From 77c15cda13f76ff7b161a6df009e510b8df83f06 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 24 Oct 2023 22:41:40 +0100 Subject: [PATCH 01/39] optional ipfilter for array of allowed_ips in config or environment --- app/config.json.sample | 3 +++ app/package.json | 1 + app/server/app.js | 4 +++- app/server/config.js | 8 +++++++- 4 files changed, 14 insertions(+), 2 deletions(-) diff --git a/app/config.json.sample b/app/config.json.sample index 26f8c39..1f8c29f 100644 --- a/app/config.json.sample +++ b/app/config.json.sample @@ -8,6 +8,9 @@ "path": "/ssh/socket.io", "origins": ["localhost:2222"], }, + "ipfilter": { + allowed_ips: [] + }, "user": { "name": null, "password": null, diff --git a/app/package.json b/app/package.json index c843c4d..ef6e46e 100644 --- a/app/package.json +++ b/app/package.json @@ -36,6 +36,7 @@ "cidr-matcher": "^2.1.1", "debug": "^4.3.4", "express": "^4.18.1", + "express-ipfilter": "^1.3.1", "express-session": "^1.17.3", "morgan": "~1.10.0", "read-config-ng": "^3.0.5", diff --git a/app/server/app.js b/app/server/app.js index 195b614..1b38c2a 100644 --- a/app/server/app.js +++ b/app/server/app.js @@ -17,11 +17,12 @@ const server = require('http').Server(app); const favicon = require('serve-favicon'); const io = require('socket.io')(server, config.socketio); const session = require('express-session')(config.express); +const ipfilter = require('express-ipfilter').IpFilter const appSocket = require('./socket'); const { setDefaultCredentials, basicAuth } = require('./util'); const { webssh2debug } = require('./logging'); -const { reauth, connect, notfound, handleErrors } = require('./routes'); +const { reauth, connect, notfound, handleForbidden, handleErrors } = require('./routes'); setDefaultCredentials(config.user); 
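Review bot: The added key is written as `allowed_ips: []` without quotes, which makes `config.json.sample` invalid JSON even though every other key in the file is quoted; any strict parser, including the `jq` filters a later commit in this series runs over this file, will reject it. The hunk should read `"ipfilter": { "allowed_ips": [] },`. `allowed_ips` is also the only snake_case key in an otherwise camelCase schema (`serveClient`, `readyTimeout`), so `allowedIps` would be the consistent name while the option is still new.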
@@ -38,6 +39,7 @@ function safeShutdownGuard(req, res, next) { // express app.use(safeShutdownGuard); app.use(session); +if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' })) if (config.accesslog) app.use(logger('common')); app.disable('x-powered-by'); app.use(favicon(path.join(publicPath, 'favicon.ico'))); diff --git a/app/server/config.js b/app/server/config.js index bb3639b..aaac959 100644 --- a/app/server/config.js +++ b/app/server/config.js @@ -38,7 +38,10 @@ const configDefault = { setHeaders(res) { res.set('x-timestamp', Date.now()); }, - }, + } + }, + ipfilter: { + allowed_ips: [], }, user: { name: null, @@ -133,4 +136,7 @@ if (process.env.SOCKETIO_PATH) config.socketio.path = process.env.SOCKETIO_PATH; if (process.env.SOCKETIO_SERVECLIENT) config.socketio.serveClient = process.env.SOCKETIO_SERVECLIENT; +if (process.env.ALLOWED_IP_ADDRESSES) + config.ipfilter.allowed_ips.push(process.env.ALLOWED_IP_ADDRESSES.split(" ")) + module.exports = config; From b3fcaf8b98f629f1253932b6370e2cf1fb0a3f4b Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 24 Oct 2023 22:45:19 +0100 Subject: [PATCH 02/39] removed unused function to handleForbidden from ipfilter --- app/server/app.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/server/app.js b/app/server/app.js index 1b38c2a..9a597cb 100644 --- a/app/server/app.js +++ b/app/server/app.js @@ -22,7 +22,7 @@ const ipfilter = require('express-ipfilter').IpFilter const appSocket = require('./socket'); const { setDefaultCredentials, basicAuth } = require('./util'); const { webssh2debug } = require('./logging'); -const { reauth, connect, notfound, handleForbidden, handleErrors } = require('./routes'); +const { reauth, connect, notfound, handleErrors } = require('./routes'); setDefaultCredentials(config.user); From 2208424c879fc09cea782277acb92a9e5769ca3d Mon Sep 17 00:00:00 2001 
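Review bot: The allow-list in the new `app.use(ipfilter(...))` line only guards Express routes; socket.io attaches its own `request` listener to the same `http` server for `config.socketio.path` and answers those requests before Express middleware runs, so the websocket handshake that actually carries the SSH session is not covered — add an equivalent check in `io.use((socket, next) => …)` against `socket.handshake.address`. express-ipfilter evaluates the TCP peer address unless its `trustProxy` option is set, so behind a load balancer every client appears as the balancer and either everyone is denied or, if `trustProxy: true` is later added without a hop count, anyone can pass by sending `X-Forwarded-For`; set `app.set('trust proxy', …)` to the real hop count and give the filter the same value. Because the filter is mounted before `app.use(logger('common'))`, denied requests never reach the access log, so mount the logger first if denials should be visible. An empty list silently disables the filter, which is presumably intended for local use but deserves a startup log line; the statement is also missing its terminating semicolon.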
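Review bot: `config.ipfilter.allowed_ips.push(process.env.ALLOWED_IP_ADDRESSES.split(" "))` appends the whole split result as a single nested array element rather than individual addresses, and express-ipfilter interprets an array entry as an inclusive `[start, end]` range, so `ALLOWED_IP_ADDRESSES="10.0.0.5 203.0.113.9"` would admit every address between the two instead of just those two. Spread the values and drop empties from doubled or trailing spaces: `config.ipfilter.allowed_ips.push(...process.env.ALLOWED_IP_ADDRESSES.split(/\s+/).filter(Boolean));`. Since this list is the deployment's only network access control, rejecting entries that do not parse as an address or CIDR at startup would be safer than letting a typo be silently ignored.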
From: Tom Broughton Date: Tue, 24 Oct 2023 22:51:27 +0100 Subject: [PATCH 03/39] updated readme --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index ef319cb..981069f 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ +# RUSI gatsby devops + +This repo is used to initiate an ssh session for devops purposes and is restricted to Aer VPN IP address access. + # WebSSH2 [![Build Status](https://travis-ci.com/billchurch/webssh2.svg?branch=main)](https://travis-ci.com/billchurch/webssh2) [![GitHub version](https://img.shields.io/github/v/release/billchurch/webssh2)](https://github.com/billchurch/webssh2/releases/latest) [![docker build images](https://github.com/billchurch/webssh2/actions/workflows/docker-multiplatform.yml/badge.svg)](https://github.com/billchurch/webssh2/actions/workflows/docker-multiplatform.yml) From d8a563088561e73dc0dc414dc70922f963cbc7fe Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Tue, 24 Oct 2023 22:52:14 +0100 Subject: [PATCH 04/39] removed badges from readme --- README.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/README.md b/README.md index 981069f..c070ea7 100644 --- a/README.md +++ b/README.md 
@@ -4,16 +4,10 @@ This repo is used to initiate an ssh session for devops purposes and is restrict # WebSSH2 -[![Build Status](https://travis-ci.com/billchurch/webssh2.svg?branch=main)](https://travis-ci.com/billchurch/webssh2) [![GitHub version](https://img.shields.io/github/v/release/billchurch/webssh2)](https://github.com/billchurch/webssh2/releases/latest) [![docker build images](https://github.com/billchurch/webssh2/actions/workflows/docker-multiplatform.yml/badge.svg)](https://github.com/billchurch/webssh2/actions/workflows/docker-multiplatform.yml) - -[![Buy Me A Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://www.buymeacoffee.com/billchurch) - Web SSH Client using ssh2, socket.io, xterm.js, and express A bare bones example of an HTML5 web-based terminal emulator and SSH client. We use SSH2 as a client on a host to proxy a Websocket / Socket.io connection to a SSH2 server. -WebSSH2 v0.2.0 demo - # Requirements Node v14.x or above. If using Date: Wed, 25 Oct 2023 00:01:58 +0100 Subject: [PATCH 05/39] removed config sample --- app/config.json.sample | 86 ------------------------------------------ 1 file changed, 86 deletions(-) delete mode 100644 app/config.json.sample diff --git a/app/config.json.sample b/app/config.json.sample deleted file mode 100644 index 1f8c29f..0000000 --- a/app/config.json.sample +++ /dev/null 
@@ -1,86 +0,0 @@ -{ - "listen": { - "ip": "0.0.0.0", - "port": 2224 - }, - "socketio": { - "serveClient": false, - "path": "/ssh/socket.io", - "origins": ["localhost:2222"], - }, - "ipfilter": { - allowed_ips: [] - }, - "user": { - "name": null, - "password": null, - "privatekey": null, - "overridebasic": false - }, - "ssh": { - "host": null, - "port": 22, - "localAddress": null, - "localPort": null, - "term": "xterm-color", - "readyTimeout": 20000, - "keepaliveInterval": 120000, - "keepaliveCountMax": 10, - "allowedSubnets": [] - }, - "terminal": { - "cursorBlink": true, - "scrollback": 10000, - "tabStopWidth": 8, - "bellStyle": "sound", - "fontSize": 14 - }, - "header": { - "text": null, - "background": "green" - }, - "session": { - "name": "WebSSH2", - "secret": "mysecret" - }, - "options": { - "challengeButton": true, - "allowreauth": false - }, - "algorithms": { - "kex": [ - "ecdh-sha2-nistp256", - "ecdh-sha2-nistp384", - "ecdh-sha2-nistp521", - "diffie-hellman-group-exchange-sha256", - "diffie-hellman-group14-sha1" - ], - "cipher": [ - "aes128-ctr", - "aes192-ctr", - "aes256-ctr", - "aes128-gcm", - "aes128-gcm@openssh.com", - "aes256-gcm", - "aes256-gcm@openssh.com", - "aes256-cbc" - ], - "hmac": [ - "hmac-sha2-256", - "hmac-sha2-512", - "hmac-sha1" - ], - "compress": [ - "none", - "zlib@openssh.com", - "zlib" - ] - }, - "serverlog": { - "client": false, - "server": false - }, - "accesslog": false, - "verify": false, - "safeShutdownDuration": 300 -} From b242739a0760cac38fb66e916af56e41c8a3e013 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 25 Oct 2023 00:06:48 +0100 Subject: [PATCH 06/39] upload images and sample config --- app/config.json.sample | 86 ++++++++++++++++++++++++++++++++++++++++++ image-build-upload.sh | 64 +++++++++++++++++++++++++++++++ 2 files changed, 150 insertions(+) create mode 100644 app/config.json.sample create mode 100644 image-build-upload.sh 
diff --git a/app/config.json.sample b/app/config.json.sample new file mode 100644 index 0000000..1432ad2 --- /dev/null +++ b/app/config.json.sample @@ -0,0 +1,86 @@ +{ + "listen": { + "ip": "0.0.0.0", + "port": 2222 + }, + "socketio": { + "serveClient": false, + "path": "/ssh/socket.io", + "origins": ["localhost:2222"], + }, + "ipfilter": { + allowed_ips: ['127.21.0.1'] + }, + "user": { + "name": "aer", + "password": null, + "privatekey": null, + "overridebasic": false + }, + "ssh": { + "host": null, + "port": 22, + "localAddress": null, + "localPort": null, + "term": "xterm-color", + "readyTimeout": 20000, + "keepaliveInterval": 120000, + "keepaliveCountMax": 10, + "allowedSubnets": [] + }, + "terminal": { + "cursorBlink": true, + "scrollback": 10000, + "tabStopWidth": 8, + "bellStyle": "sound", + "fontSize": 14 + }, + "header": { + "text": null, + "background": "green" + }, + "session": { + "name": "rusi-gatsby-devops-container", + "secret": "set-by-gha" + }, + "options": { + "challengeButton": true, + "allowreauth": false + }, + "algorithms": { + "kex": [ + "ecdh-sha2-nistp256", + "ecdh-sha2-nistp384", + "ecdh-sha2-nistp521", + "diffie-hellman-group-exchange-sha256", + "diffie-hellman-group14-sha1" + ], + "cipher": [ + "aes128-ctr", + "aes192-ctr", + "aes256-ctr", + "aes128-gcm", + "aes128-gcm@openssh.com", + "aes256-gcm", + "aes256-gcm@openssh.com", + "aes256-cbc" + ], + "hmac": [ + "hmac-sha2-256", + "hmac-sha2-512", + "hmac-sha1" + ], + "compress": [ + "none", + "zlib@openssh.com", + "zlib" + ] + }, + "serverlog": { + "client": false, + "server": false + }, + "accesslog": false, + "verify": false, + "safeShutdownDuration": 300 +} diff --git a/image-build-upload.sh b/image-build-upload.sh new file mode 100644 index 0000000..37c6d9f --- /dev/null +++ b/image-build-upload.sh 
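Review bot: `allowed_ips: ['127.21.0.1']` is not valid JSON (unquoted key, single-quoted string), so the `jq` filters the workflow in this series applies to this file will fail to parse it; write `"allowed_ips": ["127.21.0.1"]`. `127.21.0.1` also falls inside the `127.0.0.0/8` loopback block, so if the intent was a Docker bridge gateway it is probably `172.21.0.1` — worth confirming, because an allow-list that matches nothing locks everyone out while one for the wrong network admits the wrong hosts. `"secret": "set-by-gha"` implies the session secret is injected at build time, but no step in the workflow touches `.session.secret`, so the image will ship with this fixed, public value; inject it (and `user.password`) from the environment at runtime rather than baking either into the image. The algorithm lists still enable `diffie-hellman-group14-sha1`, `hmac-sha1` and `aes256-cbc`; since this instance talks to a known host, trimming to the SHA-2/GCM/CTR entries is a cheap hardening.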
@@ -0,0 +1,64 @@ +#!/bin/bash +#################################### +# +# This script will build and upload a container to ECR +# flags --package-path | -p path to the package, default to pwd +# --checks-only | -c if = 1 will just check the registry if the package exists or not +#################################### + + +RUSI_AWS_ECR_ACCOUNT_ID="615693933970" +REPO_NAME="rusi-web-gatsby-devops-ops" +IMAGE_VERSION="latest" +REQ_BUILD=0 #we check local repo to see if image already exists +REQ_UPLOAD=0 #we check the ecr repo to see if already exists + + +echo "Authenticating with AWS ECR." +AWS_ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account) +if [[ -z "$AWS_ACCOUNT_ID" ]]; then + echo "Unable to get AWS account ID." + exit 1 +fi +if [[ "${AWS_ACCOUNT_ID}" != "${RUSI_AWS_ECR_ACCOUNT_ID}" ]]; then + echo "You're not logged in to the RUSI aws account." + exit 1 +fi + +echo "Checking if repository exists" +#note, we are calling the repository for a given image the same name as the image +#create the repository if it doesn't exist +aws ecr describe-repositories --repository-names "${REPO_NAME}" || aws ecr create-repository --repository-name "${REPO_NAME}" + +#check to see if the image version already exists in the repo +echo "Checking if image version already exists in ECR" +if [ -z $(aws ecr list-images --repository-name "${REPO_NAME}" --query imageIds[?imageTag==\'"${IMAGE_VERSION}"\'].imageTag --output text) ];then + echo "The container will need uploading" + REQ_UPLOAD="1" +fi +#Forcing until we have unique image versions in place +REQ_UPLOAD="1" + +#no need to go any further if image version already in registry +if [ "${REQ_UPLOAD}" == "0" ]; then + echo "Image version ${IMAGE_VERSION} already in Registry, exiting" + exit 0 +fi + +echo "Local ${REPO_NAME}:${IMAGE_VERSION} does not exist, building..." +docker build -t ${REPO_NAME}:${IMAGE_VERSION} . 
+ +#upload the image into ECR + +aws ecr get-login-password --region eu-west-1 | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com" &> /dev/null + +ECR_IMAGE="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com/${REPO_NAME}:${IMAGE_VERSION}" + +echo "Pushing drupal container to ECR" + +docker tag "${REPO_NAME}:${IMAGE_VERSION}" $ECR_IMAGE + +if ! docker push $ECR_IMAGE; then + echo "Unable to push container to ECR" + exit 1 +fi From ee506ed92100ee7635583a8032ae88cc2c5a1f37 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 25 Oct 2023 00:07:12 +0100 Subject: [PATCH 07/39] workflow to build and upload image --- .github/workflows/upload-image.yml | 34 ++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/upload-image.yml diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml new file mode 100644 index 0000000..4a2aa7c --- /dev/null +++ b/.github/workflows/upload-image.yml 
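Review bot: The `docker build` at the end of the first part of this script packages whatever is in `app/config.json` at that moment, and the workflow in this series writes the SSH private key and `user.password` into that file first, so the image pushed to ECR would carry the credentials in a layer readable by anyone with `ecr:BatchGetImage` on the repository (assuming the Dockerfile copies `app/`, which is not shown). `aws ecr get-login-password … | docker login … &> /dev/null` discards the login result, so an expired token surfaces only as a later push failure with no reason; drop the redirect and add `set -euo pipefail` at the top so a failed `docker build` does not fall through to the push. `REQ_UPLOAD="1"` is forced right after the ECR existence check, making that check dead code, and the mutable `latest` tag means a deployment cannot be pinned or rolled back; use `IMAGE_VERSION="${GITHUB_SHA:-latest}"` and keep `latest` as an alias. The unquoted `$(aws ecr list-images …)` inside `[ -z … ]` breaks if the query ever returns more than one token. The log line still says `Pushing drupal container`.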
@@ -0,0 +1,34 @@
+# Sample workflow to access AWS resources when workflow is tied to branch
+# The workflow Creates static website using aws s3
+name: RUSI Gatsby publisher image uploader
+on: workflow_dispatch
+
+# permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+ ImagePackageUpload:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v4
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v3
+ with:
+ role-to-assume: arn:aws:iam::615693933970:role/rusi-web-github-actions-oidc-role-ops
+ role-session-name: rusiwebgithubactions
+ aws-region: "eu-west-1"
+ # Upload an image to ECR
+ - name: create ssh pub key for container
+ env:
+ KEY: ${{ secrets.SSH_KEY }}
+ AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
+ run: |
+ mv app/config.json.sample app/config.json
+ jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ - name: Upload Gatsby publisher image to ECR
+ run: |
+ ./image-build-upload.sh
From 561e913bf33375bed5bd8975790436a92cfa7c33 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Wed, 25 Oct 2023 00:09:32 +0100
Subject: [PATCH 08/39] update to workflows
---
 .github/workflows/action-test.yml | 65 --------------------- .github/workflows/docker-multiplatform.yml | 67 ---------------------- .github/workflows/release.yml | 46 --------------- .github/workflows/upload-image.yml | 2 +- 4 files changed, 1 insertion(+), 179 deletions(-) delete mode 100644 .github/workflows/action-test.yml delete mode 100644 .github/workflows/docker-multiplatform.yml delete mode 100644 .github/workflows/release.yml
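Review bot: The two `jq` lines assume `app/config.json` is valid JSON, but the sample committed in this series contains an unquoted `allowed_ips` key and a single-quoted string, so `jq` exits non-zero and, with the sample already renamed by `mv`, the job fails before any image is built. Beyond that, writing `secrets.SSH_KEY` and `secrets.AER_USER_PWD` into a file the next step bakes into the image turns two GitHub secrets into a permanent ECR artifact; leave both values `null` in the file and supply them to the container at runtime, for example through the `process.env` overrides `app/server/config.js` already applies for other keys. `actions/checkout@v4` and `aws-actions/configure-aws-credentials@v3` are floating tags on a job that holds an OIDC role; pin both to a full commit SHA. The header comments (`Creates static website using aws s3`) describe a different workflow and should go.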
diff --git a/.github/workflows/action-test.yml b/.github/workflows/action-test.yml deleted file mode 100644 index 439aa02..0000000 --- a/.github/workflows/action-test.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: Manually Release Previous Tag - -on: - workflow_dispatch: - inputs: - tag: - description: 'Repo Branch/Tag' - default: 'main' - type: 'string' - required: true - -jobs: - docker: - runs-on: ubuntu-latest - steps: - - name: 'Checkout' - uses: actions/checkout@v3 - with: - ref: ${{ inputs.tag }} - - name: Prepare - id: prep - run: | - DOCKER_IMAGE=${{ secrets.DOCKER_USERNAME }}/${GITHUB_REPOSITORY#*/} - - VERSION=${{ inputs.tag }} - VERSION="${VERSION//v}" - TAGS="${DOCKER_IMAGE}:${VERSION},${DOCKER_IMAGE}" - - # If the VERSION looks like a version number, assume that - # this is the most recent version of the image and also - # tag it 'latest'. - if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - TAGS="$TAGS,${DOCKER_IMAGE}" - fi - - - # Set output parameters. - echo ::set-output name=tags::${TAGS} - echo ::set-output name=docker_image::${DOCKER_IMAGE} - - - name: Set up QEMU - uses: docker/setup-qemu-action@master - with: - platforms: all - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@master - - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Build - uses: docker/build-push-action@v2 - with: - builder: ${{ steps.buildx.outputs.name }} - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64,linux/ppc64le - push: true - tags: ${{ steps.prep.outputs.tags }} \ No newline at end of file diff --git a/.github/workflows/docker-multiplatform.yml b/.github/workflows/docker-multiplatform.yml deleted file mode 100644 index 9e9853c..0000000 --- a/.github/workflows/docker-multiplatform.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -name: 'Build Docker Images' - -on: - release: - types: [published] - -jobs: - docker: - runs-on: ubuntu-latest - steps: - - name: 'Checkout' - uses: actions/checkout@v3 - - name: Prepare - id: prep - run: | - DOCKER_IMAGE=${{ secrets.DOCKER_USERNAME }}/${GITHUB_REPOSITORY#*/} - - # If this is git tag, use the tag name as a docker tag - if [[ $GITHUB_REF == refs/tags/* ]]; then - VERSION=${GITHUB_REF#refs/tags/webssh2-v} - TAGS="${DOCKER_IMAGE}:${VERSION}" - fi - - # If this is git branch, use the branch name as a docker tag - if [[ $GITHUB_REF == refs/heads/* ]]; then - VERSION=${GITHUB_REF#refs/heads/} - TAGS="${DOCKER_IMAGE}:${VERSION}" - fi - - # If the VERSION looks like a version number, assume that - # this is the most recent version of the image and also - # tag it 'latest'. This is done by just specifying the ${DOCKER_IMAGE} - # without a tag. - if [[ $VERSION =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - TAGS="$TAGS,${DOCKER_IMAGE}" - fi - - # Set output parameters. - echo ::set-output name=tags::${TAGS} - echo ::set-output name=docker_image::${DOCKER_IMAGE} - - - name: Set up QEMU - uses: docker/setup-qemu-action@master - with: - platforms: all - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@master - - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Build - uses: docker/build-push-action@v2 - with: - builder: ${{ steps.buildx.outputs.name }} - context: . - file: ./Dockerfile - platforms: linux/amd64,linux/arm64,linux/ppc64le - push: true - tags: ${{ steps.prep.outputs.tags }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml deleted file mode 100644 index b46a3d5..0000000 --- a/.github/workflows/release.yml +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -name: 'Create Release' -on: - push: - branches: - - main - paths-ignore: - - '.github/**' - - '.devcontainer/**' - - '.**' - - '**.md' -jobs: - release: - runs-on: ubuntu-latest - outputs: - paths_released: ${{ steps.manifest_release.outputs.paths_released }} - steps: - - uses: google-github-actions/release-please-action@v3 - id: manifest_release - with: - token: ${{ secrets.RELEASE_PLEASE_UAT }} - command: manifest - package-name: webssh2 - path: app - default-branch: main - publish: - runs-on: ubuntu-20.04 - needs: release - strategy: - fail-fast: false - matrix: - path: ${{fromJson(needs.release.outputs.paths_released)}} - steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 - with: - node-version: 16 - registry-url: 'https://registry.npmjs.org' - - name: publish-to-npm - env: - NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} - run: | - cd ${{ matrix.path }} - npm install - npx lerna bootstrap - npx lerna publish from-package --no-push --no-private --yes \ No newline at end of file diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml index 4a2aa7c..5b77a55 100644 --- a/.github/workflows/upload-image.yml +++ b/.github/workflows/upload-image.yml @@ -1,6 +1,6 @@ # Sample workflow to access AWS resources when workflow is tied to branch # The workflow Creates static website using aws s3 -name: RUSI Gatsby publisher image uploader +name: RUSI Gatsby Devops image uploader on: workflow_dispatch # permission can be added at job level or workflow level From d3f6af15e85ceb8c92fbbd99a7fe9e314f96ce32 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 25 Oct 2023 00:10:58 +0100 Subject: [PATCH 09/39] use p key --- .github/workflows/upload-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml index 5b77a55..53b3ca8 100644 --- a/.github/workflows/upload-image.yml +++ b/.github/workflows/upload-image.yml 
@@ -23,7 +23,7 @@ jobs: # Upload an image to ECR - name: create ssh pub key for container env: - KEY: ${{ secrets.SSH_KEY }} + KEY: ${{ secrets.GATSBY_DEVOPS_PRIVATE_KEY }} AER_USER_PWD: ${{ secrets.AER_USER_PWD }} run: | mv app/config.json.sample app/config.json From 8fe25d0eb763d290582d7d5fa9ec300c45f548ec Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 25 Oct 2023 00:15:17 +0100 Subject: [PATCH 10/39] testing without jq --- .github/workflows/upload-image.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml index 53b3ca8..67f8b89 100644 --- a/.github/workflows/upload-image.yml +++ b/.github/workflows/upload-image.yml @@ -21,14 +21,12 @@ jobs: role-session-name: rusiwebgithubactions aws-region: "eu-west-1" # Upload an image to ECR - - name: create ssh pub key for container + - name: create config env: KEY: ${{ secrets.GATSBY_DEVOPS_PRIVATE_KEY }} AER_USER_PWD: ${{ secrets.AER_USER_PWD }} run: | mv app/config.json.sample app/config.json - jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json - jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json - name: Upload Gatsby publisher image to ECR run: | ./image-build-upload.sh From a21eac8a37d60995e46bb7bc639baaac06e7fb4f Mon Sep 17 00:00:00 2001 
From: Tom Broughton Date: Wed, 25 Oct 2023 00:16:37 +0100 Subject: [PATCH 11/39] removed files and made upload script executable --- .github/ISSUE_TEMPLATE/bug_report.yml | 75 ----------------------- .github/ISSUE_TEMPLATE/custom.md | 10 --- .github/ISSUE_TEMPLATE/feature_request.md | 20 ------ image-build-upload.sh | 0 4 files changed, 105 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml delete mode 100644 .github/ISSUE_TEMPLATE/custom.md delete mode 100644 .github/ISSUE_TEMPLATE/feature_request.md mode change 100644 => 100755 image-build-upload.sh diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml deleted file mode 100644 index 4ed0614..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -name: Bug Report -description: File a bug report -title: "[Bug]: " -labels: ["bug", "triage"] -assignees: - - billchurch -body: - - type: markdown - attributes: - value: | - Depending on the type of issue, please include the follwing information: - - type: textarea - id: what-happened - attributes: - label: What happened? - description: Also tell us, what did you expect to happen? - placeholder: Tell us what you see! - value: "A bug happened!" - validations: - required: true - - type: input - id: node_ver - attributes: - label: Node Version - description: version of Node this problem occurs on - placeholder: npm -v - validations: - required: true - - type: input - id: npm_ver - attributes: - label: NPM Version - description: version of NPM this problem occurs on - placeholder: npm -v - validations: - required: true - - type: input - id: server_ver - attributes: - label: Server OS Version - description: Server OS Version / Distribution / Processor Architecture - placeholder: uname -a;cat /etc/os-release - validations: - required: true - - type: input - id: webssh2_ver - attributes: - label: WebSSH2 release version - description: Version of WebSSH you are using - placeholder: grep version app/package.json - validations: - required: true - - type: input - id: sshhost_ver - attributes: - label: OS and Version of SSH server - description: OS and Version of SSH server connecting to - placeholder: 'on target server run: uname -a;sshd -v' - validations: - required: false - - type: input - id: browser_ver - attributes: - label: Browser Version - description: Information from brwoser's About... or a screenshot of the about screen. - placeholder: - validations: - required: false - - type: textarea - id: logs - attributes: - label: Relevant log output - description: Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. - render: shell - 
diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md deleted file mode 100644 index 785b574..0000000 --- a/.github/ISSUE_TEMPLATE/custom.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -name: Question -about: General how-to questions -title: '' -labels: '' -assignees: '' - ---- - - diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md deleted file mode 100644 index bbcbbe7..0000000 --- a/.github/ISSUE_TEMPLATE/feature_request.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -name: Feature request -about: Suggest an idea for this project -title: '' -labels: '' -assignees: '' - ---- - -**Is your feature request related to a problem? Please describe.** -A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] - -**Describe the solution you'd like** -A clear and concise description of what you want to happen. - -**Describe alternatives you've considered** -A clear and concise description of any alternative solutions or features you've considered. - -**Additional context** -Add any other context or screenshots about the feature request here. diff --git a/image-build-upload.sh b/image-build-upload.sh old mode 100644 new mode 100755 From 3d5ea6160b12a2ec7f07e3979359100c990b5b53 Mon Sep 17 00:00:00 2001 From: Tom Broughton Date: Wed, 25 Oct 2023 00:19:24 +0100 Subject: [PATCH 12/39] testign --- .github/workflows/upload-image.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml index 67f8b89..fcc9770 100644 --- a/.github/workflows/upload-image.yml +++ b/.github/workflows/upload-image.yml 
@@ -27,6 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
+ echo "jq --arg pk \"$KEY\" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
+ echo "jq --arg pwd \"$AER_USER_PWD\" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
 - name: Upload Gatsby publisher image to ECR
 run: |
 ./image-build-upload.sh
From 851fb3fe89d69fbe8ade8606685d4d1a0dd347a5 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Wed, 25 Oct 2023 00:24:34 +0100
Subject: [PATCH 13/39] testing
---
 .github/workflows/upload-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index fcc9770..11a9def 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -27,8 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
- echo "jq --arg pk \"$KEY\" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
- echo "jq --arg pwd \"$AER_USER_PWD\" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
+ echo "jq --arg pk \"$KEY\" '.user.privatekey = \$pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
+ echo "jq --arg pwd \"$AER_USER_PWD\" '.user.password = \$pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
 - name: Upload Gatsby publisher image to ECR
 run: |
 ./image-build-upload.sh
From 3f45f2fbd6abe8bcab76cd9d9e97eef2349e1365 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Wed, 25 Oct 2023 00:26:24 +0100
Subject: [PATCH 14/39] jq should work now
---
 .github/workflows/upload-image.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
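Review bot: Both added `echo "jq --arg pk \"$KEY\" …"` lines expand `$KEY` and `$AER_USER_PWD` inside double quotes and print the result to the job log instead of running `jq`; GitHub masks registered secret values in logs, but a multi-line private key is only masked line by line, so a debugging step like this should not be committed. Nothing here edits `app/config.json`, so the image built by the following step ships with `user.privatekey` and `user.password` still `null`. The patch-13 hunk in the same range only escapes `$pk`/`$pwd` and has the same effect. If the goal is to see the command, log it with the values replaced (`echo "jq --arg pk '<redacted>' …"`), or better, run `jq` and let a non-zero exit fail the step.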
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 11a9def..3f04932 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -27,8 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
- echo "jq --arg pk \"$KEY\" '.user.privatekey = \$pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
- echo "jq --arg pwd \"$AER_USER_PWD\" '.user.password = \$pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json"
+ echo jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ echo jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload Gatsby publisher image to ECR
 run: |
 ./image-build-upload.sh
From 1755adafc0c0e675491aa75760af0ff376af0f1d Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Wed, 25 Oct 2023 00:32:11 +0100
Subject: [PATCH 15/39] sync npm package-lock
---
 .github/workflows/upload-image.yml | 2 +- app/package-lock.json | 114 +++++++++++++++++++++++++---- image-build-upload.sh | 2 +- 3 files changed, 100 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 3f04932..23572a4 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -29,6 +29,6 @@ jobs:
 mv app/config.json.sample app/config.json
 echo jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 echo jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
- - name: Upload Gatsby publisher image to ECR
+ - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
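Review bot: Removing the outer quotes turns `echo jq --arg pk "$KEY" … > app/config.json.tmp && mv app/config.json.tmp app/config.json` into a command whose redirect belongs to `echo`, so `app/config.json` is overwritten with the echoed command text including the private key, then overwritten again with the text containing the password; the file is no longer JSON and the image built afterwards carries both secrets in cleartext. `\$pk` inside single quotes also reaches `jq` as a literal backslash once the `echo` is removed. The intended lines are `jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json` and the same with `--arg pwd "$AER_USER_PWD" '.user.password = $pwd'`, which additionally needs the sample to be valid JSON before `jq` will accept it. If any run of this commit completed the push, the image tag should be deleted and `GATSBY_DEVOPS_PRIVATE_KEY` and `AER_USER_PWD` rotated, since they were written into a registry artifact.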
diff --git a/app/package-lock.json b/app/package-lock.json index 846e69b..7632f30 100644 --- a/app/package-lock.json +++ b/app/package-lock.json @@ -1,18 +1,19 @@ { "name": "webssh2", - "version": "0.5.0-pre-4", + "version": "0.5.0-pre-5", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "webssh2", - "version": "0.5.0-pre-4", + "version": "0.5.0-pre-5", "license": "SEE LICENSE IN FILE - LICENSE", "dependencies": { "basic-auth": "~2.0.1", "cidr-matcher": "^2.1.1", "debug": "^4.3.4", "express": "^4.18.1", + "express-ipfilter": "^1.3.1", "express-session": "^1.17.3", "morgan": "~1.10.0", "read-config-ng": "^3.0.5", @@ -3989,6 +3990,25 @@ "node": ">= 0.10.0" } }, + "node_modules/express-ipfilter": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/express-ipfilter/-/express-ipfilter-1.3.1.tgz", + "integrity": "sha512-9WZC8wGkI6I6ygZNzuZ2MbFJiGoDXs1dM+E8LKtSP13pdgqrnkonWlgvvbxG3YZpa7Haz7Ndum9/J6qkj52OqA==", + "dependencies": { + "ip": "^1.1.8", + "lodash": "^4.17.11", + "proxy-addr": "^2.0.7", + "range_check": "^2.0.4" + }, + "engines": { + "node": ">=8.9.0" + } + }, + "node_modules/express-ipfilter/node_modules/ip": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz", + "integrity": "sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==" + }, "node_modules/express-session": { "version": "1.17.3", "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.3.tgz", 
@@ -5181,6 +5201,14 @@ "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==", "dev": true }, + "node_modules/ip6": { + "version": "0.2.10", + "resolved": "https://registry.npmjs.org/ip6/-/ip6-0.2.10.tgz", + "integrity": "sha512-1LdpyKjhvepd6EbAU6rW4g14vuYtx5TnJX9TfZZBhsM6DsyPQLNzW12rtbUqXBMwqFrLVV/Gcxv0GNFvJp2cYA==", + "bin": { + "ip6": "ip6-cli.js" + } + }, "node_modules/ip6addr": { "version": "0.2.5", "resolved": "https://registry.npmjs.org/ip6addr/-/ip6addr-0.2.5.tgz", @@ -6549,10 +6577,16 @@ "optional": true }, "node_modules/nanoid": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz", - "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==", + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz", + "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], "bin": { "nanoid": "bin/nanoid.cjs" }, @@ -7465,9 +7499,9 @@ } }, "node_modules/postcss": { - "version": "8.4.14", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz", - "integrity": "sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==", + "version": "8.4.31", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz", + "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==", "dev": true, "funding": [ { @@ -7477,10 +7511,14 @@ { "type": "tidelift", "url": "https://tidelift.com/funding/github/npm/postcss" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" } ], "dependencies": { - "nanoid": "^3.3.4", + "nanoid": "^3.3.6", "picocolors": "^1.0.0", "source-map-js": "^1.0.2" }, 
@@ -7778,6 +7816,18 @@ "safe-buffer": "^5.1.0" } }, + "node_modules/range_check": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/range_check/-/range_check-2.0.4.tgz", + "integrity": "sha512-aed0ocXXj+SIiNNN9b+mZWA3Ow2GXHtftOGk2xQwshK5GbEZAvUcPWNQBLTx/lPcdFRIUFlFCRtHTQNIFMqynQ==", + "dependencies": { + "ip6": "^0.2.0", + "ipaddr.js": "^1.9.1" + }, + "engines": { + "node": ">=10.0.0" + } + }, "node_modules/range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", @@ -13318,6 +13368,24 @@ } } }, + "express-ipfilter": { + "version": "1.3.1", + "resolved": "https://registry.npmjs.org/express-ipfilter/-/express-ipfilter-1.3.1.tgz", + "integrity": "sha512-9WZC8wGkI6I6ygZNzuZ2MbFJiGoDXs1dM+E8LKtSP13pdgqrnkonWlgvvbxG3YZpa7Haz7Ndum9/J6qkj52OqA==", + "requires": { + "ip": "^1.1.8", + "lodash": "^4.17.11", + "proxy-addr": "^2.0.7", + "range_check": "^2.0.4" + }, + "dependencies": { + "ip": { + "version": "1.1.8", + "resolved": "https://registry.npmjs.org/ip/-/ip-1.1.8.tgz", + "integrity": "sha512-PuExPYUiu6qMBQb4l06ecm6T6ujzhmh+MeJcW9wa89PoAz5pvd4zPgN5WJV104mb6S2T1AwNIAaB70JNrLQWhg==" + } + } + }, "express-session": { "version": "1.17.3", "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.3.tgz", @@ -14189,6 +14257,11 @@ "integrity": "sha512-WKa+XuLG1A1R0UWhl2+1XQSi+fZWMsYKffMZTTYsiZaUD8k2yDAj5atimTUD2TZkyCkNEeYE5NhFZmupOGtjYQ==", "dev": true }, + "ip6": { + "version": "0.2.10", + "resolved": "https://registry.npmjs.org/ip6/-/ip6-0.2.10.tgz", + "integrity": "sha512-1LdpyKjhvepd6EbAU6rW4g14vuYtx5TnJX9TfZZBhsM6DsyPQLNzW12rtbUqXBMwqFrLVV/Gcxv0GNFvJp2cYA==" + }, "ip6addr": { "version": "0.2.5", "resolved": "https://registry.npmjs.org/ip6addr/-/ip6addr-0.2.5.tgz", 
@@ -15216,9 +15289,9 @@ "optional": true }, "nanoid": { - "version": "3.3.4", - "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz", - "integrity": "sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==", + "version": "3.3.6", + "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz", + "integrity": "sha512-BGcqMMJuToF7i1rt+2PWSNVnWIkGCU78jBG3RxO/bZlnZPK2Cmi2QaffxGO/2RvWi9sL+FAiRiXMgsyxQ1DIDA==", "dev": true }, "natural-compare": { @@ -15874,12 +15947,12 @@ } }, "postcss": { - "version": "8.4.14", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.14.tgz", - "integrity": "sha512-E398TUmfAYFPBSdzgeieK2Y1+1cpdxJx8yXbK/m57nRhKSmk1GB2tO4lbLBtlkfPQTDKfe4Xqv1ASWPpayPEig==", + "version": "8.4.31", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz", + "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==", "dev": true, "requires": { - "nanoid": "^3.3.4", + "nanoid": "^3.3.6", "picocolors": "^1.0.0", "source-map-js": "^1.0.2" } @@ -16076,6 +16149,15 @@ "safe-buffer": "^5.1.0" } }, + "range_check": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/range_check/-/range_check-2.0.4.tgz", + "integrity": "sha512-aed0ocXXj+SIiNNN9b+mZWA3Ow2GXHtftOGk2xQwshK5GbEZAvUcPWNQBLTx/lPcdFRIUFlFCRtHTQNIFMqynQ==", + "requires": { + "ip6": "^0.2.0", + "ipaddr.js": "^1.9.1" + } + }, "range-parser": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", diff --git a/image-build-upload.sh b/image-build-upload.sh index 37c6d9f..f6f125a 100755 --- a/image-build-upload.sh +++ b/image-build-upload.sh 
@@ -54,7 +54,7 @@ aws ecr get-login-password --region eu-west-1 | docker login --username AWS --pa
 ECR_IMAGE="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-1.amazonaws.com/${REPO_NAME}:${IMAGE_VERSION}"
-echo "Pushing drupal container to ECR"
+echo "Pushing container to ECR"
 docker tag "${REPO_NAME}:${IMAGE_VERSION}" $ECR_IMAGE
From af6cd9e07f09d1a1af72e01ec5b02aadf07ea49a Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 09:05:42 +0100
Subject: [PATCH 16/39] added healthchecker url before ipfiltering
---
 app/server/app.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/server/app.js b/app/server/app.js
index 9a597cb..83c3d29 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -39,6 +39,11 @@ function safeShutdownGuard(req, res, next) {
 // express
 app.use(safeShutdownGuard);
 app.use(session);
+//just respond with success for healthchecker no matter what the ip addess is
+app.get('/status', function (req, res) {
+ res.status(200).send('success');
+});
+//restrict access to anything else via ip addresses
 if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' }))
 if (config.accesslog) app.use(logger('common'));
 app.disable('x-powered-by');
From 8e649aac836d96aea28d823c0de9a01d09b5f9b6 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 09:26:55 +0100
Subject: [PATCH 17/39] make sure the config is written based on the sample
---
 .github/workflows/upload-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 23572a4..5b07ea9 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
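Review bot: The filter that follows the new `/status` route still identifies the client through express-ipfilter's default detection, which as far as I can tell is the TCP peer address, and the health checker this route is added for suggests the app sits behind a load balancer; in that case every request would carry the balancer's address and the allow-list would never match a real client. Worth confirming how the deployed proxy presents the client address (Express's `trust proxy` setting with `req.ip`, or the library's proxy option) before relying on the list — the later commits in this series run into exactly this. Registering `/status` ahead of the filter is reasonable for a health check, but it is then reachable by anyone, so it should keep returning a fixed body and nothing derived from the request. Minor: the comment has a typo, `//just respond with success for the health checker no matter what the ip address is`.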
@@ -27,8 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
- echo jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
- echo jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ echo jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ echo jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
From 94c80fb3e1511419d73a24fe778b27e7d43bb9b0 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 09:47:10 +0100
Subject: [PATCH 18/39] don't echo the command into the config pipe the result into the file
---
 .github/workflows/upload-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 5b07ea9..df93f9d 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -27,8 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
- echo jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
- echo jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
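Review bot: After these two `jq` lines, `app/config.json` on the runner holds the SSH private key and the password in clear text, and the next step runs `./image-build-upload.sh`, which builds the image from the repository root; if the Dockerfile copies `app/` into the image (the Dockerfile is not visible here), both secrets become part of an image layer in ECR and are recoverable by anyone who can pull the image. Prefer handing them to the container at run time (environment variables or a mounted secret) and, at minimum, keep `app/config.json` out of the build context with a `.dockerignore` entry. The same applies to the later reworkings of these lines in PATCH 24 and PATCH 37. The `--arg` form is the right way to get the values into JSON, so the quoting itself is fine.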
From d0e2e267d745485f2b9e23d94f9fe8e607c600b2 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 09:58:38 +0100
Subject: [PATCH 19/39] remove escape chars
---
 .github/workflows/upload-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index df93f9d..15ed61c 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -27,8 +27,8 @@ jobs:
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
 mv app/config.json.sample app/config.json
- jq --arg pk "$KEY" '.user.privatekey = \$pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
- jq --arg pwd "$AER_USER_PWD" '.user.password = \$pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
From 994145bef17c37d86b7a81b2b7fbb1e18d48640b Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 10:00:56 +0100
Subject: [PATCH 20/39] don't rename the file first just use the renamed version
---
 .github/workflows/upload-image.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 15ed61c..683f856 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -26,7 +26,6 @@ jobs:
 KEY: ${{ secrets.GATSBY_DEVOPS_PRIVATE_KEY }}
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
- mv app/config.json.sample app/config.json
 jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
 jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
From 37a0a311f9b37297a376e60cec80112a1aef51a8 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 10:07:27 +0100
Subject: [PATCH 21/39] fix json
---
 app/config.json.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.json.sample b/app/config.json.sample
index 1432ad2..f2d1902 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -6,7 +6,7 @@
 "socketio": {
 "serveClient": false,
 "path": "/ssh/socket.io",
- "origins": ["localhost:2222"],
+ "origins": ["localhost:2222"]
 },
 "ipfilter": {
 allowed_ips: ['127.21.0.1']
From 0ff70a05ac963399550ee32afb6cd5065a7d2402 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 10:10:41 +0100
Subject: [PATCH 22/39] missing quotes so thought was literarl
---
 app/config.json.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.json.sample b/app/config.json.sample
index f2d1902..daa9504 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -9,7 +9,7 @@
 "origins": ["localhost:2222"]
 },
 "ipfilter": {
- allowed_ips: ['127.21.0.1']
+ "allowed_ips": ['127.21.0.1']
 },
 "user": {
 "name": "aer",
From 2159570abc7f85cc33b116634fb4270f0139cd78 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 10:13:03 +0100
Subject: [PATCH 23/39] crikey another - wrong quote!
---
 app/config.json.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.json.sample b/app/config.json.sample
index daa9504..77b6675 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -9,7 +9,7 @@
 "origins": ["localhost:2222"]
 },
 "ipfilter": {
- "allowed_ips": ['127.21.0.1']
+ "allowed_ips": ["127.21.0.1"]
 },
 "user": {
 "name": "aer",
From a1bbca84ca31845e2718724d3bb0fe7570a15d45 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 10:32:32 +0100
Subject: [PATCH 24/39] config json
---
 .github/workflows/upload-image.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 683f856..2b57054 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -26,8 +26,9 @@ jobs:
 KEY: ${{ secrets.GATSBY_DEVOPS_PRIVATE_KEY }}
 AER_USER_PWD: ${{ secrets.AER_USER_PWD }}
 run: |
- jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
- jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json.sample > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ mv app/config.json.sample app/config.json
+ jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
From 739cc7a91627dec80827e3cdd66f1918c1342518 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 12:00:26 +0100
Subject: [PATCH 25/39] log the request to see what we can use in lightsail to lock it down
---
 app/server/app.js | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app/server/app.js b/app/server/app.js
index 83c3d29..cf55093 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -39,8 +39,10 @@ function safeShutdownGuard(req, res, next) {
 // express
 app.use(safeShutdownGuard);
 app.use(session);
+
 //just respond with success for healthchecker no matter what the ip addess is
 app.get('/status', function (req, res) {
+ console.log(req);
 res.status(200).send('success');
 });
 //restrict access to anything else via ip addresses
From b2e60189bd32cc83a2168e96c48eccdc8f476802 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 12:45:31 +0100
Subject: [PATCH 26/39] commented out ipfilter and logging request and headers
---
 app/server/app.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/server/app.js b/app/server/app.js
index cf55093..136fdd9 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -42,11 +42,17 @@ app.use(session);
 //just respond with success for healthchecker no matter what the ip addess is
 app.get('/status', function (req, res) {
+ res.status(200).send('success');
+});
+app.get('/headers', function (req, res) {
+ console.log("request");
 console.log(req);
+ console.log("headers");
+ console.log(req.headers);
 res.status(200).send('success');
 });
 //restrict access to anything else via ip addresses
-if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' }))
+//if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' }))
 if (config.accesslog) app.use(logger('common'));
 app.disable('x-powered-by');
 app.use(favicon(path.join(publicPath, 'favicon.ico')));
From 78761eb37e150f10d65c619c5b82a0dd4b96e4a6 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 13:01:56 +0100
Subject: [PATCH 27/39] don't cache the docker build
---
 image-build-upload.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image-build-upload.sh b/image-build-upload.sh
index f6f125a..909220d 100755
--- a/image-build-upload.sh
+++ b/image-build-upload.sh
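Review bot: `console.log(req)` in the `/status` handler dumps the whole request object to stdout, which for this app includes the `Authorization` header (the file wires in a `basicAuth` helper) and the session cookie of whoever hits the route, plus the socket internals; all of that lands in the container logs for as long as the line stays in. If the goal is to see which address the load balancer presents, log just those fields, e.g. `console.log(req.ip, req.headers['x-forwarded-for']);`. The same full-request logging is kept on the `/headers` route added in PATCH 26.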
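Review bot: With the `ipfilter` line commented out, nothing restricts access to the app in this commit, and the new `/headers` route — registered ahead of where the filter was — writes the caller's request object and every header value to stdout for anyone who requests it. If this is a temporary diagnostic it should not be in a commit that the workflow in this series builds and pushes to ECR; if it is to stay, register it after the filter and log header names only, e.g. `console.log(Object.keys(req.headers));`. The commented-out line also leaves no log message saying the filter is off, so a deployment from this commit looks identical to a protected one.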
@@ -46,7 +46,7 @@ if [ "${REQ_UPLOAD}" == "0" ]; then
 fi
 echo "Local ${REPO_NAME}:${IMAGE_VERSION} does not exist, building..."
-docker build -t ${REPO_NAME}:${IMAGE_VERSION} .
+docker build -t ${REPO_NAME}:${IMAGE_VERSION} . --no-cache
 #upload the image into ECR
From 30914719aab09c366055e2bf96b284b3b90a953e Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 14:08:55 +0100
Subject: [PATCH 28/39] change the ipfiltering to be based on x-forwarded for
---
 app/server/app.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/app/server/app.js b/app/server/app.js
index 136fdd9..4b07836 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -51,8 +51,20 @@ app.get('/headers', function (req, res) {
 console.log(req.headers);
 res.status(200).send('success');
 });
-//restrict access to anything else via ip addresses
-//if (config.ipfilter.allowed_ips.length > 0) app.use(ipfilter(config.ipfilter.allowed_ips, { mode: 'allow' }))
+//restrict access to anything else via ip addresses based on x-forwarded for
+let clientIp = function(req, res) {
+ return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',')[0] : ""
+};
+
+if(config.ipfilter.allowed_ips.length > 0){
+ app.use(
+ ipFilter({
+ detectIp: clientIp,
+ forbidden: 'You are not authorized to access this page.',
+ filter: allowlist_ips,
+ })
+ );
+}
 if (config.accesslog) app.use(logger('common'));
 app.disable('x-powered-by');
 app.use(favicon(path.join(publicPath, 'favicon.ico')));
From 0a032ab901f68fda84d08c771d0f1afecc81e7e6 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Fri, 27 Oct 2023 14:11:07 +0100
Subject: [PATCH 29/39] added a todo suggestion
---
 app/server/app.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/server/app.js b/app/server/app.js
index 4b07836..e44ab6e 100644
--- a/app/server/app.js
+++ b/app/server/app.js
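Review bot: `clientIp` trusts the first entry of `x-forwarded-for`, which is the part of the header the original client controls; unless the proxy in front of this app overwrites the header rather than appending to it, a request carrying an allowed address in that header passes the allow-list, so the filter would not restrict anything. The trustworthy entry is the one appended by the last trusted proxy, counted from the right, which is what Express's `trust proxy` setting resolves: `app.set('trust proxy', 1)` (the number of proxies in front of the app) together with `detectIp: (req) => req.ip`; express-ipfilter depends on `proxy-addr` (see the lockfile hunk earlier in this series), so its own `trustProxy` option should do the same if it is set — please check against the 1.3.1 README. PATCH 36 carries this function over unchanged, so the same applies there. Separately, this call passes one object where the earlier form passed the list plus `{ mode: 'allow' }`; unless express-ipfilter 1.3.1 accepts `filter` in that first position the list is not being passed at all, and without an explicit `mode` the library's default is, as far as I recall, deny-listing rather than allow-listing, which would invert the intent.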
@@ -52,6 +52,7 @@ app.get('/headers', function (req, res) {
 res.status(200).send('success');
 });
 //restrict access to anything else via ip addresses based on x-forwarded for
+//@todo create environment var to determin to used this or the general req header
 let clientIp = function(req, res) {
 return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',')[0] : ""
 };
From 1065370eb45b54cdbff8ac3c17b4a3944245d36d Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 08:40:18 +0000
Subject: [PATCH 30/39] force user to enter a user and password
---
 .github/workflows/upload-image.yml | 2 +-
 app/config.json.sample | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 2b57054..3d173f6 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -28,7 +28,7 @@ jobs:
 run: |
 mv app/config.json.sample app/config.json
 jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
- jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ //jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
diff --git a/app/config.json.sample b/app/config.json.sample
index 77b6675..4275f0f 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -12,7 +12,7 @@
 "allowed_ips": ["127.21.0.1"]
 },
 "user": {
- "name": "aer",
+ "name": null,
 "password": null,
 "privatekey": null,
 "overridebasic": false
From 44763812935ad76141f265fdc4132e69b3dc0e74 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 08:41:39 +0000
Subject: [PATCH 31/39] the right kind of comment
---
 .github/workflows/upload-image.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index 3d173f6..a366b7a 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -28,7 +28,7 @@ jobs:
 run: |
 mv app/config.json.sample app/config.json
 jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
- //jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ #jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
From bc594edf37224b7166a88944c71fb7f0e357ed91 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 08:52:57 +0000
Subject: [PATCH 32/39] ipFilter cammel case
---
 app/server/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/server/app.js b/app/server/app.js
index e44ab6e..93e1081 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -17,7 +17,7 @@ const server = require('http').Server(app);
 const favicon = require('serve-favicon');
 const io = require('socket.io')(server, config.socketio);
 const session = require('express-session')(config.express);
-const ipfilter = require('express-ipfilter').IpFilter
+const ipFilter = require('express-ipfilter').IpFilter
 const appSocket = require('./socket');
 const { setDefaultCredentials, basicAuth } = require('./util');
From d4bdf189b70dd8b5ece818409e1f3d9ab5cca151 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 08:56:00 +0000
Subject: [PATCH 33/39] use the allowed ips
---
 app/server/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/server/app.js b/app/server/app.js
index 93e1081..58fe158 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -62,7 +62,7 @@ if(config.ipfilter.allowed_ips.length > 0){
 ipFilter({
 detectIp: clientIp,
 forbidden: 'You are not authorized to access this page.',
- filter: allowlist_ips,
+ filter: config.ipfilter.allowlist_ips,
 })
 );
 }
From 03746788ad1de9fc3ed25846190e63da07bd75eb Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 09:19:24 +0000
Subject: [PATCH 34/39] added aer vpn ip
---
 app/config.json.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.json.sample b/app/config.json.sample
index 4275f0f..9247ad4 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -9,7 +9,7 @@
 "origins": ["localhost:2222"]
 },
 "ipfilter": {
- "allowed_ips": ["127.21.0.1"]
+ "allowed_ips": ["18.130.190.183"]
 },
 "user": {
 "name": null,
From 0d5f87b6d74349260c0eb91efa443f67d4338da5 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 09:22:54 +0000
Subject: [PATCH 35/39] typo
---
 app/server/app.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/server/app.js b/app/server/app.js
index 58fe158..36c7895 100644
--- a/app/server/app.js
+++ b/app/server/app.js
@@ -58,11 +58,12 @@ let clientIp = function(req, res) {
 };
 if(config.ipfilter.allowed_ips.length > 0){
+ console.log("using ip filter");
 app.use(
 ipFilter({
 detectIp: clientIp,
 forbidden: 'You are not authorized to access this page.',
- filter: config.ipfilter.allowlist_ips,
+ filter: config.ipfilter.allowed_ips,
 })
 );
 }
From 3ad319cda6e8bf097eaaa883a1d1810057319e21 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 09:32:11 +0000
Subject: [PATCH 36/39] move the ipfilter clientip to the conditional
---
 app/server/app.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/app/server/app.js b/app/server/app.js
index 36c7895..867dc41 100644
--- a/app/server/app.js
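Review bot: The guard `if(config.ipfilter.allowed_ips.length > 0)` makes an empty list — whether from a config that omits it or from an environment value that parses to nothing — silently disable the filter, so the app runs open with nothing in the log except the absence of `using ip filter`. Make the fail-open state visible, e.g. `} else { console.warn('ipfilter: allowed_ips is empty, no IP restriction applied'); }` on the closing brace of this block, or refuse to start when the list is empty if an unrestricted deployment is never intended (the README hunk later in this series says access is meant to be limited to a VPN address). The `forbidden` text is fine as is; the main thing is that a misconfiguration should be loud rather than quiet.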
+++ b/app/server/app.js
@@ -52,13 +52,13 @@ app.get('/headers', function (req, res) {
 res.status(200).send('success');
 });
 //restrict access to anything else via ip addresses based on x-forwarded for
-//@todo create environment var to determin to used this or the general req header
-let clientIp = function(req, res) {
- return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',')[0] : ""
-};
-
+//@todo create environment var to determin to used this or the general req header
 if(config.ipfilter.allowed_ips.length > 0){
 console.log("using ip filter");
+ let clientIp = function(req, res) {
+ return req.headers['x-forwarded-for'] ? (req.headers['x-forwarded-for']).split(',')[0] : "";
+ };
+
 app.use(
 ipFilter({
 detectIp: clientIp,
From bebeb94678c2b0751f5fd811b1566f662abd20b9 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 09:33:23 +0000
Subject: [PATCH 37/39] reinstate default aer user
---
 .github/workflows/upload-image.yml | 2 +-
 app/config.json.sample | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/upload-image.yml b/.github/workflows/upload-image.yml
index a366b7a..2b57054 100644
--- a/.github/workflows/upload-image.yml
+++ b/.github/workflows/upload-image.yml
@@ -28,7 +28,7 @@ jobs:
 run: |
 mv app/config.json.sample app/config.json
 jq --arg pk "$KEY" '.user.privatekey = $pk' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
- #jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
+ jq --arg pwd "$AER_USER_PWD" '.user.password = $pwd' app/config.json > app/config.json.tmp && mv app/config.json.tmp app/config.json
 - name: Upload image to ECR
 run: |
 ./image-build-upload.sh
diff --git a/app/config.json.sample b/app/config.json.sample
index 9247ad4..0f44b7f 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
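Review bot: `let clientIp = function(req, res) {…}` is never reassigned and ignores `res`, so a `const` arrow function states that better, and the header is looked up twice where one lookup with a default suffices: `const clientIp = (req) => (req.headers['x-forwarded-for'] || '').split(',')[0];` gives the same result for a missing or empty header (`''`) and the same first entry otherwise. The `//@todo` comment is moved but not tidied; `//@todo add a config option to choose between x-forwarded-for and the socket address` would read cleanly. Quote style also flips between `"using ip filter"` and the single-quoted strings elsewhere in the file. The enclosing `if` block continues past the end of this hunk.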
@@ -12,7 +12,7 @@
 "allowed_ips": ["18.130.190.183"]
 },
 "user": {
- "name": null,
+ "name": aer,
 "password": null,
 "privatekey": null,
 "overridebasic": false
From 048b0f5c5da765ffe4ea8b5cc073e9243cadadd9 Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Mon, 30 Oct 2023 09:41:05 +0000
Subject: [PATCH 38/39] needs quotes
---
 app/config.json.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/config.json.sample b/app/config.json.sample
index 0f44b7f..6aa0a1a 100644
--- a/app/config.json.sample
+++ b/app/config.json.sample
@@ -12,7 +12,7 @@
 "allowed_ips": ["18.130.190.183"]
 },
 "user": {
- "name": aer,
+ "name": "aer",
 "password": null,
 "privatekey": null,
 "overridebasic": false
From 461e2c3ccc13cc46e3e29e7c50c548b6d0370a7a Mon Sep 17 00:00:00 2001
From: Tom Broughton
Date: Tue, 31 Oct 2023 13:40:18 +0000
Subject: [PATCH 39/39] repo is not in use notice
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index c070ea7..c9a1fdc 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+# THIS REPO IS NOT IN USE - leaving here in case we need it in near future
+
 # RUSI gatsby devops
 This repo is used to initiate an ssh session for devops purposes and is restricted to Aer VPN IP address access.