Merge branch 'trunk' into settings_for_DC

ideacrew · Jun 17, 2024 · ef43456 · ef43456
2 parents e498726 + bea25d6
commit ef43456
Show file tree

Hide file tree

Showing 10 changed files with 94 additions and 7 deletions.
diff --git a/.docker/production/Dockerfile.gha b/.docker/production/Dockerfile.gha
@@ -49,6 +49,8 @@ RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2
     && /tmp/aws/install \
     && rm -rf /tmp/aws /tmp/awscliv2.zip awscliv2.zip
 
+RUN mkdir /etc/infra
+
 # Configure bundler and PATH, install bundler version
 ENV GEM_HOME=/usr/local/bundle
 ENV BUNDLE_PATH=$GEM_HOME
@@ -215,5 +217,6 @@ COPY --chown=$USERNAME:$USERNAME ./.docker/config/mongoid.yml $HOME/config
 COPY --chown=$USERNAME:$USERNAME ./.docker/config/credentials.yml.enc $HOME/config
 COPY --chown=$USERNAME:$USERNAME ./.docker/config/master.key $HOME/config
 
+RUN echo '[ ! -z "$TERM" -a -r /etc/infra/motd ] && cat /etc/infra/motd' >> /etc/bash.bashrc
 
 USER $USERNAME
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -16,6 +16,7 @@ concurrency:
 env:
   RABBITMQ_DEFAULT_USER: "guest"
   RABBITMQ_DEFAULT_PASS: "guest"
+  SYSDIG_SECURE_ENDPOINT: "https://us2.app.sysdig.com"
 
 jobs:
   prep:
@@ -153,7 +154,14 @@ jobs:
           build-args: |
             HOSTNAME=172.17.0.1
 
-      - name: Scan Docker image
+      - name: Setup cache
+        uses: actions/cache@v3
+        with:
+          path: cache
+          key: ${{ runner.os }}-cache-${{ hashFiles('**/sysdig-cli-scanner', '**/latest_version.txt', '**/db/main.db.meta.json', '**/scanner-cache/inlineScannerCache.db') }}
+          restore-keys: ${{ runner.os }}-cache-
+
+      - name: Scan docker image
         if: github.event_name != 'pull_request'
         id: scan
         uses: anchore/scan-action@main
@@ -163,7 +171,27 @@ jobs:
           fail-build: false
           severity-cutoff: critical
 
-      - name: upload Anchore scan SARIF report
+      - name: Download sysdig-cli-scanner if needed and scan the image with sysdig scanner
+        env:
+          SECURE_API_TOKEN: ${{ secrets.SECURE_API_TOKEN }}
+        run: |
+          curl -sLO https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt
+          mkdir -p "${GITHUB_WORKSPACE}/cache/db/"
+          if [ ! -f "${GITHUB_WORKSPACE}/cache/latest_version.txt" ] || [ "$(cat ./latest_version.txt)" != "$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)" ]; then
+            cp ./latest_version.txt "${GITHUB_WORKSPACE}/cache/latest_version.txt"
+            curl -sL -o "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner" "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(cat ${GITHUB_WORKSPACE}/cache/latest_version.txt)/linux/amd64/sysdig-cli-scanner"
+            chmod +x "${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner"
+          else
+            echo "Latest version of sysdig cli scanner is already downloaded"
+          fi
+          ${GITHUB_WORKSPACE}/cache/sysdig-cli-scanner \
+            --apiurl "${SYSDIG_SECURE_ENDPOINT}" \
+            ${{ format('{0}/{1}', needs.prep.outputs.registryGhcr, needs.prep.outputs.taggedImage) }} \
+            --console-log \
+            --dbpath="${GITHUB_WORKSPACE}/cache/db/" \
+            --cachepath="${GITHUB_WORKSPACE}/cache/scanner-cache/"
+
+      - name: Upload anchore scan SARIF report
         if: github.event_name != 'pull_request'
         uses: github/codeql-action/upload-sarif@v2
         with:

diff --git a/Gemfile b/Gemfile
@@ -14,6 +14,8 @@ gem 'combine_pdf', '~> 1.0'
 gem 'config', '~> 2.0' # Deprecate for Resource Registry
 
 gem 'devise', '~> 4.8'
+# for account locking
+gem 'devise-security'
 
 gem 'dry-matcher', '~> 0.8'
 gem 'dry-monads', '~> 1.3'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -213,6 +213,8 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-security (0.18.0)
+      devise (>= 4.3.0)
     diff-lcs (1.4.4)
     dry-configurable (0.9.0)
       concurrent-ruby (~> 1.0)
@@ -651,6 +653,7 @@ DEPENDENCIES
   config (~> 2.0)
   database_cleaner-mongoid
   devise (~> 4.8)
+  devise-security
   dry-matcher (~> 0.8)
   dry-monads (~> 1.3)
   dry-schema (~> 1.6)

diff --git a/app/models/account.rb b/app/models/account.rb
@@ -5,7 +5,8 @@ class Account
   # Include default devise modules. Others available are:
   # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
   devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :validatable
+         :recoverable, :rememberable, :validatable,
+         :session_limitable, :expirable
 
   ## Database authenticatable
   field :email,              type: String, default: ""
@@ -18,6 +19,17 @@ class Account
   ## Rememberable
   field :remember_created_at, type: Time
 
+  # Session limitable
+  field :unique_session_id, type: String
+
+  # Expirable
+  field :last_activity_at, type: Time
+  field :expired_at, type: Time
+
+  index({ unique_session_id: 1 })
+  index({ last_activity_at: 1 })
+  index({ expired_at: 1 })
+
   ## Trackable
   # field :sign_in_count,      type: Integer, default: 0
   # field :current_sign_in_at, type: Time

diff --git a/config/application.rb b/config/application.rb
@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+DEVISE_ORM = :mongoid
 require_relative "boot"
 
 require "rails"

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -308,4 +308,14 @@
   # When set to false, does not sign a user in automatically after their password is
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
+
+  # ==> Configuration for :expirable
+  # Time period for account expiry from last_activity_at
+  user_account_lock_period = 60
+  unless ENV['DEVISE_USER_INACTIVITY_LOCK_PERIOD_IN_DAYS'].blank?
+    period_in_days_env = ENV['DEVISE_USER_INACTIVITY_LOCK_PERIOD_IN_DAYS']
+    num_days = period_in_days_env.to_i
+    user_account_lock_period = num_days if num_days.to_s == period_in_days_env
+  end
+  config.expire_after = user_account_lock_period.days
 end
diff --git a/spec/controllers/sections_controller_spec.rb b/spec/controllers/sections_controller_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "rails_helper"
+
+RSpec.describe New::SectionsController,
+               "attempting to log in an expired account",
+               type: :controller, dbclean: :after_each do
+  let(:account) do
+    account_record = FactoryBot.create(:account)
+    account_record.last_activity_at = Time.now - 180.days
+    account_record.save!
+    account_record
+  end
+
+  before :each do
+    sign_in account
+  end
+
+  it "can't access the endpoint" do
+    get :new
+    expect(response).to redirect_to("http://test.host/accounts/sign_in")
+  end
+end
diff --git a/spec/factories/accounts.rb b/spec/factories/accounts.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
-# FactoryBot.define do
-#   factory :account do
-#   end
-# end
+FactoryBot.define do
+  factory :account do
+    sequence(:email) {|n| "example#{n}@example.com"}
+    password { "dfkjghfj!!123" }
+  end
+end
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -58,4 +58,7 @@
   config.filter_rails_from_backtrace!
   # arbitrary gems may also be filtered via:
   # config.filter_gems_from_backtrace("gem name")
+
+  config.include Devise::Test::ControllerHelpers, type: :controller
+  config.include Warden::Test::Helpers
 end