Merge f466dc5 into 8d9c28c

ministryofjustice · Oct 17, 2024 · 3f321a3 · 3f321a3
2 parents 8d9c28c + f466dc5
commit 3f321a3
Show file tree

Hide file tree

Showing 5 changed files with 209 additions and 87 deletions.
diff --git a/.github/workflows/docker_job.yml b/.github/workflows/docker_job.yml
@@ -127,6 +127,7 @@ jobs:
             TAG=${{inputs.tag}}
         env:
           SOURCE_DATE_EPOCH: 0
+          DOCKER_CONTENT_TRUST: 1
 
       - name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
         id: trivy_scan
@@ -185,6 +186,7 @@ jobs:
           provenance: false
         env:
           SOURCE_DATE_EPOCH: 0
+          DOCKER_CONTENT_TRUST: 1
 
       - name: Push ${{ matrix.ecr_repository }} Image to ECR for Path to Live
         if: ${{ github.workflow == 'Path To Live' }}
@@ -206,3 +208,4 @@ jobs:
           provenance: false
         env:
           SOURCE_DATE_EPOCH: 0
+          DOCKER_CONTENT_TRUST: 1
diff --git a/.github/workflows/workflow_pr.yml b/.github/workflows/workflow_pr.yml
@@ -32,72 +32,78 @@ jobs:
     needs: detect_changes
     uses: ./.github/workflows/tags_job.yml
     with:
-      changes_detected: ${{ needs.detect_changes.outputs.changes_detected }}
-
-  go_unit_tests:
-    name: Run Go unit tests
-    if: needs.detect_changes.outputs.changes_detected == 'true'
-    needs: create_tags
-    uses: ./.github/workflows/go-unit-tests.yml
-    with:
-      tag: ${{ needs.create_tags.outputs.version_tag }}
-      commit_sha: ${{ github.event.pull_request.head.sha }}
-      branch: ${{ github.head_ref }}
-    secrets:
-      pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }}
-      codecov_token: ${{ secrets.CODECOV_TOKEN }}
+      # changes_detected: ${{ needs.detect_changes.outputs.changes_detected }}
+      changes_detected: true
+
+  # go_unit_tests:
+  #   name: Run Go unit tests
+  #   if: needs.detect_changes.outputs.changes_detected == 'true'
+  #   needs: create_tags
+  #   uses: ./.github/workflows/go-unit-tests.yml
+  #   with:
+  #     tag: ${{ needs.create_tags.outputs.version_tag }}
+  #     commit_sha: ${{ github.event.pull_request.head.sha }}
+  #     branch: ${{ github.head_ref }}
+  #   secrets:
+  #     pact_broker_password: ${{ secrets.PACT_BROKER_PASSWORD }}
+  #     codecov_token: ${{ secrets.CODECOV_TOKEN }}
 
   docker_build_scan_push:
     name: Docker Build, Scan and Push
-    if: needs.detect_changes.outputs.changes_detected == 'true' &&
-      (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped')
+    if: always()
+    # if: needs.detect_changes.outputs.changes_detected == 'true' &&
+    #   (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped')
     uses: ./.github/workflows/docker_job.yml
     needs: [
-      go_unit_tests,
+      # go_unit_tests,
       create_tags
-      ]
+    ]
     with:
       tag: ${{ needs.create_tags.outputs.version_tag }}
       branch_name: ${{ github.head_ref }}
 
-  terraform_account_workflow_development:
-    name: TF Plan Dev Account
-    uses: ./.github/workflows/terraform_account_job.yml
-    with:
-      workspace_name: development
-    secrets:
-      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
-      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
-      pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
-
-  terraform_account_workflow_preproduction:
-    name: TF Plan Preprod Account
-    needs: terraform_account_workflow_development
-    uses: ./.github/workflows/terraform_account_job.yml
-    with:
-      workspace_name: preproduction
-    secrets:
-      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
-      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
-      pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
-
-  terraform_account_workflow_production:
-    name: TF Plan Prod Account
-    needs: terraform_account_workflow_development
-    uses: ./.github/workflows/terraform_account_job.yml
-    with:
-      workspace_name: production
-    secrets:
-      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
-      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
-      pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
+  # terraform_account_workflow_development:
+  #   name: TF Plan Dev Account
+  #   uses: ./.github/workflows/terraform_account_job.yml
+  #   with:
+  #     workspace_name: development
+  #   secrets:
+  #     aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+  #     aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+  #     pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
+
+  # terraform_account_workflow_preproduction:
+  #   name: TF Plan Preprod Account
+  #   needs: terraform_account_workflow_development
+  #   uses: ./.github/workflows/terraform_account_job.yml
+  #   with:
+  #     workspace_name: preproduction
+  #   secrets:
+  #     aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+  #     aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+  #     pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
+
+  # terraform_account_workflow_production:
+  #   name: TF Plan Prod Account
+  #   needs: terraform_account_workflow_development
+  #   uses: ./.github/workflows/terraform_account_job.yml
+  #   with:
+  #     workspace_name: production
+  #   secrets:
+  #     aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+  #     aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+  #     pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
 
   ui_tests_image:
     name: Run Cypress UI Tests On Images
-    if: needs.detect_changes.outputs.changes_detected == 'true' &&
-      (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped')
+    if: always()
+    # if: needs.detect_changes.outputs.changes_detected == 'true' &&
+    #   (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped')
     uses: ./.github/workflows/ui_test_job.yml
-    needs: [docker_build_scan_push, create_tags]
+    needs: [
+      docker_build_scan_push,
+      create_tags
+    ]
     with:
       run_against_image: true
       tag: ${{ needs.create_tags.outputs.version_tag }}
@@ -110,13 +116,14 @@ jobs:
 
   pr_deploy:
       name: PR Environment Deploy
-      if: always() &&
-        (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') &&
-        (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') &&
-        (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')
+      if: always()
+      # if: always() &&
+      #   (needs.go_unit_tests.result == 'success' || needs.go_unit_tests.result == 'skipped') &&
+      #   (needs.docker_build_scan_push.result == 'success' || needs.docker_build_scan_push.result == 'skipped') &&
+      #   (needs.ui_tests_image.result == 'success' || needs.ui_tests_image.result == 'skipped')
       needs: [
         create_tags,
-        go_unit_tests,
+        # go_unit_tests,
         docker_build_scan_push,
         ui_tests_image
       ]
@@ -135,10 +142,14 @@ jobs:
 
   ui_tests_pr_env:
     name: Run Cypress UI Tests On PR Environment
-    if: always() &&
-      needs.pr_deploy.result == 'success'
+    if: always()
+    # if: always() &&
+    #   needs.pr_deploy.result == 'success'
     uses: ./.github/workflows/ui_test_job.yml
-    needs: [pr_deploy, create_tags]
+    needs: [
+      pr_deploy,
+      create_tags
+    ]
     with:
       run_against_image: false
       base_url: "https://${{ needs.pr_deploy.outputs.url }}"
@@ -162,26 +173,26 @@ jobs:
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
       aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
 
-  end_of_pr_workflow:
-    name: End of PR Workflow
-    runs-on: ubuntu-latest
-    if: always()
-    environment:
-      name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}"
-      url: "https://${{ needs.pr_deploy.outputs.url }}"
-    needs: [pr_deploy, create_tags, ui_tests_pr_env]
-    steps:
-      - name: End of PR Workflow
-        run: |
-          echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed"
-          echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}"
-          echo "URL: https://${{ needs.pr_deploy.outputs.url }}"
-
-          if ${{ contains(needs.ui_tests_pr_env.result,'success') }}
-          then
-            echo "PR environment tested, built and deployed"
-            exit 0
-          else
-            echo "PR environment tested, built and deployed but UI tests failed"
-            exit 1
-          fi
+  # end_of_pr_workflow:
+  #   name: End of PR Workflow
+  #   runs-on: ubuntu-latest
+  #   if: always()
+  #   environment:
+  #     name: "dev_${{ needs.create_tags.outputs.environment_workspace_name }}"
+  #     url: "https://${{ needs.pr_deploy.outputs.url }}"
+  #   needs: [pr_deploy, create_tags, ui_tests_pr_env]
+  #   steps:
+  #     - name: End of PR Workflow
+  #       run: |
+  #         echo "${{ needs.pr_deploy.outputs.terraform_workspace_name }} PR environment tested, built and deployed"
+  #         echo "Tag Deployed: ${{ needs.pr_deploy.outputs.terraform_container_version }}"
+  #         echo "URL: https://${{ needs.pr_deploy.outputs.url }}"
+
+  #         if ${{ contains(needs.ui_tests_pr_env.result,'success') }}
+  #         then
+  #           echo "PR environment tested, built and deployed"
+  #           exit 0
+  #         else
+  #           echo "PR environment tested, built and deployed but UI tests failed"
+  #           exit 1
+  #         fi
diff --git a/docker/mlpa/Dockerfile b/docker/mlpa/Dockerfile
@@ -54,9 +54,17 @@ COPY --from=build-env /go/bin/mlpab mlpab
 COPY --link web/template web/template
 COPY --link lang lang
 
-RUN addgroup -S app && \
-  adduser -S -g app app && \
-  chown -R app:app mlpab web/template web/static web/robots.txt
-USER app
+
+RUN addgroup -S user && \
+  adduser -S -g user user && \
+  chown -R user:user mlpab web/template web/static web/robots.txt
+
+COPY scripts/docker_hardening/alpine_image_hardening.sh /harden.sh
+
+RUN /harden.sh && rm /harden.sh
+
+USER user
+
+EXPOSE 8080
 
 ENTRYPOINT ["./mlpab"]
diff --git a/docker/mock-pay/Dockerfile b/docker/mock-pay/Dockerfile
@@ -3,3 +3,5 @@ FROM outofcoffee/imposter:4.0.5
 COPY ./docker/mock-pay /opt/imposter/config/
 
 USER imposter
+
+EXPOSE 8080
diff --git a/scripts/docker_hardening/alpine_image_hardening.sh b/scripts/docker_hardening/alpine_image_hardening.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+echo "=== Starting Alpine Hardening Script ==="
+
+echo "add default user"
+adduser -D -s /bin/sh -u 1000 user && \
+    sed -i -r 's/^user:!:/user:x:/' /etc/shadow && \
+    chmod u-s /usr/sbin/login_duo
+
+echo "/etc/duo/login_duo.conf must be readable only by user 'user'."
+chown user:user /etc/duo/login_duo.conf && \
+chmod 0400 /etc/duo/login_duo.conf
+
+echo "Ensure strict ownership and perms."
+chown root:root /usr/bin/github_pubkeys && \
+    chmod 0555 /usr/bin/github_pubkeys && \
+    echo -e "\n\nApp container image built on $(date)." > /etc/motd
+
+echo "Remove world-writeable permissions except for /tmp/"
+find / -xdev -type d -perm +0002 -exec chmod o-w {} + \
+  && find / -xdev -type f -perm +0002 -exec chmod o-w {} + \
+  && chmod 777 /tmp/ \
+  && chown www-data:root /tmp/
+
+echo "Remove unnecessary user accounts."
+sed -i -r '/^(user|root|sshd|www-data|nobody)/!d' /etc/group
+sed -i -r '/^(user|root|sshd|www-data|nobody)/!d' /etc/passwd
+
+echo "Remove existing crontabs, if any."
+rm -fr /var/spool/cron \
+  && rm -fr /etc/crontabs \
+  && rm -fr /etc/periodic
+
+echo "Remove interactive login shell for everybody but user."
+sed -i -r '/^user:/! s#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
+
+sysdirs="
+  /bin
+  /etc
+  /lib
+  /sbin
+  /usr
+"
+echo "Remove apk configs."
+find $sysdirs -xdev -regex '.*apk.*' -exec rm -fr {} +
+find $sysdirs -xdev -type f -regex '.*-$' -exec rm -f {} +
+
+echo "Ensure system dirs are owned by root and not writable by anybody else."
+find $sysdirs -xdev -type d \
+  -exec chown root:root {} \; \
+  -exec chmod 0755 {} \;
+
+echo "Remove all suid files."
+find $sysdirs -xdev -type f -a -perm +4000 -delete
+find $sysdirs -xdev -type f -a \( -perm +4000 -o -perm +2000 \) -delete
+
+echo "Remove other programs that could be dangerous."
+find $sysdirs -xdev \( \
+  -name hexdump -o \
+  -name chgrp -o \
+  -name chmod -o \
+  -name chown -o \
+  -name ln -o \
+  -name od -o \
+  -name strings -o \
+  -name su \
+  -name sudo \
+  \) -delete
+
+echo "Remove init scripts since we do not use them."
+rm -fr /etc/init.d
+rm -fr /lib/rc
+rm -fr /etc/conf.d
+rm -fr /etc/inittab
+rm -fr /etc/runlevels
+rm -fr /etc/rc.conf
+rm -fr /etc/logrotate.d
+
+echo "Remove kernel tunables since we do not need them."
+rm -fr /etc/sysctl*
+rm -fr /etc/modprobe.d
+rm -fr /etc/modules
+rm -fr /etc/mdev.conf
+rm -fr /etc/acpi
+
+echo "Remove root homedir since we do not need it."
+rm -fr /root
+
+echo "Remove fstab since we do not need it."
+rm -f /etc/fstab
+
+echo "Remove all but a handful of admin commands."
+find /sbin /usr/sbin ! -type d -a ! -name apk -a ! -name ln -delete
+
+echo "Remove broken symlinks (because we removed the targets above)."
+find $sysdirs -xdev -type l -exec test ! -e {} \; -delete
+
+echo "Disable password login for everybody"
+while IFS=: read -r username _; do passwd -l "$username"; done < /etc/passwd || true
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3,3 +3,5 @@ FROM outofcoffee/imposter:4.0.5
		COPY ./docker/mock-pay /opt/imposter/config/

		USER imposter

		EXPOSE 8080