Ssl support (flyteorg#210)

* adding generate script Signed-off-by: Haytham Abuelfutuh <[email protected]> * wip Signed-off-by: Haytham Abuelfutuh <[email protected]> * wip Signed-off-by: Haytham Abuelfutuh <[email protected]> * Fixing conflict with package/yarn * Adding DCO Signed-off-by: Jason Porter <[email protected]> Co-authored-by: Haytham Abuelfutuh <[email protected]>
eapolinario · Sep 22, 2021 · 1c757c7 · 1c757c7
1 parent c79ae71
commit 1c757c7
Show file tree

Hide file tree

Showing 9 changed files with 86 additions and 41 deletions.
diff --git a/.gitignore b/.gitignore
@@ -50,3 +50,10 @@ jest
 jest_0
 yarn-error.log
 .coverage/
+
+# Certs
+.srl
+script/rootCA.*
+script/server.crt
+script/server.csr
+script/server.key
diff --git a/Makefile b/Makefile
@@ -38,3 +38,7 @@ clean:
 .PHONY: test_unit_codecov
 test_unit_codecov:
 	yarn run test-coverage
+
+.PHONY: generate_ssl
+generate_ssl:
+	./script/generate_ssl.sh
diff --git a/README.rst b/README.rst
@@ -169,14 +169,24 @@ URL of your target FlyteAdmin API instance. These instructions will use
 `https://different.admin.service.com` as an example.
 
 
-#. Export value for `ADMIN_API_URL`
+#. Set `ADMIN_API_URL` and `ADMIN_API_USE_SSL`
 
    .. code:: bash
 
       export ADMIN_API_URL=https://different.admin.service.com
+      export ADMIN_API_USE_SSL="https"
+
+   .. note:: Hint
+      Add these to your local profile (eg, `./profile`) to prevent having to do this step each time
+
+#. Generate SSL certificate
+
+   Run the following command from your `flyteconsole` directory
+
+   .. code:: bash
+
+      make generate_ssl
 
-      .. note:: Hint
-         Add this to your local profile (eg, `./profile`) to prevent having to do this step each time
 
 #. Add new record to hosts file
 
@@ -194,20 +204,6 @@ URL of your target FlyteAdmin API instance. These instructions will use
 
       .. note:: Activate plugin (toggle to "on")
 
-#. Install Chrome plugin: `ModHeader <https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en>`_
-
-      .. note:: Configure ModHead by adding record
-
-         - Header: `Host`
-         - Value: `different.admin.service.com`
-
-#. Set Schemeful Same-Site to disabled
-
-   - Enter `chrome://flags` in url bar
-   - Find 'Schemeful Same-Site' and set to `disabled`
-
-#. Restart Chrome
-
 #. Start `flyteconsole`
 
    .. code:: bash
@@ -218,21 +214,4 @@ URL of your target FlyteAdmin API instance. These instructions will use
 
 .. note:: Hint
 
-   Ensure you don't have `ADMIN_API_URL` or `DISABLE_AUTH` set (eg, in your `/.profile`.)
-
-=================================
-CORS Proxying: Node configuration
-=================================
-
-For any requests which do not share the same ``origin`` value, the client application will route
-requests through a special endpoint on the NodeJS server. This is done to
-minimize the amount of extra configuration required for ingress to the Admin API
-and data storage, as well as to simplify local development of the console without
-the need to grant CORS access to ``localhost``. To proxy requests for local
-development, set ``ADMIN_API_URL`` to
-``http://localhost:3000/cors_proxy/http://<admin-host>:<admin-port>``.
-
-The requests and responses are piped through the NodeJS server with minimal
-overhead. However, it is still recommended to host the Admin API and console on
-the same domain to prevent unnecessary load on the NodeJS server and extra
-latency on API requests due to the additional hop.
+   Ensure you don't have `ADMIN_API_URL` or `DISABLE_AUTH` set (eg, in your `/.profile`.)
diff --git a/env.js b/env.js
@@ -8,6 +8,8 @@ const NODE_ENV = process.env.NODE_ENV || 'development';
 
 // If this is unset, API calls will default to the same host used to serve this app
 const ADMIN_API_URL = process.env.ADMIN_API_URL;
+// Use this to create SSL server 
+const ADMIN_API_USE_SSL = process.env.ADMIN_API_USE_SSL || 'http';
 
 const BASE_URL = process.env.BASE_URL || '';
 const CORS_PROXY_PREFIX = process.env.CORS_PROXY_PREFIX || '/cors_proxy';
@@ -27,6 +29,7 @@ const DISABLE_AUTH = process.env.DISABLE_AUTH;
 
 module.exports = {
     ADMIN_API_URL,
+    ADMIN_API_USE_SSL,
     BASE_URL,
     CORS_PROXY_PREFIX,
     DISABLE_AUTH,

diff --git a/index.js b/index.js
@@ -81,13 +81,28 @@ if (process.env.NODE_ENV === 'production') {
     );
 }
 
+/* Set ADMIN_API_USE_SSL to https for CORS support */
+let server;
 const port = process.env.PORT || 3000;
-const server = app.listen(port, error => {
-    if (error) {
-        throw error;
-    }
-    console.log(`Server started: http://localhost:${port}/`);
-});
+if(env.ADMIN_API_USE_SSL == "https"){
+    const fs = require('fs')
+    const https = require('https')
+    var privateKey = fs.readFileSync('script/server.key');
+    var certificate = fs.readFileSync('script/server.crt');
+
+    server = https.createServer({
+        key: privateKey,
+        cert: certificate
+    }, app).listen(port);
+    console.log(`Server started with SSL: https://localhost:${port}/`);
+} else {
+    server = app.listen(port, error => {
+        if (error) {
+            throw error;
+        }
+        console.log(`Server started: http://localhost:${port}/`);
+    });
+}
 
 process.on('SIGTERM', () => {
     console.info('SIGTERM signal received. Shutting down.');

diff --git a/script/generate_ssl.sh b/script/generate_ssl.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+script="$0"
+basename="$(dirname $script)"
+
+echo "Script name $script resides in $basename directory."
+
+openssl genrsa -des3 -out "$basename/rootCA.key" 2048
+openssl req -x509 -new -nodes -key "$basename/rootCA.key" -sha256 -days 1024 -out "$basename/rootCA.pem"
+openssl req -new -sha256 -nodes -out "$basename/server.csr" -newkey rsa:2048 -keyout "$basename/server.key" -config <( cat "$basename/server.csr.cnf" )
+openssl x509 -req -in "$basename/server.csr" -CA "$basename/rootCA.pem" -CAkey "$basename/rootCA.key" -CAcreateserial -out "$basename/server.crt" -days 500 -sha256 -extfile "$basename/v3.ext"
diff --git a/script/server.csr.cnf b/script/server.csr.cnf
@@ -0,0 +1,14 @@
+[req]
+default_bits = 2048
+prompt = no
+default_md = sha256
+distinguished_name = dn
+
+[dn]
+C=US
+ST=RandomState
+L=RandomCity
+O=RandomOrganization
+OU=RandomOrganizationUnit
+emailAddress[email protected]
+CN = localhost
diff --git a/script/v3.ext b/script/v3.ext
@@ -0,0 +1,7 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
diff --git a/yarn.lock b/yarn.lock
@@ -13403,6 +13403,11 @@ nan@^2.14.0:
   resolved "https://registry.yarnpkg.com/nan/-/nan-2.15.0.tgz#3f34a473ff18e15c1b5626b62903b5ad6e665fee"
   integrity sha512-8ZtvEnA2c5aYCZYd1cvgdnU6cqwixRoYg70xPLWUws5ORTa/lnw+u4amixRS/Ac5U5mQVgp9pnlSUnbNWFaWZQ==
 
+nanoid@^3.1.23:
+  version "3.1.25"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.25.tgz#09ca32747c0e543f0e1814b7d3793477f9c8e152"
+  integrity sha512-rdwtIXaXCLFAQbnfqDRnI6jaRHp9fTcYBjtFKE8eezcZ7LuLjhUaQGNeMXf1HmRoCH32CLz6XwX0TtxEOS/A3Q==
+
 napi-build-utils@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/napi-build-utils/-/napi-build-utils-1.0.2.tgz#b1fddc0b2c46e380a0b7a76f984dd47c41a13806"