CI/CD and Security fixes

.circleci/config.yml

@@ -0,0 +1,79 @@
+version: 2
+defaults: &defaults
+    docker:
+      - image: circleci/python:2.7.18-stretch-browsers
+install_dependency: &install_dependency
+  name: Installation of build and deployment dependencies.
+  command: |
+    sudo apt install jq
+    sudo pip install awscli --upgrade
+    sudo pip install docker-compose
+install_deploysuite: &install_deploysuite
+  name: Installation of install_deploysuite.
+  command: |
+    git clone --branch v1.4.5 https://github.com/topcoder-platform/tc-deploy-scripts ../buildscript
+    cp ./../buildscript/master_deploy.sh .
+    cp ./../buildscript/buildenv.sh .
+    cp ./../buildscript/awsconfiguration.sh .
+
+builddeploy_steps: &builddeploy_steps
+      - checkout
+      - setup_remote_docker
+      - run: *install_dependency
+      - run: *install_deploysuite
+      - run: 
+          name: Running build script.
+          command: |
+            ./awsconfiguration.sh $DEPLOY_ENV
+            source awsenvconf
+            ./buildenv.sh -e $DEPLOY_ENV -b ${LOGICAL_ENV}-${APPNAME}-buildvar
+            source buildenvvar          
+            ./build.sh
+      - deploy:
+          name: Running MasterScript.
+          command: |
+            source awsenvconf
+            ./buildenv.sh -e $DEPLOY_ENV -b ${LOGICAL_ENV}-${APPNAME}-deployvar
+            source buildenvvar
+            ./master_deploy.sh -d CFRONT -e $DEPLOY_ENV -c true
+
+jobs:
+  # Build & Deploy against development backend
+  "build-dev":
+    <<: *defaults
+    environment:
+      DEPLOY_ENV: "DEV"
+      LOGICAL_ENV: "dev"
+      APPNAME: "tc-auth-lib"    
+    steps: *builddeploy_steps
+
+  "build-prod":
+    <<: *defaults
+    environment:
+      DEPLOY_ENV: "PROD"
+      LOGICAL_ENV: "prod"    
+      APPNAME: "tc-auth-lib"  
+    steps: *builddeploy_steps
+
+workflows:
+  version: 2
+  build:
+    jobs:
+      # Development builds are executed on "develop" branch only.
+      - "build-dev":
+          context : org-global
+          filters:
+            branches:
+              only:
+                - dev
+
+      # Production builds are exectuted only on tagged commits to the
+      # master branch.
+      - "build-prod":
+          context : org-global
+          filters:
+            branches:
+              only: master
+
+
+

README.md

@@ -1,2 +1,3 @@
 # authlib
 Mixed front-end lib for auth0 authorization 
+

build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -eo pipefail
+CONFFILENAME="./web-assets/js/setupAuth0WithRedirect.js"
+
+perl -pi -e "s/\{\{DOMAIN\}\}/$DOMAIN/g" $CONFFILENAME
+perl -pi -e "s/\{\{AUTH0_CLIENT_ID\}\}/$AUTH0_CLIENT_ID/g" $CONFFILENAME
+perl -pi -e "s/\{\{LOGGERMODE\}\}/$LOGGERMODE/g" $CONFFILENAME
+perl -pi -e "s/\{\{AUTH0DOMAIN\}\}/$AUTH0DOMAIN/g" $CONFFILENAME
+
+SIGNUPFILENAME="./web-assets/js/signup.js"
+perl -pi -e "s/\{\{DOMAIN\}\}/$DOMAIN/g" $SIGNUPFILENAME
+perl -pi -e "s/\{\{AUTH0DOMAIN\}\}/$AUTH0DOMAIN/g" $SIGNUPFILENAME
+
+
+mkdir dist
+cp -rv ./web-assets/css/* ./dist/
+cp -rv ./web-assets/js/* ./dist/
+cp -rv ./web-assets/images ./dist/
+cp -rv ./web-assets/static-pages/* ./dist/
+
+
+

web-assets/js/setupAuth0WithRedirect.js

@@ -23,8 +23,8 @@ const qs = (function (a) {
 
 const authSetup = function () {
 
-    let domain = 'auth.topcoder.com';
-    const clientId = 'UW7BhsnmAQh0itl56g1jUPisBO9GoowD';
+    let domain = 'auth.{{DOMAIN}}';
+    const clientId = '{{AUTH0_CLIENT_ID}}';
     const useLocalStorage = false;
     const useRefreshTokens = false;
     const v3JWTCookie = 'v3jwt';
@@ -38,7 +38,7 @@ const authSetup = function () {
     const utmSource = qs['utm_source'];
     const utmMedium = qs['utm_medium'];
     const utmCampaign = qs['utm_campaign'];
-    const loggerMode = "prod";
+    const loggerMode = "{{LOGGERMODE}}";
     const IframeLogoutRequestType = "LOGOUT_REQUEST";
     const enterpriseCustomers = ['zurich', 'cs'];
     const mode = qs['mode'] || 'signIn';
@@ -48,7 +48,7 @@ const authSetup = function () {
     if (utmSource &&
         (utmSource != 'undefined') &&
         (enterpriseCustomers.indexOf(utmSource) > -1)) {
-        domain = "topcoder.auth0.com";
+        domain = "{{AUTH0DOMAIN}}";
         returnAppUrl += '&utm_source=' + utmSource;
     }
 

web-assets/js/signup.js

@@ -1,5 +1,5 @@
 
-var apiServerUrl = "https://api.topcoder.com/v3/users";
+var apiServerUrl = "https://api.{{DOMAIN}}/v3/users";
 var qs = (function (a) {
   if (a == "") return {};
   var b = {};
@@ -46,14 +46,21 @@ $(document).ready(function () {
         if (result.result.status === 200 && result.result.content.valid) {
           $("#error").closest(".message").fadeOut();
           $("#error").html("");
-          document.getElementById("signup").action = qs["formAction"];
-          document.getElementById("state").value = qs["state"];
-          document.getElementById("regSource").value = qs["regSource"];
-          document.getElementById("utmSource").value = qs["utmSource"];
-          document.getElementById("utmMedium").value = qs["utmMedium"];
-          document.getElementById("utmCampaign").value = qs["utmCampaign"];
-          document.getElementById("returnUrl").value = qs["returnUrl"];
-          document.getElementById("signup").submit();
+          let formAction = qs["formAction"];
+          const opt1 = 'https://auth.{{DOMAIN}}/continue';
+          const opt2 = 'https://{{AUTH0DOMAIN}}/continue';
+          if (!formAction.startsWith(opt1) && !formAction.startsWith(opt2)) {
+            // looks like XSS attack
+            formAction = "#";
+          }
+          $('#signup').attr('action', formAction);
+          $("#state").val(qs["state"]);
+          $("#regSource").val(qs["regSource"]);
+          $("#utmSource").val(qs["utmSource"]);
+          $("#utmMedium").val(qs["utmMedium"]);
+          $("#utmCampaign").val(qs["utmCampaign"]);
+          $("#returnUrl").val(qs["returnUrl"]);
+          $("#signup").submit();
         }
       },
     });