Initial commit

- Initial open source release of eVaka

Author: ci-evaka

.circleci/config.yml

@@ -0,0 +1 @@
+* text=auto

.gitattributes

@@ -0,0 +1,31 @@
+#### Summary
+<!-- Describe the change, including rationale and design decisions (not just what but also why) -->
+
+#### Dependencies
+<!-- Describe the dependencies the change has on other repositories, pull requests etc. -->
+
+#### Testing instructions
+<!-- Describe how the change can be tested, e.g., steps and tools to use -->
+
+#### Checklist for pull request creator
+<!-- Check that the necessary steps have been done before the PR is created -->
+
+- [ ] The code is consistent with the existing code base
+- [ ] Tests have been written for the change (e2e, integration tests)
+- [ ] The change has been tested locally
+- [ ] The change conforms to the UX specifications
+- [ ] The code is self-documenting or has been documented sufficiently, e.g., in the README
+- [ ] The branch has been rebased against master before the PR was created
+
+#### Checklist for pull request reviewer (copy to review text box)
+<!-- Check that the necessary steps have been done in the review. Copy the template beneath for the review. -->
+
+```
+- [ ] All changes in all changed files have been reviewed
+- [ ] The code is consistent with the existing code base
+- [ ] Tests have been written for the change (e2e, integration tests)
+- [ ] The change has been tested locally
+- [ ] The change conforms to the UX specifications
+- [ ] The code is self-documenting or has been documented sufficiently, e.g., in the README
+- [ ] The PR branch has been rebased against master and force pushed if necessary before merging
+```

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,15 @@
+# Dependabot configuration: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
+
+version: 2
+# NOTE: Gradle Kotlin support is still missing: https://github.com/dependabot/dependabot-core/issues/2238
+# NOTE: There's no "security updates only" for Docker: https://github.com/dependabot/dependabot-core/issues/1971
+#       and there's no support for OS packages: https://github.com/dependabot/dependabot-core/issues/2129
+updates:
+- package-ecosystem: docker
+  directory: "/evaka-base"
+  schedule:
+    interval: weekly
+- package-ecosystem: docker
+  directory: "/proxy"
+  schedule:
+    interval: weekly

.github/dependabot.yml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+# OSX
+.DS_Store
+
+# IDEs
+/.vscode/
+/.idea/

.gitignore

@@ -0,0 +1,15 @@
+<!--
+SPDX-FileCopyrightText: 2017-2020 City of Espoo
+
+SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+# Contribution guide
+
+We appreciate your interest in contributing to this project.
+eVaka project is currently in a very active development phase. Due to this, the core development
+team may be unable to process or accept any contributions at this stage.
+
+We will establish contribution guidelines regarding e.g. how to create pull requests, what code
+conventions to use etc. in the upcoming months. This file will be updated accordingly, once the
+team is capable of accepting contributions. Thank you.

CONTRIBUTING.md

@@ -0,0 +1,58 @@
+<!--
+SPDX-FileCopyrightText: 2017-2020 City of Espoo
+
+SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+# eVaka – ERP for early childhood education
+
+This is eVaka – an ERP system developed for early childhood education in
+Finland. It is a web application developed using modern technologies and
+designed to be deployed in cloud environment.
+
+**Caution:** eVaka is currently under very active development. At this 
+point, it is not yet adviced to start developing or running your custom 
+solution based on this project. Most likely, the project will evolve 
+considerably before reaching more stable phase. Please refer to 
+project's roadmap for further information regarding development plans.
+However, feel free to explore the project and try running it locally.
+
+## How to get started
+
+For development purposes, the application can be run locally on your
+development machine. See further instructions in the
+[README](compose/README.md) file of the `compose/` directory.
+
+The applications consists of several sub-projects:
+
+- [`apigw`](apigw/) – API gateway, responsible for handling authentication and routing requests to backend services
+- [`frontend`](frontend/) – User interfaces for the citizens and 
+employees
+- [`service`](service/) – All the business logic, e.g. handling early 
+childhood education application process and daily work in daycare
+- [`message-service`](message-service/) – Service for sending messages 
+via [Suomi.fi Messages](https://www.suomi.fi/messages) service
+- [`compose`](compose/) – Tooling for running application in local 
+development environment, using e.g. [Docker](https://www.docker.com)
+- [`proxy`](proxy/) – [Nginx](https://www.nginx.com) image for proxying 
+fronetend requests to services
+- [`service-lib`](service-lib/) – A common library shared with `service` and 
+`message-service` projects
+
+## Contributing
+
+Please refer to [CONTRIBUTING.md](CONTRIBUTING.md) for further 
+instructions regarding code contributions.
+
+## Security issues
+
+In case you notice any information security related issue in our 
+services, or you have an idea how to improve information security,
+please contact us by email at [tietoturva@espoo.fi](tietoturva@espoo.fi)
+
+## License
+
+eVaka is published under **LGPL-2.1-or-later** license. Please refer to 
+[LICENSE](LICENSE) for further details.
+
+## Contact information

LICENSE

@@ -0,0 +1,13 @@
+<!--
+SPDX-FileCopyrightText: 2017-2020 City of Espoo
+
+SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you notice anything that may affect the information security of our services
+or you have ideas on how to improve information security, please contact
+**[tietoturva@espoo.fi](mailto:tietoturva@espoo.fi)**.

LICENSES/LGPL-2.1-or-later.txt

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+*
+!dist
+!config/certificates
+!package.json
+!yarn.lock
+!entrypoint.sh

README.md

@@ -0,0 +1,18 @@
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+node_modules/
+.cache/
+.idea/
+dist/
+*~
+*.bak
+*.log
+*.swp
+*.tmp
+*.iml
+.npmrc
+build/
+test-reports/
+.vscode

SECURITY.md

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+FROM evaka-base:latest
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+USER root
+RUN set -euxo pipefail \
+    && apt-get update && apt-get -y --no-install-recommends install \
+       curl=7.68.* \
+       gnupg2=2.2.* \
+    && curl -sL https://deb.nodesource.com/setup_12.x | bash - \
+    && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - \
+    && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list \
+    && apt-get update && apt-get -y --no-install-recommends install \
+       nodejs \
+       yarn=1.22.* \
+    && rm -rf /var/lib/apt/lists/*
+
+USER evaka
+WORKDIR /home/evaka
+
+ENV NODE_ENV production
+COPY --chown=evaka:evaka . .
+RUN yarn install --production --frozen-lockfile && \
+    yarn cache clean
+
+# Add build and commit environment variables and labels
+# for tracing the image to the commit and build from which the image has been built.
+ARG build=none
+ARG commit=none
+ENV APP_BUILD "$build"
+ENV APP_COMMIT "$commit"
+LABEL fi.espoo.build="$build" \
+      fi.espoo.commit="$commit"
+
+ENTRYPOINT ["./entrypoint.sh"]
+CMD ["node", "dist/index.js"]

apigw/.dockerignore

@@ -0,0 +1,144 @@
+<!--
+SPDX-FileCopyrightText: 2017-2020 City of Espoo
+
+SPDX-License-Identifier: LGPL-2.1-or-later
+-->
+
+# evaka-api-gateways
+
+Gateway between eVaka frontends and backend services
+
+* enduser gateway
+* internal gateway
+
+## Requirements
+
+* Node version 10.16
+* Yarn version 1.16
+
+The service requires redis running on port 6379. Easiest way is to run it with [compose](../compose/README.md) command
+
+```bash
+docker-compose up -d redis
+```
+
+## Development
+
+Install dependencies
+
+```bash
+yarn
+```
+
+Start development server with hot reloading. Requires running backend services.
+
+```bash
+yarn dev
+```
+
+Run tests
+
+```bash
+yarn test
+```
+
+Lint with auto-fix
+
+```bash
+yarn lint
+yarn lint-fix
+```
+
+## Generated JWTs for local testing
+
+If you need a JWT to test a service API locally, you can generate tokens for each gateway with:
+
+```bash
+NODE_ENV=local npx ts-node generate-jwts.ts
+```
+
+The JWTs by default includes all user roles, but you can edit the `generate-jwts.ts` to remove some of them, if you need to test that only certain roles are authorized to access an endpoint.
+
+## Run with Docker
+
+To run with Docker Compose, check the instructions in [compose README](../compose/README.md).
+You can build a local image by running
+
+```bash
+./build-docker.sh
+```
+
+## Keys
+
+Each gateway needs a set of keys to communicate with evaka services. New keys can be generated as follows:
+
+```bash
+openssl genpkey -out jwk_private_key.pem -algorithm RSA -pkeyopt rsa_keygen_bits:4096
+openssl rsa -in jwk_private_key.pem -pubout > jwk_public_key.pem
+```
+
+The public key can be converted to jwk-format with
+
+```bash
+npx pem-jwk jwk_public_key.pem > public.jwk
+```
+
+You then need to add `"kid": <service name>` pair to the `public.jwk` contents, eg.
+
+```json
+{
+    "kid": "evaka-internal-gw",
+    "kty": "RSA",
+    "n": ...,
+    "e": "AQAB"
+}
+```
+
+The pem files must be put into a **private** S3 buckets accessible to the services, into gateway-specific directories
+like: `s3://my-deployment-bucket-<env>/<gateway>/`. The contents of `public.jwk` must be copied into each related
+service's `keys` list in `jwks.json`, which should be similarly found in `s3://my-deployment-bucket-<env>/<service>/`.
+
+You can put the generated files to `dev` environment's bucket with e.g.:
+
+```bash
+# For Voltti environments, you can find the bucket ID from Terraform output
+export DEPLOYMENT_BUCKET=<REPLACE ME>
+echo aws s3 cp jwks.json "s3://${DEPLOYMENT_BUCKET}/evaka-srv/jwks.json"
+for VER in public private; do
+    echo aws s3 cp "jwk_${VER}_key.pem" "s3://${DEPLOYMENT_BUCKET}/internal-gw/jwk_${VER}_key.pem"
+done
+```
+
+Same goes for `test`, `staging` and `prod` but *be sure to use different keys* in all environments.
+
+## Authentication and session
+
+Session data is store in ElastiCache for Redis. Session includes the logged in user details required by passport
+and SAML to log out the user with Single Sign Out. The session also stores the user UUID. Downstream calls are
+authenticated with JWK-signed JWT:s that contain the user ID. To add an authentication header to a downstream call
+use the `createAuthHeaders(user)` function from `shared/auth/index.ts`. The user parameter is the user object
+from a logged in session (available at `req.user`).
+
+## Security
+
+### Headers
+
+The project uses Helmet to set sane default headers and remove unsafe headers set by Express. Many of these headers
+are already set at the proxy, but helmet was chosen to be kept with a default setting to incorporate possible additions
+that don't get updated to the proxy.
+
+### XSRF Protection
+
+After login an `XSRF-TOKEN` cookie is set with a random token value. The csurf middleware check all incoming traffic
+with HTTP POST methods for headers containing the token. Axios HTTP client automatically recognizes this cookie and
+send a `X-XSRF-TOKEN` header with the cookie value.
+
+Since the domain of the service is shared among multiple services all with different sessions and XSRF cookies. Some
+requests might fail when browsing multiple application simultaneously.
+
+### Session handling
+
+The session identifier of the login cookie is rolled after login to mitigate session fixation attacks.
+
+The session cookie is set without the secure flag, since the connection to the proxy is not secured and Express refuses
+to set the cookie. The cookie flag is ultimately set at the proxy.

apigw/.gitignore

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+# SPDX-FileCopyrightText: 2017-2020 City of Espoo
+#
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+set -euo pipefail
+
+DOCKER_IMAGE=${DOCKER_IMAGE:-evaka/api-gateway}
+DOCKER_TAG=${DOCKER_TAG:-local}
+GIT_SHA=$(git rev-parse HEAD)
+
+yarn build
+
+docker build --build-arg commit="${GIT_SHA}" --build-arg build=local -t "${DOCKER_IMAGE}" .
+docker tag "${DOCKER_IMAGE}" "${DOCKER_IMAGE}:${DOCKER_TAG}"
+docker tag "${DOCKER_IMAGE}:${DOCKER_TAG}" "${DOCKER_IMAGE}:${GIT_SHA}"