
Commit b6f7b07

committed
Have NUTS_STRICTMODE follow Kooppunt strictmode
1 parent dd6d624 commit b6f7b07


6 files changed

+48
-24
lines changed


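--- a/cmd/core/config_test.go
+++ b/cmd/core/config_test.go
@@ -0,0 +1,13 @@
+package core
+
+import (
+"testing"
+
+"github.com/stretchr/testify/assert"
+)
+
+func TestDefaultConfig(t *testing.T) {
+t.Run("strict mode is on by default", func(t *testing.T) {
+assert.True(t, DefaultConfig().StrictMode)
+})
+}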

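--- a/cmd/start.go
+++ b/cmd/start.go
@@ -23,6 +23,10 @@ func Start(ctx context.Context, config Config) error {
 zerolog.SetGlobalLevel(zerolog.DebugLevel)
 zerolog.DefaultContextLogger = &log.Logger
 
+if !config.StrictMode {
+log.Ctx(ctx).Warn().Msgf("Strict mode is disabled. This is NOT recommended for production environments!")
+}
+
 publicMux := http.NewServeMux()
 internalMux := http.NewServeMux()
 mcsdUpdateClient, err := mcsd.New(config.MCSD)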
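Review bot: The added warning calls `Msgf` with a constant message and no arguments; the plain `Msg` is the intended call and skips a needless format pass: `log.Ctx(ctx).Warn().Msg("Strict mode is disabled. This is NOT recommended for production environments!")`. Emitting the warning once at startup is sensible, but operators reading logs later may miss it, so consider also surfacing the mode in the startup summary if there is one. Start begins and ends outside the hunk.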

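--- a/component/nutsnode/component.go
+++ b/component/nutsnode/component.go
@@ -9,6 +9,7 @@ import (
 "os"
 "strconv"
 
+knooppuntCore "github.com/nuts-foundation/nuts-knooppunt/cmd/core"
 "github.com/nuts-foundation/nuts-knooppunt/component"
 "github.com/nuts-foundation/nuts-knooppunt/lib/netutil"
 "github.com/nuts-foundation/nuts-node/cmd"
@@ -53,6 +54,7 @@ func New(config Config) (*Component, error) {
 
 type Component struct {
 config Config
+coreConfig knooppuntCore.Config
 ctx context.Context
 cancel context.CancelFunc
 system *core.System
@@ -72,6 +74,7 @@ func (c *Component) Start() error {
 "NUTS_HTTP_PUBLIC_ADDRESS": c.publicAddr.Host,
 "NUTS_DATADIR": dataDir,
 "NUTS_VERBOSITY": zerolog.GlobalLevel().String(),
+"NUTS_STRICTMODE": strconv.FormatBool(c.coreConfig.StrictMode),
 }
 // Only set NUTS_CONFIGFILE if the config file exists
 if _, err := os.Stat(configFile); err == nil {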
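Review bot: The new `coreConfig` field is read in Start (`strconv.FormatBool(c.coreConfig.StrictMode)`) but nothing in this commit assigns it: the field is new, New's signature in the hunk header (`func New(config Config) (*Component, error)`) is unchanged, and none of the other five files in the diffstat touches this component, so as far as the diff shows the field stays at its zero value and NUTS_STRICTMODE is always passed as `false`, the opposite of the commit's intent and of the new TestDefaultConfig, which asserts strict mode defaults to true. The wiring needs to be added, e.g. by having New take the core configuration (`func New(coreConfig knooppuntCore.Config, config Config) (*Component, error)`) and store it in the returned Component, with the caller passing its strict-mode configuration; a unit test asserting that the environment map built in Start carries `NUTS_STRICTMODE=true` for the default configuration would have caught this. Because a bool's zero value silently maps to non-strict, consider making the unwired case fail closed as well, for instance by storing the negated flag so that a forgotten assignment never weakens the Nuts node. The bodies of New and Start lie mostly outside the hunks.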

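--- a/config/knooppunt.yml
+++ b/config/knooppunt.yml
@@ -1,6 +1,8 @@
 # Nuts Knooppunt Configuration
 # This file demonstrates the configuration options available
 
+strictmode: false
+
 # mCSD (Mobile Care Services Discovery) configuration
 mcsd:
 # Root directories to synchronize from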
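Review bot: The example configuration now turns strict mode off without saying why, and this file is linked from docs/CONFIGURATION.md as the reference example, so a copied configuration silently disables the secure mode that document describes (and, per the NUTS_STRICTMODE change in component/nutsnode/component.go, the Nuts node's strict mode with it). Every other setting in this file carries an explanatory comment, so the new line should too; precede it with `# Disabled for local development only (allows plain HTTP and the OIDC provider's dev mode); keep the default of true in production.`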

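--- a/config/nuts.yml
+++ b/config/nuts.yml
@@ -1,4 +1,3 @@
-strictmode: false
 url: http://localhost:8080
 
 didmethods: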

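--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -8,32 +8,35 @@ Configuration is loaded in the following order (later sources override earlier o
 
 1. Default values
 2. YAML configuration files, loaded from:
-- `config/knooppunt.yml`: Knooppunt-specific configuration ([example](../config/knooppunt.yml))
-- `config/nuts.yml`: Nuts-specific configuration, see [Nuts documentation](https://nuts-node.readthedocs.io/en/stable/pages/deployment/configuration.html) ([example](../config/nuts.yml))
+- `config/knooppunt.yml`: Knooppunt-specific configuration ([example](../config/knooppunt.yml))
+- `config/nuts.yml`: Nuts-specific configuration,
+see [Nuts documentation](https://nuts-node.readthedocs.io/en/stable/pages/deployment/configuration.html) ([example](../config/nuts.yml))
 3. Environment variables with `KNPT_` prefix
 
 ## Configuration Options
 
 Environment variables use the prefix `KNPT_` followed by the configuration path in uppercase with underscores:
 
-| Environment Variable | YAML Path | Description |
-|-------------------------------------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Authentication / Nuts** | | |
-| `KNPT_NUTS_ENABLED` | `nuts.enabled` | Enable embedded Nuts node.<br/>Defaults to `true`. |
-| **Addressing / mCSD** | | |
-| `KNPT_MCSDADMIN_FHIRBASEURL` | `mcsdadmin.fhirbaseurl` | (Optional) FHIR base URL of the local mCSD Administration Directory, if managed through the mCSD Web Application. |
-| `KNPT_MCSD_QUERY_FHIRBASEURL` | `mcsd.query.fhirbaseurl` | FHIR base URL of the local mCSD Query Directory to synchronize to. |
-| `KNPT_MCSD_ADMIN_<KEY>_FHIRBASEURL` | `mcsd.admin.<key>.fhirbaseurl` | Map of root directories (mCSD Admin Directory FHIR base URLs) to synchronize from. |
-| `KNPT_MCSD_ADMINEXCLUDE` | `mcsd.adminexclude` | (Optional) List of FHIR base URLs to exclude from being registered as administration directories. Useful to prevent self-referencing loops when the query directory is discovered as an Endpoint. Multiple values can be specified as a comma-separated list. |
-| **Localization / NVI** | | |
-| `KNPT_NVI_BASEURL` | `nvi.baseurl` | Base URL of the NVI service. |
-| `KNPT_NVI_AUDIENCE` | `nvi.audience` | Name of the NVI service, used for creating BSN transport tokens.<br/>Defaults to `nvi`. |
-| **Consent / Mitz** | | |
-| `KNPT_MITZ_MITZBASE` | `mitz.mitzbase` | Base URL of the MITZ endpoint |
-| `KNPT_MITZ_NOTIFYENDPOINT` | `mitz.notifyendpoint` | Endpoint that will be used in `Subscription.channel.endpoint` when subscribing to Mitz (unless one is provided in the Subscription request to the knooppunt) |
-| `KNPT_MITZ_GATEWAYSYSTEM` | `mitz.gatewaysystem` | (Optional) URL where MITZ will send consent notifications (your callback endpoint) |
-| `KNPT_MITZ_SOURCESYSTEM` | `mitz.sourcesystem` | (Optional) gateway system OID (added as FHIR extension) |
-| `KNPT_MITZ_TLSCERTFILE` | `mitz.tlscertfile` | Path to client certificate (.p12/.pfx or .pem) |
-| `KNPT_MITZ_TLSKEYFILE` | `mitz.tlskeyfile` | Path to private key (only for .pem certs) |
-| `KNPT_MITZ_TLSKEYPASSWORD` | `mitz.tlskeypassword` | Password for .p12/.pfx |
-| `KNPT_MITZ_TLSCAFILE` | `mitz.tlscafile` | Path to server certificate |
+| Environment Variable | YAML Path | Description |
+|-------------------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **General** | | |
+| `KNPT_STRICTMODE` | `strictmode` | Enables secure operation mode. Disabling it allows connection to plain HTTP server, and [OIDC Provider dev mode](https://zitadel.com/docs/guides/manage/console/applications#development-mode). It also sets the Nuts node's strict mode configuration parameter.<br/>Defaults to `true`. |
+| **Authentication / Nuts** | | |
+| `KNPT_NUTS_ENABLED` | `nuts.enabled` | Enable embedded Nuts node.<br/>Defaults to `true`. |
+| **Addressing / mCSD** | | |
+| `KNPT_MCSDADMIN_FHIRBASEURL` | `mcsdadmin.fhirbaseurl` | (Optional) FHIR base URL of the local mCSD Administration Directory, if managed through the mCSD Web Application. |
+| `KNPT_MCSD_QUERY_FHIRBASEURL` | `mcsd.query.fhirbaseurl` | FHIR base URL of the local mCSD Query Directory to synchronize to. |
+| `KNPT_MCSD_ADMIN_<KEY>_FHIRBASEURL` | `mcsd.admin.<key>.fhirbaseurl` | Map of root directories (mCSD Admin Directory FHIR base URLs) to synchronize from. |
+| `KNPT_MCSD_ADMINEXCLUDE` | `mcsd.adminexclude` | (Optional) List of FHIR base URLs to exclude from being registered as administration directories. Useful to prevent self-referencing loops when the query directory is discovered as an Endpoint. Multiple values can be specified as a comma-separated list. |
+| **Localization / NVI** | | |
+| `KNPT_NVI_BASEURL` | `nvi.baseurl` | Base URL of the NVI service. |
+| `KNPT_NVI_AUDIENCE` | `nvi.audience` | Name of the NVI service, used for creating BSN transport tokens.<br/>Defaults to `nvi`. |
+| **Consent / Mitz** | | |
+| `KNPT_MITZ_MITZBASE` | `mitz.mitzbase` | Base URL of the MITZ endpoint |
+| `KNPT_MITZ_NOTIFYENDPOINT` | `mitz.notifyendpoint` | Endpoint that will be used in `Subscription.channel.endpoint` when subscribing to Mitz (unless one is provided in the Subscription request to the knooppunt) |
+| `KNPT_MITZ_GATEWAYSYSTEM` | `mitz.gatewaysystem` | (Optional) URL where MITZ will send consent notifications (your callback endpoint) |
+| `KNPT_MITZ_SOURCESYSTEM` | `mitz.sourcesystem` | (Optional) gateway system OID (added as FHIR extension) |
+| `KNPT_MITZ_TLSCERTFILE` | `mitz.tlscertfile` | Path to client certificate (.p12/.pfx or .pem) |
+| `KNPT_MITZ_TLSKEYFILE` | `mitz.tlskeyfile` | Path to private key (only for .pem certs) |
+| `KNPT_MITZ_TLSKEYPASSWORD` | `mitz.tlskeypassword` | Password for .p12/.pfx |
+| `KNPT_MITZ_TLSCAFILE` | `mitz.tlscafile` | Path to server certificate |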
