Merge branch 'develop' into snyk-upgrade-ab1ef2ce79d0e5e96bf82268198c…

…f08a
OWASP · Nov 28, 2023 · 528ae43 · 528ae43
2 parents 7cdb24f + e641d35
commit 528ae43
Show file tree

Hide file tree

Showing 67 changed files with 5,452 additions and 7,788 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -246,3 +246,7 @@ jobs:
           cache-from: type=gha,scope=mailhog-service
           cache-to: type=gha,mode=max,scope=mailhog-service
 
+      - name: Dump docker logs on failure
+        if: failure()
+        uses: jwalton/gh-docker-logs@v2
+
diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
@@ -10,7 +10,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
 services:
 
   crapi-identity:
@@ -39,18 +38,25 @@ services:
       - [email protected]
       - SMTP_AUTH=true
       - SMTP_STARTTLS=true
+      - JWT_EXPIRATION=604800000
       - ENABLE_LOG4J=${ENABLE_LOG4J:-false}
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_KEYSTORE_TYPE=PKCS12
+      - TLS_KEYSTORE=classpath:certs/server.p12
+      - TLS_KEYSTORE_PASSWORD=passw0rd
+      - TLS_KEY_PASSWORD=passw0rd
+      - TLS_KEY_ALIAS=identity
     depends_on:
       postgresdb:
         condition: service_healthy
       mongodb:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${IDENTITY_SERVER_PORT:-8080}/identity/health_check
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: /app/health.sh
+      interval: 15s
+      timeout: 15s
+      retries: 15
     deploy:
       resources:
         limits:
@@ -75,6 +81,9 @@ services:
       - MONGO_DB_USER=admin
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -83,10 +92,10 @@ services:
       crapi-identity:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${COMMUNITY_SERVER_PORT:-8087}/community/home
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: /app/health.sh
+      interval: 15s
+      timeout: 15s
+      retries: 15
     deploy:
       resources:
         limits:
@@ -112,7 +121,10 @@ services:
       - MONGO_DB_PASSWORD=crapisecretpassword
       - MONGO_DB_NAME=crapi
       - SECRET_KEY=crapi
-      - API_GATEWAY_URL=https://api.crapi.io
+      - API_GATEWAY_URL=https://api.mypremiumdealership.com
+      - TLS_ENABLED=${TLS_ENABLED:-false}
+      - TLS_CERTIFICATE=certs/server.crt
+      - TLS_KEY=certs/server.key
     depends_on:
       postgresdb:
         condition: service_healthy
@@ -123,10 +135,10 @@ services:
       crapi-community:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:${WORKSHOP_SERVER_PORT:-8000}/workshop/health_check/
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: /app/health.sh
+      interval: 15s
+      timeout: 15s
+      retries: 15
     deploy:
       resources:
         limits:
@@ -138,10 +150,12 @@ services:
     image: crapi/crapi-web:${VERSION:-latest}
     ports:
       - "${LISTEN_IP:-127.0.0.1}:8888:80"
+      - "${LISTEN_IP:-127.0.0.1}:8443:443"
     environment:
       - COMMUNITY_SERVICE=crapi-community:${COMMUNITY_SERVER_PORT:-8087}
       - IDENTITY_SERVICE=crapi-identity:${IDENTITY_SERVER_PORT:-8080}
       - WORKSHOP_SERVICE=crapi-workshop:${WORKSHOP_SERVER_PORT:-8000}
+      - TLS_ENABLED=${TLS_ENABLED:-false}
     depends_on:
       crapi-community:
         condition: service_healthy
@@ -150,10 +164,10 @@ services:
       crapi-workshop:
         condition: service_healthy
     healthcheck:
-        test: curl 0.0.0.0:80/web/health
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: curl 0.0.0.0:80/web/health
+      interval: 15s
+      timeout: 15s
+      retries: 15
     deploy:
       resources:
         limits:
@@ -170,10 +184,10 @@ services:
     #ports:
     #  - "${LISTEN_IP:-127.0.0.1}:5432:5432"
     healthcheck:
-        test: ["CMD-SHELL", "pg_isready"]
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: [ "CMD-SHELL", "pg_isready" ]
+      interval: 15s
+      timeout: 15s
+      retries: 15
     volumes:
       - postgresql-data:/var/lib/postgresql/data/
     deploy:
@@ -191,11 +205,11 @@ services:
     #ports:
     #  - "${LISTEN_IP:-127.0.0.1}:27017:27017"
     healthcheck:
-        test: echo 'db.runCommand("ping").ok' | mongo mongodb:27017/test --quiet
-        interval: 15s
-        timeout: 15s
-        retries: 15
-        start_period: 20s
+      test: echo 'db.runCommand("ping").ok' | mongo mongodb:27017/test --quiet
+      interval: 15s
+      timeout: 15s
+      retries: 15
+      start_period: 20s
     volumes:
       - mongodb-data:/data/db
     deploy:
@@ -212,29 +226,30 @@ services:
       MH_MONGO_URI: admin:crapisecretpassword@mongodb:27017
       MH_STORAGE: mongodb
     ports:
-    #  - "127.0.0.1:1025:1025" # smtp server
+      #  - "127.0.0.1:1025:1025" # smtp server
       - "${LISTEN_IP:-127.0.0.1}:8025:8025" # Mail ui
     healthcheck:
-        test: ["CMD", "nc", "-z", "localhost", "8025"]
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: [ "CMD", "nc", "-z", "localhost", "8025" ]
+      interval: 15s
+      timeout: 15s
+      retries: 15
     deploy:
       resources:
         limits:
           cpus: '0.3'
           memory: 128M
 
-  api.crapi.io:
-    container_name: api.crapi.io
+  api.mypremiumdealership.com:
+    container_name: api.mypremiumdealership.com
     image: crapi/gateway-service:${VERSION:-latest}
     #ports:
     #  - "${LISTEN_IP:-127.0.0.1}:8443:443" # https
     healthcheck:
-        test: curl -vk 0.0.0.0:443
-        interval: 15s
-        timeout: 15s
-        retries: 15
+      test: echo -n "GET / HTTP/1.1\n\n" > /dev/tcp/api.mypremiumdealership.com/443
+      interval: 15s
+      timeout: 15s
+      retries: 15
+      start_period: 15s
     deploy:
       resources:
         limits:

diff --git a/deploy/docker/scripts/load.sh b/deploy/docker/scripts/load.sh
@@ -0,0 +1,8 @@
+docker load -i mailhog.tar
+docker load -i gateway-service.tar
+docker load -i crapi-identity.tar
+docker load -i crapi-community.tar
+docker load -i crapi-workshop.tar
+docker load -i crapi-web.tar
+docker load -i postgres.tar
+docker load -i mongo.tar
diff --git a/deploy/docker/scripts/save.sh b/deploy/docker/scripts/save.sh
@@ -0,0 +1,8 @@
+docker save crapi/mailhog:develop -o mailhog.tar
+docker save crapi/gateway-service:develop -o gateway-service.tar
+docker save crapi/crapi-identity:develop -o crapi-identity.tar
+docker save crapi/crapi-community:develop -o crapi-community.tar
+docker save crapi/crapi-workshop:develop -o crapi-workshop.tar
+docker save crapi/crapi-web:develop -o crapi-web.tar
+docker save postgres:14 -o postgres.tar
+docker save mongo:4.4 -o mongo.tar
diff --git a/deploy/helm/templates/community/config.yaml b/deploy/helm/templates/community/config.yaml
@@ -22,3 +22,4 @@ data:
     MONGO_DB_PASSWORD: {{ .Values.mongodb.config.mongoPassword }}
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.community.port | quote }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/templates/identity/config.yaml b/deploy/helm/templates/identity/config.yaml
@@ -27,6 +27,13 @@ data:
   SMTP_PASS: {{ .Values.identity.config.smtpPass }}
   SMTP_FROM: {{ .Values.identity.config.smtpFrom }}
   SMTP_AUTH: {{ .Values.identity.config.smtpAuth | quote }}
+  JWT_EXPIRATION: {{ .Values.identity.config.jwtExpiration | quote }}
   SMTP_STARTTLS: {{ .Values.identity.config.smtpStartTLS | quote }}
   SERVER_PORT: {{ .Values.identity.port | quote }}
   API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
+  TLS_KEYSTORE_TYPE: {{ .Values.identity.config.keyStoreType }}
+  TLS_KEYSTORE: {{ .Values.identity.config.keyStore }}
+  TLS_KEYSTORE_PASSWORD: {{ .Values.identity.config.keyStorePassword }}
+  TLS_KEY_PASSWORD: {{ .Values.identity.config.keyPassword }}
+  TLS_KEY_ALIAS: {{ .Values.identity.config.keyAlias }}
diff --git a/deploy/helm/templates/web/configmap.yaml b/deploy/helm/templates/web/configmap.yaml
@@ -9,3 +9,4 @@ data:
   COMMUNITY_SERVICE: {{ .Values.community.service.name }}:{{ .Values.community.port }}
   IDENTITY_SERVICE: {{ .Values.identity.service.name }}:{{ .Values.identity.port }}
   WORKSHOP_SERVICE: {{ .Values.workshop.service.name }}:{{ .Values.workshop.port }}
+  TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/templates/web/deployment.yaml b/deploy/helm/templates/web/deployment.yaml
@@ -23,6 +23,7 @@ spec:
           image: {{ .Values.web.image }}:{{ .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.imagePullPolicy }}
           ports:
+            - containerPort: 443
             - containerPort: 80
           {{- if .Values.web.resources }}
           resources:

diff --git a/deploy/helm/templates/web/ingress.yaml b/deploy/helm/templates/web/ingress.yaml
@@ -11,6 +11,10 @@ spec:
     targetPort: 80
     nodePort: {{ .Values.web.service.nodePort }}
     name: nginx
+  - port: {{ .Values.web.sslPort }}
+    targetPort: 443
+    nodePort: {{ .Values.web.service.sslNodePort }}
+    name: nginx-ssl
   type: LoadBalancer
   selector:
     {{- toYaml .Values.web.serviceSelectorLabels | nindent 4 }}
diff --git a/deploy/helm/templates/workshop/config.yaml b/deploy/helm/templates/workshop/config.yaml
@@ -22,3 +22,4 @@ data:
     MONGO_DB_NAME: {{ .Values.mongodb.config.mongoDbName }}
     SERVER_PORT: {{ .Values.workshop.port | quote }}
     API_GATEWAY_URL: {{ if .Values.apiGatewayServiceInstall }}"https://{{ .Values.apiGatewayService.service.name }}"{{ else }}{{ .Values.apiGatewayServiceUrl }}{{ end }}
+    TLS_ENABLED: {{ .Values.tlsEnabled | quote }}
diff --git a/deploy/helm/values-tls.yaml b/deploy/helm/values-tls.yaml
@@ -0,0 +1,32 @@
+# Default values for crapi.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+replicaCount: 1
+imagePullPolicy: Always
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
+apiGatewayServiceInstall: false
+enableLog4j: true
+enableShellInjection: true
+tlsEnabled: true
+
+web:
+  image: crapi/crapi-web
+  port: 80
+  sslPort: 443
+identity:
+  image: crapi/crapi-identity
+  port: 8080
+community:
+  image: crapi/crapi-community
+  port: 8087
+workshop:
+  image: crapi/crapi-workshop
+  port: 8000
+mailhog:
+  image: crapi/mailhog
+mongodb:
+  image: mongo
+  version: 5.0
+postgresdb:
+  image: postgres
+  version: 14
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -6,9 +6,10 @@ jwtSecret: crapi
 enableLog4j: false
 enableShellInjection: true
 imagePullPolicy: Always
-apiGatewayServiceUrl: https://api.crapi.io
+apiGatewayServiceUrl: https://api.mypremiumdealership.com
 apiGatewayServiceInstall: true
-apiGatewayPassword: 
+apiGatewayPassword:
+tlsEnabled: false
 
 waitForK8sResources:
   image: groundnuty/k8s-wait-for:v1.3
@@ -19,11 +20,13 @@ web:
   image: crapi/crapi-web
   replicaCount: 1
   port: 80
+  sslPort: 443
   service:
     name: crapi-web
     labels:
       app: crapi-web
     nodePort: 30080
+    sslNodePort: 30443
   config:
     name: crapi-web-configmap
     labels:
@@ -70,6 +73,12 @@ identity:
     smtpFrom: "[email protected]"
     smtpAuth: true
     smtpStartTLS: true
+    jwtExpiration: 604800000
+    keyStoreType: PKCS12
+    keyStore: classpath:certs/server.p12
+    keyStorePassword: passw0rd
+    keyPassword: passw0rd
+    keyAlias: identity
   resources:
     limits:
       cpu: "500m"
@@ -278,4 +287,4 @@ apiGatewayService:
   deploymentSelectorMatchLabels:
     app: gateway-service
   serviceSelectorLabels:
-    app: gateway-service
+    app: gateway-service
diff --git a/deploy/k8s/base/identity/config.yaml b/deploy/k8s/base/identity/config.yaml
@@ -7,7 +7,7 @@ metadata:
 data:
   DB_HOST: postgresdb
   DB_DRIVER: postgresql
-  JWT_SECRET: crapi #Used for creating a JWT. Can be anything 
+  JWT_SECRET: crapi #Used for creating a JWT. Can be anything
   DB_USER: admin
   DB_PASSWORD: crapisecretpassword
   DB_NAME: crapi
@@ -24,5 +24,6 @@ data:
   SMTP_PASS: "xxxxxxxxxxxxxx"
   SMTP_FROM: "[email protected]"
   SMTP_AUTH: "true"
+  JWT_EXPIRATION: "604800000"
   SMTP_STARTTLS: "true"
   SERVER_PORT: "8080"
diff --git a/deploy/vagrant/provisioner.sh b/deploy/vagrant/provisioner.sh
@@ -41,8 +41,7 @@ mkdir /opt/crapi
 
 cp "$MOUNT_DIR/deploy/docker/docker-compose.yml" /opt/crapi \
     && sed -i /opt/crapi/docker-compose.yml \
-        -e "s/127.0.0.1:8888:80/80:80/" \
-        -e "s/127.0.0.1:8025:8025/8025:8025/"
+    -e 's/${LISTEN_IP:-127\.0\.0\.1}:8888:80/80:80/; s/${LISTEN_IP:-127\.0\.0\.1}:8025:8025/8025:8025/'
 cp "$MOUNT_DIR/deploy/vagrant/crapi.service" /etc/systemd/system/ \
     && systemctl daemon-reload \
     && systemctl enable crapi.service

diff --git a/postman_collections/crAPI.postman_collection.json b/postman_collections/crAPI.postman_collection.json
@@ -33,7 +33,7 @@
           }
         ],
         "request": {
-          "method": "GET",
+          "method": "POST",
           "header": [
             {
               "key": "User-Agent",