minvws / nl-covid19-notification-app-backend
Server-side code for CoronaMelder.
License: European Union Public License 1.2
The concern is the existence of the code block in https://github.com/minvws/nl-covid19-notification-app-backend/blob/master/Components/Icc/Models/TheIdentityHubClaimTypes.cs:
internal const string AccessToken = "http://schemas.u2uconsult.com/ws/2014/03/identity/claims/accesstoken";
internal const string AuthenticationStrength = "http://schemas.u2uconsult.com/ws/2016/08/identity/claims/authenticationstrength";
internal const string ClientId = "http://schemas.u2uconsult.com/ws/2014/11/identity/claims/clientid";
internal const string OldIdentityId = "http://schemas.u2uconsult.com/ws/2019/02/identity/claims/oldidentityid";
internal const string DisplayName = "http://schemas.u2uconsult.com/ws/2014/04/identity/claims/displayname";
internal const string EmailAddress = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
internal const string EmailAddressVerified = "http://schemas.u2uconsult.com/ws/2017/02/identity/claims/emailaddressverified";
internal const string GivenName = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname";
internal const string IdentityProvider = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";
internal const string LargePicture = "http://schemas.u2uconsult.com/ws/2014/04/identity/claims/largepicture";
internal const string MediumPicture = "http://schemas.u2uconsult.com/ws/2014/04/identity/claims/mediumpicture";
internal const string Scope = "http://schemas.u2uconsult.com/ws/2014/03/identity/claims/scope";
internal const string SmallPicture = "http://schemas.u2uconsult.com/ws/2014/04/identity/claims/smallpicture";
internal const string Surname = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname";
internal static readonly string NameIdentifier = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
I'm assuming these are either not used, or they are used to indicate URLs to third parties that can be used to establish the validity of the schemes. However, I haven't looked into it. Reasons to remove this:
Fix: HTTPS links to your own backend, or remove.
Docker local run fails
Steps to reproduce the behavior:
Missing projects:
DbProvision/DbProvision.csproj
DbFillExampleContent/DbFillExampleContent.csproj
Changed names of exe files in entrypoint in docker-compose.yml
The instruction from the readme to run the project in docker should work without errors.
I see that WireMock.Net is used to unit-test the TheIdentityHubService in the TheIdentityHubServiceTests.cs file.
However a fixed port is used:
This can cause issues when running these unit-tests on a build-server; there is no 100% guarantee that this port will be free on the OS.
My suggestion would be to start the WireMock.Net without a fixed port. Just like:
var server = WireMockServer.Start();
// Getting the random port on which the WireMock.Net server is running, can be done like:
var port = server.Ports[0];
// Or you can also get the full URL where the WireMock.Net server is running with:
var url = server.Urls[0];
However this means that setting up the TheIdentityHubOptions should be done in each unit-test because the port is not fixed anymore.
Another suggestion:
I see that in every test the WireMock.Net server is started and stopped; in that case using a local variable (var server =) instead of defining and reusing a private class variable like private WireMockServer _Server; would be a better option.
Another idea would be to start the WireMock.Net server once during start from the test-class and reset + add a new mapping in each test. This can be a bit quicker when running the tests.
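The "start once per test class, reset and re-map per test" layout the post suggests, written out as an added example (not code from the repository): a WireMock.Net server on a random free port is shared through an xUnit class fixture, and its random base URL is handed to the options object instead of a fixed port. TheIdentityHubOptionsStub and the /oauth/tokeninfo path are assumptions for the example, not the project's real types or routes.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using WireMock.RequestBuilders;
using WireMock.ResponseBuilders;
using WireMock.Server;
using Xunit;

// Shared fixture: one WireMock.Net server per test class, bound to a port the OS picks.
public class IdentityHubMockFixture : IDisposable
{
    public WireMockServer Server { get; } = WireMockServer.Start();
    public string BaseUrl => Server.Urls[0];   // e.g. http://localhost:54321, port not fixed
    public void Dispose() => Server.Stop();
}

public class TheIdentityHubServiceTests : IClassFixture<IdentityHubMockFixture>
{
    private readonly IdentityHubMockFixture _fixture;

    public TheIdentityHubServiceTests(IdentityHubMockFixture fixture)
    {
        _fixture = fixture;
        _fixture.Server.Reset();   // drop mappings and request log left by the previous test
    }

    [Fact]
    public async Task ValidToken_ReturnsOk()
    {
        // Each test registers only the mapping it needs (constructed path and body).
        _fixture.Server
            .Given(Request.Create().WithPath("/oauth/tokeninfo").UsingGet())
            .RespondWith(Response.Create().WithStatusCode(200).WithBody("{\"active\":true}"));

        // The service under test gets the random base URL at runtime; a port
        // hard-coded in appsettings would not match the mock server here.
        var options = new TheIdentityHubOptionsStub { BaseUri = new Uri(_fixture.BaseUrl) };
        using var client = new HttpClient { BaseAddress = options.BaseUri };
        var response = await client.GetAsync("/oauth/tokeninfo");

        Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
    }
}

// Stand-in for the project's TheIdentityHubOptions; the shape is assumed for this example.
public class TheIdentityHubOptionsStub
{
    public Uri BaseUri { get; set; }
}
```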
It hurts when the name of the world's most awesomest database is mangled like this.
What is this project doing?
I see it mentions .NET, MSSQL, as Node JS, Yarn and Angular CLI, shouldn't the 'frontend' for care workers be in another project?
My advice to make this more accessible for other developers:
README.md with folder overview plus short summary
README.md in every folder with the project/folder description of what this thing is doing.
I don't think you want your private key visible like that. Best remove it quickly and regenerate.
It gives me the creeps to see stuff like this in a code base.
Also, I see you're not working with a process to handle security issues like this one.
Would be nice to have that in place too.
Currently docker-compose up --build fails on a clean clone due to a couple of errors in the Docker file.
This is running on Ubuntu 20.04.
Steps to reproduce the behavior:
git clone https://github.com/minvws/nl-covid19-notification-app-backend.git
cd nl-covid19-notification-app-backend
cd docker
docker-compose up --build
$ docker-compose up --build
Building mobile_api
Step 1/23 : FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine AS builder
---> 656495ef4e20
Step 2/23 : COPY . app/
---> Using cache
---> c642901eb776
Step 3/23 : WORKDIR app/
---> Using cache
---> 1ace1d52bf4c
Step 4/23 : COPY docker/development/appsettings.json .
---> Using cache
---> 88648b988891
Step 5/23 : RUN rm Components/Framework/WindowsIdentityStuff.cs
---> Running in d0d719382673
rm: can't remove 'Components/Framework/WindowsIdentityStuff.cs': No such file or directory
ERROR: Service 'mobile_api' failed to build: The command '/bin/sh -c rm Components/Framework/WindowsIdentityStuff.cs' returned a non-zero code: 1
MSBUILD : error MSB1009: Project file does not exist.
Switch: DbFillExampleContent/DbFillExampleContent.csproj
ERROR: Service 'mobile_api' failed to build: The command '/bin/sh -c dotnet publish DbFillExampleContent/DbFillExampleContent.csproj --no-self-contained --configuration Release -o publish/Tools/DbFillExampleContent --version-suffix local' returned a non-zero code: 1
The docker containers are successfully brought up.
n/a, see console output above
I'll shortly submit a simple PR to address the issues.
First of all I would like to say that I really appreciate that this work is being open sourced.
I want to propose adding a security.txt file to be publicly served by this application.
security.txt is a proposed standard for listing responsible disclosure policies and contact information. Its purpose is to provide a standard location so security researchers can easily get in contact to report a security issue. The standard is currently in draft stage but is already in use by organizations like Google and GitHub.
This GitHub repository already has a security policy, but once this application is running in production a security researcher who has found a vulnerability might not be aware of the fact that this repository is publicly visible. They will have to search for out-of-band information in order to responsibly disclose security issues. As explained for example by security researcher Troy Hunt, who runs the popular data breach notification service Have I Been Pwned?, the security.txt file is one of the first things he will look for when he tries to contact an organization about a data breach.
Given the high public profile of this application and the focus on privacy and security I believe it is a good step to serve this file, and it comes at no real cost.
Based on the existing security policy published on GitHub, the contents of security.txt could look like this:
Contact: https://www.ncsc.nl/contact/kwetsbaarheid-melden
Contact: https://english.ncsc.nl/contact/reporting-a-vulnerability-cvd
Encryption: https://english.ncsc.nl/contact/pgp-key
Policy: https://github.com/minvws/nl-covid19-notification-app-backend/security/policy
This file should be served from /.well-known/security.txt (RFC8615). Other fields, such as Acknowledgments, Canonical and Preferred-Languages are also supported. Please refer to the draft standard or to https://securitytxt.org/ for the full specification.
I would be happy to create a pull request, but I'm not sure where to create this file in order for it to be served as a static file in the document root. If I'm understanding correctly the Docker configuration and ServerStandAlone directory are only used for development, and will not be used in production. Alternatively the file could be stored in the root of the repository (as suggested on https://securitytxt.org/) and be copied to the right location during build-time. As I said, if someone can point me in the right direction I would happily create a pull request for this.
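One way to serve the file from the ASP.NET Core application itself rather than hunting for a document root, as an added example that is not the project's code: a dedicated endpoint in Startup.Configure streams security.txt from the content root. The file location next to the published binaries and the csproj copy step in the comment are assumptions.

```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;

public class Startup
{
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            // RFC 8615 well-known location; keep it outside any authentication middleware.
            endpoints.MapGet("/.well-known/security.txt", async context =>
            {
                // Assumed layout: security.txt lives in the repository root and is copied
                // to the output directory at build time, e.g. with
                // <Content Include="security.txt" CopyToOutputDirectory="PreserveNewest" />.
                var path = Path.Combine(env.ContentRootPath, "security.txt");
                if (!File.Exists(path))
                {
                    context.Response.StatusCode = StatusCodes.Status404NotFound;
                    return;
                }

                context.Response.ContentType = "text/plain; charset=utf-8";
                context.Response.Headers["Cache-Control"] = "public, max-age=86400";
                await context.Response.SendFileAsync(path);
            });
        });
    }
}
```

Dropping the file under wwwroot/.well-known and relying on app.UseStaticFiles() alone would not work out of the box: PhysicalFileProvider defaults to ExclusionFilters.Sensitive, which hides dot-prefixed names, so the explicit endpoint sidesteps that pitfall.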
When running the docker-compose install on Linux, executing the following command fails:
docker exec docker_content_api_1 EksEngine/EksEngine
This is running on Ubuntu 20.04.
Steps to reproduce the behavior:
docker-compose up --build
docker exec docker_content_api_1 Tools/DbProvision/DbProvision
docker exec docker_content_api_1 Tools/GenTeks/GenTeks
docker exec docker_content_api_1 Tools/ForceTekAuth/ForceTekAuth
docker exec docker_content_api_1 EksEngine/EksEngine
[21:38:59 FTL] System.PlatformNotSupportedException: Windows Principal functionality is not supported on this platform.
at System.Security.Principal.WindowsIdentity.GetCurrent()
at NL.Rijksoverheid.ExposureNotification.BackEnd.Components.Framework.WindowsIdentityQueries.CurrentUserIsAdministrator() in /app/Components/Framework/WindowsIdentityQueries.cs:line 13
at NL.Rijksoverheid.ExposureNotification.BackEnd.Components.ExposureKeySetsEngine.ExposureKeySetBatchJobMk3.Execute() in /app/Components/ExposureKeySetsEngine/ExposureKeySetBatchJobMk3.cs:line 78
at NL.Rijksoverheid.ExposureNotification.BackEnd.EksEngine.Program.Start(IServiceProvider serviceProvider, String[] args) in /app/EksEngine/Program.cs:line 46
at NL.Rijksoverheid.ExposureNotification.BackEnd.Components.ConsoleApps.ConsoleAppRunner.Execute(String[] args, Action`2 configure, Action`2 start) in /app/Components/ConsoleApps/ConsoleAppRunner.cs:line 41
The EksEngine starts up successfully and the exposureKeySet ids are added to the manifest.
n/a.
PR #27 highlights where the errors occur in the EksEngine code. The problem stems from the fact that the user certificate store isn't available on Linux (I'm not sure whether this is a Linux issue or a Docker issue though). The PR works around the problem, but isn't really a fix because it results in dummy signatures being generated (it does, however, make clear where the issues are, I think).
According to the design documentation the decoy probability should change depending on positive test numbers (and possibly install counts). However, it seems to be fixed to 0.00118, also on the production CDN.
Some files in this repository contain secrets. I don't think you want to expose sa db-passwords to the whole world.
For instance here and here. (You should also not add an appsettings.development.json file in source-control).
Make use of docker secrets to inject secrets in a container; do not expose connection strings via the git repository!