open-consul/ui/packages/consul-ui/server/index.js

/*eslint node/no-extraneous-require: "off"*/
'use strict';
const fs = require('fs');
const promisify = require('util').promisify;
const read = promisify(fs.readFile);
const express = require('express');

module.exports = function(app, options) {
  // During development the proxy server has no way of
  // knowing the content/mime type of our `oidc/callback` file
  // as it has no extension.
  // This shims the default server to set the correct headers
  // just for this file

  const file = `/oidc/callback`;
  const rootURL = options.rootURL;
  const url = `${rootURL.substr(0, rootURL.length - 1)}${file}`;
  app.use(function(req, resp, next) {
    if (req.url.split('?')[0] === url) {
      return read(`${process.cwd()}/public${file}`).then(function(buffer) {
        resp.header('Content-Type', 'text/html');
        resp.write(buffer.toString());
        resp.end();
      });
    }
    next();
  });

  // sets the base CSP policy for the UI
  app.use(function(request, response, next) {
    response.set({
      'Content-Security-Policy': `default-src 'self' ws: localhost:${options.liveReloadPort} http: localhost:${options.liveReloadPort}; img-src 'self' data: ; style-src 'self' 'unsafe-inline'`,
    });
    next();
  });
  // Serve the coverage folder for easy viewing during development
  app.use('/coverage', express.static('coverage'));
};
ui: Move linting to the `node:test` script (#9385) * Reconfigure linting to be a node-test * Fixup linting across the project 2020-12-14 15:28:35 +00:00			`/eslint node/no-extraneous-require: "off"/`
UI: Improved Login/Logout flow inc SSO support (#7790) * 6 new components for new login/logout flow, plus SSO support UI Components: 1. AuthDialog: Wraps/orchestrates AuthForm and AuthProfile 2. AuthForm: Authorization form shown when logged out. 3. AuthProfile: Simple presentational component to show the users 'Profile' 4. OidcSelect: A 'select' component for selecting an OIDC provider, dynamically uses either a single select menu or multiple buttons depending on the amount of providers Data Components: 1. JwtSource: Given an OIDC provider URL this component will request a token from the provider and fire an donchange event when it has been retrieved. Used by TokenSource. 2. TokenSource: Given a oidc provider name or a Consul SecretID, TokenSource will use whichever method/API requests required to retrieve Consul ACL Token, which is emitted to the onchange event handler. Very basic README documentation included here, which is likely to be refined somewhat. * CSS required for new auth/SSO UI components * Remaining app code required to tie the new auth/SSO work together * CSS code required to help tie the auth/SSO work together * Test code in order to get current tests passing with new auth/SSO flow ..plus extremely basics/skipped rendering tests for the new components * Treat the secret received from the server as the truth Previously we've always treated what the user typed as the truth, this breaks down when using SSO as the user doesn't type anything to retrieve a token. Therefore we change this so that we use the secret in the API response as the truth. * Make sure removing an dom tree from a buffer only removes its own tree 2020-05-11 15:37:11 +00:00			`'use strict';`
			`const fs = require('fs');`
			`const promisify = require('util').promisify;`
			`const read = promisify(fs.readFile);`
ui: Remove jQuery from the production build (#8088) * ui: Split up client/http and replace $.ajax This splits the client/http service more in the following ways: 1. Connections are now split out into its own service 2. The transport is now split out into its own service that returns a listener based http transport 3. Various string parsing/stringifying functions are now split out into utils * Remove jQuery from our production build * Move the coverage serving to the server.js file * Self review amends * Add X-Requested-With header * Move some files around, externalize some functions * Move connection tracking to use native Set * Ensure HTTP parsing doesn't encode headers In the future this will change to deal with all HTTP parsing in one place, hence the commented out METHOD_PARSING etc * Start to fix up integration tests to use requestParams 2020-07-07 18:58:46 +00:00			`const express = require('express');`
UI: Improved Login/Logout flow inc SSO support (#7790) * 6 new components for new login/logout flow, plus SSO support UI Components: 1. AuthDialog: Wraps/orchestrates AuthForm and AuthProfile 2. AuthForm: Authorization form shown when logged out. 3. AuthProfile: Simple presentational component to show the users 'Profile' 4. OidcSelect: A 'select' component for selecting an OIDC provider, dynamically uses either a single select menu or multiple buttons depending on the amount of providers Data Components: 1. JwtSource: Given an OIDC provider URL this component will request a token from the provider and fire an donchange event when it has been retrieved. Used by TokenSource. 2. TokenSource: Given a oidc provider name or a Consul SecretID, TokenSource will use whichever method/API requests required to retrieve Consul ACL Token, which is emitted to the onchange event handler. Very basic README documentation included here, which is likely to be refined somewhat. * CSS required for new auth/SSO UI components * Remaining app code required to tie the new auth/SSO work together * CSS code required to help tie the auth/SSO work together * Test code in order to get current tests passing with new auth/SSO flow ..plus extremely basics/skipped rendering tests for the new components * Treat the secret received from the server as the truth Previously we've always treated what the user typed as the truth, this breaks down when using SSO as the user doesn't type anything to retrieve a token. Therefore we change this so that we use the secret in the API response as the truth. * Make sure removing an dom tree from a buffer only removes its own tree 2020-05-11 15:37:11 +00:00
			`module.exports = function(app, options) {`
			`// During development the proxy server has no way of`
			// knowing the content/mime type of our `oidc/callback` file
			`// as it has no extension.`
			`// This shims the default server to set the correct headers`
			`// just for this file`

			const file = `/oidc/callback`;
			`const rootURL = options.rootURL;`
			const url = `${rootURL.substr(0, rootURL.length - 1)}${file}`;
			`app.use(function(req, resp, next) {`
			`if (req.url.split('?')[0] === url) {`
			return read(`${process.cwd()}/public${file}`).then(function(buffer) {
			`resp.header('Content-Type', 'text/html');`
			`resp.write(buffer.toString());`
			`resp.end();`
			`});`
			`}`
			`next();`
			`});`
ui: CSP Improvements (#9847) * Configure ember-auto-import so we can use a stricter CSP * Create a fake filesystem using JSON to avoid inline scripts in index We used to have inline scripts in index.html in order to support embers filepath fingerprinting and our configurable rootURL. Instead of using inline scripts we use application/json plus a JSON blob to create a fake filesystem JSON blob/hash/map to hold all of the rootURL'ed fingerprinted file paths which we can then retrive later in non-inline scripts. We move our inlined polyfills script into the init.js external script, and we move the CodeMirror syntax highlighting configuration inline script into the main app itself - into the already existing CodeMirror initializer (this has been moved so we can lookup a service located document using ember's DI container) * Set a strict-ish CSP policy during development 2021-03-17 10:46:21 +00:00
			`// sets the base CSP policy for the UI`
			`app.use(function(request, response, next) {`
			`response.set({`
			'Content-Security-Policy': `default-src 'self' ws: localhost:${options.liveReloadPort} http: localhost:${options.liveReloadPort}; img-src 'self' data: ; style-src 'self' 'unsafe-inline'`,
			`});`
			`next();`
			`});`
ui: Remove jQuery from the production build (#8088) * ui: Split up client/http and replace $.ajax This splits the client/http service more in the following ways: 1. Connections are now split out into its own service 2. The transport is now split out into its own service that returns a listener based http transport 3. Various string parsing/stringifying functions are now split out into utils * Remove jQuery from our production build * Move the coverage serving to the server.js file * Self review amends * Add X-Requested-With header * Move some files around, externalize some functions * Move connection tracking to use native Set * Ensure HTTP parsing doesn't encode headers In the future this will change to deal with all HTTP parsing in one place, hence the commented out METHOD_PARSING etc * Start to fix up integration tests to use requestParams 2020-07-07 18:58:46 +00:00			`// Serve the coverage folder for easy viewing during development`
			`app.use('/coverage', express.static('coverage'));`
UI: Improved Login/Logout flow inc SSO support (#7790) * 6 new components for new login/logout flow, plus SSO support UI Components: 1. AuthDialog: Wraps/orchestrates AuthForm and AuthProfile 2. AuthForm: Authorization form shown when logged out. 3. AuthProfile: Simple presentational component to show the users 'Profile' 4. OidcSelect: A 'select' component for selecting an OIDC provider, dynamically uses either a single select menu or multiple buttons depending on the amount of providers Data Components: 1. JwtSource: Given an OIDC provider URL this component will request a token from the provider and fire an donchange event when it has been retrieved. Used by TokenSource. 2. TokenSource: Given a oidc provider name or a Consul SecretID, TokenSource will use whichever method/API requests required to retrieve Consul ACL Token, which is emitted to the onchange event handler. Very basic README documentation included here, which is likely to be refined somewhat. * CSS required for new auth/SSO UI components * Remaining app code required to tie the new auth/SSO work together * CSS code required to help tie the auth/SSO work together * Test code in order to get current tests passing with new auth/SSO flow ..plus extremely basics/skipped rendering tests for the new components * Treat the secret received from the server as the truth Previously we've always treated what the user typed as the truth, this breaks down when using SSO as the user doesn't type anything to retrieve a token. Therefore we change this so that we use the secret in the API response as the truth. * Make sure removing an dom tree from a buffer only removes its own tree 2020-05-11 15:37:11 +00:00			`};`