Skip to content

sbcq-202 : Keyclock Audit script #4

sbcq-202 : Keyclock Audit script

sbcq-202 : Keyclock Audit script #4

Workflow file for this run

name: Pull Request Deploy
on:
pull_request:
push:
workflow_dispatch:
inputs:
pr-number:
description: "Pull Request Number:"
type: string
required: true
namespace:
description: "Deploy To:"
type: choice
required: true
options:
- The Q Dev
- QMS Dev
- The Q Test
jobs:
##### SETUP ##################################################################
parse-inputs:
name: refs/pull/${{ github.event.pull_request.number }}/head to ${{ github.event.inputs.namespace }}
runs-on: ubuntu-latest
outputs:
environment: ${{ steps.parse.outputs.environment }}
image-tag: ${{ steps.parse.outputs.image-tag }}
push-qms: ${{ steps.parse.outputs.push-qms }}
push-theq: ${{ steps.parse.outputs.push-theq }}
ref: ${{ steps.parse.outputs.ref }}
steps:
- name: Checkout repository
uses: actions/checkout@v2
# Use the input values to create more coding-friendly values.
- name: Parse Inputs
id: parse
run: |
# Gets "dev" or "test".
ENVIRONMENT=$(echo ${{ github.event.inputs.namespace }} | \
awk -F' ' '{print $NF}' | tr '[:upper:]' '[:lower:]')
echo ENVIRONMENT:$ENVIRONMENT
echo "environment=$ENVIRONMENT" >> $GITHUB_OUTPUT
IMAGE_TAG=${{ github.event.pull_request.number }}
echo IMAGE_TAG:$IMAGE_TAG
echo "image-tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
if [ $GITHUB_REPOSITORY_OWNER != "bcgov" ]; then
# Never push in forks - useful and safer for development.
PUSH_QMS=false
PUSH_THEQ=false
elif [[ "${{ github.event.inputs.namespace }}" == QMS* ]]; then
PUSH_QMS=true
PUSH_THEQ=false
else
PUSH_QMS=false
PUSH_THEQ=true
fi
echo PUSH_QMS:$PUSH_QMS
echo "push-qms=$PUSH_QMS" >> $GITHUB_OUTPUT
echo PUSH_THEQ:$PUSH_THEQ
echo "push-theq=$PUSH_THEQ" >> $GITHUB_OUTPUT
REF=refs/pull/${{ github.event.pull_request.number }}/head
echo REF:$REF
echo "ref=$REF" >> $GITHUB_OUTPUT
##### TEST ###################################################################
appointment-frontend-cypress:
name: Appointment Frontend Cypress
needs: parse-inputs
uses: ./.github/workflows/tyu-reusable-appointment-frontend-cypress.yaml
secrets:
bceid-endpoint: ${{ secrets.CYPRESS_BCEID_ENDPOINT }}
bceid-password: ${{ secrets.CYPRESS_BCEID_PASSWORD }}
bceid-username: ${{ secrets.CYPRESS_BCEID_USERNAME }}
cypress-project-id: ${{ secrets.CYPRESS_PROJECT_ID }}
cypress-record-key: ${{ secrets.CYPRESS_RECORD_KEY }}
keycloak-auth-url: ${{ secrets.KEYCLOAK_AUTH_URL_DEV }}/auth/
keycloak-client: ${{ secrets.KEYCLOAK_APPOINTMENTS_FRONTEND_CLIENT }}
keycloak-realm: ${{ secrets.KEYCLOAK_REALM }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
##### BUILD ##################################################################
appointment-frontend:
name: appointment-frontend
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-dockerfile.yaml
secrets:
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: appointment-frontend
image-name: appointment-nginx-frontend
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
feedback-api:
name: feedback-api
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-s2i.yaml
secrets:
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: feedback-api
image-name: feedback-api
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
notifications-api:
name: notifications-api
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-s2i.yaml
secrets:
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: notifications-api
image-name: notifications-api
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
queue-management-api:
name: queue-management-api
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-s2i.yaml
secrets:
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: api
image-name: queue-management-api
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
queue-management-frontend:
name: queue-management-frontend
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-dockerfile.yaml
secrets:
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: frontend
image-name: queue-management-nginx-frontend
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
send-appointment-reminder-crond:
name: send-appointment-reminder-crond
needs: [parse-inputs, appointment-frontend-cypress]
uses: ./.github/workflows/reusable-build-dockerfile.yaml
secrets:
artifactory-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
artifactory-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
artifactory-username: ${{ secrets.ARTIFACTORY_USERNAME }}
namespace-theq: ${{ secrets.LICENCE_PLATE_THEQ }}-tools
namespace-theq-password: ${{ secrets.SA_PASSWORD_THEQ_TOOLS }}
namespace-theq-username: ${{ secrets.SA_USERNAME }}
namespace-qms: ${{ secrets.LICENCE_PLATE_QMS }}-tools
namespace-qms-password: ${{ secrets.SA_PASSWORD_QMS_TOOLS }}
namespace-qms-username: ${{ secrets.SA_USERNAME }}
openshift-registry: ${{ secrets.OPENSHIFT_REGISTRY }}
with:
ref: ${{ needs.parse-inputs.outputs.ref }}
directory: jobs/appointment_reminder
image-name: send-appointment-reminder-crond
image-tags: ${{ needs.parse-inputs.outputs.image-tag }}
push-qms: ${{ needs.parse-inputs.outputs.push-qms == 'true' }}
push-theq: ${{ needs.parse-inputs.outputs.push-theq == 'true' }}
##### DEPLOY #################################################################
tag:
name: Tag
if: github.repository_owner == 'bcgov'
needs: [parse-inputs, appointment-frontend, feedback-api, notifications-api, queue-management-api, queue-management-frontend, send-appointment-reminder-crond]
uses: ./.github/workflows/reusable-tag-image.yaml
secrets:
licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS || secrets.LICENCE_PLATE_THEQ }}
openshift-api: ${{ secrets.OPENSHIFT_API }}
token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_TOOLS || secrets.SA_PASSWORD_THEQ_TOOLS }}
with:
image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond
tag-from: ${{ needs.parse-inputs.outputs.image-tag }}
tag-to: ${{ needs.parse-inputs.outputs.environment }}
wait-for-rollouts:
name: Wait for Rollouts
if: github.repository_owner == 'bcgov'
needs: [parse-inputs, tag]
uses: ./.github/workflows/reusable-wait-for-rollouts.yaml
secrets:
licence-plate: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.LICENCE_PLATE_QMS || secrets.LICENCE_PLATE_THEQ }}
openshift-api: ${{ secrets.OPENSHIFT_API }}
token: ${{ needs.parse-inputs.outputs.push-qms == 'true' && secrets.SA_PASSWORD_QMS_DEV || ( needs.parse-inputs.outputs.environment == 'dev' && secrets.SA_PASSWORD_THEQ_DEV || secrets.SA_PASSWORD_THEQ_TEST ) }}
with:
image-names: appointment-nginx-frontend feedback-api notifications-api queue-management-api queue-management-nginx-frontend send-appointment-reminder-crond-${{ needs.parse-inputs.outputs.environment }}
tag-to: ${{ needs.parse-inputs.outputs.environment }}
##### TEST ###################################################################
# Only run Newman for The Q dev - other environments will fail due to data.
newman-theq-dev:
name: Newman Tests
if: github.event.inputs.namespace == 'The Q Dev'
needs: [parse-inputs, wait-for-rollouts]
runs-on: ubuntu-latest
steps:
- name: Check out
uses: actions/checkout@v2
- name: NPM Install
run: |
cd api/postman
npm install newman
- name: Run Newman Tests
run: |
cd api/postman
node_modules/newman/bin/newman.js run API_Test_TheQ_Booking.json \
-e postman_env.json \
--delay-request 250 \
--global-var 'auth_url=${{ vars.POSTMAN_AUTH_URL_DEV }}' \
--global-var 'client_secret=${{ secrets.POSTMAN_CLIENT_SECRET_DEV }}' \
--global-var 'clientid=${{ vars.POSTMAN_CLIENTID_DEV }}' \
--global-var 'password=${{ secrets.POSTMAN_PASSWORD }}' \
--global-var 'password_nonqtxn=${{ secrets.POSTMAN_PASSWORD_NONQTXN }}' \
--global-var 'public_url=${{ vars.POSTMAN_PUBLIC_API_URL_THEQ_DEV }}' \
--global-var 'public_user_id=${{ vars.POSTMAN_PUBLIC_USERID }}' \
--global-var 'public_user_password=${{ secrets.POSTMAN_PASSWORD_PUBLIC_USER }}' \
--global-var 'realm=${{ vars.POSTMAN_REALM }}' \
--global-var 'url=${{ vars.POSTMAN_API_URL_THEQ_DEV }}' \
--global-var 'userid=${{ vars.POSTMAN_USERID }}' \
--global-var 'userid_nonqtxn=${{ vars.POSTMAN_USERID_NONQTXN }}'
owasp-staff:
name: OWASP ZAP Scan of Staff Frontend
needs: [parse-inputs, wait-for-rollouts]
runs-on: ubuntu-latest
steps:
- name: Get Parameters
run: |
if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_QMS_DEV }}" >> $GITHUB_ENV
elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_DEV }}" >> $GITHUB_ENV
else
echo "ZAP_URL=${{ secrets.ZAP_STAFFURL_THEQ_TEST }}" >> $GITHUB_ENV
fi
- name: OWASP ZAP Scan
uses: zaproxy/[email protected]
with:
allow_issue_writing: false
cmd_options: '-z "-config scanner.threadPerHost=20"'
target: ${{ env.ZAP_URL }}
- name: Upload Report as Artifact
uses: actions/upload-artifact@v3
with:
name: OWASP ZAP - Staff Front End Report
path: report_html.html
owasp-appointment:
name: OWASP ZAP Scan of Appointment Frontend
needs: [parse-inputs, wait-for-rollouts]
runs-on: ubuntu-latest
steps:
- name: Get Parameters
run: |
if [ ${{ needs.parse-inputs.outputs.push-qms }} == true ]; then
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_QMS_DEV }}" >> $GITHUB_ENV
elif [ ${{ needs.parse-inputs.outputs.environment }} == dev ]; then
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_DEV }}" >> $GITHUB_ENV
else
echo "ZAP_URL=${{ secrets.ZAP_APPTMNTURL_THEQ_TEST }}" >> $GITHUB_ENV
fi
- name: OWASP ZAP Scan
uses: zaproxy/[email protected]
with:
allow_issue_writing: false
cmd_options: '-z "-config scanner.threadPerHost=20"'
target: ${{ env.ZAP_URL }}
- name: Upload Report as Artifact
uses: actions/upload-artifact@v3
with:
name: OWASP ZAP - Appointment Front End Report
path: report_html.html