Merge pull request #70 from Qrucial/milestone2

Milestone2

README.md

@@ -18,8 +18,11 @@ Audit request on front-end ► Validation and hash verification of project p
 
 We believe that audits should be transparent and trustless.
 
-## 📄 Litepaper:
-Simply go to [qrucial.io/qrucial-dao](https://qrucial.io/wp-content/uploads/2022/06/QRUCIAL-DAO-Litepaper-2022.pdf)                                                                                              
+## 📄 Litepaper and whitepaper:
+[Litepaper link /to be actualized/](https://raw.githubusercontent.com/Qrucial/QRUCIAL-DAO/main/docs/QRUCIAL%20DAO%20Litepaper%202022.pdf)
+
+[Whitepaper link /to be actualized/](https://raw.githubusercontent.com/Qrucial/QRUCIAL-DAO/main/docs/QRUCIAL_DAO_Whitepaper.pdf)
+
 # 📚 Wiki:
 QDAO wiki [can be found here](https://github.com/Qrucial/QRUCIAL-DAO/wiki).       
 

docker/docker_clean.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+killall qdao-node
+killall qdao-exosysd
+killall lar.py
+#docker kill $(docker ps -q)
+#docker rm $(docker ps -a -q)
+#docker rmi $(docker images -q)
+docker system prune
+docker system prune -af

exotools/conf/nginx.conf

@@ -0,0 +1,68 @@
+user www-data;
+worker_processes 2;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	sendfile off;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	gzip on;
+	gzip_disable "msie6";
+
+#    limit_req_zone $binary_remote_addr zone=one:10m rate=40r/s;
+#    limit_req zone=one;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name qrucial.io;
+    return 301 https://$server_name:443$request_uri;
+}
+
+server {
+    limit_rate 10240k;
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name qrucial.io;
+    gzip on;
+    charset UTF-8;
+
+    index = index.html
+
+    location / {
+        proxy_pass          http://127.0.0.1:8000;
+        proxy_http_version  1.1;
+        proxy_pass_header Server;
+        proxy_set_header Host $host;
+        proxy_buffering off;
+    }
+
+    ssl_certificate /etc/letsencrypt/live/qrucial.io/fullchain.pem; # managed by Certbot                                                                                                                          
+    ssl_certificate_key /etc/letsencrypt/live/qrucial.io/privkey.pem; # managed by Certbot
+
+    add_header Strict-Transport-Security "max-age=256000; includeSubDomains; preload;";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+	if ($http_user_agent ~* (wget|curl|libwww-perl|masscan|nmap|acunetix|roman|burp|arachni|urllib|burger-imperia|testproxy|semantic|nikto|nessus|sqlmap|wpscan|gobuster) ) {
+	return 403;}
+
+
+}
+

exotools/configs/nginx.conf

@@ -0,0 +1,114 @@
+# Hardened configuration for QDAO nodes
+user www-data;
+worker_processes 2;
+worker_rlimit_nofile 8192;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 2048;
+}
+
+http {
+	sendfile off;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server_tokens off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+	gzip on;
+
+# Just redir to HTTPS everitiem
+server {
+    listen 80;
+    #listen [::]:80; # No IPv6 for now
+    server_name qrucial.io;
+    return 301 https://$server_name:443$request_uri;
+  }
+
+## HTTPS server proxying the React based FE
+server {
+    limit_rate 10240k;
+    listen 443 ssl http2;
+    server_name qrucial.io;
+    gzip on;
+    charset UTF-8;
+    types_hash_max_size 2048;
+
+    # Buffer policy
+    client_body_buffer_size 1K;
+    client_header_buffer_size 1k;
+    client_max_body_size 1k;
+    large_client_header_buffers 2 1k;
+
+    # Only allow GET and POST
+    if ($request_method !~ ^(GET|POST)$ )
+    {
+    return 405;
+    }
+
+    index = index.html;
+
+    location / {
+        proxy_pass          http://127.0.0.1:8000;
+        proxy_http_version  1.1;
+        proxy_pass_header Server;
+        proxy_set_header Host $host;
+        proxy_buffering off;
+    }
+
+    # SSL
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'HIGH:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SRP:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+    ssl_certificate /etc/letsencrypt/live/qrucial.io/fullchain.pem;                                                                                                                       
+    ssl_certificate_key /etc/letsencrypt/live/qrucial.io/privkey.pem;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=256000; includeSubDomains; preload;";
+    add_header X-Content-Type-Options nosniff;          # Dont let guessing the content types
+    add_header X-XSS-Protection "1; mode=block";        # Browser inbuilt XSS protection blocks loading at attack
+    add_header X-Frame-Options "DENY";                  # Iframes are disabled
+    add_header Set-Cookie "Path=/; HttpOnly; Secure";   # Only allow S cookies
+
+    # Block scanners based on user-agent (nobrainer to bypass, but logs are more beautiful)
+    if ($http_user_agent ~* (wget|curl|libwww-perl|masscan|nmap|acunetix|roman|burp|arachni|urllib|burger-imperia|testproxy|semantic|nikto|nessus|sqlmap|wpscan|gobuster) ) {return 403;}
+
+  }
+
+## WSS proxy, so QDAO's Substrate chain can provide ws on 127.0.0.1:9944
+server {
+        root /var/www/html;
+        index index.html;
+
+        ssl_certificate /etc/letsencrypt/live/qrucial.io/fullchain.pem;                                                                                                                       
+        ssl_certificate_key /etc/letsencrypt/live/qrucial.io/privkey.pem;
+        listen 9995 ssl;
+
+        ssl_session_cache shared:cache_nginx_SSL:1m;
+        ssl_session_timeout 1440m;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers 'HIGH:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SRP:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
+
+        location / {
+          try_files $uri $uri/ =404;
+
+          proxy_buffering off;
+          proxy_pass http://127.0.0.1:9944 ;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header Host 127.0.0.1:9944;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+       }
+
+  }
+}

exotools/docker/docker_files/dockerfile

@@ -1,18 +1,17 @@
 FROM rust:buster
 
+RUN apt update 
+RUN apt-get install -y python3-pip graphviz xdg-utils
 RUN cargo install cargo-audit
 
 # This will always return success, it normally fails after update (we just need update)
 RUN cargo audit -db || : 
 RUN echo "Ignore Error above. just used to sync repo"
 
+# Prepare to run the off-chain automated audit
 RUN mkdir /usr/exotools/
 ADD ./scripts/audit_script.sh /usr/exotools/
 RUN chmod +x /usr/exotools/audit_script.sh
-# Figure out a check we can do to make sure the container is running nominaly.
-# for the pallets having it send a ping without failing would work,
-# for exotools we dont really need one yet, as they get deployed and then shut down.
-# HEALTHCHECK # ping 0.0.0.0
 
-ENTRYPOINT ["/usr/exotools/audit_script.sh"]
-# This is a not great solution but it works
+# This starts the off-chain automated auditing
+ENTRYPOINT ["/usr/exotools/audit_script.sh"]

exotools/docker/docker_files/scripts/audit_script.sh

@@ -74,7 +74,10 @@ function exec_audit {
   elif [[ $(find "$EXTRACT_PATH" -name Cargo.toml) ]]; then
     TOML_FILE="$(find "$EXTRACT_PATH" -name Cargo.toml)"
   else
-    echo "Cannot Continue, neither Cargo.lock, or Cargo.toml was found"
+    echo "Neither Cargo.lock, or Cargo.toml was found, assuming EVM/Solidity project"
+    cd $EXTRACT_PATH
+    chmod +x ~/.local/bin/octopus_eth_evm
+    ~/.local/bin/octopus_eth_evm -f evm.bin
     exit 1
   fi
 
@@ -93,25 +96,11 @@ function exec_audit {
 
   ( cd $(dirname $LOCK_FILE) && cargo audit --json > "$REPORT_PATH""report.json" )
   ( cd $(dirname $LOCK_FILE) && cargo clippy &> "$REPORT_PATH""clippy.out" )
-  # cargo audit --json > "$REPORT_PATH""report.json" # better save method. (?)
+
 
-  # cp or symlink, whatever is better
+  # cp or symlink could be an alternative
   cp -r "$REPORT_PATH" "$TIMESTAMP_PATH"
 
 }
 
-
-
-
-
-
-
-
-
-exec_audit
-
-
-
-
-
-
+exec_audit