Apply end to end security to securely store files
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
.bluemix
public
scripts
.dockerignore
.gitignore
Architecture.png
Dockerfile
License.txt
Notice.txt
README.md
app.js
credentials.template.env
package-lock.json
package.json
secure-file-storage.template.yaml

README.md

Apply end to end security to a cloud application

The repository features a sample application that enables groups of users to upload files to a common storage pool and to provide access to those files via shareable links. The application is written in Node.js and deployed as Docker container to the IBM Cloud Kubernetes service. It leverages several security-related services and features to improve app security. It includes data encrypted with your own keys, user authentication, and security auditing.

Refer to this tutorial for instructions.

Architecture

  1. The user connects to the application.
  2. App ID secures the application and redirects the user to the authentication page. Users can sign up from there too.
  3. The application is running in a Kubernetes cluster from an image stored in the container registry. The image is automatically scanned for vulnerabilities.
  4. Files uploaded by the user are stored in Cloud Object Storage.
  5. The bucket where the files are stored is using a user-provided key to encrypt the data.
  6. All activities related to managing the solution are logged by Activity Tracker.

Deploy with a toolchain

This project comes with a partially automated toolchain capable of deploying the application to IBM Cloud while provisioning all required services.

Prerequisites

  1. Create a standard Kubernetes cluster

  2. Create a registry namespace

  3. Optionally create a specific resource group for this project

And then

Create toolchain

Once the toolchain has completed, the application will be available at https://secure-file-storage.<your-cluster-ingress-domain>.

The toolchain includes a stage named UNINSTALL (manual). This stage can only be triggered manually and will remove all resources created by the toolchain (app and services).

Code Structure

File Description
app.js Implementation of the application.
credentials.template.env To be copied to credentials.env and filled with credentials to access services. credentials.env is used when running the app locally and to create a Kubernetes secret before deploying the application to a cluster manually.
Dockerfile Docker image description file.
secure-file-storage.template.yaml Kubernetes deployment file with placeholders. To be copied to secure-file-storage.yaml and edited to match your environment.

To test locally

  1. Follow the tutorial instructions to have the app deployed to a cluster. Specially the sections to create all the services and to populate the credentials.env file.
  2. Access the tokens with https://secure-file-storage.<INGRESS_SUBDOMAIN>/api/tokens. This will shows the raw App ID authorization header together with the decode JWT tokens for your session.
  3. In your local shell:
    export TEST_AUTHORIZATION_HEADER="<value of the header attribute 'Bearer ... ...'>"
    
  4. npm start

License

See License.txt for license information.