Develop - PR 1

.dockerignore

@@ -0,0 +1,7 @@
+.git
+.gitignore
+*.md
+docker
+teleport_interview
+frontend/build
+frontend/node_modules

.gitignore

@@ -12,4 +12,6 @@
 *.out
 
 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/
+
+teleport_interview

Makefile

@@ -0,0 +1,27 @@
+.DEFAULT_GOAL := build
+.PHONY: build run test test_backend test_frontend clean fmt
+
+COMPOSE = docker-compose -f docker/docker-compose.yml --project-directory .
+
+build:
+	${COMPOSE} build
+
+up:
+	${COMPOSE} up
+
+clean:
+	${COMPOSE} down
+	docker volume rm teleport_interview_dbdata
+
+fmt:
+	go fmt ./...
+
+test: test_backend test_frontend
+
+test_backend:
+	docker build -f docker/Dockerfile_test -t tp_int:test_backend .
+	docker run tp_int:test_backend
+
+test_frontend:
+	docker build -f docker/Dockerfile_webtest -t tp_int_web:test_frontend .
+	docker run tp_int_web:test_frontend

README.md

@@ -1,2 +1,15 @@
 # teleport_interview
-A repository for an implementation of Teleport's interview challenge.
+A repository for an implementation of [Teleport's fullstack interview challenge](https://github.com/gravitational/careers/blob/main/challenges/fullstack/dashboard.pdf).
+
+## Requirements
+Requires Docker/Docker-Compose (a recent enough version to support compose spec 3.9).
+
+## Commands
+All commands can be found in the `Makefile` in the root of the repository.
+- `make build` (also just `make`) - Build the Compose service for the app.
+- `make up` - Serve the app over HTTPS at localhost on port 8080. Ctrl+C to stop.
+- `make clean` - Remove Compose service and delete database volume.
+- `make fmt` - Runs Go formatter (note: this one does not run in Docker and requires Go to be installed).
+- `make test_backend` - Run backend tests.
+- `make test_frontend` - Run frontend tests.
+- `make test` - Run both backend and frontend tests.

design.md

@@ -0,0 +1,95 @@
+# Design Doc
+​
+## Features/Scope
+- Login page
+  - On successful login, go to dashboard
+  - On failed login, alert user and do not change pages
+- Dashboard
+  - For Level 1, just a dummy page
+  - On click logout, log user out and go to login page
+​
+## Tech
+​
+### Frontend
+Choices here are mostly down to personal preference/familiarity.
+​
+**Language: TypeScript**
+​
+**Framework: React**
+​
+### Backend
+**Language: Go**
+​
+**Framework: [Gin](https://github.com/gin-gonic/gin)**
+​
+- While the Go standard library's HTTP capabilities are plenty to support the app, using a framework like Gin can reduce boilerplate.
+​
+### Database
+**Database: MySQL**
+​
+The app really only needs some basic CRUD operations; MySQL is simple and gets the job done.
+​
+Why not:
+- PostgreSQL - wouldn't hurt, but it's more complicated than we need.
+- SQLite - although a file-based DB would allow us to run one fewer process and simplify setup, SQLite doesn't have user management and isn't very concurrency friendly.
+​
+Schema:
+- Accounts (account_id PK, email, pw_hash, salt)
+- Sessions (account_id (nullable), session_token PK, csrf_token, expire_idle, expire_abs)
+​
+### Other
+docker-compose for launching multiple containers and [secrets management](https://docs.docker.com/engine/swarm/secrets/#use-secrets-in-compose).
+​
+## API
+POST `/api/login`
+​
+- Logs in user. Expects Basic Auth.
+  - No post body; username, password, and csrf token will all be sent in headers
+- Return 200 and set session token on successful login.
+  - If user is logged in, do nothing.
+- Return 401 on failed login.
+  - Bad user/pass combo
+  - Bad csrf token
+​
+POST `/api/logout`
+​
+- Logs out user. Invalidates session token.
+  - If user is not logged in, do nothing.
+  - A user is considered logged in if the Sessions table contains a tuple with their account ID that hasn’t expired (see Sessions for info about expiration).
+- Return 200.
+​
+GET `/*`
+​
+- Fetch static files.
+  - If file is index.html, inject CSRF token.
+- Return 200.
+​
+## Security
+​
+### Sessions
+Following [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html):
+- 16 byte random token
+- Set cookie on authenticate
+  - Make sure to set these attributes: Secure, HttpOnly, SameSite
+- Session creation
+  - When a user first visits the site, a pre-auth session (null account_id, new session token and csrf token, and appropriate expire times) is created, and the created csrf token is sent back to the user.
+  - When a user attempts to log in, the server looks for a Sessions entry that matches the sent csrf token and pre-auth session ID. If a match is found, a new session replaces the pre-auth session, with account_id determined from the username and password.
+- Expiring sessions (the backend will delete an active session if any of the following occur):
+  - A logged in user makes a logout request
+  - A specified amount of time passes after a logged in user makes an authenticated request (Idle expire)
+  - A specified amount of time passes after a logged in user's initial login (Absolute expire)
+    - Note: a background task will remove expired sessions periodically; however, the server will still need to verify that exire_idle and expire_abs aren't in the past.
+​
+### Passwords
+Passwords will be salted and hashed with argon2id, [as recommended by OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id).
+- Check OWASP for ideal parameter settings
+- random per-user salt
+​
+### Attack Mitigation
+**XSS**: React should handle HTML escaping when rendering. We shouldn't ever need to use any [dangerous rendering methods](https://stackoverflow.com/a/51852579).
+​
+**CSRF**: Inject CSRF token into index.html when it's fetched; when performing future requests, client must put token in custom header.
+​
+**SSRF**: Server shouldn't ever need to make any HTTP requests, much less requests to user-specified URLs.
+​
+**SQL Injection**: Use prepared statements/parameterized queries.

docker/Dockerfile

@@ -0,0 +1,27 @@
+FROM node:16 AS builder
+WORKDIR /app
+COPY frontend/package.json frontend/package-lock.json ./
+RUN npm install
+COPY frontend ./
+RUN npm run build
+
+# would use alpine, but it's not officially supported yet (https://hub.docker.com/_/golang)
+FROM golang:1.16
+
+WORKDIR /go/src/app
+
+RUN useradd --no-log-init tp
+
+COPY go.mod go.sum main.go ./
+COPY internal ./internal
+RUN go install
+RUN go build
+
+COPY --from=builder /app/build internal/server/web/
+
+ENV GIN_MODE=release
+EXPOSE 8080
+
+USER tp
+
+CMD ["./teleport_interview"]

docker/Dockerfile_db

@@ -0,0 +1,8 @@
+FROM mysql:8.0
+
+ENV MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root
+ENV MYSQL_DATABASE_FILE=/run/secrets/mysql_db
+ENV MYSQL_USER_FILE=/run/secrets/mysql_user
+ENV MYSQL_PASSWORD_FILE=/run/secrets/mysql_pw
+
+COPY sql/* /docker-entrypoint-initdb.d/

docker/Dockerfile_test

@@ -0,0 +1,14 @@
+FROM golang:1.16
+
+WORKDIR /go/src/app
+
+# test hack
+# index.html is begging to be a template now
+COPY frontend/public/index.html internal/server/web/
+
+COPY go.mod go.sum main.go ./
+COPY internal ./internal
+RUN go install
+ENV GIN_MODE=test
+
+CMD ["go", "test" ,"./..."]

docker/Dockerfile_webtest

@@ -0,0 +1,5 @@
+FROM node:16
+WORKDIR /app
+COPY frontend ./
+RUN npm install
+CMD ["npm", "test", "--", "--watchAll=false"]

docker/docker-compose.yml

@@ -0,0 +1,50 @@
+version: "3.9"
+services:
+  backend:
+    build:
+      context: .
+      dockerfile: docker/Dockerfile
+    ports:
+      - "8080:8080"
+    networks:
+      - dashnet
+    secrets:
+      - server-cert.pem
+      - server-key.pem
+      - mysql_user
+      - mysql_pw
+      - mysql_db
+
+  db:
+    build:
+      context: .
+      dockerfile: docker/Dockerfile_db
+    networks:
+      - dashnet
+    volumes:
+      - "dbdata:/var/lib/mysql"
+    secrets:
+      - mysql_root
+      - mysql_db
+      - mysql_user
+      - mysql_pw
+
+networks:
+  dashnet:
+
+volumes:
+  dbdata:
+
+secrets:
+  mysql_root:
+    file: secrets/mysql_root_pw
+  mysql_db:
+    file: secrets/mysql_db
+  mysql_user:
+    file: secrets/mysql_user
+  mysql_pw:
+    file: secrets/mysql_pw
+  server-cert.pem:
+    file: secrets/cert.pem
+  server-key.pem:
+    file: secrets/server-key.pem

frontend/.gitignore

@@ -0,0 +1,23 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# dependencies
+/node_modules
+/.pnp
+.pnp.js
+
+# testing
+/coverage
+
+# production
+/build
+
+# misc
+.DS_Store
+.env.local
+.env.development.local
+.env.test.local
+.env.production.local
+
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

frontend/README.md

@@ -0,0 +1,46 @@
+# Getting Started with Create React App
+
+This project was bootstrapped with [Create React App](https://github.com/facebook/create-react-app).
+
+## Available Scripts
+
+In the project directory, you can run:
+
+### `npm start`
+
+Runs the app in the development mode.\
+Open [http://localhost:3000](http://localhost:3000) to view it in the browser.
+
+The page will reload if you make edits.\
+You will also see any lint errors in the console.
+
+### `npm test`
+
+Launches the test runner in the interactive watch mode.\
+See the section about [running tests](https://facebook.github.io/create-react-app/docs/running-tests) for more information.
+
+### `npm run build`
+
+Builds the app for production to the `build` folder.\
+It correctly bundles React in production mode and optimizes the build for the best performance.
+
+The build is minified and the filenames include the hashes.\
+Your app is ready to be deployed!
+
+See the section about [deployment](https://facebook.github.io/create-react-app/docs/deployment) for more information.
+
+### `npm run eject`
+
+**Note: this is a one-way operation. Once you `eject`, you can’t go back!**
+
+If you aren’t satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project.
+
+Instead, it will copy all the configuration files and the transitive dependencies (webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you’re on your own.
+
+You don’t have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn’t feel obligated to use this feature. However we understand that this tool wouldn’t be useful if you couldn’t customize it when you are ready for it.
+
+## Learn More
+
+You can learn more in the [Create React App documentation](https://facebook.github.io/create-react-app/docs/getting-started).
+
+To learn React, check out the [React documentation](https://reactjs.org/).