Upload the Keyrock configuration.

9f75126c · Cédric Crettaz · 216efb5b · 9f75126c
Commit 9f75126c authored Oct 08, 2021 by Cédric Crettaz 🖥
--- a/keyrock/config.js
+++ b/keyrock/config.js
+const config = {};
+
+function to_boolean(env, default_value){
+    return (env !== undefined) ? (env.toLowerCase() === 'true') : default_value;
+}
+
+function to_array(env, default_value){
+    return (env !== undefined) ? env.split(',') : default_value;
+}
+
+config.port = (process.env.IDM_PORT || 3000 );
+config.host = (process.env.IDM_HOST || 'http://localhost:' + config.port);
+
+config.debug = to_boolean(process.env.IDM_DEBUG, true);
+
+// HTTPS enable
+config.https = {
+    enabled: to_boolean(process.env.IDM_HTTPS_ENABLED, false),
+    cert_file: '/etc/letsencrypt/live/test.naiades-project.eu/fullchain.pem',
+    key_file: '/etc/letsencrypt/live/test.naiades-project.eu/privkey.pem',
+    ca_certs: [],
+    port: (process.env.IDM_HTTPS_PORT || 443 )
+};
+
+// Config email list type to use domain filtering
+config.email_list_type = (process.env.IDM_EMAIL_LIST || null );   // whitelist or blacklist
+
+// Secret for user sessions in web
+config.session = {
+    secret:  (process.env.IDM_SESSION_SECRET || 'nodejs_idm'),       // Must be changed
+    expires: (process.env.IDM_SESSION_DURATION || 60 * 60 * 1000)     // 1 hour
+}
+
+// Key to encrypt user passwords
+config.password_encryption = {
+    key: (process.env.IDM_ENCRYPTION_KEY || 'nodejs_idm')   // Must be changed
+}
+
+// Enable CORS
+config.cors = {
+    enabled: to_boolean(process.env.IDM_CORS_ENABLED, false),
+    options: {
+        /* eslint-disable snakecase/snakecase */
+        origin: to_array(process.env.IDM_CORS_ORIGIN, '*'),
+        methods: to_array(process.env.IDM_CORS_METHODS, ['GET','HEAD','PUT','PATCH','POST','DELETE']),
+        allowedHeaders: (process.env.IDM_CORS_ALLOWED_HEADERS || '*'),
+        exposedHeaders: (process.env.IDM_CORS_EXPOSED_HEADERS || undefined),
+        credentials: (process.env.IDM_CORS_CREDENTIALS || undefined),
+        maxAge: (process.env.IDM_CORS_MAS_AGE || undefined),
+        preflightContinue: (process.env.IDM_CORS_PREFLIGHT || false),
+        optionsSuccessStatus: (process.env.IDM_CORS_OPTIONS_STATUS || 204)
+        /* eslint-enable snakecase/snakecase */
+    }
+}
+
+// Config oauth2 parameters
+config.oauth2 = {
+    allow_empty_state: (process.env.IDM_OAUTH_EMPTY_STATE || false),                       // allow empty state in request
+    authorization_code_lifetime: (process.env.IDM_OAUTH_AUTH_LIFETIME || 5 * 60),        // Five minutes
+    access_token_lifetime: (process.env.IDM_OAUTH_ACC_LIFETIME || 60 * 60),              // One hour
+    ask_authorization: (process.env.IDM_OAUTH_ASK_AUTH || true),                         // Prompt a message to users to allow the application to read their details
+    refresh_token_lifetime: (process.env.IDM_OAUTH_REFR_LIFETIME || 60 * 60 * 24 * 14),  // Two weeks
+    unique_url: (process.env.IDM_OAUTH_UNIQUE_URL || false)                              // This parameter allows to verify that an application with the same url
+                                                                                         // does not exist when creating or editing it. If there are already applications
+                                                                                         // with the same URL, they should be changed manually
+}
+
+// Config api parameters
+config.api = {
+    token_lifetime: (process.env.IDM_API_LIFETIME || 60*60)     // One hour
+}
+
+// Configure Policy Decision Point (PDP)
+//  - IdM can perform basic policy checks (HTTP verb + path)
+//  - AuthZForce can perform basic policy checks as well as advanced
+// If authorization level is advanced you can create rules, HTTP verb+resource and XACML advanced. In addition
+// you need to have an instance of authzforce deployed to perform advanced authorization request from a Pep Proxy.
+// If authorization level is basic, only HTTP verb+resource rules can be created
+config.authorization = {
+    level: (process.env.IDM_PDP_LEVEL || 'basic'),     // basic|advanced
+    authzforce: {
+        enabled: to_boolean(process.env.IDM_AUTHZFORCE_ENABLED, false),
+        host: (process.env.IDM_AUTHZFORCE_HOST || 'localhost'),
+        port: (process.env.IDM_AUTHZFORCE_PORT||  8080),
+    }
+}
+
+// Enable usage control and configure where is the Policy Translation Point
+config.usage_control = {
+    enabled: to_boolean(process.env.IDM_USAGE_CONTROL_ENABLED, false),
+    ptp: {
+        host: (process.env.IDM_PTP_HOST || 'localhost'),
+        port: (process.env.IDM_PTP_PORT||  8081),
+    }
+}
+
+
+// Database info
+config.database  = {
+    host:     (process.env.IDM_DB_HOST || 'localhost'),
+    password: (process.env.IDM_DB_PASS || 'idm'),
+    username: (process.env.IDM_DB_USER || 'root'),
+    database: (process.env.IDM_DB_NAME || 'idm'),
+    dialect:  (process.env.IDM_DB_DIALECT || 'mysql'),
+    port:     (process.env.IDM_DB_PORT || undefined)
+    //define: { charset: 'latin1', dialectOptions: { collate: 'latin1_bin' }},
+    //define: { charset: 'utf8mb4', dialectOptions: { collate: 'utf8mb4_unicode_ci' }},
+  };
+//  if (config.database.dialect != 'mysql') {
+//    console.log('>>>>>>>>>>>>>>> remove options define: charset/collate')
+//    config.database.define = {};
+//  } else {
+//    console.log('>>>>>>>>>>>>>>> keep mysql options define: : ', config.database.define);
+//  };
+// External user authentication
+config.external_auth = {
+    enabled: (process.env.IDM_EX_AUTH_ENABLED || false ),
+    id_prefix: (process.env.IDM_EX_AUTH_ID_PREFIX || 'external_'),
+    password_encryption: (process.env.IDM_EX_AUTH_PASSWORD_ENCRYPTION || 'sha1'),    // bcrypt and sha1 supported
+    password_encryption_key: (process.env.IDM_EX_AUTH_PASSWORD_ENCRYPTION_KEY || undefined),
+    database: {
+        host: (process.env.IDM_EX_AUTH_DB_HOST ||'localhost'),
+        port: (process.env.IDM_EX_AUTH_PORT || undefined),
+        database: (process.env.IDM_EX_AUTH_DB_NAME ||'db_name'),
+        username: (process.env.IDM_EX_AUTH_DB_USER || 'db_user'),
+        password: (process.env.IDM_EX_AUTH_DB_PASS ||'db_pass'),
+        user_table: (process.env.IDM_EX_AUTH_DB_USER_TABLE ||'user_view'),
+        dialect: (process.env.IDM_EX_AUTH_DIALECT || 'mysql')
+    }
+}
+
+// Email configuration
+config.mail = {
+    host: (process.env.IDM_EMAIL_HOST || 'localhost'),
+    port: (process.env.IDM_EMAIL_PORT || 25),
+    from: (process.env.IDM_EMAIL_ADDRESS || 'noreply@localhost')
+}
+
+// Config themes
+config.site = {
+    title: (process.env.IDM_TITLE || 'Identity Manager'),
+    theme: (process.env.IDM_THEME || 'default')
+};
+
+// Config eIDAs Authentication
+config.eidas = {
+    enabled:       to_boolean(process.env.IDM_EIDAS_ENABLED, false),
+    gateway_host:  (process.env.IDM_EIDAS_GATEWAY_HOST || 'localhost'),
+    node_host:      (process.env.IDM_EIDAS_NODE_HOST || 'https://se-eidas.redsara.es/EidasNode/ServiceProvider'),
+    metadata_expiration: (process.env.IDM_EIDAS_METADATA_LIFETIME || 60 * 60 * 24 * 365) // One year
+}
+
+// Enables the possibility of adding identity attributes in users' profile
+config.identity_attributes = {
+    /* eslint-disable snakecase/snakecase */
+    enabled: false,
+    attributes: [
+        {name: 'Vision', key: 'vision', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Color Perception', key: 'color', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Hearing', key: 'hearing', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Vocal Capability', key: 'vocal', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Manipulation Strength', key: 'manipulation', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Reach', key: 'reach', type: 'number', minVal: '0', maxVal: '100'},
+        {name: 'Cognition', key: 'cognition', type: 'number', minVal: '0', maxVal: '100'}
+    ]
+    /* eslint-enable snakecase/snakecase */
+}
+
+
+if (config.session.secret === 'nodejs_idm' || config.password_encryption.key  === 'nodejs_idm'){
+    /* eslint-disable no-console */
+    console.log('****************');
+    console.log('WARNING: The current encryption keys match the defaults found in the plaintext');
+    console.log('         template file - please update for a production instance');
+    console.log('****************');
+    /* eslint-enable no-console */
+}
+
+
+module.exports = config;
\ No newline at end of file