ONLYOFFICE/DocSpace-buildtools
1
0
Fork 0
mirror of https://github.com/ONLYOFFICE/DocSpace-buildtools.git synced 2025-04-18 13:44:02 +03:00
Code

Add zap scanner (#192)

Browse Source 
Co-authored-by: danilapog <danil.titarenko@onlyoffice.com>
Co-committed-by: danilapog <danil.titarenko@onlyoffice.com>
This commit is contained in:
danilapog 2025-03-12 10:40:19 +00:00 committed by Alexey Golubev
parent d0656f4931
commit f6b3a27f55
1 changed files with 152 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

152
.github/workflows/zap-scanner.yaml vendored Normal file
View File

@ -0,0 +1,152 @@
---
name: Scanning DocSpace with ZAP
run-name: >
ZAP scanning DocSpace
on:
schedule:
- cron: '00 21 * * 6'
jobs:
prepare:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.get-matrix.outputs.matrix }}
branches-status: ${{ steps.get-matrix.outputs.branches-status }}
name: Get DocSpace branches/versions
steps:
- name: Checkout
id: get-matrix
shell: bash
run: |
DOCSPACE_BRANCHES=($(curl -s -L \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/ONLYOFFICE/DocSpace-buildtools/branches | \
jq -r '.[] | select(.name != "hotfix/v1.0.0" and (.name | startswith("hotfix/") or startswith("release/"))) | .name'))
# Exit if there is not notfix/release
[[ -z "${DOCSPACE_BRANCHES}" ]] && { echo "Can't find any hotfix/release branches"; echo "branches-status=not-exist" >> "$GITHUB_OUTPUT" ; exit 0; }
matrix='{"include": []}'
for branch in ${DOCSPACE_BRANCHES[@]}; do
version=${branch#*v}
image_version=$(curl -s -H -X https://hub.docker.com/v2/repositories/onlyoffice/4testing-docspace-api/tags/?page_size=100 \
| jq -r '.results|.[]|.name' | grep -Eo -m1 "${version}.[0-9]{1,}" || true)
if [[ ! -z "${image_version}" ]]; then
echo "Image with version ${version} exist, include new matrix"
matrix=$(echo $matrix | jq '.include += [
{
"branch": "'"${branch}"'",
"version": "'"${image_version}"'"
}
]')
fi
done
echo "matrix=$(echo $matrix | jq -c)" >> "$GITHUB_OUTPUT"
zap:
runs-on: ubuntu-latest
if: needs.prepare.outputs.branches-status != 'not-exist'
strategy:
fail-fast: false
matrix: ${{fromJSON(needs.prepare.outputs.matrix)}}
needs: ['prepare']
env:
PROTO: https
permissions:
issues: write
name: "Zap DocSpace image: ${{ matrix.version }}"
steps:
- name: Checkout
uses: actions/checkout@v3
with:
path: build-tools
repository: ONLYOFFICE/DocSpace-buildtools
ref: ${{ matrix.branch }}
- name: Run and prepare DocSpace
id: prepare
env:
DOCKER_TAG: ${{ matrix.version }}
STATUS: "4testing-"
run: |
# Functions that will check that api is Healthy
function check_api_status() {
timeout 200 bash -c '
while true; do
status=$(docker exec onlyoffice-api curl -s localhost:5050/health | jq -r .status)
echo "Current status: $status"
[ "$status" = "Healthy" ] && break
sleep 1
done'
}
# Get gh-action runner local ip
LOCAL_IP=$(hostname -I | awk '{print $1}')
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
# Create SSL certs
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
-keyout ${{ github.workspace }}/onlyofficekey.pem \
-out ${{ github.workspace }}/onlyofficecert.pem \
-subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=docspace.localhost"
# Run 4testing DocSpace with tag from previous build
cd ./build-tools/install/OneClickInstall
sudo printf "Y" | sudo bash ./docspace-install.sh docker -skiphc true --makeswap false --localscripts true -dsv ${DOCKER_TAG} -s ${STATUS}
check_api_status
# Replace SSL certs
sudo cp ${{ github.workspace }}/onlyofficekey.pem ${{ github.workspace }}/onlyofficecert.pem /app/onlyoffice/
sudo bash /app/onlyoffice/config/docspace-ssl-setup -f docspace.localhost /app/onlyoffice/onlyofficecert.pem /app/onlyoffice/onlyofficekey.pem
check_api_status
# Get Wizzard token and pwd hash for complete wizzard
WIZZARD_TOKEN=$(curl -k --request GET ${PROTO}://${LOCAL_IP}/api/2.0/settings | jq -r .response.wizardToken)
PWD_HASH=$(curl -k --request GET ${PROTO}://${LOCAL_IP}/api/2.0/settings | jq -r .response.passwordHash.salt)
EMAIL="example@mail.com"
USER_PWD="test666pass"
## Complete wizard
curl -k -v -D output.txt --request PUT -H "confirm: ${WIZZARD_TOKEN}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"Email":"'"${EMAIL}"'","PasswordHash":"'"${PWD_HASH}"'"}' \
${PROTO}://${LOCAL_IP}/api/2.0/settings/wizard/complete
# Get cookie and user-id
COOKIE=$(cat ./output.txt | egrep -i asc_auth_key=* | cut -d '=' -f 2-) && COOKIE=${COOKIE%%;*}
USER_ID=$(curl -k --request GET -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: ${COOKIE}" \
${PROTO}://${LOCAL_IP}/api/2.0/people/email?email=${EMAIL} | jq -r .response.id)
# Set new admin-user pwd
curl -k -v --request PUT -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: ${COOKIE}" \
--data '{"Password":"'"${USER_PWD}"'"}' \
"${PROTO}://${LOCAL_IP}/api/2.0/people/${USER_ID}/password"
# Get new admin-user auth-token and authenticate the user
TOKEN=$(curl -k -v --request POST -H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"userName":"'"${EMAIL}"'","password":"'"${USER_PWD}"'"}' \
"${PROTO}://${LOCAL_IP}/api/2.0/authentication" | jq -r .response.token)
# Set new auth-token for zap header
echo "ZAP_AUTH_HEADER_VALUE=${TOKEN}" >> "$GITHUB_ENV"
- name: ZAP Scan
uses: zaproxy/action-full-scan@v0.12.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: '${{ env.PROTO }}://${{ steps.prepare.outputs.local-ip }}/'
allow_issue_writing: false
artifact_name: 'zap-artifacts-${{ matrix.version }}'