Compare commits
8 Commits
acf09db63e
..
main
| Author | SHA1 | Date | |
|---|---|---|---|
 janis
|
301cbf9d06 | ||
|
janis
|
d1025134cd | ||
|
janis
|
8766e534df | ||
|
janis
|
31e480d3de | ||
|
janis
|
c773169ff6 | ||
|
janis
|
f8560068dd | ||
|
janis
|
ccae7bf73c | ||
|
janis
|
fc3181ee3b |
+48
-25
@@ -5,17 +5,32 @@ on:
|
||||
branches:
|
||||
- main
|
||||
|
||||
env:
|
||||
GIT_HOST: git.jakach.ch
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
|
||||
APP_NAME: auth
|
||||
APP_DOMAIN: auth.jakach.ch
|
||||
APP_PORT: 447
|
||||
|
||||
SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
|
||||
CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
|
||||
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||
TRIVY_IMAGE_SCANNERS: vuln
|
||||
TRIVY_VEX: repo
|
||||
TRIVY_FS_SCANNERS: vuln,misconfig,secret
|
||||
SEMGREP_CONFIG: p/default
|
||||
|
||||
jobs:
|
||||
security_scan:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
GIT_USER: ${{ vars.GIT_USER }}
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
|
||||
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||
TRIVY_REGISTRY_USER: ${{ vars.TRIVY_REGISTRY_USER }}
|
||||
TRIVY_REGISTRY_PASSWORD: ${{ secrets.TRIVY_REGISTRY_PASSWORD }}
|
||||
|
||||
steps:
|
||||
- name: Scan Docker images for vulnerabilities
|
||||
@@ -53,7 +68,6 @@ jobs:
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
fi
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
|
||||
|
||||
git clone \
|
||||
@@ -96,6 +110,12 @@ jobs:
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -n "${TRIVY_REGISTRY_USER:-}" ] || [ -n "${TRIVY_REGISTRY_PASSWORD:-}" ]; then
|
||||
: "${TRIVY_REGISTRY_USER:?TRIVY_REGISTRY_USER is required when TRIVY_REGISTRY_PASSWORD is set}"
|
||||
: "${TRIVY_REGISTRY_PASSWORD:?TRIVY_REGISTRY_PASSWORD is required when TRIVY_REGISTRY_USER is set}"
|
||||
echo "Using registry credentials from TRIVY_REGISTRY_USER/TRIVY_REGISTRY_PASSWORD"
|
||||
fi
|
||||
|
||||
TRIVY_IGNORE_ARGS=""
|
||||
|
||||
if [ -f cve_blacklist.txt ]; then
|
||||
@@ -125,20 +145,37 @@ jobs:
|
||||
echo ""
|
||||
echo "Scanning ${image}"
|
||||
|
||||
if ! trivy \
|
||||
if [ -n "${TRIVY_REGISTRY_USER:-}" ]; then
|
||||
if ! trivy \
|
||||
image \
|
||||
--username "${TRIVY_REGISTRY_USER}" \
|
||||
--password "${TRIVY_REGISTRY_PASSWORD}" \
|
||||
--scanners "${TRIVY_IMAGE_SCANNERS}" \
|
||||
--vex "${TRIVY_VEX}" \
|
||||
--exit-code 1 \
|
||||
--severity "${TRIVY_SEVERITY}" \
|
||||
--ignore-unfixed \
|
||||
${TRIVY_IGNORE_ARGS} \
|
||||
--no-progress \
|
||||
"${image}"; then
|
||||
failed=1
|
||||
fi
|
||||
elif ! trivy \
|
||||
image \
|
||||
--scanners "${TRIVY_IMAGE_SCANNERS}" \
|
||||
--vex "${TRIVY_VEX}" \
|
||||
--exit-code 1 \
|
||||
--severity "${TRIVY_SEVERITY}" \
|
||||
--ignore-unfixed \
|
||||
${TRIVY_IGNORE_ARGS} \
|
||||
--no-progress \
|
||||
"${image}"; then
|
||||
failed=1
|
||||
failed=1
|
||||
fi
|
||||
done < images.txt
|
||||
|
||||
if [ "$failed" -ne 0 ]; then
|
||||
echo "WARNING: High or critical vulnerabilities were found in one or more Docker images. Deployment stopped."
|
||||
echo "WARNING: One or more Docker image scans failed or found ${TRIVY_SEVERITY} vulnerabilities. Deployment stopped."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
@@ -148,11 +185,8 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
GIT_USER: ${{ vars.GIT_USER }}
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
|
||||
|
||||
steps:
|
||||
- name: Scan source code
|
||||
@@ -197,7 +231,6 @@ jobs:
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
fi
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
|
||||
|
||||
git clone \
|
||||
@@ -208,14 +241,14 @@ jobs:
|
||||
cd source
|
||||
|
||||
semgrep scan \
|
||||
--config p/default \
|
||||
--config "${SEMGREP_CONFIG}" \
|
||||
--error \
|
||||
--metrics=off
|
||||
|
||||
trivy fs \
|
||||
--scanners vuln,misconfig,secret \
|
||||
--scanners "${TRIVY_FS_SCANNERS}" \
|
||||
--exit-code 1 \
|
||||
--severity HIGH,CRITICAL \
|
||||
--severity "${TRIVY_SEVERITY}" \
|
||||
--ignore-unfixed \
|
||||
--no-progress \
|
||||
.
|
||||
@@ -226,14 +259,6 @@ jobs:
|
||||
- security_scan
|
||||
- code_scan
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
|
||||
APP_NAME: template
|
||||
APP_DOMAIN: auth.jakach.ch
|
||||
APP_PORT: 447
|
||||
|
||||
steps:
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
@@ -273,8 +298,6 @@ jobs:
|
||||
: "${GIT_USER:?GIT_USER is required}"
|
||||
: "${GIT_TOKEN:?GIT_TOKEN is required}"
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
|
||||
REPO_NAME="$(basename "$GIT_REPO")"
|
||||
APP_DIR="/srv/systems/${REPO_NAME}"
|
||||
|
||||
|
||||
@@ -21,7 +21,11 @@ Using Jakach Login is straightforward:
|
||||
```bash
|
||||
docker volume create jakach-login-db-storage
|
||||
```
|
||||
4. **Run the system using Docker Compose:**
|
||||
4. **Authenticate to Docker Hardened Images:**
|
||||
```bash
|
||||
docker login dhi.io
|
||||
```
|
||||
5. **Run the system using Docker Compose:**
|
||||
```bash
|
||||
docker-compose up
|
||||
```
|
||||
|
||||
@@ -10,6 +10,11 @@ secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
function print_json_response($data): void
|
||||
{
|
||||
print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
|
||||
}
|
||||
|
||||
// Assuming you've already established a database connection here
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
@@ -104,7 +109,7 @@ try {
|
||||
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification, $crossPlatformAttachment);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($createArgs));
|
||||
print_json_response($createArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
@@ -138,7 +143,7 @@ try {
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($getArgs));
|
||||
print_json_response($getArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
|
||||
@@ -7,6 +7,12 @@ include "../utils/security.php";
|
||||
secure_session_start();
|
||||
require_same_origin_request();
|
||||
require_csrf_token();
|
||||
|
||||
function print_json_response($data): void
|
||||
{
|
||||
print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
|
||||
}
|
||||
|
||||
include "../../config/config.php";
|
||||
$conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
|
||||
if ($conn->connect_error) {
|
||||
@@ -90,7 +96,7 @@ try {
|
||||
// Get create arguments
|
||||
$createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification);
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($createArgs));
|
||||
print_json_response($createArgs);
|
||||
|
||||
// Save challenge to session or somewhere else if needed
|
||||
} else if ($fn === 'getGetArgs') {
|
||||
@@ -120,7 +126,7 @@ try {
|
||||
$getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
|
||||
|
||||
header('Content-Type: application/json');
|
||||
print(json_encode($getArgs));
|
||||
print_json_response($getArgs);
|
||||
|
||||
// save challange to session. you have to deliver it to processGet later.
|
||||
$_SESSION['challenge'] = $WebAuthn->getChallenge();
|
||||
|
||||
@@ -16,21 +16,32 @@ if ($conn->connect_error) {
|
||||
}
|
||||
|
||||
$search = trim($_GET['search'] ?? '');
|
||||
$sort = $_GET['sort'] ?? 'id';
|
||||
$sort = $_GET['sort'] ?? '';
|
||||
$order = strtoupper($_GET['order'] ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
|
||||
|
||||
$allowedSorts = ['id', 'username'];
|
||||
if (!in_array($sort, $allowedSorts)) {
|
||||
$sort = 'id';
|
||||
}
|
||||
|
||||
if ($search !== '') {
|
||||
$query = "SELECT id, username FROM users WHERE username LIKE ? ORDER BY $sort $order";
|
||||
if ($sort === 'username') {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username DESC"
|
||||
: "SELECT id, username FROM users WHERE username LIKE ? ORDER BY username ASC";
|
||||
} else {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id DESC"
|
||||
: "SELECT id, username FROM users WHERE username LIKE ? ORDER BY id ASC";
|
||||
}
|
||||
$stmt = $conn->prepare($query);
|
||||
$like = '%' . $search . '%';
|
||||
$stmt->bind_param('s', $like);
|
||||
} else {
|
||||
$query = "SELECT id, username FROM users ORDER BY $sort $order";
|
||||
if ($sort === 'username') {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users ORDER BY username DESC"
|
||||
: "SELECT id, username FROM users ORDER BY username ASC";
|
||||
} else {
|
||||
$query = $order === 'DESC'
|
||||
? "SELECT id, username FROM users ORDER BY id DESC"
|
||||
: "SELECT id, username FROM users ORDER BY id ASC";
|
||||
}
|
||||
$stmt = $conn->prepare($query);
|
||||
}
|
||||
|
||||
@@ -50,4 +61,4 @@ $stmt->close();
|
||||
$conn->close();
|
||||
|
||||
echo json_encode(['success' => true, 'data' => $users]);
|
||||
?>
|
||||
?>
|
||||
|
||||
+2
-2
@@ -1,10 +1,10 @@
|
||||
services:
|
||||
jakach-login-db:
|
||||
image: mariadb:10.6.25
|
||||
image: dhi.io/mariadb:12
|
||||
container_name: jakach-login-db
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
MYSQL_ROOT_PASSWORD: 1234
|
||||
MARIADB_ROOT_PASSWORD: 1234
|
||||
networks:
|
||||
jakach-login-network:
|
||||
ipv4_address: 192.168.5.2
|
||||
|
||||
Reference in New Issue
Block a user