• This repository has been archived on 20/Aug/2022
  • Stars
    star
    125
  • Rank 286,335 (Top 6 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created about 8 years ago
  • Updated almost 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Open source Access Manager for node.js

Udaru

Greenkeeper badge npm travis coveralls snyk

Udaru Udaru is a Policy Based Access Control (PBAC) authorization module. It supports Organizations, Teams and User entities that are used to build the access model. The policies attached to these entities define the 'Actions' that can be performed by an entity on various 'Resources'.

See the Udaru website for complete documentation on Udaru.

This repository is home to Udaru's three main modules:

Module Package
@nearform/udaru-core ./packages/udaru-core
@nearform/udaru-hapi-plugin (for Hapi v17 and above) ./packages/udaru-hapi-plugin
@nearform/udaru-hapi-16-plugin (for Hapi v16) ./packages/udaru-hapi-16-plugin
@nearform/udaru-hapi-server (for Hapi v16) ./packages/udaru-hapi-server

Database support

Udaru requires an instance of Postgres (version 9.5+) to function correctly. For simplicity, a preconfigured docker-compose file has been provided. To run:

docker-compose up
  • Note: Ensure you are using the latest version of Docker for (Linux/OSX/Windows)
  • Note: Udaru needs PostgreSQL >= 9.5

Populate the database

The Authorization database, system user and initial tables can be created by executing:

npm run pg:init

Test data can be added with:

npm run pg:load-test-data
  • Note: Running a test or coverage command will auto run these commands

Volume data set installation and bench tests

The Authorization database can be further initialized with a larger volume of data, which can be tested using autocannon bench tests in order to demonstrate the potential throughput of the authorization API.

To populate the database with volume data, execute the following command:

npm run pg:init-volume-db
  • Note: Running this command will auto run the standard database population commands also

All volume data sits under the organization 'CONCH' and has the following default setup:

  • 500 teams
  • 100 users per team (the first of every 100 being the parent of subsequent 99)
  • 10 policies per team

After loading the data, the autocannon bench tests can be run by executing:

npm run bench:volume

This will run 15 second autocannon tests, which fire multiple concurrent requests at 2 frequently used endpoints. This results in the database being queried randomly across the entire set of data giving a good indication of average end-to-end latency and potential requests per second for a database containing 50K users.

pgAdmin database access

As the Postgresql docker container has its 5432 port forwarded on the local machine the database can be accessed with pgAdmin.

To access the database using the pgAdmin you have to fill in also the container IP beside the database names and access credentials. The container IP can be seen with docker ps. Use IP 127.0.0.1 and use postgres as username/password to connect to database server.

Migrations

We use postgrator for database migrations. You can find the sql files in the database/migrations folder. To run the migrations manually:

node packages/udaru-core/database/migrate.js --version=<version>`
  • Note: Running the tests or init commands will automaticaly bring the db to the latest version.

To get more information see Service Api documentation

Setup SuperUser

The init script needs to be run in order to setup the SuperUser: node packages/udaru-core/scripts/init

If you want to specify a better SuperUser id (default is SuperUserId) you can prefix the script as follow:

UDARU_SERVICE_authorization_superUser_id=myComplexId12345 node packages/udaru-core/scripts/init
  • Note: if you have already ran some tests or loaded the test data, you will need to run npm run pg:init again to reset the db.

Load policies from file

Run the following script to load policies:

Usage: node packages/udaru-core/scripts/loadPolicies --org=FOO policies.json

JSON structure:

{
  "policies": [
    {
      "id": "unique-string", // <== optional
      "version": "",
      "name": "policy name",
      "organizationId": "your_organization" // <== optional, if present will override the "--org=FOO" parameter
      "statements": [
        {
          "Effect": "Allow/Deny",
          "Action": "act",
          "Resource": "res"
        },
        { /*...*/ }
      ]
    },
    { /*...*/ }
  ]
}

Documentation

The Udaru documentation site can be found at nearform.github.io/udaru.

Swagger API Documentation

The Swagger API documentation gives explanations on the exposed API. The documentation can be found at nearform.github.io/udaru/swagger/.

It is also possible to access the Swagger documentation from Udaru itself. Simply start the server:

npm run start

and then go to http://localhost:8080/documentation

The Swagger documentation also gives the ability to execute calls to the API and see their results. If you're using the test database, you can use 'ROOTid' as the required authorization parameter and 'WONKA' as the organisation.

ENV variables to set configuration options

There are three default configuration files, one per "level": packages/udaru-core/config.js, packages/udaru-hapi-16-plugin/config.js and packages/udaru-server/config.js.

They are cumulative: when running udaru as a standalone server all the three files will be loaded; when using it as an Hapi plugin, plugin and core will be loaded.

This configuration is the one used in dev environment and we are quite sure the production one will be different :) To override this configuration you can:

  • provide a config object when using it as a standalone module or hapi server
  • ENV variables on the server/container/machine you will run Udaru on.

Config object

Standalone module

const buildUdaru = require('@nearform/udaru-core')
const udaru = buildUdaru(dbPool, {
  logger: {
    pino: {
      level: 'warn'
    }
  }
}})

Hapi plugin

async function () {
  const server = Hapi.Server()
  const UdaruPlugin = require('@nearform/udaru-hapi-plugin')

  await server.register({
    plugin: UdaruPlugin,
    options: {dbPool, config: {
      api: {
        servicekeys: {
          private: ['123456789']
        }
      }
  }}})

  await server.start()

  return server
}

Hapi 16 plugin

const Hapi = require('hapi')
const UdaruPlugin = require('@nearform/udaru-hapi-16-plugin')
const server = new Hapi.server()
server.register({
  register: UdaruPlugin,
  options: {dbPool, config: {
    api: {
      servicekeys: {
        private: ['123456789']
      }
    }
}}})

ENV variable override

UDARU_SERVICE_security_api_servicekeys_private_0=jerfkgfjdedfkg3j213i43u31jk2erwegjndf

To achieve this we use the reconfig module.

Testing, benching & linting

Before running tests, ensure a valid Postgres database is running. The simplest way to do this is via Docker. Assuming docker is installed on your machine, in the root folder, run:

docker-compose up -d

This will start a Postgres database. Running test or coverage runs will automatically populate the database with the information it needs.

  • Note: you can tail the Postgres logs if needed with docker-compose logs --tail=100 -f

To run tests:

npm run test
  • Note: running the tests will output duplicate keys errors in Postgres logs, this is expected, as the error handling of those cases is part of what is tested.

To lint the repository:

npm run lint

To fix (most) linting issues:

npm run lint -- --fix

To run a bench test on a given route:

npm run bench -- "METHOD swagger/route/template/path"

To create coverage reports:

npm run coverage

To populate the database with large volume of data:

npm run pg:init-volume-db

To run bench test against populated volume data (2 endpoints)

npm run bench:volume

For convenience, you can load the volume db and run the bench tests with the single command.

npm run bench:load-volume

This command will:

  • initialise the db & migrate to latest db schema
  • load the standard test fixtures
  • load the volume fixtures
  • spawn an instance of udaru server
  • run the autocannon tests & display results
  • shut down

Security

Udaru has been thoroughly evaluated against SQL injection, a detailed description of this can be found in the SQL Injection document.

To automatically run sqlmap injection tests run:

npm run test:security
  • Note: before running this, make sure you have a version of Python 2.x installed in your path.

These tests are not included in the main test suite. The security test spawns a hapi.js server exposing the Udaru routes. It only needs the DB to be running and being initialized with data.

The injection tests can be configured in the sqlmap config. A few output configuration changes that can be made:

  • level can be set to 5 for more aggressive testing
  • risk can be set to 3 for more testing options. Note: this level might alter the DB data
  • verbose can be set to level 1-5. Level 1 displays info about the injections tried

See the sqlmap repository for more details.

Also, Udaru, has some additional security related (penetration) testing available through npm commands based on OWASP Zed Attack Proxy. End results of the scans are stored as HTML reports in the Udaru documentation and should be reviewed manually post execution.

Note: before running this, make sure you have a Docker installed and the weekly Zed Attack proxy might take quite a bit to download (1,5GB + in size). Also note that the API scan is very thorough, extensive and takes quite some time to complete (45+ mins).

To run the baseline scan:

npm run test:security:pentest:baseline

To run the API attack scan:

npm run test:security:pentest:api

To run both:

npm run test:security:pentest

License

Copyright nearForm Ltd 2017-2018. Licensed under MIT license.

More Repositories

1

graphql-hooks

🎣 Minimal hooks-first GraphQL client
TypeScript
1,878
star
2

temporal_tables

Postgresql temporal_tables extension in PL/pgSQL, without the need for external c extension.
PLpgSQL
429
star
3

fast-jwt

Fast JSON Web Token implementation
JavaScript
330
star
4

nscale

Deployment just got easy
JavaScript
325
star
5

react-animation

Animation components and styles for React projects
JavaScript
285
star
6

sql

SQL injection protection module
JavaScript
201
star
7

react-browser-hooks

React Browser Hooks
JavaScript
128
star
8

node-cephes

Implementation of special functions and distributions mathematical functions from the cephes library.
C
115
star
9

the-fastify-workshop

A workshop about Fastify
JavaScript
113
star
10

gammaray

Node.js vulnerability scanner
Go
104
star
11

autopsy

dissect your dead node services with mdb via a smart os vm
JavaScript
89
star
12

fastify-auth0-verify

Auth0 verification plugin for Fastify
JavaScript
87
star
13

titus

Deploy useful features in sprint one
JavaScript
61
star
14

micro-services-tutorial-iot

An instructor led microservices workshop
JavaScript
54
star
15

developing-microservices

A workshop on microservices in nodejs
JavaScript
54
star
16

heap-profiler

Heap dump and sample profiler generator for Node.
JavaScript
52
star
17

docker-cloudwatch

Docker Cloudwatch
JavaScript
46
star
18

promises-workshop

Broken Promises Exercises
HTML
45
star
19

polaris

NearForm multi-platform application accelerator
JavaScript
35
star
20

nscale-workshop

Nodeconf.eu nscale workshop
35
star
21

well

well
JavaScript
35
star
22

nceubadge

The NodeConf EU 2017 Badge
HTML
34
star
23

owasp-top-ten-workshop

NearForm OWASP Top Ten Security Vulnerabilities Workshop
JavaScript
34
star
24

graphql-auto-federate

Automatically federate a Mercurius GraphQL service
JavaScript
32
star
25

trail

Audit trail log service
JavaScript
32
star
26

slow-rest-api

A REST API that is slow
HTML
31
star
27

stats

📊 Collect stats about your node.js process 📊
JavaScript
29
star
28

node-hidden-markov-model-tf

A trainable Hidden Markov Model with Gaussian emissions using TensorFlow.js
JavaScript
28
star
29

autocannon-ui

A graphical user interface for autocannon providing the same user experience
JavaScript
28
star
30

react-pwa

Hackernews Progressive Web Application built with React
JavaScript
28
star
31

open-banking-reference-app

NearForm reference application for open banking - https://community.nearform.com/api-banking
TypeScript
27
star
32

react-redux-typescript-saga-immutable

Sample React boilerplate written in TypeScript, including React Router, Redux, Redux Saga, ImmutableJS and Styled Components.
TypeScript
27
star
33

fastify-overview-ui

UI for fastify-overview
JavaScript
26
star
34

minishift-demo

Demo for local development using minishift
Shell
25
star
35

reviewbot

A bot to assist with code reviews via AI
JavaScript
25
star
36

get-jwks

Fetch utils for JWKS keys
JavaScript
23
star
37

sharing-components

JavaScript
23
star
38

tf-modules-example

Code example for the reusable, configurable Terraform modules blog post
HCL
22
star
39

aws-proxy-pattern

Terraform module to create a transparent proxy within AWS
HCL
20
star
40

openapi-transformer-toolkit

Automate design-first API workflows by generating schemas and types from OpenAPI specs.
TypeScript
20
star
41

fastify-casbin

A plugin for Fastify that adds support for Casbin
JavaScript
19
star
42

the-graphql-workshop

A workshop about GraphQL with mercurius
JavaScript
18
star
43

choo-pwa

PWA with Choo
JavaScript
17
star
44

no-gres

A small module to mock pg for testing purposes.
JavaScript
17
star
45

nscale-docs

Documentation for nscale
17
star
46

optic

App for generating OTP tokens for 2FA protected accounts
JavaScript
17
star
47

initium-platform

A set of Kubernetes add-ons with optimal configuration and test coverage to create a day zero platform for your code
Go
16
star
48

optic-release-automation-action

Automate the release process of your npm modules, apps and actions
JavaScript
15
star
49

brokeneck

Admin UI for Auth0, Azure AD and AWS Cognito
JavaScript
15
star
50

node-test-runner-workshop

The Node.js Test Runner Workshop
JavaScript
14
star
51

graphql-hooks-workshop

HTML
14
star
52

react-patterns-workshop

A workshop which covers intermediate and advanced React usage patterns
JavaScript
14
star
53

node-test-github-reporter

A GitHub test reporter for the Node.js test runner
JavaScript
14
star
54

mira

The Mira Accelerator fast-tracks the setup of common Amazon Web Services (AWS) Serverless infrastructure
TypeScript
13
star
55

react-native-apple-wallet-demo

Create Custom Apple Wallet Passes with React Native and Fastify
JavaScript
13
star
56

langchain-google-calendar

A spike project: allows natural language to create actions in Google Calendar
TypeScript
12
star
57

fastify-casbin-rest

A plugin for Fastify that adds support for Casbin's REST model
JavaScript
12
star
58

cloudwatchlogs-stream

Stream interfacet to CloudWatch Logs
JavaScript
11
star
59

mercurius-apollo-registry

A Mercurius plugin for schema reporting to Apollo Studio
JavaScript
11
star
60

leaistic

An ElasticSearch manager
JavaScript
11
star
61

stats-to-elasticsearch

Collect and send stats about your node.js process to elasticsearch. 📊🔌📈
JavaScript
10
star
62

nceubadge2018

NodeConf EU 2018 Badge code and hardware design files
JavaScript
10
star
63

openshift-kafka

Run Apache Kafka in Openshift Origin
Smarty
10
star
64

create-stats-dashboard

📈 A wrapper to create and initialise a stats dashboard on kibana using import-kibana-dashboard, for easy manipulation of stats sent via stats-to-elasticsearch 📉
JavaScript
10
star
65

fastify-mssql

MSSQL Plugin for Fastify
JavaScript
10
star
66

mercurius-explain

A Mercurius plugin that shows the execution time of each resolver in a query
JavaScript
10
star
67

the-micro-frontends-workshop

The Micro Frontends Workshop with Module Federation
JavaScript
9
star
68

commentami

A 'google docs' like commenting system
JavaScript
9
star
69

zoom-shuffle-bot

Zoom Chatbot used to retrieve a randomized list of your current meeting's participants
JavaScript
9
star
70

jsnation-node-workshop

Our workshop at JSNation 2019
JavaScript
9
star
71

optic-expo

Secure 2FA OTP via Mobile Push Notifications
TypeScript
8
star
72

choo-data

Simple data fetching plugin for Choo with server-side rendering support
JavaScript
8
star
73

nodeconfeu-gesture-models

Ongoing attempts at gesture models
C++
8
star
74

slack-knowledgebase-chatgpt-responder

ChatGPT powered slack responder to the questions that are about NearForm knowledge base
JavaScript
8
star
75

initium

Deploy your code on day zero, avoiding vendor lock-in.
7
star
76

playwright-firebase

A plugin to handle Firebase authentication in Playwright tests
TypeScript
7
star
77

docker-container

JavaScript
7
star
78

otlp-blueprint

Open Telemetry + Jaeger + 3-tier application Blueprint
HCL
7
star
79

pwa-poc

PWA for proof of concept for sharing images, qrcode scanning and geolocation from a PWA
JavaScript
7
star
80

slidev-theme-nearform

NearForm theme for sli.dev presentations
CSS
6
star
81

saluki

Utility based CSS-in-JS theming
JavaScript
6
star
82

fastify-secrets-aws

Fastify secrets plugin for AWS Secrets Manager
JavaScript
6
star
83

fastify-cloud-run

Fastify on Google Cloud Run
JavaScript
6
star
84

iot-system

A fuge config for a demo iot system
JavaScript
6
star
85

fastify-slow-down

A slow down plugin for fastify
JavaScript
6
star
86

github-action-check-linked-issues

GitHub action to check if pull requests have their corresponding issues.
JavaScript
6
star
87

github-board-slack-notifications

Send notifications to a Slack channel for any changes that are performed in a GitHub board (Projects v2 / beta)
JavaScript
6
star
88

openshift-ansible

Ansible code for openshift
Python
5
star
89

fastify-jwt-jwks

JSON Web Key Set (JWKS) verification plugin for Fastify
JavaScript
5
star
90

memleak-exercise

JavaScript
5
star
91

github-action-notify-release

GitHub Action that automatically creates an issue with an overview of the commits that are waiting to be released
JavaScript
5
star
92

fastify-ravendb

Fastify RavenDB connection plugin
JavaScript
5
star
93

fastify-secrets-azure

Fastify secrets plugin for Azure Key Vault
JavaScript
5
star
94

anger

pub-sub tester for Nes
JavaScript
5
star
95

choo-bundles

Bundle splitting with HTTP2 push support for Choo with choo-ssr
JavaScript
5
star
96

sentinel

Sentinel - a testing & monitoring application
JavaScript
5
star
97

mercurius-explain-graphiql-plugin

A Graphiql plugin to show the results from mercurius-explain
JavaScript
5
star
98

azure-workshop

Azure Workshop on Kubernetes
JavaScript
5
star
99

webinar-streams

Examples for the streams Webinar
JavaScript
4
star
100

initium-cli

CLI tool for the Initium project
Go
4
star