From fb65369426866f04838a5edc92da660a0050196e Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 15 Aug 2023 16:20:28 +0930
Subject: [PATCH 1/6] chore: ignore from commit .tmp tmp. files !3
---
 .gitignore | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 46806ff..726cf60 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 # Ignore Node-RED backups
-*.backup
\ No newline at end of file
+*.backup
+
+# Ignore tmp files
+*.tmp
+tmp.*
-- 
2.49.0
From d001f36c6ba63e87add85fcc97b89d6292a7b2de Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 15 Aug 2023 16:21:30 +0930
Subject: [PATCH 2/6] feat(flows_cred): bash encryption script !3 #4
---
 encrypt-flows-cred.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100755 encrypt-flows-cred.sh
diff --git a/encrypt-flows-cred.sh b/encrypt-flows-cred.sh
new file mode 100755
index 0000000..cedc189
--- /dev/null
+++ b/encrypt-flows-cred.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# Description:
+# Encrypt flows_cred.json.tmp from the specified directory to flows_cred.json. You will be prompted for the encryption password.
+#
+# Usage:
+# ./encrypt-flows-cred.sh {path to cred file, if PWD use '.'}
+#
+# Changelog:
+# 2023-08-15: Script creation.
+#
+
+echo -n "Please enter the flows_cred.json decryption key: ";
+read -s PASSWORD;
+echo;
+
+Rand=$(tr -dc 'A-Fa-f0-9' $1/flows_cred.json
+{
+ "$": "$Rand$EncryptedData"
+}
+EOF
+
+echo;
+
+rm $1/flows_cred.json.tmp;
-- 
2.49.0
From 93fad1368169a64a52e0f5f1b8603193fb22199e Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 15 Aug 2023 16:22:09 +0930
Subject: [PATCH 3/6] feat(flows_cred): bash decryption output to flows_cred.json.tmp !3 #4
---
 decrypt-flows-cred.sh | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
 mode change 100644 => 100755 decrypt-flows-cred.sh
diff --git a/decrypt-flows-cred.sh b/decrypt-flows-cred.sh
old mode 100644
new mode 100755
index cc27f29..9129da0
--- a/decrypt-flows-cred.sh 
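Review bot: `rm $1/flows_cred.json.tmp` at the end of the new script runs unconditionally, so if the encryption step fails the plaintext copy is deleted after `$1/flows_cred.json` has already been overwritten by the heredoc, leaving neither a usable ciphertext nor the original (the encryption command itself is only partly visible here; the hunk text between `tr -dc 'A-Fa-f0-9'` and `$1/flows_cred.json` appears to have been lost in transit). Guard the write and the cleanup on success, e.g. `[[ -n "$EncryptedData" ]] || { echo "encryption failed" >&2; exit 1; }` before the heredoc, and quote the paths, `rm -- "$1/flows_cred.json.tmp"`. A missing `$1` silently turns the paths into `/flows_cred.json`; `: "${1:?usage: encrypt-flows-cred.sh <dir>}"` near the top catches that. The prompt text says "decryption key" although this script encrypts.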
+++ b/decrypt-flows-cred.sh
@@ -10,12 +10,16 @@
 # 2023-08-14: Fetched script from original source
 # Credit to the original author/creator.
 # 2023-08-14: Adjusted to prompt for password when running command.
+# 2023-08-14: Adjusted to output to a file called 'flows_cred.json.tmp'
 #
 echo -n "Please enter the flows_cred.json decryption key: ";
 read -s PASSWORD
-echo.
+echo;
-jq '.["$"]' -j $1/flows_cred.json | \
+DecryptedData=$(jq '.["$"]' -j $1/flows_cred.json | \
 cut -c 33- | \
- openssl enc -aes-256-ctr -d -base64 -A -iv `jq -r '.["$"]' $1/flows_cred.json | cut -c 1-32` -K `echo -n $PASSWORD | sha256sum | cut -c 1-64`
+ openssl enc -aes-256-ctr -d -base64 -A -iv `jq -r '.["$"]' $1/flows_cred.json | cut -c 1-32` -K `echo -n $PASSWORD | sha256sum | cut -c 1-64`)
+
+echo -n $DecryptedData > $1/flows_cred.json.tmp
+#echo -n $DecryptedData
-- 
2.49.0
From 90bc0804b1e42b25e6d5ffea84875e76f9194f84 Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 15 Aug 2023 16:36:17 +0930
Subject: [PATCH 4/6] feat(docker): add encrypt/decrypt scripts to /bin !3 #4
---
 dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/dockerfile b/dockerfile
index 956b03e..21c8fc1 100644
--- a/dockerfile
+++ b/dockerfile
@@ -28,6 +28,11 @@ LABEL \
 COPY includes/ /
+COPY decrypt-flows-cred.sh /bin/decrypt-flows-cred.sh
+
+COPY encrypt-flows-cred.sh /bin/encrypt-flows-cred.sh
+
+
 COPY --from=CloneRepo /tmp/self_service/package.json /data/package.json
 RUN cd /data; \
@@ -39,7 +44,12 @@ COPY --from=CloneRepo /tmp/self_service/flows.json /data/flows.json
 USER root
 RUN chown node-red:node-red -R /data; \
- chown node-red:node-red -R /usr/src/node-red;
+ chown node-red:node-red -R /usr/src/node-red; \
+ chomd +x /bin/decrypt-flows-cred.sh; \
+ chmod +x /bin/encrypt-flows-cred.sh; \
+ apk update; \
+ apk add \
+ jq;
 USER node-red
-- 
2.49.0
From 7824842cecba1bb102d04c0be33ecc1ed25360e2 Mon Sep 17 00:00:00 2001 
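Review bot: `echo -n $DecryptedData > $1/flows_cred.json.tmp` expands the decrypted JSON unquoted, so the shell word-splits it (all runs of whitespace and newlines collapse to single spaces) and glob-expands any `*` or `?` inside credential values against the current directory before anything is written; `printf '%s' "$DecryptedData" > "$1/flows_cred.json.tmp"` writes it byte-for-byte and does not depend on how the shell's `echo` treats backslashes. The file holds plaintext credentials and is created with the default umask, so `umask 077` before the redirect keeps it owner-readable only. A wrong key is not detected either: `openssl enc -aes-256-ctr -d` has no padding to fail on, so the script writes unusable output with exit status 0 — checking that the result parses, `jq -e . <<<"$DecryptedData" >/dev/null || exit 1`, before the redirect would catch that. The commented `#echo -n $DecryptedData` reads as leftover debugging output of the plaintext and can go.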
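Review bot: `chomd +x /bin/decrypt-flows-cred.sh; \` in the second dockerfile hunk is a typo for `chmod`, and because the RUN steps are joined with `;` the resulting "not found" error does not fail the build, so the image builds with that step silently skipped (the scripts are committed as mode 100755, which is presumably why nothing is noticed at runtime). Fix the spelling and join the steps with `&&` so a failing step aborts the build, e.g. `chown node-red:node-red -R /usr/src/node-red && \` and `chmod +x /bin/decrypt-flows-cred.sh && \`. The same `;` joining is in `RUN cd /data; \` on the npm install step moved in the next patch, where a failed `cd` would run the install in the working directory instead of stopping. `apk add --no-cache jq` in place of `apk update` followed by `apk add` would also keep the package index out of the layer.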
From: Jon
Date: Tue, 15 Aug 2023 16:36:45 +0930
Subject: [PATCH 5/6] fix(docker): npm permissions issue !3
---
 dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dockerfile b/dockerfile
index 21c8fc1..af436d6 100644
--- a/dockerfile
+++ b/dockerfile
@@ -35,9 +35,6 @@ COPY encrypt-flows-cred.sh /bin/encrypt-flows-cred.sh
 COPY --from=CloneRepo /tmp/self_service/package.json /data/package.json
-RUN cd /data; \
- npm install --unsafe-perm --no-update-notifier --no-fund --only=production
-
 COPY --from=CloneRepo /tmp/self_service/flows_cred.json /data/flows_cred.json
 COPY --from=CloneRepo /tmp/self_service/flows.json /data/flows.json
@@ -53,6 +50,9 @@ RUN chown node-red:node-red -R /data; \
 USER node-red
+RUN cd /data; \
+ npm install --unsafe-perm --no-update-notifier --no-fund --only=production
+
 HEALTHCHECK CMD curl http://localhost:1880/admin || exit 1
 VOLUME [ "/data", "/usr/src/node-red" ]
-- 
2.49.0
From 6c88529a73c477ea07d2637d9b26b067d60c48df Mon Sep 17 00:00:00 2001
From: Jon
Date: Tue, 15 Aug 2023 16:53:51 +0930
Subject: [PATCH 6/6] docs(docker): added script docs !3 #4 #5
---
 docs/projects/ldap_self_service/docker.md | 35 +++++++++++++++++++++++
 docs/projects/ldap_self_service/index.md | 28 +++---------------
 mkdocs.yml | 11 ++++---
 3 files changed, 46 insertions(+), 28 deletions(-)
 create mode 100644 docs/projects/ldap_self_service/docker.md
diff --git a/docs/projects/ldap_self_service/docker.md b/docs/projects/ldap_self_service/docker.md
new file mode 100644
index 0000000..314c9f8
--- /dev/null
+++ b/docs/projects/ldap_self_service/docker.md 
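Review bot: `--unsafe-perm` on the moved `npm install` line only changes behaviour when npm runs as root (it stops npm switching to a different uid/gid for package scripts, and newer npm versions ignore it entirely), so now that the step runs after `USER node-red` it is redundant and can be dropped: `npm install --no-update-notifier --no-fund --only=production`. Moving the install after the `chown node-red:node-red -R /data` step is what fixes the permissions problem named in the subject, so a one-line comment above the RUN saying the install must stay after the chown and the USER switch would stop a later reorder from reintroducing it.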
@@ -0,0 +1,35 @@
+---
+title: LDAP Self Service Docker Image
+description: How to use No Fuss Computings NodeRED LDAP Self Service Docker Image.
+date: 2023-08-15
+template: project.html
+about: https://gitlab.com/nofusscomputing/projects/nodered_ldap_self_service
+---
+
+[This docker image](https://hub.docker.com/r/nofusscomputing/ldap-selfservice) is designed to be behind a reverse-proxy. The proxy will be the service that provides ingress logging and `HTTPS` termination. NodeRED serves the the Self-Service site on `HTTP/80` at the `/` path with `/admin` path available for administering the flows. If when starting the docker container you specify an environmental variable of `NODE_RED_CREDENTIAL_SECRET` it will be used by NodeRED to decrypt your `flows_cred.json` file.
+
+Data for the container is stored in two volumes `/data` and `/usr/src/node-red`. The repo does contain a `flows_cred.json` file, however this is our credential file. It's recommended that you log into the flows admin and set the credentials to your desired values. Export it and as part of the deployment process, mount a read-only copy of your `flows_cred.json` file to path `/data/flows_cred.json` within the container.
+
+!!! danger "Security"
+ Path `/admin` should not be made publically available, as access to this path grants full access to the backend as well as access to passwords and secrets from your `flows_cred.json` file.
+
+
+## Docker Hub
+
+!!! info
+ The docker image is available via `docker pull nofusscomputing/ldap-selfservice` available tags are detailed below
+
+Available tags for the docker image is as follows:
+
+- `dev` The current working head of the repositories `development` branch.
+
+- `{\d}.{\d}.{\d}rc{\d}` The tag on the repositories `development` branch.
+
+- `{\d}.{\d}.{\d}` The tag on the repositories `master` branch. _considered stable_
+
+- `latest` The current working head of the repositories `master` branch. 
_considered stable_
+
+
+## Flow Credentials
+
+You can edit these from within the flow administration or use the included scripts and manually edit the `json` file. Within the container these scripts are stored in `/bin` as such can be called from any path. To decrypt `flows_cred,json` use `decrypt-flows-cred.sh /data` (you will be prompted for the decryption password) and this will output a file called `flows_cred.json.tmp` containing the decrypted `flows_cred.json`. to encrypt the temp `flows_cred.json.tmp` back into `flows_cred.json` use command `encrypt-flows-cred.sh /data`, (you will be prompted for the encryption password)
diff --git a/docs/projects/ldap_self_service/index.md b/docs/projects/ldap_self_service/index.md
index ca75782..fefa7c4 100644
--- a/docs/projects/ldap_self_service/index.md
+++ b/docs/projects/ldap_self_service/index.md
@@ -35,6 +35,8 @@ General Features:
 - Remove expired sessions
+- scripts to (en/de)crypt the `flows_cred.json`
+
 ## Usage 
@@ -42,30 +44,8 @@ There are two ways to use this NodeRed flow:
 1. Clone to the data directory of your NodeRED insance
-1. Use our pre-built docker image
-
-
-### Docker Image
-
-!!! info
- The docker image is available via `docker pull nofusscomputing/ldap-selfservice` available tags are detailed below
-
-
-Available tags for the docker image is as follows:
-
-- `dev` The current working head of the repositories `development` branch.
-
-- `{\d}.{\d}.{\d}rc{\d}` The tag on the repositories `development` branch.
-
-- `{\d}.{\d}.{\d}` The tag on the repositories `master` branch. _considered stable_
-
-- `latest` The current working head of the repositories `master` branch. _considered stable_
-
-
-[This docker image](https://hub.docker.com/r/nofusscomputing/ldap-selfservice) is designed to be behind a reverse-proxy. The proxy will be the service that provides ingress logging and `HTTPS` termination. NodeRED serves the the Self-Service site on `HTTP/80` at the `/` path with `/admin` path available for administering the flows. If when starting the docker container you specify an environmental variable of `NODE_RED_CREDENTIAL_SECRET` it will be used by NodeRED to decrypt your `flows_cred.json` file.
-
-Data for the container is stored in two volumes `/data` and `/usr/src/node-red`. The repo does contain a `flows_cred.json` file, however this is our credential file. It's recommended that you log into the flows admin and set the credentials to your desired values. Export it and as part of the deployment process, mount a read-only copy of your `flows_cred.json` file to path `/data/flows_cred.json` within the container.
+1. [Use our pre-built docker image](docker.md)
 !!! danger "Security"
- Path `/admin` should not be made publically available, as access to this path grants full access to the backend as well as access to passwords and secrets from your `flows_cred.json` file. 
+ if you choose your own NodeRED instance to deploy LDAP Self-Service, Care must be taken to ensure that the path the flows admin is on not be publically available, as access to this path grants full access to the backend as well as access to passwords and secrets from your `flows_cred.json` file.
diff --git a/mkdocs.yml b/mkdocs.yml
index 0644a98..f24a44b 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -9,19 +9,22 @@ edit_uri: '/-/ide/project/nofusscomputing/projects/nodered_ldap_self_service/edi
 nav:
 - Home: index.md
-- Articles:
+- Articles:
 - articles/index.md
-- Projects:
+- Projects:
 - projects/index.md
 - projects/ldap_self_service/index.md
-- Operations:
+ - docker:
+
+ - projects/ldap_self_service/docker.md
+
+- Operations:
 - operations/index.md
 - Contact Us: contact.md
- 
-- 
2.49.0