mosip · ckm007 · Oct 6, 2025 · Sep 24, 2025 · Sep 24, 2025 · Sep 24, 2025
diff --git a/.github/workflows/push-trigger.yml b/.github/workflows/push-trigger.yml
@@ -1,4 +1,4 @@
-name: Build databreach-detector
+name: Building Security Tools
 
 on:
   release:
@@ -30,12 +30,16 @@ jobs:
             SERVICE_NAME: 'databreachdetector'
           - SERVICE_LOCATION: 'certmanager'
             SERVICE_NAME: 'certmanager'
+          - SERVICE_LOCATION: 'auditsweeper'
+            SERVICE_NAME: 'auditsweeper'
+            ONLY_DOCKER: true
       fail-fast: false
     name: ${{ matrix.SERVICE_NAME }}
     uses: mosip/kattu/.github/workflows/docker-build.yml@master
     with:
       SERVICE_LOCATION: ${{ matrix.SERVICE_LOCATION }}
       SERVICE_NAME: ${{ matrix.SERVICE_NAME }}
+      ONLY_DOCKER: ${{ matrix.ONLY_DOCKER }}
     secrets:
       DEV_NAMESPACE_DOCKER_HUB: ${{ secrets.DEV_NAMESPACE_DOCKER_HUB }}
       ACTOR_DOCKER_HUB: ${{ secrets.ACTOR_DOCKER_HUB }}

diff --git a/auditsweeper/Dockerfile b/auditsweeper/Dockerfile
@@ -0,0 +1,39 @@
+FROM python:3.9
+
+ARG SOURCE
+ARG COMMIT_HASH
+ARG COMMIT_ID
+ARG BUILD_TIME
+LABEL source=${SOURCE}
+LABEL commit_hash=${COMMIT_HASH}
+LABEL commit_id=${COMMIT_ID}
+LABEL build_time=${BUILD_TIME}
+
+ARG container_user=mosip
+ARG container_user_group=mosip
+ARG container_user_uid=1001
+ARG container_user_gid=1001
+
+# Create the user and set the working directory
+RUN groupadd -r ${container_user_group} && useradd -u ${container_user_uid} -r -g ${container_user_group} -s /bin/bash -m -d /home/${container_user} ${container_user}
+
+WORKDIR /home/${container_user}
+
+# Add all files to the correct working directory
+ADD . .
+
+# Install kubectl and Python dependencies
+RUN apt-get -y update && apt-get install -y curl \
+&& curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.sio/release/stable.txt)/bin/linux/amd64/kubectl" \
+&& chmod +x ./kubectl && mv ./kubectl /usr/local/bin/kubectl \
+&& pip install --no-cache-dir -r requirements.txt \
+&& chown -R ${container_user}:${container_user_group} /home/${container_user}
+
+USER ${container_user}
+
+ENV db-server=
+ENV db-port=
+ENV db-su-user=
+ENV postgres-password=
+
+CMD ["python", "auditsweeper.py"]
diff --git a/auditsweeper/auditsweeper.py b/auditsweeper/auditsweeper.py
@@ -0,0 +1,87 @@
+import os
+import sys
+import configparser
+import psycopg2
+
+# This script performs a cleanup of old log entries from a PostgreSQL database.
+# It is designed to be run as a Docker container via a cron job.
+
+def get_db_credentials():
+    """
+    Attempts to get database credentials from environment variables.
+    If not found, falls back to a local.properties file.
+    """
+    # List of required variables
+    required_vars = [
+        "db-host", "db-port", "db-su-user",
+        "postgres-password", "log-age-days"
+    ]
+
+    env_vars = {var: os.getenv(var.upper().replace('-', '_')) for var in required_vars}
+
+    # Check if all environment variables are set
+    if all(env_vars.values()):
+        print("Using credentials from environment variables.")
+        return env_vars
+    else:
+        print("One or more required environment variables are not set. Checking for local.properties...")
+        config = configparser.ConfigParser()
+        config_file = "local.properties"
+
+        if not os.path.exists(config_file):
+            print(f"Error: Required variables not set and '{config_file}' not found.")
+            sys.exit(1)
+
+        try:
+            # Read the properties file, assuming a single section
+            config.read_string(f"[DEFAULT]\n{open(config_file).read()}")
+            props = config['DEFAULT']
+
+            # Populate variables from the properties file
+            return {var: props.get(var) for var in required_vars}
+        except configparser.Error as e:
+            print(f"Error reading local.properties file: {e}")
+            sys.exit(1)
+
+def cleanup_db(config):
+    """
+    Connects to the database and performs the cleanup operation.
+    """
+    db_name = "mosip_audit"
+    try:
+        conn = psycopg2.connect(
+            host=config["db-host"],
+            port=config["db-port"],
+            user=config["db-su-user"],
+            password=config["postgres-password"],
+            dbname=db_name
+        )
+        cur = conn.cursor()
+
+        print(f"Starting database cleanup for logs older than {config['log-age-days']} days...")
+        print(f"Connecting to DB: {config['db-su-user']}@{config['db-host']}:{config['db-port']}/{db_name}")
+
+        # The core DELETE command
+        # Use a parameterized query for safety
+        delete_query = "DELETE FROM audit.app_audit_log WHERE log_dtimes < NOW() - INTERVAL %s"
+        interval_str = f"{config['log-age-days']} days"
+
+        cur.execute(delete_query, (interval_str,))
+
+        # Get the number of rows deleted
+        rows_deleted = cur.rowcount
+        conn.commit()
+
+        print(f"Successfully deleted {rows_deleted} rows.")
+
+    except psycopg2.OperationalError as e:
+        print(f"Database connection or query failed: {e}")
+        sys.exit(1)
+    finally:
+        if 'conn' in locals() and conn:
+            conn.close()
+
+if __name__ == "__main__":
+    db_config = get_db_credentials()
+    cleanup_db(db_config)
+    print("Database cleanup script finished successfully.")
diff --git a/auditsweeper/local.properties b/auditsweeper/local.properties
@@ -0,0 +1,5 @@
+db-host=postgres.dev1.mosip.net
+db-port=5432
+db-su-user=postgres
+postgres-password=HEdM***9ZXir7Tu2F
+log-age-days=85
diff --git a/auditsweeper/requirements.txt b/auditsweeper/requirements.txt
@@ -0,0 +1 @@
+psycopg2-binary==2.9.1
diff --git a/deploy/auditsweeper/README.md b/deploy/auditsweeper/README.md
@@ -0,0 +1,18 @@
+# auditsweeper
+Helm chart for installing auditsweeper
+
+## Introduction 
+It's a cronjob that  goes through the audit table and cleans up the audit logs after a customisable no of days.
+
+## Install
+* Review the `values.yaml` file and ensure that the database parameter values and log_age_days are set according to your environment
+* RUN Install script
+```
+./install.sh
+```
+
+# TL;DR
+```console
+$ helm repo add mosip https://mosip.github.io
+$ helm install my-release mosip/auditsweeper
+```
diff --git a/deploy/auditsweeper/copy_cm.sh b/deploy/auditsweeper/copy_cm.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copy configmaps from other namespaces
+# DST_NS: Destination (current) namespace
+
+function copying_cm() {
+  UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
+  COPY_UTIL=./copy_cm_func.sh
+
+  wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+
+  DST_NS=auditsweeper
+
+  $COPY_UTIL configmap global default $DST_NS
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+copying_cm   # calling function
+
+
+
diff --git a/deploy/auditsweeper/copy_secrets.sh b/deploy/auditsweeper/copy_secrets.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+# Copy secrets from other namespaces
+# DST_NS: Destination namespace
+
+function copying_secrets() {
+  UTIL_URL=https://raw.githubusercontent.com/mosip/mosip-infra/master/deployment/v3/utils/copy_cm_func.sh
+  COPY_UTIL=./copy_cm_func.sh
+
+  wget -q $UTIL_URL -O copy_cm_func.sh && chmod +x copy_cm_func.sh
+
+  DST_NS=auditsweeper
+  $COPY_UTIL secret postgres-postgresql postgres $DST_NS
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+copying_secrets   # calling function
diff --git a/deploy/auditsweeper/delete.sh b/deploy/auditsweeper/delete.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Uninstalls print service
+## Usage: ./delete.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+function deleting_auditsweeper() {
+  NS=auditsweeper
+  while true; do
+      read -p "Are you sure you want to delete print helm chart?(Y/n) " yn
+      if [ $yn = "Y" ]
+        then
+          helm -n $NS delete auditsweeper
+          break
+        else
+          break
+      fi
+  done
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+deleting_auditsweeper  # calling function
diff --git a/deploy/auditsweeper/install.sh b/deploy/auditsweeper/install.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Installs sample print service
+## Usage: ./restart.sh [kubeconfig]
+
+if [ $# -ge 1 ] ; then
+  export KUBECONFIG=$1
+fi
+
+
+NS=auditsweeper
+CHART_VERSION=0.0.1-develop
+
+echo Create $NS namespace
+kubectl create ns $NS 
+
+function installing_auditsweeper() {
+  echo Istio label
+  kubectl label ns $NS istio-injection=disabled --overwrite
+  helm repo update
+
+  echo Copy configmaps
+  sed -i 's/\r$//' copy_cm.sh
+  ./copy_cm.sh
+
+  echo Copy secrets
+  sed -i 's/\r$//' copy_secrets.sh
+  ./copy_secrets.sh
+
+  echo Installing auditsweeper
+  helm -n $NS install auditsweeper mosip/auditsweeper -f values.yaml --wait --version $CHART_VERSION
+  return 0
+}
+
+# set commands for error handling.
+set -e
+set -o errexit   ## set -e : exit the script if any statement returns a non-true return value
+set -o nounset   ## set -u : exit the script if you try to use an uninitialised variable
+set -o errtrace  # trace ERR through 'time command' and other functions
+set -o pipefail  # trace ERR through pipes
+installing_auditsweeper   # calling function
diff --git a/deploy/auditsweeper/values.yaml b/deploy/auditsweeper/values.yaml
@@ -0,0 +1,12 @@
+
+crontime: "0 3 * * *"    ## run cronjob every day at 3 AM (time hr: 0-23 )
+
+auditsweeper:
+  configmaps:
+    db:
+      db-port: '5432'
+      db-su-user: 'postgres'
+      db-host: 'postgres.sandbox.mosip.net'
+    auditsweeper:
+      log-age-days: '90'
+
diff --git a/helm/auditsweeper/Chart.yaml b/helm/auditsweeper/Chart.yaml
@@ -0,0 +1,19 @@
+apiVersion: v2
+name: auditsweeper
+description: A Helm chart to deploy auditsweeper
+type: application
+version: 0.0.1-develop
+appVersion: ""
+dependencies:
+  - name: common
+    repository: https://charts.bitnami.com/bitnami
+    tags:
+      - bitnami-common
+    version: 1.x.x
+home: https://mosip.io
+keywords:
+  - mosip
+  - auditsweeper
+maintainers:
+  - email: [email protected]
+    name: MOSIP
diff --git a/helm/auditsweeper/README.md b/helm/auditsweeper/README.md
@@ -0,0 +1,12 @@
+# mosipcertmanager
+Helm chart for installing auditsweeper
+
+## Introduction
+t's a cronjob that  goes through the audit table and cleans up the audit logs after a customisable no of days.
+
+# TL;DR
+```console
+$ helm repo add mosip https://mosip.github.io
+$ helm install my-release mosip/auditsweeper
+```
+
diff --git a/helm/auditsweeper/templates/NOTES.txt b/helm/auditsweeper/templates/NOTES.txt
@@ -0,0 +1 @@
+