

Merge branch 'main' into ga-csp-nonce
ojbravo authored Jun 21, 2024
2 parents b91d24b + c7e279d commit b14008c
Showing 15 changed files with 115 additions and 112 deletions.
50 changes: 34 additions & 16 deletions .pnp.cjs


Binary file removed .yarn/cache/ip-npm-2.0.1-ee48691f03-d765c9fd21.zip
Binary file removed .yarn/cache/ws-npm-8.16.0-46943f6199-feb3eecd2b.zip
25 changes: 14 additions & 11 deletions Dockerfile
Expand Up @@ -19,14 +19,9 @@ FROM ghcr.io/cfpb/regtech/sbl/nginx-alpine:1.24
ENV NGINX_USER=svc_nginx_sbl
RUN apk update; apk upgrade
RUN rm -rf /etc/nginx/conf.d
COPY nginx /etc/nginx

# copy useragent rules for nginx
COPY nginx/useragent.rules /etc/nginx/useragent.rules

# copy nginx configuration into template folder for env var injection
COPY nginx/nginx.conf /etc/nginx/templates/nginx.conf.template

# copy the application bundle from dist to nging/html to be served
# copy the app into the nginx html folder to be served
COPY --from=build-stage /usr/src/app/dist /usr/share/nginx/html

# copy necessary import-meta-env-alpine files for env var injection
Expand All @@ -36,14 +31,22 @@ COPY --from=build-stage \
/usr/src/app/.env.example \
/usr/share/nginx/html/

# copy nginx configuration into template folder for env var injection
COPY nginx/nginx.conf /etc/nginx/templates/nginx.conf.template

# Security Basline - Meets requirement 9
RUN find /etc/nginx -type d | xargs chmod 750 && \
find /etc/nginx -type f | xargs chmod 640
# Security Basline - The `sed` was added to meet requirement 17
RUN sed -i '/Faithfully yours/d' /usr/share/nginx/html/50x.html && \
adduser -S $NGINX_USER nginx && \
addgroup -S $NGINX_USER && \
addgroup $NGINX_USER $NGINX_USER && \
adduser -S $NGINX_USER -G $NGINX_USER && \
# We need to come back and reconcile the multiple pids.
touch /run/nginx.pid && \
chown -R $NGINX_USER:$NGINX_USER /etc/nginx /run/nginx.pid /var/cache/nginx/
touch /var/run/nginx.pid && \
chown -R $NGINX_USER:$NGINX_USER /etc/nginx /run/nginx.pid /var/cache/nginx/ /var/run/nginx.pid /usr/share/nginx/html/index.html /usr/share/nginx/html/import-meta-env-alpine /usr/share/nginx/html/nginx-entrypoint.sh /usr/share/nginx/html/.env.example
EXPOSE 8080
USER svc_nginx_sbl

# use entrypoint to inject vars and switch to non-root user
# use entrypoint to inject vars
ENTRYPOINT ["sh","/usr/share/nginx/html/nginx-entrypoint.sh"]
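Review bot: The final `chown -R $NGINX_USER:$NGINX_USER /etc/nginx ...` hands the runtime user ownership of the whole nginx configuration tree, which largely undoes the `chmod 750`/`640` restriction a few lines earlier because the owner keeps write access; the only file the entrypoint shown on this page needs to write is the rendered `/etc/nginx/nginx.conf`, so limiting ownership to that target (or a dedicated writable directory) and leaving the rest root-owned with group read would keep the served configuration immutable to the nginx process. `USER svc_nginx_sbl` hardcodes the name that `NGINX_USER` already holds; `USER $NGINX_USER` keeps the two from drifting. The paired `touch /run/nginx.pid` and `touch /var/run/nginx.pid` (and the TODO above them) most likely refer to the same file on Alpine, where `/var/run` is normally a symlink to `/run`, but that should be verified against the base image before one is dropped. The two comment lines reading "Security Basline" should read "Security Baseline".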
77 changes: 19 additions & 58 deletions buildspec.yml
Expand Up @@ -2,73 +2,34 @@ version: 0.2

env:
variables:
SERVICE_NAME: sbl-frontend
CONTACTS_SECRET: cfpb/team/regtech/contact-info
IMAGE_SCANNER_SECRET: cfpb/team/regtech/image-scanner-creds
SMTP_CREDS_SECRET: cfpb/team/regtech/smtp-ses-creds
SMTP_FROM_ADDRESS: noreply@cfpb.gov
secrets-manager:
TL_CONSOLE_URL: cfpb/team/regtech/twistlock:TL_CONSOLE_URL
TL_USER: cfpb/team/regtech/twistlock:TL_USER
TL_PASSWORD: cfpb/team/regtech/twistlock:TL_PASSWORD
SMTP_PASSWORD: "${SMTP_CREDS_SECRET}:password"
EMAIL_TO: "${CONTACTS_SECRET}:developers_all"
IMAGE_SCANNER_URL: "${IMAGE_SCANNER_SECRET}:url"
IMAGE_SCANNER_USERNAME: "${IMAGE_SCANNER_SECRET}:username"
IMAGE_SCANNER_PASSWORD: "${IMAGE_SCANNER_SECRET}:password"
SMTP_HOST: "${SMTP_CREDS_SECRET}:mail_server"
SMTP_PORT: "${SMTP_CREDS_SECRET}:smtp_port"
SMTP_SERVER: "${SMTP_CREDS_SECRET}:smtp_server"
SMTP_USERNAME: "${SMTP_CREDS_SECRET}:username"
EMAIL_LIST: "${SMTP_CREDS_SECRET}:email_list"
SMTP_PASSWORD: "${SMTP_CREDS_SECRET}:password"

phases:
install:
commands:
- codebuild-init && source ./env.sh
pre_build:
commands:
# Set envvars dependent on CodeBuild project's own envvars
- sudo yum -y install mailx coreutils --allowerasing --skip-broken
- export JOB_NAME=$CODEBUILD_BUILD_ID
- export IMAGE_NAME="cfpb/${TEAM_NAMESPACE}/sbl-frontend"
- export IMAGE_NAME="cfpb/${TEAM_NAMESPACE}/sbl-frontend"
- export IMAGE_TAG="preview"
# EMAIL_LIST should be a distribution list or a space separate string of multiple recipients
#- export EMAIL_LIST="foo@foobar.com"
- AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query 'Account' --output text --no-cli-pager)
- ECR_ACCOUNT_REGISTRY="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
- export IMAGE_NAME="cfpb/${NAMESPACE}/${SERVICE_NAME}"
- export IMAGE_TAG=$GIT_REF
- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
- env | sort

# Login to ECR registry
- aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $ECR_ACCOUNT_REGISTRY

# Authenticate with EKS cluster
- aws eks update-kubeconfig --name $EKS_CLUSTER_NAME
build:
commands:
- export DEPLOYMENT_NAME="sbl-frontend"
- docker build -t "${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" -f Dockerfile .
- curl -k -u "$TL_USER:$TL_PASSWORD" "$TL_CONSOLE_URL/api/v1/util/twistcli" --output twistcli
- chmod +x twistcli
# Setting pipefail preserves the exit code of the following command
- set -o pipefail
- >
./twistcli images scan --details -address "${TL_CONSOLE_URL}" \
-u "${TL_USER}" \
-p "${TL_PASSWORD}" \
"${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" | tee twistcli.log; EXITCODE=$?
# The `tr -d` bit is needed as mailx was interpreting the output file as binary and sending the
# output as an attachment.
- >
if [ "$EXITCODE" -ne 0 ]; then
cat -v twistcli.log | tr -d '^[[' > twistcli-parsed.log
LOG=$(cat twistcli-parsed.log)
echo $LOG |
mailx -s "Twistlock Policy Violation $JOB_NAME" \
-S smtp-use-starttls \
-S ssl-verify=ignore \
-S smtp-auth=login \
-S smtp=smtp://"$SMTP_SERVER":"$SMTP_PORT" \
-S from="$SMTP_FROM_ADDRESS" \
-S smtp-auth-user=$SMTP_USERNAME \
-S smtp-auth-password=$SMTP_PASSWORD \
$EMAIL_LIST
else
echo "Twistcli did not detect any vulnerabilities or compliance concerns per configured Twistlock policies."
fi
- docker push "${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
- echo "Checking ImagePullPolicy"
- >
kubectl get deployment -n "${TEAM_NAMESPACE}" "$DEPLOYMENT_NAME" -oyaml |
grep "imagePullPolicy: Always" || echo "imagePullPolicy is not set to Always! Please fix"
- kubectl rollout restart -n "${TEAM_NAMESPACE}" "deployment/$DEPLOYMENT_NAME"
- docker build -t $REGISTRY_IMAGE_NAME .
#- scan-image $REGISTRY_IMAGE_NAME $EMAIL_TO
- docker push $REGISTRY_IMAGE_NAME
- echo "Image ${REGISTRY_IMAGE_NAME} now available for use. Enjoy!"
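Review bot: The image scan is now a commented-out line, `#- scan-image $REGISTRY_IMAGE_NAME $EMAIL_TO`, sitting between `docker build` and `docker push`, so the new pipeline pushes to ECR without the vulnerability/compliance gate the removed twistcli step provided; either re-enable the scan before the push or record in the file why it is disabled and who tracks re-enabling it, e.g. `# TODO(<owner>): scan-image disabled pending <reason>; re-enable before the push step`. If `env | sort` survives on the new side, it prints every variable, including the `secrets-manager` values, into the build log unless the build service masks them; dropping it or printing a filtered allow-list is safer. `IMAGE_TAG=$GIT_REF`, `docker build -t $REGISTRY_IMAGE_NAME .` and `docker push $REGISTRY_IMAGE_NAME` leave their expansions unquoted while the rest of the file quotes them; `"$GIT_REF"` and `"$REGISTRY_IMAGE_NAME"` would be consistent.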
12 changes: 3 additions & 9 deletions nginx-entrypoint.sh
Expand Up @@ -4,19 +4,13 @@ set -e # Exit immediately if a command exits with a non-zero status
# Use import-meta-env-alpine to inject environment variables
cd /usr/share/nginx/html

# reset env variable injection if already performed to allow container
# restarts with new variables
[[ -e index.html.bak ]] && cp index.html.bak index.html

# inject non-secret, public env variables into index.html
./import-meta-env-alpine -x .env.example -p index.html || exit 1
./import-meta-env-alpine -x .env.example -p index.html --disposable || exit 1

# create nginx.conf with env vars from template
# must specify variables to be substituted to avoid replacing base nginx vars
# # create nginx.conf with env vars from template
# # must specify variables to be substituted to avoid replacing base nginx vars
envsubst \$SBL_REGTECH_BASE_URL < /etc/nginx/templates/nginx.conf.template > /etc/nginx/nginx.conf

# start nginx as non-root user
su -s /bin/ash svc_nginx_sbl

# start nginx
nginx -g "daemon off;"
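Review bot: The two comment lines above `envsubst` carry a doubled `# #` prefix; if those are the new versions they should read `# create nginx.conf with env vars from template` and `# must specify variables to be substituted to avoid replacing base nginx vars`. With `set -e` in effect (visible in the hunk header), the `|| exit 1` on the `import-meta-env-alpine` line is redundant; either drop it or make the failure explicit with `|| { echo "env injection failed" >&2; exit 1; }`. The script no longer drops privileges itself and relies on the image's `USER` instruction, which is worth stating in a comment next to `nginx -g "daemon off;"` so a future reader does not reintroduce a `su` step.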
19 changes: 13 additions & 6 deletions nginx/nginx.conf
Expand Up @@ -7,13 +7,19 @@ error_log /dev/stdout info;

http {

log_format main 'server="$server_name" host="$host” dest_port="$server_port"'
'src="$remote_addr" ip="$realip_remote_addr" user="$remote_user" '
'time_local="$time_local" http_status="$status" '
'http_referer="$http_referer" http_user_agent="$http_user_agent" '
'http_x_forwarded_for="$http_x_forwarded_for" '
'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
'request=$request http_method="$request_method"';

# Don't emit version info
server_tokens off;

dav_methods off

# Prevent clickjacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options SAMEORIGIN always;

# Prevent content-type sniffing
add_header X-Content-Type-Options nosniff;
Expand Down Expand Up @@ -48,8 +54,8 @@ http {
client_header_buffer_size 1k;
client_max_body_size 5m;
large_client_header_buffers 4 8k;
client_body_timeout 60s;
client_header_timeout 60s;
client_body_timeout 10s;
client_header_timeout 10s;
# Security Basline - Added to meet requirement 14
keepalive_timeout 10s;
# Security Basline - Added to meet requirement 15
Expand All @@ -73,9 +79,11 @@ http {
server {
listen 8080;
root /usr/share/nginx/html/;

# Security Basline - Changed to meet requirement
autoindex off;
access_log /dev/stdout;
#gzip on;
#gzip_types application/javascript text/css application/json;
# Security Basline - Changed to meet requirement 4
gzip off;
Expand All @@ -84,7 +92,6 @@ http {
tcp_nodelay on;
expires $expires;
limit_conn addr 8;
ssl_session_tickets off;

# Security Basline - Added to meet requirement 39
if ($request_method !~ ^(GET|HEAD|OPTIONS)$) { return 444; }
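Review bot: `dav_methods off` in the first hunk has no terminating `;`, so nginx's parser folds the tokens of the following `add_header X-Frame-Options SAMEORIGIN always;` into its argument list and rejects the configuration at startup; it should read `dav_methods off;`, and since the directive only exists when nginx is built with the dav module, confirm the base image provides it (the line has no old-side counterpart, so it appears to be new). The new `log_format main` closes `host="$host` with a typographic `”` instead of `"`, leaving an unbalanced quote in every access-log record and breaking key=value log parsers; use `host="$host"`. In the same format `request=$request` is the only unquoted field although its value contains spaces; `request="$request"` keeps the fields consistently delimited.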
3 changes: 3 additions & 0 deletions package.json
Expand Up @@ -125,6 +125,9 @@
"workbox-build": "6.5.4",
"workbox-window": "6.5.4"
},
"resolutions": {
"socks": "2.7.4"
},
"browserslist": {
"production": "Edge >= 18, Firefox >= 60, Chrome >= 61, Safari >= 11, Opera >= 48",
"development": [
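Review bot: The new `resolutions` block pins `socks` to exactly `2.7.4` for every transitive consumer, and nothing in the file records why or when the override can be retired; package.json has no comment syntax, so a pin like this tends to outlive its purpose and silently block later upgrades. If, as the removed `.yarn/cache/ip-npm-2.0.1-...` entry suggests, the pin exists to pull in a patched `ip` dependency, note that reason and the removal condition in the project's changelog or a docs note, and re-check the pin the next time `socks` is upgraded.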

0 comments on commit b14008c
