coolaj86/walnut.js
1
1
Fork 1
Code Issues Pull Requests Releases Activity

Compare commits

base: coolaj86:master
Branches Tags
coolaj86:master
coolaj86:v1
coolaj86:v1.2
coolaj86:installer-v2
coolaj86:v1.0
coolaj86:native-random
coolaj86:prefix-fix
coolaj86:v1-normal
coolaj86:master-normal
coolaj86:fs-nosql
coolaj86:letsencrypt
coolaj86:master-2016-03-29
coolaj86:v1.2.4
coolaj86:v1.2.3
coolaj86:v1.2.2
coolaj86:v1.2.1
coolaj86:pre-issuer-rewrite
coolaj86:v1.2.0
..
compare: coolaj86:pre-issuer-rewrite
Branches Tags
coolaj86:master
coolaj86:v1
coolaj86:v1.2
coolaj86:installer-v2
coolaj86:v1.0
coolaj86:native-random
coolaj86:prefix-fix
coolaj86:v1-normal
coolaj86:master-normal
coolaj86:fs-nosql
coolaj86:letsencrypt
coolaj86:master-2016-03-29
coolaj86:v1.2.4
coolaj86:v1.2.3
coolaj86:v1.2.2
coolaj86:v1.2.1
coolaj86:pre-issuer-rewrite
coolaj86:v1.2.0

No commits in common. "master" and "pre-issuer-rewrite" have entirely different histories.
master ... pre-issuer

26 changed files with 1025 additions and 1722 deletions
Show Stats Expand all files Collapse all files

4
CHANGELOG
View File

@ -1,4 +0,0 @@
v1.2.5 - Beginning of CHANGELOG
* has semi-functional launchpad
* OAuth3 with issuer-rewrite merged in
* capabilities API

2
INSTALL.md
View File

@ -192,7 +192,7 @@ For the APIs for that we'll install the `issuer@oauth3.org` API package and enab
```bash ```bash
# API packaged for walnut # API packaged for walnut
git clone https://git.daplie.com/OAuth3/issuer_oauth3.org.git /srv/walnut/packages/rest/issuer@oauth3.org git clone https://git.daplie.com/OAuth3/org.oauth3.provider.git /srv/walnut/packages/rest/issuer@oauth3.org
pushd /srv/walnut/packages/rest/issuer@oauth3.org/ pushd /srv/walnut/packages/rest/issuer@oauth3.org/
git checkout v1.2 git checkout v1.2
npm install npm install

42
LICENSE
View File

@ -1,41 +1,3 @@
Copyright 2017 Daplie, Inc Copyright 2017 Daplie Inc.
This is open source software; you can redistribute it and/or modify it under the All Rights Reserved
terms of either:
a) the "MIT License"
b) the "Apache-2.0 License"
MIT License
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Apache-2.0 License Summary
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

48
README.md
View File

@ -19,7 +19,7 @@ Security Features
* disallows cookies, except for protected static assets * disallows cookies, except for protected static assets
* api.* subdomain for apis * api.* subdomain for apis
* assets.* subdomain for protected assets * assets.* subdomain for protected assets
* *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.coolaj86.com/coolaj86/goldilocks.js)) * *must* sit behind a trusted https proxy (such as [Goldilocks](https://git.daplie.com/Daplie/goldilocks.js))
* HTTPS-only (checks for X-Forwarded-For) * HTTPS-only (checks for X-Forwarded-For)
* AES, RSA, and ECDSA encryption and signing * AES, RSA, and ECDSA encryption and signing
* Safe against CSRF, XSS, and SQL injection * Safe against CSRF, XSS, and SQL injection
@ -34,14 +34,14 @@ Application Features
* JSON-only expressjs APIs * JSON-only expressjs APIs
* Capability-based permissions system for (oauth3-discoverable) packages such as * Capability-based permissions system for (oauth3-discoverable) packages such as
* large file access (files@oauth3.org) * large file access (files@daplie.com)
* database access (data@oauth3.org) * database access (data@daplie.com)
* scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@oauth3.org) * scheduling (for background tasks, alerts, alarms, calendars, reminders, etc) (events@daplie.com)
* payments (credit card) (payments@oauth3.org) * payments (credit card) (payments@daplie.com)
* email (email@oauth3.org) * email (email@daplie.com)
* SMS (texting) (tel@oauth3.org) * SMS (texting) (tel@daplie.com)
* voice (calls and answering machine) (tel@oauth3.org) * voice (calls and answering machine) (tel@daplie.com)
* lamba-style functions (functions@oauth3.org) * lamba-style functions (functions@daplie.com)
* Per-app, per-site, and per-user configurations * Per-app, per-site, and per-user configurations
* Multi-Tentated Application Management * Multi-Tentated Application Management
* Built-in OAuth2 & OAuth3 support * Built-in OAuth2 & OAuth3 support
@ -53,18 +53,8 @@ Installation
We're still in a stage where the installation generally requires many manual steps. We're still in a stage where the installation generally requires many manual steps.
```bash
curl https://git.coolaj86.com/coolaj86/walnut.js/raw/v1.2/installer/get.sh | bash
```
See [INSTALL.md](/INSTALL.md) See [INSTALL.md](/INSTALL.md)
### Uninstall
```bash
rm -rf /srv/walnut/ /var/walnut/ /etc/walnut/ /opt/walnut/ /var/log/walnut/ /etc/systemd/system/walnut.service /etc/tmpfiles.d/walnut.conf
```
Usage Usage
----- -----
@ -131,7 +121,7 @@ Initialization
needs to know its primary domain needs to know its primary domain
``` ```
POST https://api.<domain.tld>/api/walnut@oauth3.org/init POST https://api.<domain.tld>/api/walnut@daplie.com/init
{ "domain": "<domain.tld>" } { "domain": "<domain.tld>" }
``` ```
@ -153,18 +143,18 @@ api.<domain.tld>
assets.<domain.tld> assets.<domain.tld>
``` ```
The domains can be setup through the OAuth3 Desktop App or with `oauth3-tools` The domains can be setup through the Daplie Desktop App or with `daplie-tools`
```bash ```bash
# set device address and attach primary domain # set device address and attach primary domain
oauth3 devices:attach -d foodevice -n example.com -a 127.0.0.1 daplie devices:attach -d foodevice -n example.com -a 127.0.0.1
# attach all other domains with same device/address # attach all other domains with same device/address
oauth3 devices:attach -d foodevice -n www.example.com daplie devices:attach -d foodevice -n www.example.com
oauth3 devices:attach -d foodevice -n api.example.com daplie devices:attach -d foodevice -n api.example.com
oauth3 devices:attach -d foodevice -n assets.example.com daplie devices:attach -d foodevice -n assets.example.com
oauth3 devices:attach -d foodevice -n cloud.example.com daplie devices:attach -d foodevice -n cloud.example.com
oauth3 devices:attach -d foodevice -n api.cloud.example.com daplie devices:attach -d foodevice -n api.cloud.example.com
``` ```
Example `/etc/goldilocks/goldilocks.yml`: Example `/etc/goldilocks/goldilocks.yml`:
@ -194,7 +184,7 @@ Resetting the Initialization
Once you run the app the initialization files will appear in these locations Once you run the app the initialization files will appear in these locations
``` ```
/srv/walnut/var/walnut+config@oauth3.org.sqlite3 /srv/walnut/var/walnut+config@daplie.com.sqlite3
/srv/walnut/config/<domain.tld>/config.json /srv/walnut/config/<domain.tld>/config.json
``` ```
@ -290,7 +280,7 @@ The permissions:
``` ```
/srv/walnut/var/ /srv/walnut/var/
└── sites └── sites
└── example.com └── daplie.me
''' '''
seed@example.com # refers to /srv/walnut/packages/pages/seed@example.com seed@example.com # refers to /srv/walnut/packages/pages/seed@example.com
''' '''

7
boot/worker.js
View File

@ -149,10 +149,9 @@ module.exports.create = function () {
process.on('unhandledRejection', function (err) { process.on('unhandledRejection', function (err) {
// this should always throw // this should always throw
// (it means somewhere we're not using bluebird by accident) // (it means somewhere we're not using bluebird by accident)
console.error('[caught unhandledRejection]:', err.message || ''); console.error('[caught] [unhandledRejection]');
Object.keys(err).forEach(function (key) { console.error(Object.keys(err));
console.log('\t'+key+': '+err[key]); console.error(err);
});
console.error(err.stack); console.error(err.stack);
}); });
process.on('rejectionHandled', function (msg) { process.on('rejectionHandled', function (msg) {

10
dist/etc/systemd/system/walnut.service vendored
View File

@ -19,15 +19,15 @@ StartLimitBurst=3
# User and group the process will run as # User and group the process will run as
# (www-data is the de facto standard on most systems) # (www-data is the de facto standard on most systems)
User=MY_USER User=www-data
Group=MY_GROUP Group=www-data
# If we need to pass environment variables in the future # If we need to pass environment variables in the future
; Environment=GOLDILOCKS_PATH=/opt/walnut ; Environment=GOLDILOCKS_PATH=/opt/walnut
# Set a sane working directory, sane flags, and specify how to reload the config file # Set a sane working directory, sane flags, and specify how to reload the config file
WorkingDirectory=/opt/walnut WorkingDirectory=/srv/www
ExecStart=/opt/walnut/bin/node /opt/walnut/core/bin/walnut.js --config=/etc/walnut/walnut.yml ExecStart=/opt/walnut/bin/node /srv/walnut/core/bin/walnut.js --config=/etc/walnut/walnut.yml
ExecReload=/bin/kill -USR1 $MAINPID ExecReload=/bin/kill -USR1 $MAINPID
# Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings. # Limit the number of file descriptors and processes; see `man systemd.exec` for more limit settings.
@ -46,7 +46,7 @@ ProtectSystem=full
# … except TLS/SSL, ACME, and Let's Encrypt certificates # … except TLS/SSL, ACME, and Let's Encrypt certificates
# and /var/log/, because we want a place where logs can go. # and /var/log/, because we want a place where logs can go.
# This merely retains r/w access rights, it does not add any new. Must still be writable on the host! # This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/walnut /var/log/walnut /var/walnut /opt/walnut /srv/walnut ReadWriteDirectories=/etc/walnut /var/log/walnut /var/walnut /opt/walnut /srv/www
# Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories # Note: in v231 and above ReadWritePaths has been renamed to ReadWriteDirectories
; ReadWritePaths=/etc/walnut /var/log/walnut ; ReadWritePaths=/etc/walnut /var/log/walnut

11
dist/etc/tmpfiles.d/walnut.conf vendored
View File

@ -1,5 +1,12 @@
# /etc/tmpfiles.d/goldilocks.conf # /etc/tmpfiles.d/walnut.conf
# See https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html # See https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
# Type Path Mode UID GID Age Argument # Type Path Mode UID GID Age Argument
d /run/goldilocks 0755 MY_USER MY_GROUP - - d /etc/walnut 0755 www-data www-data - -
d /etc/ssl/walnut 0750 www-data www-data - -
d /srv/walnut 0775 www-data www-data - -
d /srv/www 0775 www-data www-data - -
d /opt/walnut 0775 www-data www-data - -
d /var/walnut 0775 www-data www-data - -
d /var/log/walnut 0750 www-data www-data - -
#d /run/walnut 0755 www-data www-data - -

0
dist/etc/walnut/walnut.example.yml vendored
View File

300
install-helper.sh Executable file
View File

@ -0,0 +1,300 @@
#!/bin/bash
set -e
set -u
# something or other about android and tmux using PREFIX
#: "${PREFIX:=''}"
MY_ROOT=""
if [ -z "${PREFIX-}" ]; then
MY_ROOT=""
else
MY_ROOT="$PREFIX"
fi
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
((EUID)) && [[ -z "${ANDROID_ROOT-}" ]] && sudo_cmd="sudo"
###############################
# #
# http_get #
# boilerplate for curl / wget #
# #
###############################
# See https://git.daplie.com/Daplie/daplie-snippets/blob/master/bash/http-get.sh
http_curl_opts="-fsSL"
http_wget_opts="--quiet"
http_bin=""
http_opts=""
http_out=""
detect_http_bin()
{
if type -p curl >/dev/null 2>&1; then
http_bin="curl"
http_opts="$http_curl_opts"
http_out="-o"
#curl -fsSL "$url" -o "$PREFIX/tmp/$pkg"
elif type -p wget >/dev/null 2>&1; then
http_bin="wget"
http_opts="$http_wget_opts"
http_out="-O"
#wget --quiet "$url" -O "$PREFIX/tmp/$pkg"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
http_get()
{
if [ -e "$1" ]; then
rsync -a "$1" "$2"
elif type -p curl >/dev/null 2>&1; then
$http_bin $http_curl_opts $http_out "$2" "$1"
elif type -p wget >/dev/null 2>&1; then
$http_bin $http_wget_opts $http_out "$2" "$1"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
dap_dl()
{
http_get "$1" "$2"
}
dap_dl_bash()
{
dap_url=$1
#dap_args=$2
rm -rf /tmp/dap-tmp-runner.sh
$http_bin $http_opts $http_out /tmp/dap-tmp-runner.sh "$dap_url"; bash /tmp/dap-tmp-runner.sh; rm /tmp/dap-tmp-runner.sh
}
detect_http_bin
## END HTTP_GET ##
mvdir_backward_compat()
{
old_dir=$1
new_dir=$2
# The symlink has already been set up, so no need to do anything.
if [ -L $old_dir ] && [ $(readlink $old_dir) == "$new_dir" ]; then
return 0
fi
if [ -d $old_dir ]; then
if [ $(ls $old_dir | wc -l) -gt 0 ]; then
mv ${old_dir}/* ${new_dir}/
fi
rm -r ${old_dir}
#rmdir ${old_dir}
fi
ln -snf $new_dir $old_dir
}
###################
# #
# Install service #
# #
###################
install_for_systemd()
{
echo ""
echo "Installing as systemd service"
echo ""
mkdir -p $(dirname "$my_app_dir/$my_app_systemd_service")
dap_dl "$installer_base/$my_app_systemd_service" "$my_app_dir/$my_app_systemd_service"
$sudo_cmd mv "$my_app_dir/$my_app_systemd_service" "$MY_ROOT/$my_app_systemd_service"
$sudo_cmd chown -R root:root "$MY_ROOT/$my_app_systemd_service"
$sudo_cmd chmod 644 "$MY_ROOT/$my_app_systemd_service"
mkdir -p $(dirname "$my_app_dir/$my_app_systemd_tmpfiles")
dap_dl "$installer_base/$my_app_systemd_tmpfiles" "$my_app_dir/$my_app_systemd_tmpfiles"
$sudo_cmd mv "$my_app_dir/$my_app_systemd_tmpfiles" "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd chown -R root:root "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd chmod 644 "$MY_ROOT/$my_app_systemd_tmpfiles"
$sudo_cmd systemctl stop "${my_app_name}.service" >/dev/null 2>/dev/null
$sudo_cmd systemctl daemon-reload
$sudo_cmd systemctl start "${my_app_name}.service"
$sudo_cmd systemctl enable "${my_app_name}.service"
echo "$my_app_name started with systemctl, check its status like so"
echo " $sudo_cmd systemctl status $my_app_name"
echo " $sudo_cmd journalctl -xe -u $my_app_name"
}
install_for_launchd()
{
echo ""
echo "Installing as launchd service"
echo ""
# See http://www.launchd.info/
mkdir -p $(dirname "$my_app_dir/$my_app_launchd_service")
dap_dl "$installer_base/$my_app_launchd_service" "$my_app_dir/$my_app_launchd_service"
$sudo_cmd mv "$my_app_dir/$my_app_launchd_service" "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd chown root:wheel "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd chmod 0644 "$MY_ROOT/$my_app_launchd_service"
$sudo_cmd launchctl unload -w "$MY_ROOT/$my_app_launchd_service" >/dev/null 2>/dev/null
$sudo_cmd launchctl load -w "$MY_ROOT/$my_app_launchd_service"
echo "$my_app_name started with launchd"
}
install_etc_config()
{
#echo "install etc config $MY_ROOT / $my_app_etc_config"
if [ ! -e "$MY_ROOT/$my_app_etc_config" ]; then
$sudo_cmd mkdir -p $(dirname "$MY_ROOT/$my_app_etc_config")
mkdir -p $(dirname "$my_app_dir/$my_app_etc_config")
dap_dl "$installer_base/$my_app_etc_config" "$my_app_dir/$my_app_etc_config"
$sudo_cmd mv "$my_app_dir/$my_app_etc_config" "$MY_ROOT/$my_app_etc_config"
fi
$sudo_cmd chown -R www-data:www-data $(dirname "$MY_ROOT/$my_app_etc_config") || true
$sudo_cmd chown -R _www:_www $(dirname "$MY_ROOT/$my_app_etc_config") || true
$sudo_cmd chmod 775 $(dirname "$MY_ROOT/$my_app_etc_config")
$sudo_cmd chmod 664 "$MY_ROOT/$my_app_etc_config"
}
install_service()
{
install_etc_config
#echo "install service"
installable=""
if [ -d "$MY_ROOT/etc/systemd/system" ]; then
install_for_systemd
installable="true"
fi
if [ -d "/Library/LaunchDaemons" ]; then
install_for_launchd
installable="true"
fi
if [ -z "$installable" ]; then
echo ""
echo "Unknown system service init type. You must install as a system service manually."
echo '(please file a bug with the output of "uname -a")'
echo ""
fi
echo ""
}
## END SERVICE_INSTALL ##
# Create dirs, set perms
create_skeleton()
{
$sudo_cmd mkdir -p /srv/www
$sudo_cmd mkdir -p /var/log/$my_app_name
$sudo_cmd mkdir -p /etc/$my_app_name
$sudo_cmd mkdir -p /var/$my_app_name
$sudo_cmd mkdir -p /srv/$my_app_name
$sudo_cmd mkdir -p /opt/$my_app_name
}
# Unistall
install_uninstaller()
{
#echo "install uninstaller"
dap_dl "https://git.daplie.com/Daplie/walnut.js/raw/master/uninstall.sh" "./walnut-uninstall"
$sudo_cmd chmod 755 "./walnut-uninstall"
$sudo_cmd chown root:root "./walnut-uninstall"
$sudo_cmd mv "./walnut-uninstall" "/usr/local/bin/uninstall-walnut"
}
# Dependencies
export NODE_PATH=/opt/walnut/lib/node_modules
export NPM_CONFIG_PREFIX=/opt/walnut
$sudo_cmd mkdir -p $NODE_PATH
$sudo_cmd chown -R $(whoami) /opt/walnut
dap_dl_bash "https://git.daplie.com/coolaj86/node-install-script/raw/master/setup-min.sh"
# Install
# npm install -g 'git+https://git@git.daplie.com/Daplie/walnut.js.git#v1'
my_app_name=walnut
my_app_pkg_name=com.daplie.walnut.web
my_app_dir=$(mktemp -d)
#installer_base="https://git.daplie.com/Daplie/walnut.js/raw/master/dist"
#installer_base="$( dirname "${BASH_SOURCE[0]}" )/dist"
installer_base="/srv/walnut/core/dist"
my_app_etc_config="etc/${my_app_name}/${my_app_name}.yml"
my_app_systemd_service="etc/systemd/system/${my_app_name}.service"
my_app_systemd_tmpfiles="etc/tmpfiles.d/${my_app_name}.conf"
my_app_launchd_service="Library/LaunchDaemons/${my_app_pkg_name}.plist"
# Install
install_my_app()
{
# This function shouldn't need to use $sudo_cmd because it is called immediately after
# /srv/walnut is chown-ed and we only mess with things in that directory.
#git clone git@git.daplie.com:Daplie/walnut.js.git
#git clone https://git.daplie.com/Daplie/walnut.js.git /srv/walnut/core
mkdir -p /srv/walnut/{core,lib,var,etc,config,node_modules}
rm -rf /srv/walnut/core/node_modules
ln -sf ../node_modules /srv/walnut/core/node_modules
mkdir -p /srv/walnut/var/sites
mkdir -p /srv/walnut/etc/org.oauth3.consumer
mkdir -p /srv/walnut/etc/org.oauth3.provider
mkdir -p /srv/walnut/etc/client-api-grants
mkdir -p /srv/walnut/packages/{rest,api,pages,services}
# backwards compat
mvdir_backward_compat /srv/walnut/packages/client-api-grants /srv/walnut/etc/client-api-grants
mvdir_backward_compat /srv/walnut/packages/sites /srv/walnut/var/sites
if [ ! -d "/srv/walnut/core/lib/walnut@daplie.com/setup" ]; then
git clone https://git.daplie.com/Daplie/walnut_launchpad.git /srv/walnut/core/lib/walnut@daplie.com/setup
fi
pushd /srv/walnut/core/lib/walnut@daplie.com/setup
if [ ! -d "./.git/" ]; then
echo "'/srv/walnut/core/lib/walnut@daplie.com/setup' exists but is not a git repository... not sure what to do here..."
fi
git checkout master
git pull
popd
pushd /srv/walnut/core
export NODE_PATH=/opt/walnut/lib/node_modules
export NPM_CONFIG_PREFIX=/opt/walnut
/opt/walnut/bin/npm install
popd
}
$sudo_cmd mkdir -p /srv/walnut
$sudo_cmd chown -R $(whoami) /srv/walnut
install_my_app
create_skeleton
install_uninstaller
install_service
$sudo_cmd chown -R www-data:www-data /opt/walnut || true
$sudo_cmd chown -R _www:_www /opt/walnut || true
$sudo_cmd chown -R www-data:www-data /srv/walnut || true
$sudo_cmd chown -R _www:_www /srv/walnut || true
$sudo_cmd chmod -R ug+rwX /srv/walnut
$sudo_cmd chmod -R ug+rwX /opt/walnut
# +s sets the setuid/setgid bit, which when set on directories makes it so anything
# created inside the directory maintains the same user/group (depending on the bits
# set). Any directory created within a directory with those bits set will also have
# those bits set. When setuid or setgid bits are set on a file however it means that
# if the file is executed it will run with the permissions of the user/group no matter
# who actually runs it (see the ping executable for example).
# I'm not sure that all systems actually support the use of these bits.
find /srv/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true
find /opt/walnut -type d -exec $sudo_cmd chmod ug+s {} \; || true

121
install.sh Normal file
View File

@ -0,0 +1,121 @@
#!/bin/bash
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
((EUID)) && [[ -z "$ANDROID_ROOT" ]] && sudo_cmd="sudo"
set -e
set -u
###############################
# #
# boilerplate for curl / wget #
# #
###############################
http_get=""
http_opts=""
http_out=""
detect_http_get()
{
if type -p curl >/dev/null 2>&1; then
http_get="curl"
http_opts="-fsSL"
http_out="-o"
#curl -fsSL "$caddy_url" -o "$PREFIX/tmp/$caddy_pkg"
elif type -p wget >/dev/null 2>&1; then
http_get="wget"
http_opts="--quiet"
http_out="-O"
#wget --quiet "$caddy_url" -O "$PREFIX/tmp/$caddy_pkg"
else
echo "Aborted, could not find curl or wget"
return 7
fi
}
dap_dl()
{
$http_get $http_opts $http_out "$2" "$1"
}
dap_dl_bash()
{
dap_url=$1
#dap_args=$2
rm -rf dap-tmp-runner.sh
$http_get $http_opts $http_out dap-tmp-runner.sh "$dap_url"; bash dap-tmp-runner.sh; rm dap-tmp-runner.sh
}
detect_http_get
###############################
# #
# actual script continues... #
# #
###############################
install_walnut()
{
$sudo_cmd mkdir -p /srv/walnut/{var,etc,packages,node_modules}
# www-data exists on linux, _www exists on mac OS
$sudo_cmd chown -R $(whoami):www-data /srv/walnut || $sudo_cmd chown -R $(whoami):_www /srv/walnut
if [ ! -d "/srv/walnut/core/" ]; then
git clone https://git.daplie.com/Daplie/walnut.js.git /srv/walnut/core
fi
pushd /srv/walnut/core
if [ ! -d "./.git/" ]; then
echo "'/srv/walnut/core' exists but is not a git repository... not sure what to do here..."
fi
git checkout master
git pull
popd
rm -rf /srv/walnut/core/node_modules
ln -sf ../node_modules /srv/walnut/core/node_modules
/srv/walnut/core/install-helper.sh /srv/walnut
# Now that the install is finished we need to set the owner to the user that will actually
# be running the walnut server.
$sudo_cmd chown -R www-data:www-data /srv/walnut || $sudo_cmd chown -R _www:_www /srv/walnut
}
# Install node
echo "----Installing Nodejs and NPM----"
echo "v8.2.1" > /tmp/NODEJS_VER
daplie-install-node-dev
npm install -g npm@4
# Install goldilocks
echo "----Installing goldilocks.js----"
daplie-install-goldilocks
echo "----Installing walnut.js----"
#$sudo_cmd mkdir -p /opt/goldilocks/{lib,bin,etc}
#export NODE_PATH=/opt/walnut/lib/node_modules
#export NPM_CONFIG_PREFIX=/opt/walnut
old_PATH=$PATH
export PATH=/opt/walnut/bin:$PATH
# Install walnut
install_walnut
# Install bower, some systems may be missing it, and it is a dependency
/opt/walnut/bin/npm install -g bower
touch /.bowerrc
echo '{ "allow_root": true }' > /.bowerrc
# Restore PATH to original value
export PATH=$old_PATH
echo ""
echo "You must have some set of domain set up to properly use goldilocks+walnut:"
echo ""
echo " example.com"
echo " www.example.com"
echo " api.example.com"
echo " assets.example.com"
echo " cloud.example.com"
echo " api.cloud.example.com"
echo ""
echo "Check the WALNUT README.md for more info and how to set up /etc/goldilocks/goldilocks.yml"
echo ""

20
installer/get.sh
View File

@ -1,20 +0,0 @@
set -e
set -u
my_name=walnut
# TODO provide an option to supply my_ver and my_tmp
my_ver=master
my_tmp=$(mktemp -d)
mkdir -p $my_tmp/opt/$my_name/lib/node_modules/$my_name
git clone https://git.coolaj86.com/coolaj86/walnut.js.git $my_tmp/opt/$my_name/core
echo "Installing to $my_tmp (will be moved after install)"
pushd $my_tmp/opt/$my_name/core
git checkout $my_ver
source ./installer/install.sh
popd
echo "Installation successful, now cleaning up $my_tmp ..."
rm -rf $my_tmp
echo "Done"

48
installer/http-get.sh
View File

@ -1,48 +0,0 @@
###############################
# #
# http_get #
# boilerplate for curl / wget #
# #
###############################
# See https://git.coolaj86.com/coolaj86/snippets/blob/master/bash/http-get.sh
_h_http_get=""
_h_http_opts=""
_h_http_out=""
detect_http_get()
{
set +e
if type -p curl >/dev/null 2>&1; then
_h_http_get="curl"
_h_http_opts="-fsSL"
_h_http_out="-o"
elif type -p wget >/dev/null 2>&1; then
_h_http_get="wget"
_h_http_opts="--quiet"
_h_http_out="-O"
else
echo "Aborted, could not find curl or wget"
return 7
fi
set -e
}
http_get()
{
$_h_http_get $_h_http_opts $_h_http_out "$2" "$1"
touch "$2"
}
http_bash()
{
_http_url=$1
#dap_args=$2
rm -rf dap-tmp-runner.sh
$_h_http_get $_h_http_opts $_h_http_out dap-tmp-runner.sh "$_http_url"; bash dap-tmp-runner.sh; rm dap-tmp-runner.sh
}
detect_http_get
## END HTTP_GET ##

17
installer/install-for-launchd.sh
View File

@ -1,17 +0,0 @@
set -u
my_app_launchd_service="Library/LaunchDaemons/${my_app_pkg_name}.plist"
echo ""
echo "Installing as launchd service"
echo ""
# See http://www.launchd.info/
safe_copy_config "$my_app_dist/$my_app_launchd_service" "$my_root/$my_app_launchd_service"
$sudo_cmd chown root:wheel "$my_root/$my_app_launchd_service"
$sudo_cmd launchctl unload -w "$my_root/$my_app_launchd_service" >/dev/null 2>/dev/null
$sudo_cmd launchctl load -w "$my_root/$my_app_launchd_service"
echo "$my_app_name started with launchd"

35
installer/install-for-systemd.sh
View File

@ -1,35 +0,0 @@
set -u
my_app_systemd_service="etc/systemd/system/${my_app_name}.service"
my_app_systemd_tmpfiles="etc/tmpfiles.d/${my_app_name}.conf"
echo ""
echo "Installing as systemd service"
echo ""
sed "s/MY_USER/$my_user/g" "$my_app_dist/$my_app_systemd_service" > "$my_app_dist/$my_app_systemd_service.2"
sed "s/MY_GROUP/$my_group/g" "$my_app_dist/$my_app_systemd_service.2" > "$my_app_dist/$my_app_systemd_service"
rm "$my_app_dist/$my_app_systemd_service.2"
safe_copy_config "$my_app_dist/$my_app_systemd_service" "$my_root/$my_app_systemd_service"
sed "s/MY_USER/$my_user/g" "$my_app_dist/$my_app_systemd_tmpfiles" > "$my_app_dist/$my_app_systemd_tmpfiles.2"
sed "s/MY_GROUP/$my_group/g" "$my_app_dist/$my_app_systemd_tmpfiles.2" > "$my_app_dist/$my_app_systemd_tmpfiles"
rm "$my_app_dist/$my_app_systemd_tmpfiles.2"
safe_copy_config "$my_app_dist/$my_app_systemd_tmpfiles" "$my_root/$my_app_systemd_tmpfiles"
$sudo_cmd systemctl stop "${my_app_name}.service" >/dev/null 2>/dev/null || true
$sudo_cmd systemctl daemon-reload
$sudo_cmd systemctl start "${my_app_name}.service"
$sudo_cmd systemctl enable "${my_app_name}.service"
echo ""
echo ""
echo "Fun systemd commands to remember:"
echo " $sudo_cmd systemctl daemon-reload"
echo " $sudo_cmd systemctl restart $my_app_name.service"
echo ""
echo "$my_app_name started with systemctl, check its status like so:"
echo " $sudo_cmd systemctl status $my_app_name"
echo " $sudo_cmd journalctl -xefu $my_app_name"
echo ""
echo ""

37
installer/install-system-service.sh
View File

@ -1,37 +0,0 @@
safe_copy_config()
{
src=$1
dst=$2
$sudo_cmd mkdir -p $(dirname "$dst")
if [ -f "$dst" ]; then
$sudo_cmd rsync -a "$src" "$dst.latest"
# TODO edit config file with $my_user and $my_group
if [ "$(cat $dst)" == "$(cat $dst.latest)" ]; then
$sudo_cmd rm $dst.latest
else
echo "MANUAL INTERVENTION REQUIRED: check the systemd script update and manually decide what you want to do"
echo "diff $dst $dst.latest"
$sudo_cmd chown -R root:root "$dst.latest"
fi
else
$sudo_cmd rsync -a --ignore-existing "$src" "$dst"
fi
$sudo_cmd chown -R root:root "$dst"
$sudo_cmd chmod 644 "$dst"
}
installable=""
if [ -d "$my_root/etc/systemd/system" ]; then
source ./installer/install-for-systemd.sh
installable="true"
fi
if [ -d "/Library/LaunchDaemons" ]; then
source ./installer/install-for-launchd.sh
installable="true"
fi
if [ -z "$installable" ]; then
echo ""
echo "Unknown system service init type. You must install as a system service manually."
echo '(please file a bug with the output of "uname -a")'
echo ""
fi

195
installer/install.sh
View File

@ -1,195 +0,0 @@
#!/bin/bash
set -e
set -u
### IMPORTANT ###
### VERSION ###
my_name=walnut
my_app_pkg_name=org.oauth3.walnut.web
my_app_ver="v1.2"
my_azp_oauth3_ver="v1.2"
# is the old version still needed in launchpad?
#my_azp_oauth3_ver="v1.1.3"
export NODE_VERSION="v8.9.0"
if [ -z "${my_tmp-}" ]; then
my_tmp="$(mktemp -d)"
mkdir -p $my_tmp/opt/$my_name/core
echo "Installing to $my_tmp (will be moved after install)"
git clone ./ $my_tmp/opt/$my_name/core
pushd $my_tmp/opt/$my_name/core
fi
#################
### IMPORTANT ###
### VERSION ###
#my_app_ver="v1.1"
my_app_ver="v1.2"
my_launchpad_ver="v1.2"
my_iss_oauth3_rest_ver="v1.2.0"
my_iss_oauth3_pages_ver="v1.2.1"
my_www_ppl_ver=v1.0.15
export NODE_VERSION="v8.9.0"
#################
export NODE_PATH=$my_tmp/opt/$my_name/lib/node_modules
export PATH=$my_tmp/opt/$my_name/bin/:$PATH
export NPM_CONFIG_PREFIX=$my_tmp/opt/$my_name
my_npm="$NPM_CONFIG_PREFIX/bin/npm"
#################
# TODO un-hardcode core at al
#my_app_dist=$my_tmp/opt/$my_name/lib/node_modules/$my_name/dist
my_app_dist=$my_tmp/opt/$my_name/core/dist
installer_base="https://git.coolaj86.com/coolaj86/goldilocks.js/raw/$my_app_ver"
# Backwards compat
# some scripts still use the old names
my_app_dir=$my_tmp
my_app_name=$my_name
git checkout $my_app_ver
mkdir -p $my_tmp/{etc,opt,srv,var}/$my_name
mkdir -p "$my_tmp/var/log/$my_name"
mkdir -p "$my_tmp/opt/$my_name"/{bin,config,core,etc,lib,node_modules,var}
ln -s ../core/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name
ln -s ../core/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name.js
#ln -s ../lib/node_modules/$my_name/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name
#ln -s ../lib/node_modules/$my_name/bin/$my_name.js $my_tmp/opt/$my_name/bin/$my_name.js
mkdir -p "$my_tmp/opt/$my_name"/packages/{api,pages,rest,services}
mkdir -p "$my_tmp/opt/$my_name"/etc/client-api-grants
# TODO move packages and sites to /srv, grants to /etc
ln -s ../etc/client-api-grants "$my_tmp/opt/$my_name"/packages/client-api-grants
mkdir -p "$my_tmp/opt/$my_name"/var/sites
ln -s ../var/sites "$my_tmp/opt/$my_name"/packages/sites
mkdir -p "$my_tmp/etc/$my_name"
chmod 775 "$my_tmp/etc/$my_name"
cat "$my_app_dist/etc/$my_name/$my_name.example.yml" > "$my_tmp/etc/$my_name/$my_name.example.yml"
chmod 664 "$my_tmp/etc/$my_name/$my_name.example.yml"
mkdir -p $my_tmp/var/log/$my_name
#
# Helpers
#
source ./installer/sudo-cmd.sh
source ./installer/http-get.sh
#
# Dependencies
#
echo $NODE_VERSION > /tmp/NODEJS_VER
# This will read the NODE_* and PATH variables set previously, as well as /tmp/NODEJS_VER
http_bash "https://git.coolaj86.com/coolaj86/node-installer.sh/raw/v1.1/install.sh"
$my_npm install -g npm@4
$my_npm install -g bower
touch $my_tmp/opt/$my_name/.bowerrc
echo '{ "allow_root": true }' > $my_tmp/opt/$my_name/.bowerrc
#pushd $my_tmp/opt/$my_name/lib/node_modules/$my_name
pushd $my_tmp/opt/$my_name/core
mkdir -p ../node_modules
ln -s ../node_modules node_modules
$my_npm install
popd
git clone https://git.coolaj86.com/coolaj86/walnut_launchpad.html.git $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
pushd $my_tmp/opt/$my_name/core/lib/walnut@oauth3.org/setup
git pull
git checkout $my_launchpad_ver
git clone https://git.oauth3.org/OAuth3/oauth3.js.git ./assets/oauth3.org
pushd assets/oauth3.org
git checkout $my_azp_oauth3_ver
popd
popd
pushd $my_tmp/opt/$my_name/packages
git clone https://git.oauth3.org/OAuth3/issuer.rest.walnut.js.git rest/issuer@oauth3.org
pushd rest/issuer@oauth3.org/
git checkout $my_iss_oauth3_rest_ver
$my_npm install
popd
git clone https://git.oauth3.org/OAuth3/issuer.html.git pages/issuer@oauth3.org
pushd pages/issuer@oauth3.org
git checkout $my_iss_oauth3_pages_ver
bash ./install.sh
pushd ./assets/oauth3.org
git checkout $my_azp_oauth3_ver
popd
popd
git clone https://git.coolaj86.com/coolaj86/walnut_rest_www_oauth3.org.js.git rest/www@oauth3.org
pushd rest/www@oauth3.org
git checkout $my_www_ppl_ver
$my_npm install
popd
popd
#
# System Service
#
source ./installer/my-root.sh
echo "Pre-installation to $my_tmp complete, now installing to $my_root/ ..."
set +e
if type -p tree >/dev/null 2>/dev/null; then
#tree -I "node_modules|include|share" $my_tmp
tree -L 6 -I "include|share|npm" $my_tmp
else
ls $my_tmp
fi
set -e
source ./installer/my-user-my-group.sh
echo "User $my_user Group $my_group"
$sudo_cmd chown -R $my_user:$my_group $my_tmp
$sudo_cmd chown root:root $my_tmp/*
$sudo_cmd chown root:root $my_tmp
$sudo_cmd chmod 0755 $my_tmp
$sudo_cmd rsync -a --ignore-existing $my_tmp/ $my_root/
$sudo_cmd rsync -a --ignore-existing $my_app_dist/etc/$my_name/$my_name.yml $my_root/etc/$my_name/$my_name.yml
source ./installer/install-system-service.sh
# Change to admin perms
$sudo_cmd chown -R $my_user:$my_group $my_root/opt/$my_name
$sudo_cmd chown -R $my_user:$my_group $my_root/var/www $my_root/srv/www
# make sure the files are all read/write for the owner and group, and then set
# the setuid and setgid bits so that any files/directories created inside these
# directories have the same owner and group.
$sudo_cmd chmod -R ug+rwX $my_root/opt/$my_name
find $my_root/opt/$my_name -type d -exec $sudo_cmd chmod ug+s {} \;
echo ""
echo "You must have some set of domain set up to properly use goldilocks+walnut:"
echo ""
echo " example.com"
echo " www.example.com"
echo " api.example.com"
echo " assets.example.com"
echo " cloud.example.com"
echo " api.cloud.example.com"
echo ""
echo "Check the WALNUT README.md for more info and how to set up /etc/goldilocks/goldilocks.yml"
echo ""
echo "Unistall: rm -rf /srv/walnut/ /var/walnut/ /etc/walnut/ /opt/walnut/ /var/log/walnut/ /etc/systemd/system/walnut.service /etc/tmpfiles.d/walnut.conf"
rm -rf $my_tmp

8
installer/my-root.sh
View File

@ -1,8 +0,0 @@
# something or other about android and tmux using PREFIX
#: "${PREFIX:=''}"
my_root=""
if [ -z "${PREFIX-}" ]; then
my_root=""
else
my_root="$PREFIX"
fi

19
installer/my-user-my-group.sh
View File

@ -1,19 +0,0 @@
if type -p adduser >/dev/null 2>/dev/null; then
if [ -z "$(cat $my_root/etc/passwd | grep $my_app_name)" ]; then
$sudo_cmd adduser --home $my_root/opt/$my_app_name --gecos '' --disabled-password $my_app_name
fi
my_user=$my_app_name
my_group=$my_app_name
elif [ -n "$(cat /etc/passwd | grep www-data:)" ]; then
# Linux (Ubuntu)
my_user=www-data
my_group=www-data
elif [ -n "$(cat /etc/passwd | grep _www:)" ]; then
# Mac
my_user=_www
my_group=_www
else
# Unsure
my_user=$(whoami)
my_group=$(id -g -n)
fi

7
installer/sudo-cmd.sh
View File

@ -1,7 +0,0 @@
# Not every platform has or needs sudo, gotta save them O(1)s...
sudo_cmd=""
set +e
if type -p sudo >/dev/null 2>/dev/null; then
((EUID)) && [[ -z "${ANDROID_ROOT-}" ]] && sudo_cmd="sudo"
fi
set -e

1357
lib/apis.js
View File

File diff suppressed because it is too large Load Diff

21
lib/common.js
View File

@ -1,21 +1,20 @@
'use strict'; 'use strict';
function rejectableRequest(req, res, promise, msg) { module.exports.rejectableRequest = function rejectableRequest(req, res, promise, msg) {
return promise.error(function (err) { return promise.error(function (err) {
res.error(err); res.error(err);
}).catch(function (err) { }).catch(function (err) {
console.error('[ERROR] \'' + msg + '\''); console.error('[ERROR] \'' + msg + '\'');
// The stack contains the message as well, so no need to log the message when we log the stack console.error(err.message);
console.error(err.stack || err.message || JSON.stringify(err)); console.error(err.stack);
res.error(err); res.error(err);
}); });
} };
module.exports.rejectableRequest = rejectableRequest;
module.exports.promisableRequest = module.exports.promisableRequest =
module.exports.promiseRequest = function promiseRequest(req, res, promise, msg) { module.exports.promiseRequest = function promiseRequest(req, res, promise, msg) {
promise = promise.then(function (result) { return promise.then(function (result) {
if (result._cache) { if (result._cache) {
res.setHeader('Cache-Control', 'public, max-age=' + (result._cache / 1000)); res.setHeader('Cache-Control', 'public, max-age=' + (result._cache / 1000));
res.setHeader('Expires', new Date(Date.now() + result._cache).toUTCString()); res.setHeader('Expires', new Date(Date.now() + result._cache).toUTCString());
@ -27,7 +26,13 @@ module.exports.promiseRequest = function promiseRequest(req, res, promise, msg)
result = result._value; result = result._value;
} }
res.send(result); res.send(result);
}); }).error(function (err) {
res.error(err);
}).catch(function (err) {
console.error('[ERROR] \'' + msg + '\'');
console.error(err.message);
console.error(err.stack);
return rejectableRequest(req, res, promise, msg); res.error(err);
});
}; };

26
lib/main.js
View File

@ -1,6 +1,6 @@
'use strict'; 'use strict';
module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi, errorIfAssets) { module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi) {
var PromiseA = require('bluebird'); var PromiseA = require('bluebird');
var path = require('path'); var path = require('path');
var fs = PromiseA.promisifyAll(require('fs')); var fs = PromiseA.promisifyAll(require('fs'));
@ -293,27 +293,10 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi
// TODO handle assets.example.com/sub/assets/com.example.xyz/ // TODO handle assets.example.com/sub/assets/com.example.xyz/
app.use('/api', require('connect-send-error').error()); app.use('/api', require('connect-send-error').error());
app.use('/assets', require('connect-send-error').error());
app.use('/', function (req, res, next) { app.use('/', function (req, res, next) {
// If this doesn't look like an API or assets we can move along // If this doesn't look like an API we can move along
if (!/\/api(\/|$)/.test(req.url)) {
/* // /^api\./.test(req.hostname) &&
console.log('.');
console.log('[main.js] req.url, req.hostname');
console.log(req.url);
console.log(req.hostname);
console.log('.');
*/
if (!/\/(api|assets)(\/|$)/.test(req.url)) {
//console.log('[main.js] api|assets');
next();
return;
}
// keep https://assets.example.com/assets but skip https://example.com/assets
if (/\/assets(\/|$)/.test(req.url) && !/(^|\.)(api|assets)(\.)/.test(req.hostname) && !/^[0-9\.]+$/.test(req.hostname)) {
//console.log('[main.js] skip');
next(); next();
return; return;
} }
@ -342,7 +325,6 @@ module.exports.create = function (app, xconfx, apiFactories, apiDeps, errorIfApi
return; return;
}); });
app.use('/', errorIfApi); app.use('/', errorIfApi);
app.use('/', errorIfAssets);
app.use('/', serveStatic); app.use('/', serveStatic);
app.use('/', serveApps); app.use('/', serveApps);

306
lib/oauth3.js
View File

@ -1,306 +0,0 @@
'use strict';
var PromiseA = require('bluebird');
function generateRescope(req, Models, decoded, fullPpid, ppid) {
return function (/*sub*/) {
// TODO: this function is supposed to convert PPIDs of different parties to some account
// ID that allows application to keep track of permisions and what-not.
console.log('[rescope] Attempting ', fullPpid);
return Models.IssuerOauth3OrgGrants.find({ azpSub: fullPpid }).then(function (results) {
if (results[0]) {
console.log('[rescope] lukcy duck: got it on the 1st try');
return PromiseA.resolve(results);
}
// XXX BUG XXX
// should be able to distinguish between own ids and 3rd party via @whatever.com
return Models.IssuerOauth3OrgGrants.find({ azpSub: ppid });
}).then(function (results) {
var result = results[0];
if (!result || !result.sub || !decoded.iss) {
// XXX BUG XXX TODO swap this external ppid for an internal (and ask user to link with existing profile)
//req.oauth3.accountIdx = fullPpid;
throw new Error("internal / external ID swapping not yet implemented. TODO: "
+ "No profile found with that credential. Would you like to create a new profile or link to an existing profile?");
}
// XXX BUG XXX need to pass own url in to use as issuer for own tokens
req.oauth3.accountIdx = result.sub + '@' + decoded.iss;
console.log('[rescope] result:');
console.log(results);
console.log(req.oauth3.accountIdx);
return PromiseA.resolve(req.oauth3.accountIdx);
});
};
}
function extractAccessToken(req) {
var token = null;
var parts;
var scheme;
var credentials;
if (req.headers && req.headers.authorization) {
// Works for all of Authorization: Bearer {{ token }}, Token {{ token }}, JWT {{ token }}
parts = req.headers.authorization.split(' ');
if (parts.length !== 2) {
return PromiseA.reject(new Error("malformed Authorization header"));
}
scheme = parts[0];
credentials = parts[1];
if (-1 !== ['token', 'bearer'].indexOf(scheme.toLowerCase())) {
token = credentials;
}
}
if (req.body && req.body.access_token) {
if (token) { PromiseA.reject(new Error("token exists in header and body")); }
token = req.body.access_token;
}
// TODO disallow query with req.method === 'GET'
// NOTE: the case of DDNS on routers requires a GET and access_token
// (cookies should be used for protected static assets)
if (req.query && req.query.access_token) {
if (token) { PromiseA.reject(new Error("token already exists in either header or body and also in query")); }
token = req.query.access_token;
}
/*
err = new Error(challenge());
err.code = 'E_BEARER_REALM';
if (!token) { return PromiseA.reject(err); }
*/
return PromiseA.resolve(token);
}
function verifyToken(token) {
var jwt = require('jsonwebtoken');
var decoded;
if (!token) {
return PromiseA.reject({
message: 'no token provided'
, code: 'E_NO_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_NO_TOKEN'
});
}
try {
decoded = jwt.decode(token, {complete: true});
} catch (e) {}
if (!decoded) {
return PromiseA.reject({
message: 'provided token not a JSON Web Token'
, code: 'E_NOT_JWT'
, url: 'https://oauth3.org/docs/errors#E_NOT_JWT'
});
}
var sub = decoded.payload.sub || decoded.payload.ppid || decoded.payload.appScopedId;
if (!sub) {
return PromiseA.reject({
message: 'token missing sub'
, code: 'E_MISSING_SUB'
, url: 'https://oauth3.org/docs/errors#E_MISSING_SUB'
});
}
var kid = decoded.header.kid || decoded.payload.kid;
if (!kid) {
return PromiseA.reject({
message: 'token missing kid'
, code: 'E_MISSING_KID'
, url: 'https://oauth3.org/docs/errors#E_MISSING_KID'
});
}
if (!decoded.payload.iss) {
return PromiseA.reject({
message: 'token missing iss'
, code: 'E_MISSING_ISS'
, url: 'https://oauth3.org/docs/errors#E_MISSING_ISS'
});
}
var OAUTH3 = require('oauth3.js');
OAUTH3._hooks = require('oauth3.js/oauth3.node.storage.js');
return OAUTH3.discover(decoded.payload.iss).then(function (directives) {
var args = (directives || {}).retrieve_jwk;
if (typeof args === 'string') {
args = { url: args, method: 'GET' };
}
if (typeof (args || {}).url !== 'string') {
return PromiseA.reject({
message: 'token issuer does not support retrieving JWKs'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
});
}
var params = {
sub: sub
, kid: kid
};
var url = args.url;
var body;
Object.keys(params).forEach(function (key) {
if (url.indexOf(':'+key) !== -1) {
url = url.replace(':'+key, params[key]);
delete params[key];
}
});
if (Object.keys(params).length > 0) {
if ('GET' === (args.method || 'GET').toUpperCase()) {
url += '?' + OAUTH3.query.stringify(params);
} else {
body = params;
}
}
return OAUTH3.request({
url: OAUTH3.url.resolve(directives.api, url)
, method: args.method
, data: body
}).catch(function (err) {
return PromiseA.reject({
message: 'failed to retrieve public key from token issuer'
, code: 'E_NO_PUB_KEY'
, url: 'https://oauth3.org/docs/errors#E_NO_PUB_KEY'
, subErr: err.toString()
});
});
}, function (err) {
return PromiseA.reject({
message: 'token issuer is not a valid OAuth3 provider'
, code: 'E_INVALID_ISS'
, url: 'https://oauth3.org/docs/errors#E_INVALID_ISS'
, subErr: err.toString()
});
}).then(function (res) {
if (res.data.error) {
return PromiseA.reject(res.data.error);
}
var opts = {};
if (Array.isArray(res.data.alg)) {
opts.algorithms = res.data.alg;
} else if (typeof res.data.alg === 'string') {
opts.algorithms = [res.data.alg];
}
try {
return jwt.verify(token, require('jwk-to-pem')(res.data), opts);
} catch (err) {
return PromiseA.reject({
message: 'token verification failed'
, code: 'E_INVALID_TOKEN'
, url: 'https://oauth3.org/docs/errors#E_INVALID_TOKEN'
, subErr: err.toString()
});
}
});
}
function deepFreeze(obj) {
Object.keys(obj).forEach(function (key) {
if (obj[key] && typeof obj[key] === 'object') {
deepFreeze(obj[key]);
}
});
Object.freeze(obj);
}
function cookieOauth3(Models, req, res, next) {
req.oauth3 = {};
var token = req.cookies.jwt;
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
return verifyToken(token).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
return null;
}
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
req.oauth3.ppid = ppid;
req.oauth3.accountIdx = ppid+'@'+decoded.iss;
var hash = require('crypto').createHash('sha256').update(req.oauth3.accountIdx).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
req.oauth3.accountHash = hash;
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
}).then(function () {
deepFreeze(req.oauth3);
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
if ('E_NO_TOKEN' === err.code) {
next();
return;
}
console.error('[walnut] cookie lib/oauth3 error:');
console.error(err);
res.send(err);
});
}
function attachOauth3(Models, req, res, next) {
req.oauth3 = {};
extractAccessToken(req).then(function (token) {
req.oauth3.encodedToken = token;
req.oauth3.verifyAsync = function (jwt) {
return verifyToken(jwt || token);
};
if (!token) {
return null;
}
return verifyToken(token);
}).then(function (decoded) {
req.oauth3.token = decoded;
if (!decoded) {
return null;
}
var ppid = decoded.sub || decoded.ppid || decoded.appScopedId;
var fullPpid = ppid+'@'+decoded.iss;
req.oauth3.ppid = ppid;
// TODO we can anonymize the relationship between our user as the other service's user
// in our own database by hashing the remote service's ppid and using that as the lookup
var hash = require('crypto').createHash('sha256').update(fullPpid).digest('base64');
hash = hash.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=+/g, '');
req.oauth3.accountHash = hash;
req.oauth3.rescope = generateRescope(req, Models, decoded, fullPpid, ppid);
console.log('############### assigned req.oauth3:');
console.log(req.oauth3);
}).then(function () {
//deepFreeze(req.oauth3);
//Object.defineProperty(req, 'oauth3', {configurable: false, writable: false});
next();
}, function (err) {
console.error('[walnut] JWT lib/oauth3 error:');
console.error(err);
res.send(err);
});
}
module.exports.attachOauth3 = attachOauth3;
module.exports.cookieOauth3 = cookieOauth3;
module.exports.verifyToken = verifyToken;

14
lib/package-server-apis.js
View File

@ -55,7 +55,19 @@ function getApi(conf, pkgConf, pkgDeps, packagedApi) {
packagedApi._api = require('express-lazy')(); packagedApi._api = require('express-lazy')();
packagedApi._api_app = myApp; packagedApi._api_app = myApp;
packagedApi._api.use('/', require('./oauth3').attachOauth3); //require('./oauth3-auth').inject(conf, packagedApi._api, pkgConf, pkgDeps);
pkgDeps.getOauth3Controllers =
packagedApi._getOauth3Controllers = require('oauthcommon/example-oauthmodels').create(conf).getControllers;
require('oauthcommon').inject(packagedApi._getOauth3Controllers, packagedApi._api, pkgConf, pkgDeps);
// DEBUG
//
/*
packagedApi._api.use('/', function (req, res, next) {
console.log('[DEBUG pkgApiApp]', req.method, req.hostname, req.url);
next();
});
//*/
// TODO fix backwards compat // TODO fix backwards compat

58
lib/worker.js
View File

@ -150,21 +150,6 @@ module.exports.create = function (webserver, xconfx, state) {
models: models models: models
// TODO don't let packages use this directly // TODO don't let packages use this directly
, Promise: PromiseA , Promise: PromiseA
, dns: PromiseA.promisifyAll(require('dns'))
, crypto: PromiseA.promisifyAll(require('crypto'))
, fs: PromiseA.promisifyAll(require('fs'))
, path: require('path')
, validate: {
isEmail: function (email) {
return /@/.test(email) && !/\s+/.test(email);
}
, email: function (email) {
if (apiDeps.validate.isEmail(email)) {
return null;
}
return new Error('invalid email address');
}
}
}; };
var apiFactories = { var apiFactories = {
memstoreFactory: { create: scopeMemstore } memstoreFactory: { create: scopeMemstore }
@ -195,7 +180,7 @@ module.exports.create = function (webserver, xconfx, state) {
function setupMain() { function setupMain() {
if (xconfx.debug) { console.log('[main] setup'); } if (xconfx.debug) { console.log('[main] setup'); }
mainApp = express(); mainApp = express();
require('./main').create(mainApp, xconfx, apiFactories, apiDeps, errorIfApi, errorIfAssets).then(function () { require('./main').create(mainApp, xconfx, apiFactories, apiDeps, errorIfApi).then(function () {
if (xconfx.debug) { console.log('[main] ready'); } if (xconfx.debug) { console.log('[main] ready'); }
// TODO process.send({}); // TODO process.send({});
}); });
@ -240,24 +225,6 @@ module.exports.create = function (webserver, xconfx, state) {
next(); next();
} }
function errorIfNotAssets(req, res, next) {
var hostname = req.hostname || req.headers.host;
if (!/^assets\.[a-z0-9\-]+/.test(hostname)) {
res.send({ error:
{ message: "['" + hostname + req.url + "'] protected asset access is restricted to proper 'asset'-prefixed lowercase subdomains."
+ " The HTTP 'Host' header must exist and must begin with 'assets.' as in 'assets.example.com'."
+ " For development you may test with assets.localhost.daplie.me (or any domain by modifying your /etc/hosts)"
, code: 'E_NOT_API'
, _hostname: hostname
}
});
return;
}
next();
}
function errorIfApi(req, res, next) { function errorIfApi(req, res, next) {
if (!/^api\./.test(req.headers.host)) { if (!/^api\./.test(req.headers.host)) {
next(); next();
@ -273,25 +240,7 @@ module.exports.create = function (webserver, xconfx, state) {
return; return;
} }
res.send({ error: { code: 'E_NO_IMPL', message: "API not implemented" } }); res.send({ error: { code: 'E_NO_IMPL', message: "not implemented" } });
}
function errorIfAssets(req, res, next) {
if (!/^assets\./.test(req.headers.host)) {
next();
return;
}
// has api. hostname prefix
// doesn't have /api url prefix
if (!/^\/assets\//.test(req.url)) {
console.log('[walnut/worker assets] req.url', req.url);
res.send({ error: { message: "missing /assets/ url prefix" } });
return;
}
res.send({ error: { code: 'E_NO_IMPL', message: "assets handler not implemented" } });
} }
app.disable('x-powered-by'); app.disable('x-powered-by');
@ -309,11 +258,8 @@ module.exports.create = function (webserver, xconfx, state) {
})); }));
app.use('/api', recase); app.use('/api', recase);
var cookieParser = require('cookie-parser'); // signing is done in JWT
app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']); app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
app.use('/api', errorIfNotApi); app.use('/api', errorIfNotApi);
app.use('/assets', /*errorIfNotAssets,*/ cookieParser()); // serializer { path: '/assets', httpOnly: true, sameSite: true/*, domain: assets.example.com*/ }
app.use('/', function (req, res) { app.use('/', function (req, res) {
if (!(req.encrypted || req.secure)) { if (!(req.encrypted || req.secure)) {
// did not come from https // did not come from https

34
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "walnut", "name": "walnut",
"version": "1.2.5", "version": "0.1.0",
"description": "zero-config home cloud server", "description": "zero-config home cloud server",
"main": "walnut.js", "main": "walnut.js",
"scripts": { "scripts": {
@ -8,7 +8,7 @@
}, },
"repository": { "repository": {
"type": "git", "type": "git",
"url": "https://git.coolaj86.com/coolaj86/walnut.js.git" "url": "https://github.com/Daplie/walnut.git"
}, },
"bin": { "bin": {
"walnut": "./bin/walnut.js" "walnut": "./bin/walnut.js"
@ -33,48 +33,38 @@
"private", "private",
"public" "public"
], ],
"author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com)", "author": "AJ ONeal <aj@daplie.com> (https://daplie.com)",
"license": "(MIT or Apache2)", "license": "Apache2",
"bugs": { "bugs": {
"url": "https://git.coolaj86.com/coolaj86/walnut.js/issues" "url": "https://github.com/Daplie/walnut/issues"
}, },
"homepage": "https://git.coolaj86.com/coolaj86/walnut.js", "homepage": "https://github.com/Daplie/walnut",
"dependencies": { "dependencies": {
"bluebird": "3.x", "bluebird": "3.x",
"body-parser": "1.x", "body-parser": "1.x",
"cluster-store": "^2.0.8", "cluster-store": "git+https://git.daplie.com/Daplie/cluster-store.git#v2",
"connect": "3.x", "connect": "3.x",
"connect-cors": "0.5.x", "connect-cors": "0.5.x",
"connect-recase": "^1.0.2", "connect-recase": "^1.0.2",
"connect-send-error": "1.x", "connect-send-error": "1.x",
"cookie-parser": "^1.4.3",
"escape-html": "^1.0.2", "escape-html": "^1.0.2",
"escape-string-regexp": "1.x", "escape-string-regexp": "1.x",
"express": "4.x", "express": "4.x",
"express-lazy": "^1.1.1", "express-lazy": "^1.1.1",
"express-session": "^1.11.3", "express-session": "^1.11.3",
"jsonwebtoken": "^7.4.1",
"jwk-to-pem": "^1.2.6",
"mailchimp-api-v3": "^1.7.0", "mailchimp-api-v3": "^1.7.0",
"mandrill-api": "^1.0.45", "mandrill-api": "^1.0.45",
"masterquest-sqlite3": "^1.1.1", "masterquest-sqlite3": "git+https://git.daplie.com/node/masterquest-sqlite3.git",
"mkdirp": "^0.5.1", "mkdirp": "^0.5.1",
"multiparty": "^4.1.3", "multiparty": "^4.1.3",
"nodemailer": "^1.4.0", "nodemailer": "^1.4.0",
"nodemailer-mailgun-transport": "1.x", "nodemailer-mailgun-transport": "1.x",
"oauth3.js": "git+https://git.oauth3.org/OAuth3/oauth3.js.git#v1.2", "oauthcommon": "git+https://git.daplie.com/node/oauthcommon.git",
"recase": "^1.0.4",
"request": "^2.81.0", "request": "^2.81.0",
"scmp": "^2.0.0",
"serve-static": "1.x", "serve-static": "1.x",
"sqlite3-cluster": "^2.1.2", "sqlite3-cluster": "git+https://git.daplie.com/coolaj86/sqlite3-cluster.git#v2",
"stripe": "^4.22.0", "stripe": "^4.22.0",
"twilio": "1.x" "twilio": "1.x",
}, "ursa": "^0.9.1"
"gitDependencies": {
"cluster-store": "git+https://git.coolaj86.com/coolaj86/cluster-store.git#v2",
"masterquest-sqlite3": "git+https://git.coolaj86.com/coolaj86/masterquest-sqlite3.git",
"oauth3.js": "git+https://git.oauth3.org/OAuth3/oauth3.js.git#v1.2",
"sqlite3-cluster": "git+https://git.coolaj86.com/coolaj86/sqlite3-cluster.git#v2"
} }
} }