Merge pull request #88 from silinternational/develop

Release 2.3.0

Author: briskt

.gitignore

@@ -13,3 +13,18 @@ jspm_packages
 
 # Temporary copy of backups (used during Disaster Recovery)
 /recovery/TempCopyOfBackups
+
+# JS files generated or copied during local development (see Makefile)
+/development/site/client-bundle.js
+/development/site/psl.min.js
+/development/site/webauthn-client.js
+
+# Folder with cert files used for dev-server https-proxy / traefik
+development/cert
+
+# Local environment variables files, typically with secrets
+local.env
+*.local.env
+
+# Terraform
+.terraform/

.whitesource

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2017 SIL International
+Copyright (c) 2017-2022 SIL International
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Dockerfile

@@ -1,5 +1,17 @@
-start:
-	echo This Makefile has no default action. Be specific.
+dev-server:
+	node development/server
+
+dynamodb:
+	docker-compose up -d dynamodb
+
+dynamodb-tables: dynamodb
+	./development/create-tables.sh
+
+list-dev-api-keys:
+	./development/list-api-keys.sh
 
 do-full-recovery:
 	docker-compose run --rm do-full-recovery
+
+test:
+	npm test

LICENSE

@@ -15,7 +15,8 @@ For details about the various API endpoints, see
     must be provided as an `x-api-key` header in the HTTP request.
 - We create a new API Key and email it to that email address.
   * NOTE: At the moment, we do not actually send that email, since our use case
-    is so limited that we can simply look up the API Key in the database.
+    is so limited that we can simply look up the API Key in the database. For
+    local development, run `make list-dev-api-keys` to see it.
 - The consumer does a `POST` to `/api-key/activate`, providing the email address
   and the API Key.
 - We respond with an API Secret (which is actually an AES key, which we will use
@@ -261,6 +262,73 @@ gulp restore \
 ```
 (Note: The restore time is a JavaScript timestamp, in milliseconds.)
 
+## Running locally
+
+To run this locally (such as for development)...
+
+1. Open a terminal to **THIS** repo's root folder and run the following:
+   - `make dynamodb-tables`
+     * NOTE: You may need to run this twice. If it gives an error message,
+       trying again should work. I think it's a timing issue, where it tries to
+       create the dynamodb tables before the local dynamodb is _actually_ up
+       enough to be ready for interaction.
+   - `make dev-server`
+2. Add and activate api-key entry for yourself in your local serverless-mfa-api:
+   - Submit a `POST` to <https://localhost:8080/prod/api-key> with a JSON body
+     like the following:
+     ```json
+     { "email": "[email protected]" }
+     ```
+     It should return a `204 No Content` response.
+   - Run `make list-dev-api-keys`, and copy the "value" parameter's value.
+   - Do a `POST` to <https://localhost:8080/prod/api-key/activate>, with a JSON
+     body like the following:
+     ```json
+     {
+     "email": "[email protected]",
+     "apiKey": "the-value-parameter-from-the-dynamo-db-table"
+     }
+     ```
+     It should return a `200 OK` with a JSON body containing an apiSecret that
+     you will need. When copying that value, make sure you include any trailing
+     equals signs (`=`).
+3. Clone the <https://github.com/silinternational/idp-in-a-box> repo.
+4. Put the apiSecret returned (including any trailing `=` signs) and the apiKey
+   value you used in the JSON body into your local idp-in-a-box code's
+   `/docker-compose/broker/local.env` file, both for the `MFA_TOTP_*` and
+   `MFA_U2F_*` environment variables, something like this (but using **YOUR**
+   values for the apiKey and apiSecret entries, not these dummy/sample values):
+   ```
+   MFA_TOTP_apiBaseUrl=http://localhost:8080/
+   MFA_TOTP_apiKey=347a15dc60f014bdd93e4fc59aab607b022c8e19
+   MFA_TOTP_apiSecret=za3c5Op8XgQcWNK16Rg6Th3ndmJ2ZTGL4uEldAJxDes=
+   
+   MFA_U2F_apiBaseUrl=http://localhost:8080/
+   MFA_U2F_apiKey=347a15dc60f014bdd93e4fc59aab607b022c8e19
+   MFA_U2F_apiSecret=za3c5Op8XgQcWNK16Rg6Th3ndmJ2ZTGL4uEldAJxDes= 
+   ```
+5. Bring up the `idp-in-a-box` repo. See that repo's README.md for instructions.
+
+## Serverless
+
+To start a local container for development of Serverless configuration:
+
+```
+docker-compose run --rm dev bash
+```
+
+## Credential Rotation
+
+### AWS Serverless User
+
+1. Use the Terraform CLI to taint the old access key
+```
+terraform taint module.serverless-user.aws_iam_access_key.serverless
+```
+2. Run a new plan on Terraform Cloud
+3. Review the new plan and apply if it is correct
+4. Copy the new key and secret from the Terraform output into Codeship
+
 ## Glossary
 
 - `API Key`: A hex string used to identify calls to most of the endpoints on

Makefile

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Exit script with error if any step fails.
+set -e
+
+# Print the Serverless version in the logs
+serverless --version
+
+echo "Deploying stage $1..."
+serverless deploy --verbose --stage "$1"

README.md

@@ -3,5 +3,5 @@
 # Exit script with error if any step fails.
 set -e
 
-npm install -g serverless
-npm install
+npm install --no-fund -g serverless@3
+npm install --no-fund