 Alert']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: '911' + } + }, + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='Ring The Bell']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'RingTheBell' + } + }, + { + _attributes: { + 'initiate-test': + "/event/detail/emergency[@type='Geo-fence Breached']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'GeoFenceBreach' + } + }, + { + _attributes: { + 'initiate-test': + "/event/detail/emergency[@type='Troops In Contact']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'TroopsInContact' + } } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Geo-fence Breached']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'GeoFenceBreach' - } - },{ - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='Troops In Contact']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'TroopsInContact' - } - }] + ] }, filter: { _attributes: {} 
@@ -198,17 +210,20 @@ const config = { }, certificateConfig: { nameEntries: { - nameEntry: [{ - _attributes: { - name: 'O', - value: Certificate.O + nameEntry: [ + { + _attributes: { + name: 'O', + value: Certificate.O + } + }, + { + _attributes: { + name: 'OU', + value: Certificate.OU + } } - },{ - _attributes: { - name: 'OU', - value: Certificate.OU - } - }] + ] } }, TAKServerCAConfig: { @@ -260,11 +275,16 @@ const config = { if (config.Configuration.network.connector) { if (!config.Configuration.network.connector) { - config.Configuration.network.connector = [config.Configuration.network.connector]; + config.Configuration.network.connector = [ + config.Configuration.network.connector + ]; } for (const connector of config.Configuration.network.connector) { - validateKeystore(connector._attributes.keystoreFile, connector._attributes.keystorePass); + validateKeystore( + connector._attributes.keystoreFile, + connector._attributes.keystorePass + ); } } else { console.warn('No Network Connectors Found'); @@ -272,8 +292,10 @@ if (config.Configuration.network.connector) { if (config.Configuration.certificateSigning.TAKServerCAConfig) { validateKeystore( - config.Configuration.certificateSigning.TAKServerCAConfig._attributes.keystoreFile, - config.Configuration.certificateSigning.TAKServerCAConfig._attributes.keystorePass + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystoreFile, + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystorePass ); } diff --git a/Dockerfile b/Dockerfile index 6a00889..ae25350 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,16 +1,23 @@
 FROM eclipse-temurin:17-jammy
 RUN apt update \
- && apt-get install -y emacs-nox net-tools netcat vim certbot curl libxml2-utils unzip
+ && apt-get install -y emacs-nox net-tools netcat vim certbot curl libxml2-utils unzip
 ENV HOME=/home/server
 WORKDIR $HOME
 COPY ./ $HOME/
+# 80/443 currently unused
 EXPOSE 80
 EXPOSE 443
+# streaming CoT enpoint
+EXPOSE 8089
+
+# webtak api & public CA api
 EXPOSE 8443
+# maybe for federation tak servers, not used currently
 EXPOSE 8444
+# ??
 EXPOSE 8446
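Review bot: The `# ??` comment on `EXPOSE 8446` can be answered from CoreConfig.js in this same patch, where 8446 is the `cert_https` connector with `clientAuth: 'false'` and `enableNonAdminUI: 'false'`; I would write `# cert_https connector (see CoreConfig.js); client-cert auth currently disabled there`. Also `enpoint` should be `endpoint` in the 8089 comment. Separately, the install line keeps `emacs-nox net-tools netcat vim` in the runtime image, which is handy for debugging but is exactly the tooling an attacker wants after a foothold; consider gating them behind a build arg. The RUN steps re-indented in the next hunk fetch the TAK release over plain `http://` and pipe the nvm installer to `bash` with no integrity check; a pinned `sha256sum -c` on the downloaded zip would close the more serious of the two.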
@@ -19,25 +26,25 @@ ENV NODE_VERSION=22 ENV TAK_VERSION=takserver-docker-5.2-RELEASE-43 RUN curl -o- https://www.amazontrust.com/repository/AmazonRootCA1.pem > /tmp/AmazonRootCA1.pem \ - && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:INTENTIONALLY_NOT_SENSITIVE \ - && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \ - && rm /tmp/*.pem \ - && rm /tmp/*.p12 + && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:INTENTIONALLY_NOT_SENSITIVE \ + && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \ + && rm /tmp/*.pem \ + && rm /tmp/*.p12 RUN wget "http://tak-server-releases.s3-website.us-gov-east-1.amazonaws.com/${TAK_VERSION}.zip" \ - && unzip "./${TAK_VERSION}.zip" \ - && rm "./${TAK_VERSION}.zip" \ - && rm -rf "./${TAK_VERSION}/docker" \ - && mv ./${TAK_VERSION}/tak/* ./ \ - && rm -rf "./${TAK_VERSION}" + && unzip "./${TAK_VERSION}.zip" \ + && rm "./${TAK_VERSION}.zip" \ + && rm -rf "./${TAK_VERSION}/docker" \ + && mv ./${TAK_VERSION}/tak/* ./ \ + && rm -rf "./${TAK_VERSION}" RUN mkdir -p $NVM_DIR \ - && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash \ - && . $NVM_DIR/nvm.sh \ - && nvm install $NODE_VERSION \ - && nvm alias default $NODE_VERSION \ - && nvm use default \ - && npm install \ - && npm install --global http-server + && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.0/install.sh | bash \ + && . $NVM_DIR/nvm.sh \ + && nvm install $NODE_VERSION \ + && nvm alias default $NODE_VERSION \ + && nvm use default \ + && npm install \ + && npm install --global http-server ENTRYPOINT ["/bin/bash", "-c", "./start"] diff --git a/package-lock.json b/package-lock.json index d9a35a1..edfb225 100644 --- a/package-lock.json +++ b/package-lock.json 
@@ -14,7 +14,6 @@
 "xml-js": "^1.6.11"
 },
 "devDependencies": {
- "@aws-sdk/client-cloudformation": "^3.679.0",
 "@openaddresses/batch-alarms": "^4.1.0",
 "@openaddresses/deploy": "^9.0.0",
 "eslint": "^9.1.1",
From ab863da3f711026513ec27b457df0c8d3da741a8 Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Wed, 20 Nov 2024 20:36:21 -0800
Subject: [PATCH 02/12] fixup github action
---
 .github/workflows/test.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 0fa83a3..a57d518 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,10 +1,15 @@
+---
 name: Test
 on:
- config:
+ push:
+
+jobs:
+ test:
 runs-on: ubuntu-latest
- if: github.event.pull_request.draft == false
+ if: ${{ github.event.pull_request.draft == false }}
 timeout-minutes: 60
+
 steps:
 - uses: actions/checkout@v4
 with:
@@ -20,4 +25,3 @@ on:
 - name: Lint
 run: npm run lint
-
From 7b5f850924174bb71c6fb4b99112a5b848a333fc Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Wed, 20 Nov 2024 20:37:48 -0800
Subject: [PATCH 03/12] shhh linter shhh
---
 CoreConfig.js | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/CoreConfig.js b/CoreConfig.js
index b61df13..5a16bf8 100644
--- a/CoreConfig.js
+++ b/CoreConfig.js
@@ -1,9 +1,9 @@
 import fs from 'node:fs';
-import path from 'node:path';
+// import path from 'node:path';
 import jks from 'jks-js';
 import xmljs from 'xml-js';
-const homedir = path.parse(new URL(import.meta.url).pathname).dir;
+// const homedir = path.parse(new URL(import.meta.url).pathname).dir;
 for (const env of [
 'HostedDomain',
@@ -20,11 +20,11 @@ for (const env of [
 }
 }
-const LDAP_DN = process.env.LDAP_Domain.split('.')
- .map((part) => {
- return `dc=${part}`;
- })
- .join(',');
+// const LDAP_DN = process.env.LDAP_Domain.split('.')
+// .map((part) => {
+// return `dc=${part}`;
+// })
+// .join(',');
 const Certificate = {
 O: process.env.ORGANIZATION || 'COTAK',
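Review bot: With the trigger changed to `on: push:` there is no `pull_request` event in this workflow, so `github.event.pull_request.draft` is always null and the added `if: ${{ github.event.pull_request.draft == false }}` guards nothing (null coerces to 0 and compares equal to false in Actions expressions, so the job still runs, but the condition is inert). Either add `pull_request:` under `on:` so the draft filter has an event to act on, or drop the `if:` line. While `- uses: actions/checkout@v4` is in view, pinning third-party actions to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening; that step's `with:` block continues outside the hunk.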
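Review bot: The `LDAP_DN` block and the `path`/`homedir` lines are commented out rather than deleted; git history already preserves them, and the commented-out code is what keeps the linter complaining and hides which settings are live. I would delete them and leave a single `// TODO(robert-bryson): LDAP wiring (LDAP_DN, ldapsTruststore) removed for bring-up; restore with the auth block` in their place. The required-environment check at the top of this file presumably still lists `LDAP_Domain` and `LDAP_SECURE_URL` (they are visible in the later patches of this series), so the generator exits on environments that no longer need them; drop them from the list together with this code.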
From cb43a3dcce878114a1625b363884573fc3aa7b73 Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Wed, 20 Nov 2024 20:56:00 -0800
Subject: [PATCH 04/12] doesnt seem like its finding CoreConfig.js in ./start
---
 start | 80 ++++++++++++++++++++++++++++++-----------------------------
 1 file changed, 41 insertions(+), 39 deletions(-)
diff --git a/start b/start
index a93d9e9..606af2b 100755
--- a/start
+++ b/start
@@ -10,65 +10,67 @@ set -euo pipefail # Copy EFS Persisted certs to Let's Encrypt Dir if [ -d "/opt/tak/certs/${HostedDomain}" ]; then - mkdir -p "/etc/letsencrypt/live/${HostedDomain}" - ls "/opt/tak/certs/" - ls "/opt/tak/certs/${HostedDomain}/" - cp "/opt/tak/certs/${HostedDomain}/"* "/etc/letsencrypt/live/${HostedDomain}/" -fi; + mkdir -p "/etc/letsencrypt/live/${HostedDomain}" + ls "/opt/tak/certs/" + ls "/opt/tak/certs/${HostedDomain}/" + cp "/opt/tak/certs/${HostedDomain}/"* "/etc/letsencrypt/live/${HostedDomain}/" +fi # If no LetsEncrypt certs are present - generate a set if [ ! -d "/etc/letsencrypt/live/${HostedDomain}" ]; then - echo "No Certificates detected - $(ls /etc/letsencrypt/live/)" + echo "No Certificates detected - $(ls /etc/letsencrypt/live/)" - #TODO Remove Test Cert - Command="certbot certonly -v --test-cert --standalone -d ${HostedDomain} --email ${HostedEmail} --non-interactive --agree-tos" + #TODO Remove Test Cert + Command="certbot certonly -v --test-cert --standalone -d ${HostedDomain} --email ${HostedEmail} --non-interactive --agree-tos" - while ! $Command; do - echo "Command failed, retrying in 10 seconds..." - sleep 10 - done + while ! $Command; do + echo "Command failed, retrying in 10 seconds..." 
+ sleep 10 + done - /opt/tak/certs/cert-metadata.sh + /opt/tak/certs/cert-metadata.sh - mkdir -p "/opt/tak/certs/${HostedDomain}/" + mkdir -p "/opt/tak/certs/${HostedDomain}/" - openssl x509 \ - -text \ - -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ - -noout + openssl x509 \ + -text \ + -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ + -noout - openssl pkcs12 \ - -export \ - -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ - -inkey "/etc/letsencrypt/live/${HostedDomain}/privkey.pem" \ - -out "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ - -name "${HostedDomain}" \ - -password "pass:atakatak" + openssl pkcs12 \ + -export \ + -in "/etc/letsencrypt/live/${HostedDomain}/fullchain.pem" \ + -inkey "/etc/letsencrypt/live/${HostedDomain}/privkey.pem" \ + -out "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ + -name "${HostedDomain}" \ + -password "pass:atakatak" fi if [ ! -f "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" ]; then - cp "/etc/letsencrypt/live/${HostedDomain}/"* "/opt/tak/certs/${HostedDomain}/" - - keytool \ - -importkeystore \ - -srcstorepass "atakatak" \ - -deststorepass "atakatak" \ - -destkeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" \ - -srckeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ - -srcstoretype "pkcs12" + cp "/etc/letsencrypt/live/${HostedDomain}/"* "/opt/tak/certs/${HostedDomain}/" + + keytool \ + -importkeystore \ + -srcstorepass "atakatak" \ + -deststorepass "atakatak" \ + -destkeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.jks" \ + -srckeystore "/opt/tak/certs/${HostedDomain}/letsencrypt.p12" \ + -srcstoretype "pkcs12" fi if [ ! 
-f "/opt/tak/certs/files/ca.pem" ]; then - CA_NAME="${StackName:-TAKServer}" ./certs/makeRootCa.sh + CA_NAME="${StackName:-TAKServer}" ./certs/makeRootCa.sh - ./certs/makeCert.sh ca intermediate-ca - yes | ./certs/makeCert.sh server takserver - yes | ./certs/makeCert.sh client admin + ./certs/makeCert.sh ca intermediate-ca + yes | ./certs/makeCert.sh server takserver + yes | ./certs/makeCert.sh client admin - cp ./certs/files/* /opt/tak/certs/files/ + cp ./certs/files/* /opt/tak/certs/files/ fi node --version +pwd +ls -al node CoreConfig.js ./validateConfig.sh ./CoreConfig.xml From 973af3b277c20515e3e3b587ad42e1c35358787c Mon Sep 17 00:00:00 2001 From: robert-bryson Date: Wed, 20 Nov 2024 21:06:27 -0800 Subject: [PATCH 05/12] sushing other part of ldap --- CoreConfig.js | 12 ++++++------ start | 2 -- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CoreConfig.js b/CoreConfig.js index 5a16bf8..3e87fe9 100644 --- a/CoreConfig.js +++ b/CoreConfig.js @@ -299,12 +299,12 @@ if (config.Configuration.certificateSigning.TAKServerCAConfig) { ); } -if (config.Configuration.auth.ldap) { - validateKeystore( - config.Configuration.auth.ldap._attributes.ldapsTruststoreFile, - config.Configuration.auth.ldap._attributes.ldapsTruststorePass - ); -} +// if (config.Configuration.auth.ldap) { +// validateKeystore( +// config.Configuration.auth.ldap._attributes.ldapsTruststoreFile, +// config.Configuration.auth.ldap._attributes.ldapsTruststorePass +// ); +// } if (config.Configuration.security) { if (config.Configuration.security.tls) { diff --git a/start b/start index 606af2b..7bc3835 100755 --- a/start +++ b/start @@ -69,8 +69,6 @@ if [ ! -f "/opt/tak/certs/files/ca.pem" ]; then fi node --version -pwd -ls -al node CoreConfig.js ./validateConfig.sh ./CoreConfig.xml From 33886971e1f8283dbb9ee5328d586332cca06a3c Mon Sep 17 00:00:00 2001 
From: robert-bryson
Date: Wed, 20 Nov 2024 21:33:29 -0800
Subject: [PATCH 06/12] who are you HostedDomain?
---
 CoreConfig.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CoreConfig.js b/CoreConfig.js
index 3e87fe9..525eb8e 100644
--- a/CoreConfig.js
+++ b/CoreConfig.js
@@ -20,6 +20,8 @@ for (const env of [
 }
 }
+console.log('HostedDomain:', process.env.HostedDomain);
+
 // const LDAP_DN = process.env.LDAP_Domain.split('.')
 // .map((part) => {
 // return `dc=${part}`;
From cf2d543c3714fea8a6b7959589bfab3f120e744f Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Tue, 26 Nov 2024 11:28:26 -0600
Subject: [PATCH 07/12] linters are fighting
---
 CoreConfig.js | 554 +++++++++++++++++++++++++------------------------
 1 file changed, 277 insertions(+), 277 deletions(-)
diff --git a/CoreConfig.js b/CoreConfig.js
index 525eb8e..d787977 100644
--- a/CoreConfig.js
+++ b/CoreConfig.js
@@ -1,26 +1,26 @@
-import fs from 'node:fs';
+import fs from "node:fs";
 // import path from 'node:path';
-import jks from 'jks-js';
-import xmljs from 'xml-js';
+import jks from "jks-js";
+import xmljs from "xml-js";
 // const homedir = path.parse(new URL(import.meta.url).pathname).dir;
 for (const env of [
- 'HostedDomain',
- 'PostgresUsername',
- 'PostgresPassword',
- 'PostgresURL',
- 'TAK_VERSION',
- 'LDAP_Domain',
- 'LDAP_SECURE_URL'
+ "HostedDomain",
+ "PostgresUsername",
+ "PostgresPassword",
+ "PostgresURL",
+ "TAK_VERSION",
+ "LDAP_Domain",
+ "LDAP_SECURE_URL",
 ]) {
- if (!process.env[env]) {
- console.error(`${env} Environment Variable not set`);
- process.exit(1);
- }
+ if (!process.env[env]) {
+ console.error(`${env} Environment Variable not set`);
+ process.exit(1);
+ }
 }
-console.log('HostedDomain:', process.env.HostedDomain);
+console.log("HostedDomain:", process.env.HostedDomain);
 // const LDAP_DN = process.env.LDAP_Domain.split('.')
 // .map((part) => {
@@ -29,276 +29,276 @@ console.log('HostedDomain:', process.env.HostedDomain); // .join(','); const Certificate = { - O: process.env.ORGANIZATION || 'COTAK', - OU: process.env.ORGANIZATIONAL_UNIT || 'COTAK-Staging' + O: process.env.ORGANIZATION || "COTAK", + OU: process.env.ORGANIZATIONAL_UNIT || "COTAK-Staging", }; const config = { - Configuration: { + Configuration: { + _attributes: { + xmlns: "http://bbn.com/marti/xml/config", + }, + network: { + _attributes: { + multicastTTL: "5", + // TODO serverId: 'b67d1db9c8fa45738a547c491071d746', + version: process.env.TAK_VERSION, + cloudwatchEnable: "true", + cloudwatchName: process.env.StackName, + }, + input: { _attributes: { - xmlns: 'http://bbn.com/marti/xml/config' + auth: "x509", + _name: "stdssl", + protocol: "tls", + port: "8089", + coreVersion: "2", }, - network: { - _attributes: { - multicastTTL: '5', - // TODO serverId: 'b67d1db9c8fa45738a547c491071d746', - version: process.env.TAK_VERSION, - cloudwatchEnable: 'true', - cloudwatchName: process.env.StackName - }, - input: { - _attributes: { - auth: 'x509', - _name: 'stdssl', - protocol: 'tls', - port: '8089', - coreVersion: '2' - } - }, - connector: [ - { - _attributes: { - port: '8443', - _name: 'https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak' - } - }, - { - _attributes: { - port: '8446', - clientAuth: 'false', - _name: 'cert_https', - keystore: 'JKS', - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: 'atakatak', - enableNonAdminUI: 'false' - } - } - ], - announce: { - _attributes: {} - } + }, + connector: [ + { + _attributes: { + port: "8443", + _name: "https", + keystore: "JKS", + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: "atakatak", + }, + }, + { + _attributes: { + port: "8446", + clientAuth: "false", + _name: "cert_https", + keystore: "JKS", + keystoreFile: 
`/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: "atakatak", + enableNonAdminUI: "false", + }, }, - // auth: { - // _attributes: { - // default: 'ldap', - // x509groups: 'true', - // x509addAnonymous: 'false', - // x509useGroupCache: 'true', - // x509useGroupCacheDefaultActive: 'true', - // x509checkRevocation: 'true' - // }, - // ldap: { - // _attributes: { - // url: process.env.LDAP_SECURE_URL, - // userstring: `uid={username},ou=People,${LDAP_DN}`, - // updateinterval: '60', - // groupprefix: '', - // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', - // style: 'DS', - // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, - // serviceAccountCredential: '', - // groupObjectClass: 'groupOfNames', - // groupBaseRDN: `ou=Group,${LDAP_DN}`, - // ldapsTruststore: 'JKS', - // ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, - // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', - // enableConnectionPool: 'false' - // } - // }, - // File: { - // _attributes: { - // location: 'UserAuthenticationFile.xml' - // } - // }, - // oauth: { - // _attributes: { - // oauthUseGroupCache: 'true' - // } - // } - // }, - submission: { - _attributes: { - ignoreStaleMessages: 'false', - validateXml: 'false' - } + ], + announce: { + _attributes: {}, + }, + }, + // auth: { + // _attributes: { + // default: 'ldap', + // x509groups: 'true', + // x509addAnonymous: 'false', + // x509useGroupCache: 'true', + // x509useGroupCacheDefaultActive: 'true', + // x509checkRevocation: 'true' + // }, + // ldap: { + // _attributes: { + // url: process.env.LDAP_SECURE_URL, + // userstring: `uid={username},ou=People,${LDAP_DN}`, + // updateinterval: '60', + // groupprefix: '', + // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', + // style: 'DS', + // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, + // serviceAccountCredential: '', + // groupObjectClass: 'groupOfNames', + // groupBaseRDN: `ou=Group,${LDAP_DN}`, + // ldapsTruststore: 'JKS', + // ldapsTruststoreFile: 
`${homedir}/aws-acm-root.jks`, + // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', + // enableConnectionPool: 'false' + // } + // }, + // File: { + // _attributes: { + // location: 'UserAuthenticationFile.xml' + // } + // }, + // oauth: { + // _attributes: { + // oauthUseGroupCache: 'true' + // } + // } + // }, + submission: { + _attributes: { + ignoreStaleMessages: "false", + validateXml: "false", + }, + }, + subscription: { + _attributes: { + reloadPersistent: "false", + }, + }, + repository: { + _attributes: { + enable: "true", + numDbConnections: "16", + primaryKeyBatchSize: "500", + insertionBatchSize: "500", + }, + connection: { + _attributes: { + url: `jdbc:${process.env.PostgresURL}`, + username: process.env.PostgresUsername, + password: process.env.PostgresPassword, }, - subscription: { - _attributes: { - reloadPersistent: 'false' - } + }, + }, + repeater: { + _attributes: { + enable: "true", + periodMillis: "3000", + staleDelayMillis: "15000", + }, + repeatableType: [ + { + _attributes: { + "initiate-test": "/event/detail/emergency[@type='911 Alert']", + "cancel-test": "/event/detail/emergency[@cancel='true']", + _name: "911", + }, }, - repository: { - _attributes: { - enable: 'true', - numDbConnections: '16', - primaryKeyBatchSize: '500', - insertionBatchSize: '500' - }, - connection: { - _attributes: { - url: `jdbc:${process.env.PostgresURL}`, - username: process.env.PostgresUsername, - password: process.env.PostgresPassword - } - } + { + _attributes: { + "initiate-test": "/event/detail/emergency[@type='Ring The Bell']", + "cancel-test": "/event/detail/emergency[@cancel='true']", + _name: "RingTheBell", + }, }, - repeater: { - _attributes: { - enable: 'true', - periodMillis: '3000', - staleDelayMillis: '15000' - }, - repeatableType: [ - { - _attributes: { - 'initiate-test': "/event/detail/emergency[@type='911 Alert']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: '911' - } - }, - { - _attributes: { - 'initiate-test': 
"/event/detail/emergency[@type='Ring The Bell']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'RingTheBell' - } - }, - { - _attributes: { - 'initiate-test': + { + _attributes: { + "initiate-test": "/event/detail/emergency[@type='Geo-fence Breached']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'GeoFenceBreach' - } - }, - { - _attributes: { - 'initiate-test': - "/event/detail/emergency[@type='Troops In Contact']", - 'cancel-test': "/event/detail/emergency[@cancel='true']", - _name: 'TroopsInContact' - } - } - ] + "cancel-test": "/event/detail/emergency[@cancel='true']", + _name: "GeoFenceBreach", + }, }, - filter: { - _attributes: {} + { + _attributes: { + "initiate-test": + "/event/detail/emergency[@type='Troops In Contact']", + "cancel-test": "/event/detail/emergency[@cancel='true']", + _name: "TroopsInContact", + }, }, - buffer: { - _attributes: {}, - queue: { - _attributes: {}, - priority: { - _attributes: {} - } - }, - latestSA: { - _attributes: { - enable: 'true' - } - } + ], + }, + filter: { + _attributes: {}, + }, + buffer: { + _attributes: {}, + queue: { + _attributes: {}, + priority: { + _attributes: {}, }, - dissemination: { - _attributes: { - smartRetry: 'false' - } + }, + latestSA: { + _attributes: { + enable: "true", }, - certificateSigning: { - _attributes: { - CA: 'TAKServer' + }, + }, + dissemination: { + _attributes: { + smartRetry: "false", + }, + }, + certificateSigning: { + _attributes: { + CA: "TAKServer", + }, + certificateConfig: { + nameEntries: { + nameEntry: [ + { + _attributes: { + name: "O", + value: Certificate.O, + }, }, - certificateConfig: { - nameEntries: { - nameEntry: [ - { - _attributes: { - name: 'O', - value: Certificate.O - } - }, - { - _attributes: { - name: 'OU', - value: Certificate.OU - } - } - ] - } + { + _attributes: { + name: "OU", + value: Certificate.OU, + }, }, - TAKServerCAConfig: { - _attributes: { - keystore: 'JKS', - keystoreFile: 
'/opt/tak/certs/files/intermediate-ca-signing.jks', - keystorePass: 'atakatak', - validityDays: '365', - signatureAlg: 'SHA256WithRSA', - CAkey: '/opt/tak/certs/files/intermediate-ca-signing', - CAcertificate: '/opt/tak/certs/files/intermediate-ca-signing' - } - } + ], }, - security: { - tls: { - _attributes: { - keystore: 'JKS', - keystoreFile: '/opt/tak/certs/files/takserver.jks', - keystorePass: 'atakatak', - truststore: 'JKS', - truststoreFile: '/opt/tak/certs/files/truststore-intermediate-ca.jks', - truststorePass: 'atakatak', - context: 'TLSv1.2', - keymanager: 'SunX509' - } - }, - missionTls: { - _attributes: { - keystore: 'JKS', - keystoreFile: '/opt/tak/certs/files/truststore-root.jks', - keystorePass: 'atakatak' - } - } + }, + TAKServerCAConfig: { + _attributes: { + keystore: "JKS", + keystoreFile: "/opt/tak/certs/files/intermediate-ca-signing.jks", + keystorePass: "atakatak", + validityDays: "365", + signatureAlg: "SHA256WithRSA", + CAkey: "/opt/tak/certs/files/intermediate-ca-signing", + CAcertificate: "/opt/tak/certs/files/intermediate-ca-signing", }, - locate: { - _attributes: { - enabled: 'true', - requireLogin: 'false', - group: 'DEMO - Demonstrations', - mission: 'cotak-locator' - } + }, + }, + security: { + tls: { + _attributes: { + keystore: "JKS", + keystoreFile: "/opt/tak/certs/files/takserver.jks", + keystorePass: "atakatak", + truststore: "JKS", + truststoreFile: "/opt/tak/certs/files/truststore-intermediate-ca.jks", + truststorePass: "atakatak", + context: "TLSv1.2", + keymanager: "SunX509", + }, + }, + missionTls: { + _attributes: { + keystore: "JKS", + keystoreFile: "/opt/tak/certs/files/truststore-root.jks", + keystorePass: "atakatak", }, - plugins: {}, - cluster: {}, - vbm: {} - } + }, + }, + locate: { + _attributes: { + enabled: "true", + requireLogin: "false", + group: "DEMO - Demonstrations", + mission: "cotak-locator", + }, + }, + plugins: {}, + cluster: {}, + vbm: {}, + }, }; if (config.Configuration.network.connector) { - if 
(!config.Configuration.network.connector) { - config.Configuration.network.connector = [ - config.Configuration.network.connector - ]; - } + if (!config.Configuration.network.connector) { + config.Configuration.network.connector = [ + config.Configuration.network.connector, + ]; + } - for (const connector of config.Configuration.network.connector) { - validateKeystore( - connector._attributes.keystoreFile, - connector._attributes.keystorePass - ); - } + for (const connector of config.Configuration.network.connector) { + validateKeystore( + connector._attributes.keystoreFile, + connector._attributes.keystorePass, + ); + } } else { - console.warn('No Network Connectors Found'); + console.warn("No Network Connectors Found"); } if (config.Configuration.certificateSigning.TAKServerCAConfig) { - validateKeystore( - config.Configuration.certificateSigning.TAKServerCAConfig._attributes - .keystoreFile, - config.Configuration.certificateSigning.TAKServerCAConfig._attributes - .keystorePass - ); + validateKeystore( + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystoreFile, + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystorePass, + ); } // if (config.Configuration.auth.ldap) { 
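Review bot: Every keystore in this block, both `connector` entries, `TAKServerCAConfig`, `security.tls` (keystore and truststore) and `missionTls`, uses the literal `"atakatak"`, and this re-quoting pass is a natural moment to source it the way `PostgresPassword` already is: one `const KEYSTORE_PASS = process.env.KeystorePass ?? 'atakatak';` near `Certificate`, and `keystorePass: KEYSTORE_PASS` at each site. The `start` script writes the same literal into the JKS files, so it would need to read the same variable for the keystores to open. The 8446 connector is named `cert_https` but carries `clientAuth: "false"`; if it is meant to be the certificate-authenticated port the value should be `"true"`, and if not, the name misleads the next reader. Note this entire patch is reverted by the next one in the series, so whichever quote style wins should carry these changes.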
@@ -309,33 +309,33 @@ if (config.Configuration.certificateSigning.TAKServerCAConfig) {
 // }
 if (config.Configuration.security) {
- if (config.Configuration.security.tls) {
- validateKeystore(
- config.Configuration.security.tls._attributes.keystoreFile,
- config.Configuration.security.tls._attributes.keystorePass
- );
- }
+ if (config.Configuration.security.tls) {
+ validateKeystore(
+ config.Configuration.security.tls._attributes.keystoreFile,
+ config.Configuration.security.tls._attributes.keystorePass,
+ );
+ }
- if (config.Configuration.security.missionTls) {
- validateKeystore(
- config.Configuration.security.missionTls._attributes.keystoreFile,
- config.Configuration.security.missionTls._attributes.keystorePass
- );
- }
+ if (config.Configuration.security.missionTls) {
+ validateKeystore(
+ config.Configuration.security.missionTls._attributes.keystoreFile,
+ config.Configuration.security.missionTls._attributes.keystorePass,
+ );
+ }
 }
 const xml = xmljs.js2xml(config, {
- spaces: 4,
- compact: true
+ spaces: 4,
+ compact: true,
 });
 fs.writeFileSync(
- './CoreConfig.xml',
- `\n${xml}`
+ "./CoreConfig.xml",
+ `\n${xml}`,
 );
 function validateKeystore(file, pass) {
- fs.accessSync(file);
- const jksBuffer = fs.readFileSync(file);
- jks.toPem(jksBuffer, pass);
+ fs.accessSync(file);
+ const jksBuffer = fs.readFileSync(file);
+ jks.toPem(jksBuffer, pass);
 }
From b2db9a509613d4a7796390515a01214390b06c9e Mon Sep 17 00:00:00 2001
From: robert-bryson
Date: Fri, 6 Dec 2024 10:30:17 -0800
Subject: [PATCH 08/12] linters fighting back
---
 CoreConfig.js | 554 +++++++++++++++++++++++++------------------------
 1 file changed, 277 insertions(+), 277 deletions(-)
diff --git a/CoreConfig.js b/CoreConfig.js
index d787977..525eb8e 100644
--- a/CoreConfig.js
+++ b/CoreConfig.js
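Review bot: `fs.writeFileSync("./CoreConfig.xml", ...)` creates the file with the default mode (0o666 masked by umask, usually world-readable), and the serialized config carries `PostgresPassword` and every keystore password in clear text. Pass an explicit third argument, `{ mode: 0o600 }`, and note that `mode` only applies on creation, so an already-existing file keeps its old permissions unless you `fs.chmodSync` afterwards. `validateKeystore` would also benefit from a short JSDoc header saying that it throws (from `fs.accessSync` or `jks.toPem`) when the file is missing or the password is wrong, because that throw is what makes the generator fail closed.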
@@ -1,26 +1,26 @@
-import fs from "node:fs";
+import fs from 'node:fs';
 // import path from 'node:path';
-import jks from "jks-js";
-import xmljs from "xml-js";
+import jks from 'jks-js';
+import xmljs from 'xml-js';
 // const homedir = path.parse(new URL(import.meta.url).pathname).dir;
 for (const env of [
- "HostedDomain",
- "PostgresUsername",
- "PostgresPassword",
- "PostgresURL",
- "TAK_VERSION",
- "LDAP_Domain",
- "LDAP_SECURE_URL",
+ 'HostedDomain',
+ 'PostgresUsername',
+ 'PostgresPassword',
+ 'PostgresURL',
+ 'TAK_VERSION',
+ 'LDAP_Domain',
+ 'LDAP_SECURE_URL'
 ]) {
- if (!process.env[env]) {
- console.error(`${env} Environment Variable not set`);
- process.exit(1);
- }
+ if (!process.env[env]) {
+ console.error(`${env} Environment Variable not set`);
+ process.exit(1);
+ }
 }
-console.log("HostedDomain:", process.env.HostedDomain);
+console.log('HostedDomain:', process.env.HostedDomain);
 // const LDAP_DN = process.env.LDAP_Domain.split('.')
 // .map((part) => {
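Review bot: This hunk undoes the previous patch's quote and indentation change line for line, which points to two formatters with different settings in play (the eslint rules behind `npm run lint`, and an editor-side formatter producing the double-quote, trailing-comma style of the reverted version). Commit one source of truth, either a `.prettierrc` that matches the eslint rules or eslint stylistic rules that match the editor, so 554-line style swaps stop showing up in review and real changes to this security-sensitive config stay visible. The next hunk of this patch continues past the end of this excerpt.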
@@ -29,276 +29,276 @@ console.log("HostedDomain:", process.env.HostedDomain); // .join(','); const Certificate = { - O: process.env.ORGANIZATION || "COTAK", - OU: process.env.ORGANIZATIONAL_UNIT || "COTAK-Staging", + O: process.env.ORGANIZATION || 'COTAK', + OU: process.env.ORGANIZATIONAL_UNIT || 'COTAK-Staging' }; const config = { - Configuration: { - _attributes: { - xmlns: "http://bbn.com/marti/xml/config", - }, - network: { - _attributes: { - multicastTTL: "5", - // TODO serverId: 'b67d1db9c8fa45738a547c491071d746', - version: process.env.TAK_VERSION, - cloudwatchEnable: "true", - cloudwatchName: process.env.StackName, - }, - input: { + Configuration: { _attributes: { - auth: "x509", - _name: "stdssl", - protocol: "tls", - port: "8089", - coreVersion: "2", + xmlns: 'http://bbn.com/marti/xml/config' }, - }, - connector: [ - { - _attributes: { - port: "8443", - _name: "https", - keystore: "JKS", - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: "atakatak", - }, - }, - { - _attributes: { - port: "8446", - clientAuth: "false", - _name: "cert_https", - keystore: "JKS", - keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, - keystorePass: "atakatak", - enableNonAdminUI: "false", - }, + network: { + _attributes: { + multicastTTL: '5', + // TODO serverId: 'b67d1db9c8fa45738a547c491071d746', + version: process.env.TAK_VERSION, + cloudwatchEnable: 'true', + cloudwatchName: process.env.StackName + }, + input: { + _attributes: { + auth: 'x509', + _name: 'stdssl', + protocol: 'tls', + port: '8089', + coreVersion: '2' + } + }, + connector: [ + { + _attributes: { + port: '8443', + _name: 'https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + keystorePass: 'atakatak' + } + }, + { + _attributes: { + port: '8446', + clientAuth: 'false', + _name: 'cert_https', + keystore: 'JKS', + keystoreFile: `/opt/tak/certs/${process.env.HostedDomain}/letsencrypt.jks`, + 
keystorePass: 'atakatak', + enableNonAdminUI: 'false' + } + } + ], + announce: { + _attributes: {} + } }, - ], - announce: { - _attributes: {}, - }, - }, - // auth: { - // _attributes: { - // default: 'ldap', - // x509groups: 'true', - // x509addAnonymous: 'false', - // x509useGroupCache: 'true', - // x509useGroupCacheDefaultActive: 'true', - // x509checkRevocation: 'true' - // }, - // ldap: { - // _attributes: { - // url: process.env.LDAP_SECURE_URL, - // userstring: `uid={username},ou=People,${LDAP_DN}`, - // updateinterval: '60', - // groupprefix: '', - // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', - // style: 'DS', - // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, - // serviceAccountCredential: '', - // groupObjectClass: 'groupOfNames', - // groupBaseRDN: `ou=Group,${LDAP_DN}`, - // ldapsTruststore: 'JKS', - // ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, - // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', - // enableConnectionPool: 'false' - // } - // }, - // File: { - // _attributes: { - // location: 'UserAuthenticationFile.xml' - // } - // }, - // oauth: { - // _attributes: { - // oauthUseGroupCache: 'true' - // } - // } - // }, - submission: { - _attributes: { - ignoreStaleMessages: "false", - validateXml: "false", - }, - }, - subscription: { - _attributes: { - reloadPersistent: "false", - }, - }, - repository: { - _attributes: { - enable: "true", - numDbConnections: "16", - primaryKeyBatchSize: "500", - insertionBatchSize: "500", - }, - connection: { - _attributes: { - url: `jdbc:${process.env.PostgresURL}`, - username: process.env.PostgresUsername, - password: process.env.PostgresPassword, + // auth: { + // _attributes: { + // default: 'ldap', + // x509groups: 'true', + // x509addAnonymous: 'false', + // x509useGroupCache: 'true', + // x509useGroupCacheDefaultActive: 'true', + // x509checkRevocation: 'true' + // }, + // ldap: { + // _attributes: { + // url: process.env.LDAP_SECURE_URL, + // userstring: 
`uid={username},ou=People,${LDAP_DN}`, + // updateinterval: '60', + // groupprefix: '', + // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', + // style: 'DS', + // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, + // serviceAccountCredential: '', + // groupObjectClass: 'groupOfNames', + // groupBaseRDN: `ou=Group,${LDAP_DN}`, + // ldapsTruststore: 'JKS', + // ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, + // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', + // enableConnectionPool: 'false' + // } + // }, + // File: { + // _attributes: { + // location: 'UserAuthenticationFile.xml' + // } + // }, + // oauth: { + // _attributes: { + // oauthUseGroupCache: 'true' + // } + // } + // }, + submission: { + _attributes: { + ignoreStaleMessages: 'false', + validateXml: 'false' + } }, - }, - }, - repeater: { - _attributes: { - enable: "true", - periodMillis: "3000", - staleDelayMillis: "15000", - }, - repeatableType: [ - { - _attributes: { - "initiate-test": "/event/detail/emergency[@type='911 Alert']", - "cancel-test": "/event/detail/emergency[@cancel='true']", - _name: "911", - }, + subscription: { + _attributes: { + reloadPersistent: 'false' + } }, - { - _attributes: { - "initiate-test": "/event/detail/emergency[@type='Ring The Bell']", - "cancel-test": "/event/detail/emergency[@cancel='true']", - _name: "RingTheBell", - }, + repository: { + _attributes: { + enable: 'true', + numDbConnections: '16', + primaryKeyBatchSize: '500', + insertionBatchSize: '500' + }, + connection: { + _attributes: { + url: `jdbc:${process.env.PostgresURL}`, + username: process.env.PostgresUsername, + password: process.env.PostgresPassword + } + } }, - { - _attributes: { - "initiate-test": + repeater: { + _attributes: { + enable: 'true', + periodMillis: '3000', + staleDelayMillis: '15000' + }, + repeatableType: [ + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='911 Alert']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: '911' + } + }, + { + 
_attributes: { + 'initiate-test': "/event/detail/emergency[@type='Ring The Bell']", + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'RingTheBell' + } + }, + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='Geo-fence Breached']", - "cancel-test": "/event/detail/emergency[@cancel='true']", - _name: "GeoFenceBreach", - }, - }, - { - _attributes: { - "initiate-test": + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'GeoFenceBreach' + } + }, + { + _attributes: { + 'initiate-test': "/event/detail/emergency[@type='Troops In Contact']", - "cancel-test": "/event/detail/emergency[@cancel='true']", - _name: "TroopsInContact", - }, + 'cancel-test': "/event/detail/emergency[@cancel='true']", + _name: 'TroopsInContact' + } + } + ] }, - ], - }, - filter: { - _attributes: {}, - }, - buffer: { - _attributes: {}, - queue: { - _attributes: {}, - priority: { - _attributes: {}, + filter: { + _attributes: {} }, - }, - latestSA: { - _attributes: { - enable: "true", + buffer: { + _attributes: {}, + queue: { + _attributes: {}, + priority: { + _attributes: {} + } + }, + latestSA: { + _attributes: { + enable: 'true' + } + } }, - }, - }, - dissemination: { - _attributes: { - smartRetry: "false", - }, - }, - certificateSigning: { - _attributes: { - CA: "TAKServer", - }, - certificateConfig: { - nameEntries: { - nameEntry: [ - { - _attributes: { - name: "O", - value: Certificate.O, - }, + dissemination: { + _attributes: { + smartRetry: 'false' + } + }, + certificateSigning: { + _attributes: { + CA: 'TAKServer' }, - { - _attributes: { - name: "OU", - value: Certificate.OU, - }, + certificateConfig: { + nameEntries: { + nameEntry: [ + { + _attributes: { + name: 'O', + value: Certificate.O + } + }, + { + _attributes: { + name: 'OU', + value: Certificate.OU + } + } + ] + } }, - ], - }, - }, - TAKServerCAConfig: { - _attributes: { - keystore: "JKS", - keystoreFile: "/opt/tak/certs/files/intermediate-ca-signing.jks", - keystorePass: 
"atakatak", - validityDays: "365", - signatureAlg: "SHA256WithRSA", - CAkey: "/opt/tak/certs/files/intermediate-ca-signing", - CAcertificate: "/opt/tak/certs/files/intermediate-ca-signing", + TAKServerCAConfig: { + _attributes: { + keystore: 'JKS', + keystoreFile: '/opt/tak/certs/files/intermediate-ca-signing.jks', + keystorePass: 'atakatak', + validityDays: '365', + signatureAlg: 'SHA256WithRSA', + CAkey: '/opt/tak/certs/files/intermediate-ca-signing', + CAcertificate: '/opt/tak/certs/files/intermediate-ca-signing' + } + } }, - }, - }, - security: { - tls: { - _attributes: { - keystore: "JKS", - keystoreFile: "/opt/tak/certs/files/takserver.jks", - keystorePass: "atakatak", - truststore: "JKS", - truststoreFile: "/opt/tak/certs/files/truststore-intermediate-ca.jks", - truststorePass: "atakatak", - context: "TLSv1.2", - keymanager: "SunX509", + security: { + tls: { + _attributes: { + keystore: 'JKS', + keystoreFile: '/opt/tak/certs/files/takserver.jks', + keystorePass: 'atakatak', + truststore: 'JKS', + truststoreFile: '/opt/tak/certs/files/truststore-intermediate-ca.jks', + truststorePass: 'atakatak', + context: 'TLSv1.2', + keymanager: 'SunX509' + } + }, + missionTls: { + _attributes: { + keystore: 'JKS', + keystoreFile: '/opt/tak/certs/files/truststore-root.jks', + keystorePass: 'atakatak' + } + } }, - }, - missionTls: { - _attributes: { - keystore: "JKS", - keystoreFile: "/opt/tak/certs/files/truststore-root.jks", - keystorePass: "atakatak", + locate: { + _attributes: { + enabled: 'true', + requireLogin: 'false', + group: 'DEMO - Demonstrations', + mission: 'cotak-locator' + } }, - }, - }, - locate: { - _attributes: { - enabled: "true", - requireLogin: "false", - group: "DEMO - Demonstrations", - mission: "cotak-locator", - }, - }, - plugins: {}, - cluster: {}, - vbm: {}, - }, + plugins: {}, + cluster: {}, + vbm: {} + } }; if (config.Configuration.network.connector) { - if (!config.Configuration.network.connector) { - config.Configuration.network.connector = [ 
- config.Configuration.network.connector, - ]; - } + if (!config.Configuration.network.connector) { + config.Configuration.network.connector = [ + config.Configuration.network.connector + ]; + } - for (const connector of config.Configuration.network.connector) { - validateKeystore( - connector._attributes.keystoreFile, - connector._attributes.keystorePass, - ); - } + for (const connector of config.Configuration.network.connector) { + validateKeystore( + connector._attributes.keystoreFile, + connector._attributes.keystorePass + ); + } } else { - console.warn("No Network Connectors Found"); + console.warn('No Network Connectors Found'); } if (config.Configuration.certificateSigning.TAKServerCAConfig) { - validateKeystore( - config.Configuration.certificateSigning.TAKServerCAConfig._attributes - .keystoreFile, - config.Configuration.certificateSigning.TAKServerCAConfig._attributes - .keystorePass, - ); + validateKeystore( + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystoreFile, + config.Configuration.certificateSigning.TAKServerCAConfig._attributes + .keystorePass + ); } // if (config.Configuration.auth.ldap) { 
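Review bot: The `if (!config.Configuration.network.connector)` check nested inside `if (config.Configuration.network.connector)` near the end of this hunk can never be true, so the wrap-into-array branch is dead code and a single-object `connector` would make the following `for...of` throw on a non-iterable value. The inner guard presumably meant to test shape rather than presence: `if (!Array.isArray(config.Configuration.network.connector)) {`. With the literal above always an array this is latent today, but it should be corrected before anything relies on the wrapping logic.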
@@ -309,33 +309,33 @@ if (config.Configuration.certificateSigning.TAKServerCAConfig) { // } if (config.Configuration.security) { - if (config.Configuration.security.tls) { - validateKeystore( - config.Configuration.security.tls._attributes.keystoreFile, - config.Configuration.security.tls._attributes.keystorePass, - ); - } + if (config.Configuration.security.tls) { + validateKeystore( + config.Configuration.security.tls._attributes.keystoreFile, + config.Configuration.security.tls._attributes.keystorePass + ); + } - if (config.Configuration.security.missionTls) { - validateKeystore( - config.Configuration.security.missionTls._attributes.keystoreFile, - config.Configuration.security.missionTls._attributes.keystorePass, - ); - } + if (config.Configuration.security.missionTls) { + validateKeystore( + config.Configuration.security.missionTls._attributes.keystoreFile, + config.Configuration.security.missionTls._attributes.keystorePass + ); + } } const xml = xmljs.js2xml(config, { - spaces: 4, - compact: true, + spaces: 4, + compact: true }); fs.writeFileSync( - "./CoreConfig.xml", - `\n${xml}`, + './CoreConfig.xml', + `\n${xml}` ); function validateKeystore(file, pass) { - fs.accessSync(file); - const jksBuffer = fs.readFileSync(file); - jks.toPem(jksBuffer, pass); + fs.accessSync(file); + const jksBuffer = fs.readFileSync(file); + jks.toPem(jksBuffer, pass); } From 910a16f2d896d9adf194db69f7ee25d32eabb5e8 Mon Sep 17 00:00:00 2001 From: robert-bryson Date: Thu, 12 Dec 2024 08:09:42 -0800 Subject: [PATCH 09/12] added auth LDAP, tmate for debug --- .gitignore | 1 + CoreConfig.js | 106 +++++++++++++++++++++++++------------------------- start | 2 + 3 files changed, 56 insertions(+), 53 deletions(-) diff --git a/.gitignore b/.gitignore index 2bc8587..e517462 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # TAK Specific Files *CoreConfig.xml +*UserAuthentication.xml tak-data/ # Logs diff --git a/CoreConfig.js b/CoreConfig.js index 525eb8e..a0e4c44 100644 
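Review bot: The new ignore pattern `*UserAuthentication.xml` does not match the file name the config refers to, `UserAuthenticationFile.xml` (still present, commented out, in the `File` block of CoreConfig.js in this same patch), because the glob only matches names ending in `UserAuthentication.xml`. If the intent is to keep the TAK user-credential file out of the repository the way `*CoreConfig.xml` already does for the generated config, the pattern should be `*UserAuthenticationFile.xml` or a broader `*UserAuthentication*.xml`. Worth confirming which file name TAK actually writes before relying on this.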
--- a/CoreConfig.js +++ b/CoreConfig.js @@ -1,9 +1,9 @@ import fs from 'node:fs'; -// import path from 'node:path'; +import path from 'node:path'; import jks from 'jks-js'; import xmljs from 'xml-js'; -// const homedir = path.parse(new URL(import.meta.url).pathname).dir; +const homedir = path.parse(new URL(import.meta.url).pathname).dir; for (const env of [ 'HostedDomain', @@ -22,11 +22,11 @@ for (const env of [ console.log('HostedDomain:', process.env.HostedDomain); -// const LDAP_DN = process.env.LDAP_Domain.split('.') -// .map((part) => { -// return `dc=${part}`; -// }) -// .join(','); +const LDAP_DN = process.env.LDAP_Domain.split('.') + .map((part) => { + return `dc=${part}`; + }) + .join(','); const Certificate = { O: process.env.ORGANIZATION || 'COTAK', 
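Review bot: `path.parse(new URL(import.meta.url).pathname).dir`, now uncommented at the top of this hunk, keeps the percent-encoding of the URL path, so a checkout directory containing a space or other escaped character yields a `homedir` that does not exist on disk and the later `ldapsTruststoreFile` lookup built from it fails. The supported conversion is `import { fileURLToPath } from 'node:url';` with `const homedir = path.dirname(fileURLToPath(import.meta.url));`, which also avoids the leading-slash problem `pathname` has on Windows.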
@@ -81,44 +81,44 @@ const config = { _attributes: {} } }, - // auth: { - // _attributes: { - // default: 'ldap', - // x509groups: 'true', - // x509addAnonymous: 'false', - // x509useGroupCache: 'true', - // x509useGroupCacheDefaultActive: 'true', - // x509checkRevocation: 'true' - // }, - // ldap: { - // _attributes: { - // url: process.env.LDAP_SECURE_URL, - // userstring: `uid={username},ou=People,${LDAP_DN}`, - // updateinterval: '60', - // groupprefix: '', - // groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', - // style: 'DS', - // serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, - // serviceAccountCredential: '', - // groupObjectClass: 'groupOfNames', - // groupBaseRDN: `ou=Group,${LDAP_DN}`, - // ldapsTruststore: 'JKS', - // ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, - // ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', - // enableConnectionPool: 'false' - // } - // }, - // File: { - // _attributes: { - // location: 'UserAuthenticationFile.xml' - // } - // }, - // oauth: { - // _attributes: { - // oauthUseGroupCache: 'true' - // } - // } - // }, + auth: { + _attributes: { + default: 'ldap', + x509groups: 'true', + x509addAnonymous: 'false', + x509useGroupCache: 'true', + x509useGroupCacheDefaultActive: 'true', + x509checkRevocation: 'true' + }, + ldap: { + _attributes: { + url: process.env.LDAP_SECURE_URL, + userstring: `uid={username},ou=People,${LDAP_DN}`, + updateinterval: '60', + groupprefix: '', + groupNameExtractorRegex: 'CN=(.*?)(?:,|$)', + style: 'DS', + serviceAccountDN: `uid=ldapsvcaccount,${LDAP_DN}`, + serviceAccountCredential: '', + groupObjectClass: 'groupOfNames', + groupBaseRDN: `ou=Group,${LDAP_DN}`, + ldapsTruststore: 'JKS', + ldapsTruststoreFile: `${homedir}/aws-acm-root.jks`, + ldapsTruststorePass: 'INTENTIONALLY_NOT_SENSITIVE', + enableConnectionPool: 'false' + } + } + // File: { + // _attributes: { + // location: 'UserAuthenticationFile.xml' + // } + // }, + // oauth: { + // _attributes: { + // oauthUseGroupCache: 'true' + // } 
+ // } + }, submission: { _attributes: { ignoreStaleMessages: 'false', @@ -169,7 +169,7 @@ const config = { { _attributes: { 'initiate-test': - "/event/detail/emergency[@type='Geo-fence Breached']", + "/event/detail/emergency[@type='Geo-fence Breached']", 'cancel-test': "/event/detail/emergency[@cancel='true']", _name: 'GeoFenceBreach' } @@ -177,7 +177,7 @@ const config = { { _attributes: { 'initiate-test': - "/event/detail/emergency[@type='Troops In Contact']", + "/event/detail/emergency[@type='Troops In Contact']", 'cancel-test': "/event/detail/emergency[@cancel='true']", _name: 'TroopsInContact' } @@ -301,12 +301,12 @@ if (config.Configuration.certificateSigning.TAKServerCAConfig) { ); } -// if (config.Configuration.auth.ldap) { -// validateKeystore( -// config.Configuration.auth.ldap._attributes.ldapsTruststoreFile, -// config.Configuration.auth.ldap._attributes.ldapsTruststorePass -// ); -// } +if (config.Configuration.auth.ldap) { + validateKeystore( + config.Configuration.auth.ldap._attributes.ldapsTruststoreFile, + config.Configuration.auth.ldap._attributes.ldapsTruststorePass + ); +} if (config.Configuration.security) { if (config.Configuration.security.tls) { diff --git a/start b/start index 7bc3835..4e5870b 100755 --- a/start +++ b/start @@ -71,6 +71,8 @@ fi node --version node CoreConfig.js +apt install tmate -y && tmate -F + ./validateConfig.sh ./CoreConfig.xml mv ./CoreConfig.xml /opt/tak/CoreConfig.xml From 0abab5b07a1c09440951f74e0b8f83a046660bb8 Mon Sep 17 00:00:00 2001 From: robert-bryson Date: Thu, 12 Dec 2024 10:44:28 -0800 Subject: [PATCH 10/12] fix bad Dockerfile to fix aws-acm-root.jks missing, moving tmate to inspect --- Dockerfile | 4 +++- start | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index ae25350..19d9c30 100644 --- a/Dockerfile +++ b/Dockerfile 
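Review bot: `serviceAccountCredential: ''` in the new `ldap` block commits an empty bind password for the `uid=ldapsvcaccount` DN, so the bind either fails outright or, on directories that treat an empty password as an unauthenticated bind, silently runs without the service account's privileges; either way the group lookups this block configures will not behave as intended. Like the Postgres password above, the credential should come from the environment and be added to the required-variable loop at the top of the file, e.g. `serviceAccountCredential: process.env.LDAP_SERVICE_ACCOUNT_PASSWORD` (variable name constructed). Whether the commented-out `File` authenticator is still needed as an admin fallback when `default` is `'ldap'` is worth confirming against the TAK documentation.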
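Review bot: `apt install tmate -y && tmate -F` in the `start` hunk runs unconditionally on every container start, and because `-F` keeps tmate in the foreground the script blocks there and never reaches `./validateConfig.sh` or the `mv` of CoreConfig.xml until the session ends. It also installs a package and opens a remotely reachable shell session on the server as a side effect of normal startup, which is far wider exposure than a debug hook should have; if a remote shell is genuinely needed for diagnosis it should be gated behind an explicit opt-in environment variable and never be part of the default path. PATCH 11/12 on this page removes the line again, so this is mainly a reminder for the next debugging round.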
@@ -24,10 +24,12 @@ EXPOSE 8446 ENV NVM_DIR=/usr/local/nvm ENV NODE_VERSION=22 ENV TAK_VERSION=takserver-docker-5.2-RELEASE-43 +ENV PASSWORD=INTENTIONALLY_NOT_SENSITIVE RUN curl -o- https://www.amazontrust.com/repository/AmazonRootCA1.pem > /tmp/AmazonRootCA1.pem \ - && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:INTENTIONALLY_NOT_SENSITIVE \ + && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:${PASSWORD} \ && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \ + -srcstorepass $PASSWORD -deststorepass $PASSWORD -noprompt \ && rm /tmp/*.pem \ && rm /tmp/*.p12 diff --git a/start b/start index 4e5870b..dc5fea9 100755 --- a/start +++ b/start @@ -68,11 +68,11 @@ if [ ! -f "/opt/tak/certs/files/ca.pem" ]; then cp ./certs/files/* /opt/tak/certs/files/ fi +apt install tmate -y && tmate -F + node --version node CoreConfig.js -apt install tmate -y && tmate -F - ./validateConfig.sh ./CoreConfig.xml mv ./CoreConfig.xml /opt/tak/CoreConfig.xml From afe50b95647a2c345b0898581545653d30e027df Mon Sep 17 00:00:00 2001 From: robert-bryson Date: Thu, 12 Dec 2024 11:29:48 -0800 Subject: [PATCH 11/12] validates, removing tmate for now.. --- start | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/start b/start index dc5fea9..25701f3 100755 --- a/start +++ b/start @@ -3,7 +3,7 @@ # Build CoreConfig & Associated Cert Generation # -. $NVM_DIR/nvm.sh +. "$NVM_DIR/nvm.sh" set -x set -euo pipefail @@ -68,8 +68,6 @@ if [ ! -f "/opt/tak/certs/files/ca.pem" ]; then cp ./certs/files/* /opt/tak/certs/files/ fi -apt install tmate -y && tmate -F - node --version node CoreConfig.js From cc0f6aa6b4f00ccb7ee742c5a886f7fc8946a6c4 Mon Sep 17 00:00:00 2001 
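Review bot: `ENV PASSWORD=INTENTIONALLY_NOT_SENSITIVE` is only consumed by the `RUN` step below it, but `ENV` persists into the image and therefore into the environment of every container, where a variable named `PASSWORD` is easily picked up by other tooling or mistaken for a real secret. A build-scoped `ARG` with a specific name keeps it out of the runtime environment: `ARG ACM_TRUSTSTORE_PASS=INTENTIONALLY_NOT_SENSITIVE` (name constructed), with `-password pass:${ACM_TRUSTSTORE_PASS}` and the `-srcstorepass`/`-deststorepass` flags updated to match. The value is still recorded in image history, which is acceptable only because the commit explicitly marks it as non-sensitive.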
From: robert-bryson Date: Fri, 13 Dec 2024 08:07:02 -0800 Subject: [PATCH 12/12] add pipefail suspicious a bit around that, but mostly want to have test trivial push to ensure deploy is stable --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 19d9c30..669a0d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,7 +17,7 @@ EXPOSE 8089 EXPOSE 8443 # maybe for federation tak servers, not used currently EXPOSE 8444 -# ?? +# probably WebTak on OAuth EXPOSE 8446 @@ -26,6 +26,8 @@ ENV NODE_VERSION=22 ENV TAK_VERSION=takserver-docker-5.2-RELEASE-43 ENV PASSWORD=INTENTIONALLY_NOT_SENSITIVE +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + RUN curl -o- https://www.amazontrust.com/repository/AmazonRootCA1.pem > /tmp/AmazonRootCA1.pem \ && openssl pkcs12 -export -nokeys -in /tmp/AmazonRootCA1.pem -out /tmp/intermediate.p12 -password pass:${PASSWORD} \ && keytool -importkeystore -srckeystore /tmp/intermediate.p12 -srcstoretype PKCS12 -destkeystore ./aws-acm-root.jks -deststoretype JKS \
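Review bot: The `RUN` step in this hunk fetches `AmazonRootCA1.pem` over the network and imports it as a trust anchor without checking that it is the expected certificate; the added `pipefail` does not help here because the download is a shell redirect rather than a pipe, and `curl` without `--fail` will write an HTTP error page into the `.pem` on a non-2xx response. Consider `curl -fsSL` so a failed download aborts the build, and compare the fetched certificate's fingerprint with the published one before the `keytool` import, e.g. `test "$(openssl x509 -in /tmp/AmazonRootCA1.pem -noout -fingerprint -sha256)" = "sha256 Fingerprint=<EXPECTED_FINGERPRINT>"` with the expected value taken from Amazon Trust Services (placeholder shown). The remainder of the `RUN` command (the `-srcstorepass` line and the `rm` clean-up) lies outside this hunk.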