Pushing Develop Code to Master Branch. (non release repo)

.github/workflows/chart-lint-publish.yml

@@ -0,0 +1,62 @@
+name: Validate / Publish helm charts
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, reopened, synchronize]
+    paths:
+      - 'helm/**'
+  workflow_dispatch:
+    inputs:
+      IGNORE_CHARTS:
+        description: 'Provide list of charts to be ignored separated by pipe(|)'
+        required: false
+        default: '""'
+        type: string
+      CHART_PUBLISH:
+        description: 'Chart publishing to gh-pages branch'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+      INCLUDE_ALL_CHARTS:
+        description: 'Include all charts for Linting/Publishing (YES/NO)'
+        required: false
+        default: 'NO'
+        type: string
+        options:
+          - YES
+          - NO
+  push:
+    branches:
+      - '!release-branch'
+      - '!master'
+      - 1.*
+      - 0.*
+      - develop
+      - MOSIP*
+      - release*
+    paths:
+      - 'helm/**'
+
+jobs:
+  chart-lint-publish:
+    uses: mosip/kattu/.github/workflows/chart-lint-publish.yml@master
+    with:
+      CHARTS_DIR: ./helm
+      CHARTS_URL: https://mosip.github.io/mosip-helm
+      REPOSITORY: mosip-helm
+      BRANCH: gh-pages
+      INCLUDE_ALL_CHARTS: "${{ inputs.INCLUDE_ALL_CHARTS || 'NO' }}"
+      IGNORE_CHARTS: "${{ inputs.IGNORE_CHARTS || '\"\"' }}"
+      CHART_PUBLISH: "${{ inputs.CHART_PUBLISH || 'YES' }}"
+      LINTING_CHART_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-schema.yaml"
+      LINTING_LINTCONF_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/lintconf.yaml"
+      LINTING_CHART_TESTING_CONFIG_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/chart-testing-config.yaml"
+      LINTING_HEALTH_CHECK_SCHEMA_YAML_URL: "https://raw.githubusercontent.com/mosip/kattu/master/.github/helm-lint-configs/health-check-schema.yaml"
+    secrets:
+      TOKEN: ${{ secrets.ACTION_PAT }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/push-trigger.yml

@@ -0,0 +1,47 @@
+name: Building Security Tools
+
+on:
+  release:
+    types: [published]
+  pull_request:
+    types: [opened, reopened, synchronize]
+  workflow_dispatch:
+    inputs:
+      message:
+        description: 'Message for manually triggering'
+        required: false
+        default: 'Triggered for Updates'
+        type: string
+  push:
+    branches:
+      - master
+      - 1.*
+      - develop*
+      - release*
+      - MOSIP*
+      - update
+
+jobs:
+  build-dockers:
+    strategy:
+      matrix:
+        include:
+          - SERVICE_LOCATION: 'databreachdetector'
+            SERVICE_NAME: 'databreachdetector'
+          - SERVICE_LOCATION: 'certmanager'
+            SERVICE_NAME: 'certmanager'
+          - SERVICE_LOCATION: 'auditsweeper'
+            SERVICE_NAME: 'auditsweeper'
+            ONLY_DOCKER: true
+      fail-fast: false
+    name: ${{ matrix.SERVICE_NAME }}
+    uses: mosip/kattu/.github/workflows/docker-build.yml@master
+    with:
+      SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
+      SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
+      ONLY_DOCKER: ${{ matrix.ONLY_DOCKER }}
+    secrets:
+      DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
+      ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}
+      RELEASE_DOCKER_HUB: ${{ secrets.RELEASE_DOCKER_HUB }}
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_DEVOPS }}

.github/workflows/sonar-check.yml

@@ -0,0 +1,41 @@
+name: SonarCloud PR Quality Gate
+
+on:
+  push:
+    branches:
+      - develop
+
+jobs:
+  sonar_analysis:
+    name: maven-sonar-analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up JDK 21
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: 'temurin'
+
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+
+      - name: Cache Maven packages
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+
+      - name: Run SonarCloud analysis
+        env:
+          SONAR_TOKEN: f4e496ee8ddc6661404844949201593f56078e94
+        run: |
+          mvn -B verify sonar:sonar -Dsonar.projectKey=mosip_security-tools -Dsonar.organization=mosip -Dsonar.host.url=https://sonarcloud.io -DskipSigning=true

auditsweeper/Dockerfile

@@ -0,0 +1,39 @@
+FROM python:3.9
+
+ARG SOURCE
+ARG COMMIT_HASH
+ARG COMMIT_ID
+ARG BUILD_TIME
+LABEL source=${SOURCE}
+LABEL commit_hash=${COMMIT_HASH}
+LABEL commit_id=${COMMIT_ID}
+LABEL build_time=${BUILD_TIME}
+
+ARG container_user=mosip
+ARG container_user_group=mosip
+ARG container_user_uid=1001
+ARG container_user_gid=1001
+
+# Create the user and set the working directory
+RUN groupadd -r ${container_user_group} && useradd -u ${container_user_uid} -r -g ${container_user_group} -s /bin/bash -m -d /home/${container_user} ${container_user}
+
+WORKDIR /home/${container_user}
+
+# Add all files to the correct working directory
+ADD . .
+
+# Install kubectl and Python dependencies
+RUN apt-get -y update && apt-get install -y curl \
+&& curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.sio/release/stable.txt)/bin/linux/amd64/kubectl" \
+&& chmod +x ./kubectl && mv ./kubectl /usr/local/bin/kubectl \
+&& pip install --no-cache-dir -r requirements.txt \
+&& chown -R ${container_user}:${container_user_group} /home/${container_user}
+
+USER ${container_user}
+
+ENV db-server=
+ENV db-port=
+ENV db-su-user=
+ENV postgres-password=
+
+CMD ["python", "auditsweeper.py"]

auditsweeper/auditsweeper.py

@@ -0,0 +1,87 @@
+import os
+import sys
+import configparser
+import psycopg2
+
+# This script performs a cleanup of old log entries from a PostgreSQL database.
+# It is designed to be run as a Docker container via a cron job.
+
+def get_db_credentials():
+    """
+    Attempts to get database credentials from environment variables.
+    If not found, falls back to a local.properties file.
+    """
+    # List of required variables
+    required_vars = [
+        "db-host", "db-port", "db-su-user",
+        "postgres-password", "log-age-days"
+    ]
+
+    env_vars = {var: os.getenv(var) for var in required_vars}
+
+    # Check if all environment variables are set
+    if all(env_vars.values()):
+        print("Using credentials from environment variables.")
+        return env_vars
+    else:
+        print("One or more required environment variables are not set. Checking for local.properties...")
+        config = configparser.ConfigParser()
+        config_file = "local.properties"
+
+        if not os.path.exists(config_file):
+            print(f"Error: Required variables not set and '{config_file}' not found.")
+            sys.exit(1)
+
+        try:
+            # Read the properties file, assuming a single section
+            config.read_string(f"[DEFAULT]\n{open(config_file).read()}")
+            props = config['DEFAULT']
+
+            # Populate variables from the properties file
+            return {var: props.get(var) for var in required_vars}
+        except configparser.Error as e:
+            print(f"Error reading local.properties file: {e}")
+            sys.exit(1)
+
+def cleanup_db(config):
+    """
+    Connects to the database and performs the cleanup operation.
+    """
+    db_name = "mosip_audit"
+    try:
+        conn = psycopg2.connect(
+            host=config["db-host"],
+            port=config["db-port"],
+            user=config["db-su-user"],
+            password=config["postgres-password"],
+            dbname=db_name
+        )
+        cur = conn.cursor()
+
+        print(f"Starting database cleanup for logs older than {config['log-age-days']} days...")
+        print(f"Connecting to DB: {config['db-su-user']}@{config['db-host']}:{config['db-port']}/{db_name}")
+
+        # The core DELETE command
+        # Use a parameterized query for safety
+        delete_query = "DELETE FROM audit.app_audit_log WHERE log_dtimes < NOW() - INTERVAL %s"
+        interval_str = f"{config['log-age-days']} days"
+
+        cur.execute(delete_query, (interval_str,))
+
+        # Get the number of rows deleted
+        rows_deleted = cur.rowcount
+        conn.commit()
+
+        print(f"Successfully deleted {rows_deleted} rows.")
+
+    except psycopg2.OperationalError as e:
+        print(f"Database connection or query failed: {e}")
+        sys.exit(1)
+    finally:
+        if 'conn' in locals() and conn:
+            conn.close()
+
+if __name__ == "__main__":
+    db_config = get_db_credentials()
+    cleanup_db(db_config)
+    print("Database cleanup script finished successfully.")

auditsweeper/local.properties

@@ -0,0 +1,5 @@
+db-host=postgres.dev1.mosip.net
+db-port=5432
+db-su-user=postgres
+postgres-password=HEdM***9ZXir7Tu2F
+log-age-days=85

auditsweeper/requirements.txt

@@ -0,0 +1 @@
+psycopg2-binary==2.9.1

certmanager/Dockerfile

@@ -0,0 +1,46 @@
+FROM python:3.9
+
+ARG SOURCE
+ARG COMMIT_HASH
+ARG COMMIT_ID
+ARG BUILD_TIME
+LABEL source=${SOURCE}
+LABEL commit_hash=${COMMIT_HASH}
+LABEL commit_id=${COMMIT_ID}
+LABEL build_time=${BUILD_TIME}
+
+ARG container_user=mosip
+ARG container_user_group=mosip
+ARG container_user_uid=1001
+ARG container_user_gid=1001
+
+# Install kubectl binary
+RUN apt-get -y update \
+ && apt-get install -y curl \
+ && curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
+ && chmod +x ./kubectl && mv ./kubectl /usr/local/bin/kubectl
+
+# Create user group
+RUN groupadd -r ${container_user_group} && useradd -u ${container_user_uid} -r -g ${container_user_group} -s /bin/bash -m -d /home/${container_user} ${container_user}
+RUN chown -R ${container_user}:${container_user} /home/${container_user}
+WORKDIR /home/${container_user}
+USER ${container_user}
+
+ENV MYDIR=`pwd`
+ENV DATE="$(date --utc +%FT%T.%3NZ)"
+ENV ENABLE_INSECURE=false
+ENV MODULE=
+
+
+ENV db-server=
+ENV db-port=
+ENV db-su-user=
+ENV postgres-password=
+ENV ns_esignet=esignet
+
+COPY partner.properties .
+COPY requirements.txt .
+COPY checkupdate.py .
+COPY bootstrap.properties .
+RUN pip install --no-cache-dir -r requirements.txt
+CMD ["python", "checkupdate.py"]