telefonicaid · gtorodelvalle · Sep 29, 2015 · Sep 28, 2015 · Sep 28, 2015 · Sep 29, 2015
diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
@@ -22,4 +22,5 @@
 - [cosmos-gui] [HARDENING] Allow the storage and computing clusters to be the same (#61)
 - [cosmos] [HARDENING] Add a User and Programmer Manual (#69)
 - [cosmos] [HARDENING] Add a Administration and Configuration Manual (#70)
+- [cosmos-gui] [HARDENING] Add TLS support (#77)
 - [cosmos-gui] [BUG] The new_password route uses the stored username instead of the email-based one (#65)
diff --git a/cosmos-gui/README.md b/cosmos-gui/README.md
@@ -32,6 +32,8 @@ As seen, the storage cluster is always shared, and depending on the chosen flavo
 
 In addition, the cosmos-gui can be used as a centralized dashboard where a user can explore its HDFS space and run [predefined MapReduce](https://github.com/telefonicaid/fiware-tidoop/tree/develop/tidoop-mr-lib-api) jobs, once his/her Cosmos account has been provisioned.
 
+[Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) (TLS) is used to provide communications security through asymetric cryptography (public/private encryption keys).
+
 [Top](#top)
 
 ##<a name="maininstall"></a>Installation
@@ -156,7 +158,9 @@ To be done.
 cosmos-gui is configured through `conf/cosmos-gui.json`. There you will find a JSON document with six main *sections*:
 
 * **gui**:
-    * **port**: specifies the listening port for the application. By default it is 80, but can be changed if such a port is being used in your deployment.
+    * **port**: Specifies the listening port for the application. By default it is 80, but can be changed if such a port is being used in your deployment.
+    * **private\_key\_file**: File name containing the private key used to encrypt the communications with the clients.
+    * **certificate\_file**: File name containing the self-signed X509 certificate used by the server to send the clients the public counterpart of the above private key.
 * **clusters**:
     * **storage**
         * **endpoint**: IP address or FQDN of the Namenode/HttpFS server of the storage cluster.
@@ -165,26 +169,26 @@ cosmos-gui is configured through `conf/cosmos-gui.json`. There you will find a J
     * **computing**
         * **endpoint**: IP address or FQDN of the Namenode/HttpFS server of the computing cluster.
         * **user**: Unix user within the Namenode/HttpFS server having sudo permissions.
-        * **private_key**: user's private key used to ssh into the Namenode/HttpFS server.
+        * **private_key**: User's private key used to ssh into the Namenode/HttpFS server.
 * **hdfs**:
-    * **quota**: measured in gigabytes, defines the size of the HDFS space assigned to each Cosmos user.
+    * **quota**: Measured in gigabytes, defines the size of the HDFS space assigned to each Cosmos user.
     * **superuser**: HDFS superuser, typically `hdfs`.
 * **oauth2**:
     * **idmURL**: URL where the FIWARE Identity Manager runs. If using the global instance at FIWARE LAB, it is `https://account.lab.fiware.org`.
-    * **client_id**: this is given by the Identity Manager once the cosmos-gui has been registered.
-    * **client_secre**t: this is given by the Identity Manager once the cosmos-gui has been registered.
+    * **client_id**: This is given by the Identity Manager once the cosmos-gui has been registered.
+    * **client_secret**: This is given by the Identity Manager once the cosmos-gui has been registered.
     * **callbackURL**: URL used by the Identity Manager to return the control to the GUI once the delegated authentication step has finished. This must be `http://localhost:<listening_port>/auth`.
-    * **response_type**: must be `code`.
+    * **response_type**: Must be `code`.
 * **mysql**:
     * **host**: IP or FQDN of the host running the MySQL server.
-    * **port**: port the MySQL server is listening for new incoming connections. Typically 3306.
-    * **user**: a valid user in the MySQL server with permissions to insert into the `cosmos_user` table.
-    * **password**: password for the above user in MySQL.
-    * **database**: must be `cosmos`.
-* **users_blacklist**: an array of strings not allowed to be a username.
+    * **port**: Port the MySQL server is listening for new incoming connections. Typically 3306.
+    * **user**: A valid user in the MySQL server with permissions to insert into the `cosmos_user` table.
+    * **password**: Password for the above user in MySQL.
+    * **database**: Must be `cosmos`.
+* **users_blacklist**: An array of strings not allowed to be a username.
 * **log**:
-    * **file_name**: path of the file where the log traces will be saved in a daily rotation basis. This file must be within the logging folder owned by the the user `cosmos-gui`.
-    * **date_pattern**: data pattern to be appended to the log file name when the log file is rotated.
+    * **file_name**: Path of the file where the log traces will be saved in a daily rotation basis. This file must be within the logging folder owned by the the user `cosmos-gui`.
+    * **date_pattern**: Data pattern to be appended to the log file name when the log file is rotated.
 
 [Top](#top)
 
@@ -205,7 +209,7 @@ If everything goes well, you should be able to see in a web browser the login pa
 
 ![](doc/images/cosmos_gui__init.png)
 
-cosmos-gui typically listens in the TCP/80 port, but you can change it by editing `conf/cosmos-gui.conf`.
+cosmos-gui typically listens in the TCP/443 port (TLS encryption), but you can change it by editing `conf/cosmos-gui.conf`.
 
 [Top](#top)
 

diff --git a/cosmos-gui/conf/cosmos-gui.json b/cosmos-gui/conf/cosmos-gui.json
@@ -1,6 +1,8 @@
 {
   "gui": {
-    "port": 80
+    "port": 443,
+    "private_key_file": "",
+    "certificate_file": ""
   },
   "clusters": {
     "storage": {

diff --git a/cosmos-gui/src/app.js b/cosmos-gui/src/app.js
@@ -25,6 +25,8 @@
 
 // Module dependencies
 var express = require('express');
+var https = require('https');
+var fs = require('fs');
 var boom = require('boom');
 var stylus = require('stylus');
 var nib = require('nib');
@@ -49,6 +51,10 @@ var scEndpoint = config.clusters.storage.endpoint;
 var ccPrivKey = config.clusters.computing.private_key;
 var ccUser = config.clusters.computing.user;
 var ccEndpoint = config.clusters.computing.endpoint;
+var httpsOptions = {
+    key: fs.readFileSync(config.private_ley_filekey),
+    cert: fs.readFileSync(config.certificate_file)
+}
 
 // Express configuration
 var app = express();
@@ -209,6 +215,6 @@ mysqlDriver.connect(function(error, result) {
     } else {
         // Start the application, listening at the configured port
         logger.info("cosmos-gui running at http://localhost:" + port);
-        app.listen(port);
+        https.createServer(httpsOptions, app).listen(port);
     } // if else
 });