feat: add cron job to disable xsrf token validation on subscribed tenants automatically (#107)

Author: reey

README.md

@@ -8,23 +8,15 @@ A sample usecase might be to access a configuration UI on your device or to e.g.
 
 ## Prerequisits & Limitations
 
-This functionality is heavily relying on the [Cloud Remote Access feature of Cumulocity](https://cumulocity.com/guides/cloud-remote-access/cra-general-aspects/).
+This functionality is heavily relying on the [Cloud Remote Access feature of Cumulocity](https://cumulocity.com/docs/cloud-remote-access/cra-general-aspects/).
 
 - The shell application that you are installing the UI plugin to should use at least version 1017+ of the Web SDK.
 
 - **PASSTHROUGH endpoint:** To use the proxy you need a remote access `PASSTHROUGH` endpoint configured on each of your devices you want to connect to. See [this guide](https://tech.forums.softwareag.com/t/how-to-get-started-with-cloud-remote-access-for-cumulocity-iot/258446#step-by-step-guide-to-setup-a-passthrough-connection-16) for further details.
 
-- **Tenant Authentication Method:** The desired tenant must be configured to use the [`OAI Secure` Authentication](https://cumulocity.com/guides/users-guide/administration/#authentication)
+- **Tenant Authentication Method:** The desired tenant must be configured to use the [`OAI Secure` Authentication](https://cumulocity.com/docs/authentication/basic-settings/#login-settings)
 
-- **Disable XSRF-Token validation**: The XSRF-Token validation of Cumulocity needs to be disabled for the tenant. Please check on your own if this might be a security concern for you: [Cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). To do this, the corresponding tenant option (category: `jwt`, key: `xsrf-validation.enabled`) must be set to `false`.
-
-  **Note**
-
-  If you're using [go-c8y-cli](https://goc8ycli.netlify.app/), then you can set the tenant option using the following command:
-
-  ```
-  c8y tenantoptions update --category jwt --key xsrf-validation.enabled --value false
-  ```
+- **Disable XSRF-Token validation**: The XSRF-Token validation of Cumulocity needs to be disabled for the tenant. Please check on your own if this might be a security concern for you: [Cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). To do this, the corresponding tenant option (category: `jwt`, key: `xsrf-validation.enabled`) must be set to `false`. The microservice will take care of disabling this on subscribed tenants automatically.
 
 - Requests through the proxy can be made via both HTTP and HTTPS. For requests made to an HTTPS server, the certificate of the server is not actually validated.
 
@@ -48,7 +40,7 @@ It's functionality can be described in the following steps:
 The UI plugin adds tabs on device level to the application it has been installed to.
 The UI detects remote access connections available for the device that have been prefixed with `http:` and use the `PASSTHROUGH` protocol.
 
-For instructions on how to install an UI plugin, please check [here](https://cumulocity.com/guides/users-guide/administration/#extensions).
+For instructions on how to install an UI plugin, please check [here](https://cumulocity.com/docs/standard-tenant/ecosystem/#extensions).
 
 ### Configuring a new connection
 

backend/cumulocity.json

@@ -9,7 +9,10 @@
   },
   "isolation": "MULTI_TENANT",
   "roles": [],
-  "requiredRoles": [],
+  "requiredRoles": [
+    "ROLE_OPTION_MANAGEMENT_READ",
+    "ROLE_OPTION_MANAGEMENT_ADMIN"
+  ],
   "livenessProbe": {
     "httpGet": {
       "path": "/health",

backend/package.json

@@ -23,7 +23,7 @@
     "typescript": "~5.5.2"
   },
   "dependencies": {
-    "@c8y/client": "1021.3.1",
+    "@c8y/client": "1021.54.6",
     "agentkeepalive": "^4.5.0",
     "cookie-parse": "^0.4.0",
     "cron": "^3.2.1",

backend/src/index.ts

@@ -11,6 +11,7 @@ import { RCAServerStore } from "./rca-server-store";
 import Agent from "agentkeepalive";
 import { HttpsAgent } from "agentkeepalive";
 import * as http from "http";
+import { BasicAuth, Client, ICredentials } from "@c8y/client";
 
 dotenv.config();
 
@@ -25,19 +26,91 @@ const serverStore = new RCAServerStore(logger);
 const agentOptions: Agent.HttpOptions = {
   timeout: 60_000, // active socket keepalive for 60 seconds
   freeSocketTimeout: 30_000, // free socket keepalive for 30 seconds
-}
+};
 const agents = {
   http: new Agent({
-    ...agentOptions
+    ...agentOptions,
   }),
   https: new HttpsAgent({
-    ...agentOptions
-  })
-}
+    ...agentOptions,
+  }),
+};
 
 logger.debug(JSON.stringify(process.env));
 const app = express();
 
+const tenantIdsWhereXSRFTokenValidationHasBeenDisabled = new Array<string>();
+async function disableXSRFTokenValidation() {
+  let subscriptions = new Array<ICredentials>();
+  try {
+    subscriptions = await Client.getMicroserviceSubscriptions(
+      {
+        tenant: process.env.C8Y_BOOTSTRAP_TENANT,
+        user: process.env.C8Y_BOOTSTRAP_USER,
+        password: process.env.C8Y_BOOTSTRAP_PASSWORD,
+      },
+      process.env.C8Y_BASEURL
+    );
+  } catch (e) {
+    logger.error("Failed to get subscriptions", { e });
+    return;
+  }
+
+  for (const subscription of subscriptions) {
+    const { tenant } = subscription;
+    try {
+      if (tenantIdsWhereXSRFTokenValidationHasBeenDisabled.includes(tenant)) {
+        logger.debug(
+          `XSRF token validation already disabled for tenant ${tenant}`
+        );
+        continue;
+      }
+
+      logger.debug(`Disabling XSRF token validation for tenant ${tenant}`);
+      const client = new Client(
+        new BasicAuth(subscription),
+        process.env.C8Y_BASEURL
+      );
+      const category = "jwt";
+      const key = "xsrf-validation.enabled";
+
+      const {
+        data: { value },
+      } = await client.options.tenant.detail({
+        category,
+        key,
+      });
+      if (value === "false" || <any>value === false) {
+        logger.info(`XSRF token validation already disabled for tenant ${tenant}`);
+        tenantIdsWhereXSRFTokenValidationHasBeenDisabled.push(tenant);
+        continue;
+      }
+      await client.options.tenant.update({
+        category: "jwt",
+        key: "xsrf-validation.enabled",
+        value: "false",
+      });
+
+      logger.info(`Disabled XSRF token validation for tenant ${tenant}`);
+      tenantIdsWhereXSRFTokenValidationHasBeenDisabled.push(tenant);
+    } catch (e) {
+      logger.warn(
+        `Failed to disable XSRF token validation for tenant ${tenant}`,
+        { e }
+      );
+    }
+  }
+}
+
+CronJob.from({
+  cronTime: "0 */5 * * * *",
+  onTick: async () => {
+    await disableXSRFTokenValidation();
+  },
+  start: true,
+  runOnInit: true,
+});
+
 app.get("/health", (req, res) => {
   res.status(200).json({
     memory: process.memoryUsage(),
@@ -47,10 +120,13 @@ app.get("/health", (req, res) => {
 });
 
 app.use((req, res, next) => {
-  if (req.headers.authorization || req.headers.cookie?.includes('authorization')) {
+  if (
+    req.headers.authorization ||
+    req.headers.cookie?.includes("authorization")
+  ) {
     return next();
   }
-  res.setHeader('WWW-Authenticate', 'Basic realm="My Realm"')
+  res.setHeader("WWW-Authenticate", 'Basic realm="My Realm"');
   res.status(401).send();
 });
 
@@ -116,18 +192,28 @@ function getRewriteOptions(
     changeOrigin: !hasCustomHost,
     protocolRewrite: (req.headers["x-forwarded-proto"] as string) || "http",
     cookieDomainRewrite:
-        typeof forwardedHost === "string" ? `.${forwardedHost.replace(/:.*$/, '')}` : undefined,
-    cookiePathRewrite: `/service/cloud-http-proxy${secure ? '/s' : ''}/${req.params.cloudProxyDeviceId}/${req.params.cloudProxyConfigId}/`,
+      typeof forwardedHost === "string"
+        ? `.${forwardedHost.replace(/:.*$/, "")}`
+        : undefined,
+    cookiePathRewrite: `/service/cloud-http-proxy${secure ? "/s" : ""}/${
+      req.params.cloudProxyDeviceId
+    }/${req.params.cloudProxyConfigId}/`,
   };
 }
 
-function hasCustomHostHeader(req: express.Request, deviceId: string, configId: string) {
+function hasCustomHostHeader(
+  req: express.Request,
+  deviceId: string,
+  configId: string
+) {
   const headerToLookoutFor = `rca-http-header-host-${deviceId}-${configId}`;
   return !!req.headers[headerToLookoutFor];
 }
 
-function prefixCookiesToBeSet(proxy: Server<http.IncomingMessage, http.ServerResponse<http.IncomingMessage>>) {
-  proxy.on('proxyRes', (response) => {
+function prefixCookiesToBeSet(
+  proxy: Server<http.IncomingMessage, http.ServerResponse<http.IncomingMessage>>
+) {
+  proxy.on("proxyRes", (response) => {
     const cookiesToSet = response.headers["set-cookie"];
     if (!cookiesToSet?.length) {
       return;
@@ -149,7 +235,11 @@ app.use("/s/:cloudProxyDeviceId/:cloudProxyConfigId/", async (req, res) => {
   });
 
   try {
-    const hasCustomHost = hasCustomHostHeader(req, req.params.cloudProxyDeviceId, req.params.cloudProxyConfigId);
+    const hasCustomHost = hasCustomHostHeader(
+      req,
+      req.params.cloudProxyDeviceId,
+      req.params.cloudProxyConfigId
+    );
     const target = await getTarget(req, requestLogger, true);
     const rewriteOptions = getRewriteOptions(req, true, hasCustomHost);
     const proxy = createProxyServer({
@@ -196,7 +286,11 @@ app.use("/:cloudProxyDeviceId/:cloudProxyConfigId/", async (req, res) => {
   });
 
   try {
-    const hasCustomHost = hasCustomHostHeader(req, req.params.cloudProxyDeviceId, req.params.cloudProxyConfigId);
+    const hasCustomHost = hasCustomHostHeader(
+      req,
+      req.params.cloudProxyDeviceId,
+      req.params.cloudProxyConfigId
+    );
     const target = await getTarget(req, requestLogger);
     const rewriteOptions = getRewriteOptions(req, true, hasCustomHost);
     const proxy = createProxyServer({
@@ -254,4 +348,3 @@ if (!process.env.NO_STATISTICS) {
     start: true,
   });
 }
-

frontend/cumulocity.config.ts

@@ -39,7 +39,6 @@ export default {
       '@angular/platform-browser',
       '@angular/platform-browser-dynamic',
       '@angular/router',
-      '@angular/upgrade',
       '@c8y/client',
       '@c8y/ngx-components',
       'ngx-bootstrap',

frontend/package.json

@@ -31,10 +31,10 @@
     "@angular/platform-browser": "^18.2.0",
     "@angular/platform-browser-dynamic": "^18.2.0",
     "@angular/router": "^18.2.0",
-    "@c8y/bootstrap": "1021.3.1",
-    "@c8y/client": "1021.3.1",
-    "@c8y/ngx-components": "1021.3.1",
-    "@c8y/style": "1021.3.1",
+    "@c8y/bootstrap": "1021.54.6",
+    "@c8y/client": "1021.54.6",
+    "@c8y/ngx-components": "1021.54.6",
+    "@c8y/style": "1021.54.6",
     "ngx-bootstrap": "18.0.0",
     "rxjs": "^7.8.1",
     "tslib": "^2.3.0",
@@ -44,8 +44,8 @@
     "@angular-devkit/build-angular": "^18.2.10",
     "@angular/cli": "^18.2.10",
     "@angular/compiler-cli": "^18.2.0",
-    "@c8y/devkit": "1021.3.1",
-    "@c8y/options": "1021.3.1",
+    "@c8y/devkit": "1021.54.6",
+    "@c8y/options": "1021.54.6",
     "@types/jasmine": "~4.3.0",
     "jasmine-core": "~5.2.0",
     "karma": "~6.4.0",