Security fix (#57)

* security fixes
* add forseti api status page /api
* update package.json/locks
* update package version to 2.1.0

forseti-api/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "forseti-visualizer-api",
-	"version": "2.0.0",
+	"version": "2.1.0",
 	"description": "Forseti Visualizer API to serve Forseti Based GCP content",
 	"author": "Garrett Wong",
 	"main": "server.js",
@@ -27,45 +27,46 @@
 		}
 	},
 	"dependencies": {
-		"@google-cloud/bigtable": "^0.15.0",
-		"@google-cloud/kms": "^0.4.0",
-		"@grpc/proto-loader": "^0.4.0",
-		"axios": "^0.19.0",
+		"@grpc/proto-loader": "^0.5.4",
+		"acorn-globals": "^6.0.0",
+		"axios": "^0.19.2",
 		"body-parser": "^1.18.3",
-		"braces": ">=2.3.1",
+		"braces": "^3.0.2",
 		"compression": "^1.7.3",
 		"cors": "^2.8.4",
-		"eslint-utils": "^1.4.1",
+		"eslint-utils": "^1.4.3",
 		"express": "^4.16.1",
-		"express-session": "^1.15.6",
-		"grpc": "^1.18.0",
+		"express-session": "^1.17.0",
+		"grpc": "^1.24.2",
 		"lodash": ">=4.17.13",
 		"lodash.merge": ">=4.6.2",
-		"morgan": "^1.9.1",
-		"mysql": "^2.16.0",
-		"pug": "^2.0.3",
+		"morgan": "^1.10.0",
+		"mysql": "^2.18.1",
+		"pug": "^2.0.4",
 		"resource-router-middleware": "^0.7.0",
-		"session-file-store": "^1.2.0",
-		"uuid": "^3.3.2"
+		"session-file-store": "^1.4.0",
+		"telnet-client": "^1.4.0",
+		"uuid": "^3.4.0"
 	},
 	"license": "Apache-2.0",
 	"repository": {
 		"type": "git",
 		"url": "https://github.com/npm/npm.git"
 	},
 	"devDependencies": {
-		"@babel/cli": "^7.7.0",
-		"@babel/core": "^7.7.0",
-		"@babel/node": "^7.7.0",
-		"@babel/preset-env": "^7.7.1",
-		"@babel/register": "^7.7.0",
+		"@babel/cli": "^7.8.4",
+		"@babel/core": "^7.9.0",
+		"@babel/node": "^7.8.7",
+		"@babel/preset-env": "^7.9.5",
+		"@babel/register": "^7.9.0",
 		"chai": "^4.2.0",
 		"chai-http": "^4.3.0",
 		"eslint": "^5.3.0",
 		"js-yaml": ">=3.13.1",
-		"mocha": "^6.2.2",
-		"nodemon": "^1.18.3",
+		"minimist": "^1.2.5",
+		"mocha": "^6.2.3",
+		"nodemon": "^1.19.4",
 		"sinon": "^7.5.0",
-		"sinon-chai": "^3.3.0"
+		"sinon-chai": "^3.5.0"
 	}
 }

forseti-api/public/styles/style.css

@@ -0,0 +1,14 @@
+* {
+    font-family: Roboto,Helvetica,Arial,sans-serif;
+}
+
+h3 {
+    font-size: 36px;
+    font-weight: 300;
+    color: #1976d2;
+}
+
+p {
+    font-size: 130%;
+    font-weight: 300;
+}

forseti-api/server.js

@@ -16,21 +16,27 @@
 
 // express 4.0
 const express = require('express');
+const Telnet = require('telnet-client');
 
+import {
+  version
+} from './package.json';
+import RenderHelpers from './server/render-helpers';
 import api from './server/api';
 
-// setup app
+// setup application
 const app = express();
-app.set('view engine', 'pug');
-app.use(express.static('public')); // images,css,etc.
+app.set('view engine', 'pug'); // use pug for HTML templating
+app.use(express.static('public')); // configure static assets folder, images,css,etc.
 
+// configure default headers
 app.all('*', function (req, res, next) {
   res.header("Access-Control-Allow-Origin", "*");
   res.header("Access-Control-Allow-Headers", "X-Requested-With");
   next();
 });
 
-// Override static assets to use public
+// extend static assets to use the forseti-visualizer-ui UI code distribution
 console.log(__dirname);
 const {
   resolve
@@ -42,16 +48,49 @@ const staticConf = {
 };
 app.use(express.static(publicPath, staticConf));
 
-// set up /api routes
-app.use('/api', api({}));
 
-// set up / main route
+
+/* API Route Configuration */
+
+
+// set up the main route '/'
 app.get('/', (req, res) => {
-  res.render('index', {
-    title: `Forseti-Visualizer`
-  });
+  let connection = new Telnet();
+
+  console.log(RenderHelpers);
+  if (!process.env['CLOUDSQL_HOSTNAME']) {
+    RenderHelpers.renderError(res, version);
+    return;
+  }
+
+  console.log('Attempting connection to: ' + process.env['CLOUDSQL_HOSTNAME']);
+
+  let params = {
+    host: process.env['CLOUDSQL_HOSTNAME'],
+    port: 3306,
+    negotiationMandatory: false,
+    timeout: 5000
+  };
+
+  connection.connect(params)
+    .then(function (prompt) {
+      console.log('Connected to Cloud SQL');
+      RenderHelpers.renderIndex(res, version, true);
+    }, function (error) {
+      console.log('Not connected to Cloud SQL', error);
+      RenderHelpers.renderIndex(res, version, false);
+    })
+    .catch(function (error) {
+      // handle the throw (timeout)
+      console.log('Not connected to Cloud SQL', error);
+      RenderHelpers.renderIndex(res, version, false);
+    });
 });
 
-// initialize app
+// set up the default /api route
+app.use('/api', api({}));
+
+
+// EXPOSE APP using the API_HOST and API_PORT environment variables
 app.listen(process.env['API_PORT'], process.env['API_HOST']);
 console.log(`Running on http://${process.env['API_HOST']}:${process.env['API_PORT']}`);

forseti-api/server/api/index.js

@@ -39,13 +39,47 @@ export default ({
 		db
 	}));
 
+
+
+
+
+
 	// perhaps expose some API metadata at the root
 	api.get('/', (req, res) => {
 		console.log(req.session);
 
-		res.json({
-			version
-		});
+		// res.json({
+		// 	version
+		// });
+
+		let connection = new Telnet();
+
+		if (process.env['CLOUDSQL_HOSTNAME'] === '') {
+			res.render('error')
+		}
+
+		console.log('Attempting connection to: ' + process.env['CLOUDSQL_HOSTNAME']);
+
+		let params = {
+			host: process.env['CLOUDSQL_HOSTNAME'],
+			port: 3306,
+			negotiationMandatory: false,
+			timeout: 5000
+		};
+
+		connection.connect(params)
+			.then(function (prompt) {
+				console.log('Connected to Cloud SQL');
+				renderIndex(res, true);
+			}, function (error) {
+				console.log('Not connected to Cloud SQL', error);
+				renderIndex(res, false);
+			})
+			.catch(function (error) {
+				// handle the throw (timeout)
+				console.log('Not connected to Cloud SQL', error);
+				renderIndex(res, false);
+			});
 	});
 
 	return api;

forseti-api/server/render-helpers/index.js

@@ -0,0 +1,31 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+const title = 'Forseti Visualizer';
+export default {
+	renderIndex: function (res, version, canConnectToCloudSql) {
+		res.render('index', {
+			title: title,
+			version: version,
+			canConnectToCloudSql: canConnectToCloudSql
+		});
+	},
+	renderError: function (res, version, errorMsg) {
+		res.render('error', {
+			title: title,
+			version: version,
+			errorMsg: errorMsg
+		});
+	}
+};

forseti-api/views/error.pug

@@ -0,0 +1,19 @@
+html
+  head
+    title= title
+
+    link(href='https://fonts.googleapis.com/icon?family=Material+Icons', rel='stylesheet')
+    link(href='https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0-rc.2/css/materialize.min.css', rel='stylesheet')
+    style
+      include ../public/styles/style.css
+  body
+
+    div(class="container-fluid")
+        div(class="row")
+            div(class="col s12 m12", style={'text-align': 'center' })
+              h3 Forseti Visualizer API Error v#{version}
+              p(style={ color: 'red' }) An error has occurred.  Please confirm that you have run `source source.env` and that the environment variables are properly set.
+              img(src="/images/forseti-visibility-icon.svg", style={'text-align': 'center', height: '176px', width: '176px', 'border-radius': '50%'})
+
+    script(src="https://code.jquery.com/jquery-3.3.1.min.js")
+    script(src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0-rc.2/js/materialize.min.js")

forseti-api/views/index.pug

@@ -4,14 +4,29 @@ html
 
     link(href='https://fonts.googleapis.com/icon?family=Material+Icons', rel='stylesheet')
     link(href='https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0-rc.2/css/materialize.min.css', rel='stylesheet')
-
+    style
+      include ../public/styles/style.css
   body
 
     div(class="container-fluid")
         div(class="row")
             div(class="col s12 m12", style={'text-align': 'center' })
-              h3 Forseti API
-              img(src="/images/google_bear.jpg", style={'text-align': 'center', height: '176px', width: '176px', 'border-radius': '50%'})
+              h3 Forseti Visualizer API v#{version}
+              p Visualization API running on top of Forseti Security's Cloud SQL Database and GRPC API
+              img(src="/images/forseti-visibility-icon.svg", style={'text-align': 'center', height: '176px', width: '176px', 'border-radius': '50%'})
+
+        hr
+
+        div(class="row")
+            div(class="col s12 m12", style={'text-align': 'center' })
+              h3 Cloud SQL Connectivity Status
+              if canConnectToCloudSql
+                p Connectivity Status: 
+                p(style={ color: 'green' }) Connected
+              else
+                p Connectivity Status: 
+                p(style={ color: 'red' }) Disconnected
+              img(src="/images/cloud-sql-icon.png", style={'text-align': 'center', height: '176px', width: '176px', 'border-radius': '50%'})
 
     script(src="https://code.jquery.com/jquery-3.3.1.min.js")
     script(src="https://cdnjs.cloudflare.com/ajax/libs/materialize/1.0.0-rc.2/js/materialize.min.js")