Merge branch '363_delete_secrets' into 'development'

363_test secret detection See merge request sharing/codeability-sharing-platform!165

Merge branch '363_delete_secrets' into 'development'
363_test secret detection See merge request sharing/codeability-sharing-platform!165
debc25f2 · Michael Breu · f95f02bf · 35dea8f7 · debc25f2 · debc25f2
Commit debc25f2 authored 2 years ago by Michael Breu
--- a/.gitignore
+++ b/.gitignore
@@ -213,3 +213,4 @@ google-chrome-stable_current_amd64.deb
 .settings/org.eclipse.jdt.core.prefs

 .project
+.env
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -22,6 +22,23 @@ before_script:
  - export NG_CLI_ANALYTICS="false"
  - export MAVEN_USER_HOME=`pwd`/.maven

+include:
+  - template: Jobs/Secret-Detection.gitlab-ci.yml
+
+secret_detection:
+  variables:
+    GIT_DEPTH: 100
+    SECRET_DETECTION_LOG_OPTIONS: ${CI_MERGE_REQUEST_DIFF_BASE_SHA}..${CI_COMMIT_SHA}
+  script:
+    - apk add jq
+    - /analyzer run
+    - NUMBER_OF_VULNERABILITIES=$(cat gl-secret-detection-report.json | jq --raw-output '.vulnerabilities | length')
+    - if [[ $NUMBER_OF_VULNERABILITIES -gt 0 ]]; then exit "1"; fi
+  allow_failure: false
+  artifacts:
+    paths: [gl-secret-detection-report.json]
+    when: always
+
 pmdCheckstylePrettierLint:
  stage: lint
  cache: []
@@ -64,6 +81,8 @@ maven-test:
  variables:
    DOCKER_HOST: 'tcp://docker:2375'
    DOCKER_TLS_CERTDIR: ''
+    # APPLICATION_GITLAB_ADMINACCESSTOKEN: $APPLICATION_GITLAB_ADMINACCESSTOKEN
+    # APPLICATION_GITLAB_GENERALACCESSTOKEN: $APPLICATION_GITLAB_GENERALACCESSTOKEN
  stage: test
  cache:
    # inherit all global cache settings
@@ -71,7 +90,7 @@ maven-test:
    # override the policy
    policy: pull
  script:
-    - ./mvnw -ntp verify -P-webapp -Dmaven.repo.local=$MAVEN_USER_HOME -Dspring.profiles.active=testcontainers -Dlogging.level.ROOT=ERROR -Dlogging.level.org.zalando=OFF -Dlogging.level.tech.jhipster=OFF -Dlogging.level.at.ac.uibk.gitsearch=WARN -Dlogging.level.org.springframework=WARN -Dlogging.level.org.springframework.web=WARN -Dlogging.level.org.springframework.security=OFF -Dlogging.level.org.hibernate.SQL=WARN
+    - ./mvnw -ntp verify -P-webapp -Dmaven.repo.local=$MAVEN_USER_HOME -Dapplication.gitlab.guestAccessToken=$APPLICATION_GITLAB_GENERALACCESSTOKEN -Dapplication.gitlab.adminAccessToken=$APPLICATION_GITLAB_ADMINACCESSTOKEN -Dspring.profiles.active=testcontainers -Dlogging.level.ROOT=ERROR -Dlogging.level.org.zalando=OFF -Dlogging.level.tech.jhipster=OFF -Dlogging.level.at.ac.uibk.gitsearch=WARN -Dlogging.level.org.springframework=WARN -Dlogging.level.org.springframework.web=WARN -Dlogging.level.org.springframework.security=OFF -Dlogging.level.org.hibernate.SQL=WARN
  allow_failure: true
  artifacts:
    reports:
@@ -85,6 +104,9 @@ maven-test:
    when: always
    expire_in: 2 days
  needs: []
+  before_script:
+    - export APPLICATION_GITLAB_ADMINACCESSTOKEN=$APPLICATION_GITLAB_ADMINACCESSTOKEN
+    - export APPLICATION_GITLAB_GENERALACCESSTOKEN=$APPLICATION_GITLAB_GENERALACCESSTOKEN

 frontend-test:
  stage: test

--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -57,7 +57,8 @@
      "name": "Launch GitsearchApp",
      "request": "launch",
      "mainClass": "at.ac.uibk.gitsearch.GitsearchApp",
-      "projectName": "gitsearch"
+      "projectName": "gitsearch",
+      "envFile": "${workspaceFolder}/.env"
    }
  ]
 }
--- a/manual_depoy.sh
+++ b/manual_depoy.sh
 #!/bin/bash
-
 source src/main/docker/.env
 echo "Deploying Gitsearch"
 export GITBRANCH=test

--- a/src/main/docker/elasticsearch.yml
+++ b/src/main/docker/elasticsearch.yml
@@ -18,7 +18,7 @@ services:
      - discovery.type=single-node
      - xpack.security.enabled=false
    volumes:
-      - '/mnt/qt-codeability-austria/sharing/es/data:/usr/share/elasticsearch/data' # change this path for production
+      - '$ES_HOME/data:/usr/share/elasticsearch/data'
    ulimits:
      memlock:
        soft: -1

--- a/src/main/docker/gitsearch.yml
+++ b/src/main/docker/gitsearch.yml
@@ -23,7 +23,7 @@ services:
      - APPLICATION_GITLAB_GENERALACCESSTOKEN=${APPLICATION_GITLAB_GENERALACCESSTOKEN}
      - APPLICATION_GITLAB_ADMINACCESSTOKEN=${APPLICATION_GITLAB_ADMINACCESSTOKEN}
      - CONNECTOR_ARTEMIS_TOKEN=${CONNECTOR_ARTEMIS_TOKEN}
-      - gitBranch=${GIT_BRANCH}
+      - gitBranch=${GITBRANCH}
      - gitCommitId=${COMMIT_ID}
      - gitCommitDate=${COMMIT_DATE}
      - GITSEARCH_PATH=/home/contDeploy/gitsearch2/gitsearch
@@ -58,9 +58,9 @@ services:
    volumes:
      - postgres_data:/var/lib/postgresql/data1
    environment:
-      POSTGRES_DB: keycloak
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: password
+      - POSTGRES_DB=keycloak
+      - POSTGRES_USER=${POSTGRES_USER_KEYCLOAK}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    networks:
      - backend
      - frontend
@@ -69,15 +69,16 @@ services:
  keycloak:
    image: quay.io/keycloak/keycloak:18.0.2-legacy
    environment:
-      DB_VENDOR: POSTGRES
-      DB_ADDR: postgres
-      DB_DATABASE: keycloak
-      DB_USER: keycloak
-      DB_SCHEMA: public
-      DB_PASSWORD: password
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: Pa55w0rd
-      PROXY_ADDRESS_FORWARDING: 'true'
+      - DB_VENDOR=POSTGRES
+      - DB_ADDR=postgres
+      - DB_DATABASE=keycloak
+      - DB_USER=${POSTGRES_USER_KEYCLOAK}
+      - DB_SCHEMA=public
+      - DB_PASSWORD=${POSTGRES_PASSWORD}
+      - KEYCLOAK_USER=${KEYCLOAK_USER}
+      - KEYCLOAK_PASSWORD=${KEYCLOAK_PASSWORD}
+      - PROXY_ADDRESS_FORWARDING=true
+      - GITSEARCH_PATH=$GITSEARCH_PATH
      # Uncomment the line below if you want to specify JDBC parameters. The parameter below is just an example, and it shouldn't be used in production without knowledge. It is highly recommended that you read the PostgreSQL JDBC driver documentation in order to use it.
      #JDBC_PARAMS: "ssl=true"
    ports:

--- a/src/main/docker/jhipster-control-center.yml
+++ b/src/main/docker/jhipster-control-center.yml
-## How to use JHCC docker compose
-# To allow JHCC to reach JHipster application from a docker container note that we set the host as host.docker.internal
-# To reach the application from a browser, you need to add '127.0.0.1 host.docker.internal' to your hosts file.
-### Discovery mode
-# JHCC support 3 kinds of discovery mode: Consul, Eureka and static
-# In order to use one, please set SPRING_PROFILES_ACTIVE to one (and only one) of this values: consul,eureka,static
-### Discovery properties
-# According to the discovery mode choose as Spring profile, you have to set the right properties
-# please note that current properties are set to run JHCC with default values, personalize them if needed
-# and remove those from other modes. You can only have one mode active.
-#### Eureka
-#       - EUREKA_CLIENT_SERVICE_URL_DEFAULTZONE=http://admin:admin@host.docker.internal:8761/eureka/
-#### Consul
-#       - SPRING_CLOUD_CONSUL_HOST=host.docker.internal
-#       - SPRING_CLOUD_CONSUL_PORT=8500
-#### Static
-# Add instances to "MyApp"
-#       - SPRING_CLOUD_DISCOVERY_CLIENT_SIMPLE_INSTANCES_MYAPP_0_URI=http://host.docker.internal:8081
-#       - SPRING_CLOUD_DISCOVERY_CLIENT_SIMPLE_INSTANCES_MYAPP_1_URI=http://host.docker.internal:8082
-# Or add a new application named MyNewApp
-#       - SPRING_CLOUD_DISCOVERY_CLIENT_SIMPLE_INSTANCES_MYNEWAPP_0_URI=http://host.docker.internal:8080
-# This configuration is intended for development purpose, it's **your** responsibility to harden it for production
-
-#### IMPORTANT
-# If you choose Consul or Eureka mode:
-# Do not forget to remove the prefix "127.0.0.1" in front of their port in order to expose them.
-# This is required because JHCC need to communicate with Consul or Eureka.
-# - In Consul mode, the ports are in the consul.yml file.
-# - In Eureka mode, the ports are in the jhipster-registry.yml file.
-
 version: '3.8'
 services:
  jhipster-control-center:
@@ -41,9 +11,9 @@ services:
      - _JAVA_OPTIONS=-Xmx512m -Xms256m
      - SPRING_PROFILES_ACTIVE=prod,api-docs,static
      - JHIPSTER_SLEEP=30 # gives time for other services to boot before the application
-      - SPRING_SECURITY_USER_PASSWORD=admin
+      - SPRING_SECURITY_USER_PASSWORD=${SPRING_SECURITY_USER_PASSWORD}
      # The token should have the same value than the one declared in you Spring configuration under the jhipster.security.authentication.jwt.base64-secret configuration's entry
-      - JHIPSTER_SECURITY_AUTHENTICATION_JWT_BASE64_SECRET=ZTY3OGIwZWZhMzdhYTQ2NjAwNTdlNDQ2NWM4YjQyMzlhMWVkMTJlYTExYzMwMzBjOWIzM2E1OTRmZWZkZmYzYzZhNWQ5N2EzZjMyNTFkMjM0ZjNmOWRhYTYzNGEzZDE3NThkYTNmZGVmNTQ1MmRlZjg1YWY4NTU4OGVmNDBkZDI=
+      - JHIPSTER_SECURITY_AUTHENTICATION_JWT_BASE64_SECRET=${JWT_BASE_SECRET}
      - SPRING_CLOUD_DISCOVERY_CLIENT_SIMPLE_INSTANCES_GITSEARCH_0_URI=http://host.docker.internal:8080
      - LOGGING_FILE_NAME=/tmp/jhipster-control-center.log
    # If you want to expose these ports outside your dev PC,

--- a/src/main/docker/keycloak.yml
+++ b/src/main/docker/keycloak.yml
@@ -11,21 +11,21 @@ services:
      - postgres_data:/var/lib/postgresql/data_new
    environment:
      POSTGRES_DB: keycloak
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: password
+      POSTGRES_USER: ${POSTGRES_USER_KEYCLOAK}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
  keycloak:
    image: quay.io/keycloak/keycloak:18.0.2-legacy
    environment:
      DB_VENDOR: POSTGRES
      DB_ADDR: postgres
      DB_DATABASE: keycloak
-      DB_USER: keycloak
+      DB_USER: ${POSTGRES_USER_KEYCLOAK}
      DB_SCHEMA: public
-      DB_PASSWORD: password
-      KEYCLOAK_USER: admin
-      KEYCLOAK_PASSWORD: Pa55w0rd
+      DB_PASSWORD: ${POSTGRES_PASSWORD}
+      KEYCLOAK_USER: ${KEYCLOAK_USER}
+      KEYCLOAK_PASSWORD: ${KEYCLOAK_PASSWORD}
      PROXY_ADDRESS_FORWARDING: 'true'
-      GITSEARCH_PATH: /home/contDeploy/gitsearch2/gitsearch
+      GITSEARCH_PATH: ${GITSEARCH_PATH}
      # Uncomment the line below if you want to specify JDBC parameters. The parameter below is just an example, and it shouldn't be used in production without knowledge. It is highly recommended that you read the PostgreSQL JDBC driver documentation in order to use it.
      #JDBC_PARAMS: "ssl=true"
    ports:

--- a/src/main/docker/monitoring.yml
+++ b/src/main/docker/monitoring.yml
@@ -19,7 +19,7 @@ services:
    volumes:
      - ./grafana/provisioning/:/etc/grafana/provisioning/
    environment:
-      - GF_SECURITY_ADMIN_PASSWORD=admin
+      - GF_SECURITY_ADMIN_PASSWORD=${GF_SECURITY_ADMIN_PASSWORD}
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_INSTALL_PLUGINS=grafana-piechart-panel
    # If you want to expose these ports outside your dev PC,

--- a/src/main/resources/config/application-dev.yml
+++ b/src/main/resources/config/application-dev.yml
@@ -87,12 +87,12 @@ spring:
          #   issuer-uri: https://sharing.codeability-austria.uibk.ac.at
        registration:
          oidc:
-            client-id: myclient
-            client-secret: 7987e4e6e6d0c5ddb175a043d82c5675b69a2db177c7e815c13ae41515643498
+            client-id: ${OIDC_KEYCLOAK_CLIENTID}
+            client-secret: ${OIDC_KEYCLOAK_SECRET}
            scope: openid,profile,email
          # gitlabOidc:
-          #   client-id: 149276ac11138d9ba72fb3cd12815e3fa2f372866df0eac0f7d1aae5fdffea24
-          #   client-secret: 6f480635241f420a361581f4837594ea6f48f5ee6f515c1aa89f325dd922dbb0
+          #   client-id: ${GITLAB_OIDC_CLIENTID}
+          #   client-secret: ${GITLAB_OIDC_CLIENT_SECRET}
          #   scope: api,read_user,read_api,read_repository,write_repository,read_registry,write_registry,sudo,openid,profile,email
 server:
  port: 8080
@@ -121,11 +121,11 @@ jhipster:
    oauth2:
      audience:
    # TODO: audience seems not really relevant, could be omitted? It is identical with client-id above
-    #        - 149276ac11138d9ba72fb3cd12815e3fa2f372866df0eac0f7d1aae5fdffea24
+    #        - ${GITLAB_OIDC_CLIENT_SECRET}
    authentication:
      jwt:
        # This token must be encoded using Base64 and be at least 256 bits long (you can type `openssl rand -base64 64` on your command line to generate a 512 bits one)
-        base64-secret: ZTY3OGIwZWZhMzdhYTQ2NjAwNTdlNDQ2NWM4YjQyMzlhMWVkMTJlYTExYzMwMzBjOWIzM2E1OTRmZWZkZmYzYzZhNWQ5N2EzZjMyNTFkMjM0ZjNmOWRhYTYzNGEzZDE3NThkYTNmZGVmNTQ1MmRlZjg1YWY4NTU4OGVmNDBkZDI=
+        base64-secret: ${JWT_BASE_SECRET}
        # Token is valid 24 hours
        token-validity-in-seconds: 86400
        token-validity-in-seconds-for-remember-me: 2592000
@@ -153,13 +153,13 @@ jhipster:
 application:
  registeredConnectors:
    - url: 'http://localhost:8081/api/sharing/config'
-      accessToken: acdd-erdf-asd2-234f-234d-32eb
+      accessToken: ${SHARING_CONFIG_ACCESS_TOKEN}
    - url: 'http://localhost:8082/api/sharingPluginConfig'
-      accessToken: 2c8845a4-b3df-414b-a682-36e2313dc1c0
+      accessToken: ${SHARING_PLUGIN_ACCESS_TOKEN}
  registeredConnectorsCallBackURL: http://localhost:8080/api
  installationName: Sharing Plattform (Development)
  gitlab:
    url: https://sharing.codeability-austria.uibk.ac.at
-    guestAccessToken: zPxPmJE3UXAZJpBzxqej
-    adminAccessToken: PJopKiYsK9AxqajfBxR6
+    guestAccessToken: ${APPLICATION_GITLAB_GENERALACCESSTOKEN}
+    adminAccessToken: ${APPLICATION_GITLAB_ADMINACCESSTOKEN}
  oerLink: https://oeresource-dev.logic.at
--- a/src/main/resources/config/application-prod.yml
+++ b/src/main/resources/config/application-prod.yml
@@ -67,9 +67,9 @@ spring:
            issuer-uri: ${SECURITY_OAUTH2_CLIENT_PROVIDER_GITLABOIDC_ISSUERURI}
        registration:
          oidc:
-            client-id: myclient
-            client-secret: 7987e4e6e6d0c5ddb175a043d82c5675b69a2db177c7e815c13ae41515643498
-            scope: openid
+            client-id: ${OIDC_KEYCLOAK_CLIENTID}
+            client-secret: ${OIDC_KEYCLOAK_SECRET}
+            scope: openid,profile,email
          gitlabOidc:
            client-id: ${SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLABOIDC_CLIENTID}
            client-secret: ${SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLABOIDC_CLIENTSECRET}

--- a/src/main/resources/config/application-staging.yml
+++ b/src/main/resources/config/application-staging.yml
@@ -80,8 +80,8 @@ spring:
          #   issuer-uri: ${SECURITY_OAUTH2_CLIENT_PROVIDER_GITLABOIDC_ISSUERURI}
        registration:
          oidc:
-            client-id: myclient
-            client-secret: 7987e4e6e6d0c5ddb175a043d82c5675b69a2db177c7e815c13ae41515643498
+            client-id: ${OIDC_KEYCLOAK_CLIENTID}
+            client-secret: ${OIDC_KEYCLOAK_SECRET}
            scope: openid
          # gitlabOidc:
          #   client-id: ${SECURITY_OAUTH2_CLIENT_REGISTRATION_GITLABOIDC_CLIENTID}

--- a/src/test/resources/config/application.yml
+++ b/src/test/resources/config/application.yml
@@ -90,8 +90,8 @@ spring:
            issuer-uri: https://keycloak.codeability-austria.uibk.ac.at/auth/realms/gitsearch
        registration:
          oidc:
-            client-id: myclient
-            client-secret: 7987e4e6e6d0c5ddb175a043d82c5675b69a2db177c7e815c13ae41515643498
+            client-id: ${OIDC_KEYCLOAK_CLIENT_ID}
+            client-secret: ${OIDC_KEYCLOAK_SECRET}
            scope: openid,profile,email

 server:
@@ -149,8 +149,8 @@ application:
    highlight-post: </strong></mark>
  gitlab:
    url: https://sharing.codeability-austria.uibk.ac.at
-    guestAccessToken: zPxPmJE3UXAZJpBzxqej
-    adminAccessToken: PJopKiYsK9AxqajfBxR6
+    guestAccessToken: ${APPLICATION_GITLAB_GENERALACCESSTOKEN}
+    adminAccessToken: ${APPLICATION_GITLAB_ADMINACCESSTOKEN}

  registeredConnectors:
    - url: 'https://artemis.codeability-austria.uibk.ac.at/api/sharing/config' # may be not the current version!