🔀Merge branch 'keycloak'

Author: TarradeMarc

.github/workflows/publish-keycloak-controlpanel.yaml

@@ -0,0 +1,47 @@
+name: Create and publish Docker image for keycloak for controlpanel to ghcr.io
+
+on:
+  release:
+    types: ['published']
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: SAP/keycloak-controlpanel
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    environment: ghcr:cloud-active-defense
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.2.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Extract metadata of keycloak for controlpanel
+        id: meta
+        uses: docker/metadata-action@v5.5.1
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image of keycloak for controlpanel
+        id: push
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: ./keycloak
+          push: true
+          file: ./keycloak/Dockerfile
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }} 

assets/keycloak-register.png

@@ -5,8 +5,10 @@ DB_PORT=5432
 
 CONTROLPANEL_FRONTEND_URL=http://localhost:4200
 DEPLOYMENT_MANAGER_URL=
+KEYCLOAK_URL=http://host.docker.internal:8080
 
 ***REMOVED***
 
+***REMOVED***
 ***REMOVED***
 ***REMOVED***

controlpanel/api/.env

@@ -0,0 +1,12 @@
+const Keycloak = require('keycloak-connect');
+require('dotenv').config({ path: __dirname + '/.env' });
+
+const keycloak = new Keycloak({}, {
+  "realm": "cad",
+  "bearer-only": true,
+  "auth-server-url": process.env.KEYCLOAK_URL,
+  "ssl-required": "external",
+  "resource": "cad"
+});
+
+module.exports = keycloak;

controlpanel/api/config/keycloak.js

@@ -0,0 +1,64 @@
+const Customer = require('../models/Customer');
+const ProtectedApp = require('../models/ProtectedApp');
+const Decoy = require('../models/Decoy-data');
+
+const authorizationFromPa_id = async (req, res, next) => {
+    const token = req.headers['authorization']?.split(' ')[1];
+    if (!token) return res.status(401).json({ code: 401, type: 'error', message: 'Unauthorized' });
+
+    const customer_id = await extractCustomersFromToken(token);
+    if (!customer_id) return res.status(401).json({ code: 401, type: 'error', message: 'Invalid authorization token' });
+    
+    const pa_id = req.params.pa_id || (req.body && req.body.pa_id);
+    if (!pa_id) return res.status(400).json({ code: 400, type: 'error', message: 'Protected app ID is missing' });
+    
+    const protectedApp = await ProtectedApp.findOne({ where: { id: pa_id }, include: [{model: Customer, as: 'customer'}]});
+    if (!protectedApp) return res.status(404).json({ code: 404, type: 'error', message: 'Protected app not found' });
+    if (!customer_id == protectedApp.customer.id) return res.status(403).json({ code: 403, type: 'error', message: 'Forbidden' });
+    next();
+}
+const authorizationFromCu_id = async (req, res, next) => {
+    const token = req.headers['authorization']?.split(' ')[1];
+    if (!token) return res.status(401).json({ code: 401, type: 'error', message: 'Unauthorized' });
+
+    const customer_id = await extractCustomersFromToken(token);
+    if (!customer_id) return res.status(401).json({ code: 401, type: 'error', message: 'Invalid authorization token' });
+    req.cu_id = customer_id;
+    next();
+}
+const authorizationFromDecoyId = async (req, res, next) => {
+    const token = req.headers['authorization']?.split(' ')[1];
+    if (!token) return res.status(401).json({ code: 401, type: 'error', message: 'Unauthorized' });
+
+    const customer_id = await extractCustomersFromToken(token);
+    if (!customer_id) return res.status(401).json({ code: 401, type: 'error', message: 'Invalid authorization token' });
+    
+    const decoyId = req.params.id || (req.body && req.body.id);
+    if (!decoyId) return res.status(400).json({ code: 400, type: 'error', message: 'Decoy ID is missing' });
+    
+    const decoy = await Decoy.findOne({ where: { id: decoyId }, include: [{ model: ProtectedApp, as: 'protectedApp' }] });
+    if (!decoy) return res.status(404).json({ code: 404, type: 'error', message: 'Decoy not found' });
+    
+    if (!customer_id == decoy.protectedApp.cu_id) return res.status(403).json({ code: 403, type: 'error', message: 'Forbidden' });
+    next();
+}
+
+const extractCustomersFromToken = async (token) => {
+    const parts = token.split('.');
+    if (parts.length !== 3) return null;
+
+    const payload = Buffer.from(parts[1], 'base64').toString('utf8');
+    const data = JSON.parse(payload);
+
+    if (!data || !data.groups) return null;
+
+    const customer = await Customer.findOne({ where: { name: data.groups }, attributes: ['id']});
+    if (!customer) return null;
+    return customer.id;
+}
+
+module.exports = {
+    authorizationFromPa_id,
+    authorizationFromCu_id,
+    authorizationFromDecoyId
+};

controlpanel/api/middleware/customer-authorization.js

@@ -0,0 +1,18 @@
+const ApiKey = require('../models/Api-key');
+
+const authenticate = async (req, res, next) => {
+    const key = req.headers['authorization'];
+    if (!key) {
+        return res.status(401).json({ type: 'error', code: 401, message: "You must use an API key to access this" });
+    }
+    const apiKey = await ApiKey.findOne({ where: { key }})
+    if (!apiKey) {
+        return res.status(403).json({ type: 'error', code: 403, message: "Invalid API key" });
+    }
+    if (!apiKey.permissions.includes('keycloak') && !apiKey.permissions.includes('admin')) {
+        return res.status(403).json({ type: 'error', code: 403, message: "You don't have the required permissions to access this" });
+    }
+    next();
+};
+
+module.exports = authenticate;

controlpanel/api/middleware/keycloak-authentication.js

@@ -18,7 +18,6 @@ const ApiKey = sequelize.define("apiKey", {
     },
     pa_id: {
         type: DataTypes.UUID,
-        allowNull: false,
         references: {
             model: ProtectedApp,
             key: 'id'

controlpanel/api/models/Api-key.js

@@ -7,6 +7,8 @@ const Logs = require("./Logs");
 const ApiKey = require("./Api-key");
 const Customer = require("./Customer");
 
+let dbInitialized = false;
+
 async function initializeDatabase() {
   await sequelize.sync();
 
@@ -26,26 +28,31 @@ async function initializeDatabase() {
         GRANT SELECT ON TABLE customers TO deployment_manager;
       `, { replacements: { password }});
     }
+    dbInitialized = true;
     console.log("Database connected successfully.");
   } catch (error) {
     console.error("Unable to connect to the database...\n", error);
     throw error;
   }
 }
 
-Decoy.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApps'});
-ProtectedApp.hasMany(Decoy, {foreignKey: 'pa_id', as: 'decoys' });
+function isInitialized() {
+  return dbInitialized;
+}
+
+Decoy.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApp', onDelete: 'CASCADE'});
+ProtectedApp.hasMany(Decoy, {foreignKey: 'pa_id', as: 'decoys', onDelete: 'CASCADE'});
 
-Config.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApps'});
-ProtectedApp.hasMany(Config, {foreignKey: 'pa_id', as: 'configs' });
+Config.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApp', onDelete: 'CASCADE'});
+ProtectedApp.hasMany(Config, {foreignKey: 'pa_id', as: 'configs', onDelete: 'CASCADE'});
 
-Logs.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApps'});
-ProtectedApp.hasMany(Logs, {foreignKey: 'pa_id', as: 'logs' });
+Logs.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApp', onDelete: 'CASCADE'});
+ProtectedApp.hasMany(Logs, {foreignKey: 'pa_id', as: 'logs', onDelete: 'CASCADE'});
 
-ApiKey.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedapps'});
-ProtectedApp.hasMany(ApiKey, {foreignKey: 'pa_id', as: 'apiKeys' });
+ApiKey.belongsTo(ProtectedApp, {foreignKey: 'pa_id', as: 'protectedApp', onDelete: 'CASCADE'});
+ProtectedApp.hasMany(ApiKey, {foreignKey: 'pa_id', as: 'apiKeys', onDelete: 'CASCADE'});
 
-ProtectedApp.belongsTo(Customer, {foreignKey: 'cu_id', as: 'customers' });
+ProtectedApp.belongsTo(Customer, {foreignKey: 'cu_id', as: 'customer' });
 Customer.hasMany(ProtectedApp, {foreignKey: 'cu_id', as: 'protectedApps' });
 
-module.exports = { sequelize, initializeDatabase };
+module.exports = { sequelize, initializeDatabase, isInitialized };