From 0da496f537c5d9a43502560477f537634a08792c Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Fri, 22 Nov 2024 17:55:24 +0100
Subject: [PATCH] Add QA tests
---
 .github/qa-sq-behind-ngix/compose.yml | 27 +++++
 .../generate-certificates.sh | 69 ++++++++++++
 .github/qa-sq-behind-ngix/nginx.conf | 54 ++++++++++
 .github/workflows/qa.yml | 100 +++++++++++++++++-
 4 files changed, 249 insertions(+), 1 deletion(-)
 create mode 100644 .github/qa-sq-behind-ngix/compose.yml
 create mode 100755 .github/qa-sq-behind-ngix/generate-certificates.sh
 create mode 100644 .github/qa-sq-behind-ngix/nginx.conf
diff --git a/.github/qa-sq-behind-ngix/compose.yml b/.github/qa-sq-behind-ngix/compose.yml
new file mode 100644
index 0000000..5888b38
--- /dev/null
+++ b/.github/qa-sq-behind-ngix/compose.yml
@@ -0,0 +1,27 @@
+services:
+ sonarqube:
+ image: sonarqube:lts-community
+ ports:
+ - 9000:9000
+ healthcheck:
+ test: 'grep -Fq "SonarQube is operational" /opt/sonarqube/logs/sonar.log'
+ interval: 10s
+ timeout: 5s
+ retries: 20
+ start_period: 2m
+
+ https-proxy:
+ image: nginx
+ ports:
+ - 4443:4443
+ volumes:
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/nginx.conf:/etc/nginx/nginx.conf:ro
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/ca.crt:/etc/nginx/client_certs/ca.crt:ro
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.crt:/etc/nginx/server.crt:ro
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.key:/etc/nginx/server.key:ro
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "localhost:8080/health"]
+ interval: 10s
+ timeout: 5s
+ retries: 20
+ start_period: 2m
\ No newline at end of file
diff --git a/.github/qa-sq-behind-ngix/generate-certificates.sh b/.github/qa-sq-behind-ngix/generate-certificates.sh
new file mode 100755
index 0000000..d86bdf6
--- /dev/null
+++ b/.github/qa-sq-behind-ngix/generate-certificates.sh
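Review bot: The `ca.crt` volume mounted at `/etc/nginx/client_certs/ca.crt` is not referenced anywhere in the `nginx.conf` this commit adds (no `ssl_client_certificate` / `ssl_verify_client`), so it is dead configuration; either drop the mount or wire client-certificate verification into `nginx.conf` if that is the intent. The port mappings are plain scalars; quoting them (`- "9000:9000"`, `- "4443:4443"`) avoids YAML implicit-typing surprises and is the usual Compose convention. `image: nginx` floats on the latest tag, so this harness can change underneath the tests; pinning a tag would make QA failures reproducible. The file also lacks a trailing newline.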
@@ -0,0 +1,69 @@
+#!/bin/sh
+
+set -eux
+
+echo Generating server certificate...
+
+openssl req \
+ -newkey rsa:4096 \
+ -x509 \
+ -sha256 \
+ -addext "subjectAltName = DNS:localhost" \
+ -days 3650 \
+ -nodes \
+ -out server.crt \
+ -subj "/C=CH/ST=Geneva/L=Geneva/O=Server/OU=Dept" \
+ -keyout server.key
+
+echo Generating client certificate...
+
+# Generate Certificate Authority key
+openssl genrsa \
+ -passout pass:test42 \
+ -des3 \
+ -out ca.key 4096 \
+
+# Generate Certificate Authority certificate
+openssl req \
+ -passin pass:test42 \
+ -new \
+ -x509 \
+ -days 365 \
+ -key ca.key \
+ -out ca.crt \
+ -subj "/C=CH/ST=Geneva/L=Geneva/O=CertificateAuthority/OU=ExpertDepartment"
+
+# Generating Client certificate key
+openssl genrsa \
+ -passout pass:test42 \
+ -des3 \
+ -out user.key 4096
+
+# Generating Client certificate certificate
+openssl req \
+ -passin pass:test42 \
+ -new \
+ -key user.key \
+ -out user.csr \
+ -subj "/C=CH/ST=Geneva/L=Geneva/O=UserOrg/OU=UserDepartment"
+
+# Sign the certificate
+openssl x509 \
+ -passin pass:test42 \
+ -req \
+ -days 365 \
+ -in user.csr \
+ -CA ca.crt \
+ -CAkey ca.key \
+ -set_serial 01 \
+ -out user.crt
+
+# Generate a PKCS12 format certificate
+openssl pkcs12 \
+ -passin pass:test42 \
+ -passout pass:test42 \
+ -export \
+ -out user.p12 \
+ -inkey user.key \
+ -in user.crt \
+ -certfile ca.crt
diff --git a/.github/qa-sq-behind-ngix/nginx.conf b/.github/qa-sq-behind-ngix/nginx.conf
new file mode 100644
index 0000000..fd588d6
--- /dev/null
+++ b/.github/qa-sq-behind-ngix/nginx.conf
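Review bot: The trailing `\` on `-out ca.key 4096 \` continues the `openssl genrsa` command onto the blank line that follows, so the command only terminates because that line happens to be empty; drop the backslash (`-out ca.key 4096`) so a later edit that removes the blank line cannot pull the next comment or command in as an argument. The script has no header describing what it produces and who consumes it; a comment such as `# Produces server.crt/server.key (self-signed, SAN localhost, served by nginx) plus a test CA and client key/cert/p12 protected by the fixed pass phrase test42` would help readers of the compose file and workflow, neither of which uses the client material in this commit. Because of `set -x`, the `pass:test42` arguments are echoed into the CI log; a one-line comment stating that this is throwaway test material would stop the next reader from treating that as a credential leak.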
@@ -0,0 +1,54 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 8080;
+
+ location /health {
+ access_log off;
+ add_header 'Content-Type' 'text/plain';
+ return 200 "healthy\n";
+ }
+ }
+
+ server {
+ listen 4443 ssl;
+
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_certificate /etc/nginx/server.crt;
+ ssl_certificate_key /etc/nginx/server.key;
+
+ access_log /var/log/nginx/localhost;
+ error_log /var/log/nginx/localhost.error debug;
+
+ location / {
+ proxy_pass http://sonarqube:9000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+}
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index f4bd70c..08e5c93 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
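Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` enables TLS 1.1, which RFC 8996 deprecates and which current TLS stacks (including the JVM) disable by default, so the entry buys no compatibility and only weakens the test endpoint; `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline. `error_log /var/log/nginx/localhost.error debug;` is very verbose for a CI container while the global level is `notice`; `info` would suffice unless the debug trace is needed to diagnose these tests. `include /etc/nginx/conf.d/*.conf;` also pulls in the image's default port-80 server, which this harness never uses and which can be dropped to keep the config self-describing.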
@@ -274,4 +274,102 @@ jobs:
 SONAR_HOST_URL: http://not_actually_used
 - name: Assert
 run: |
- ./test/assertFileExists ~/.sonar/ssl/truststore.p12
\ No newline at end of file
+ ./test/assertFileExists ~/.sonar/ssl/truststore.p12
+ analysisWithSslCertificate:
+ name: >
+ Analysis takes into account 'SONAR_ROOT_CERT'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Generate certificates
+ run: ./generate-certificates.sh
+ working-directory: .github/qa-sq-behind-ngix
+ - name: Start nginx and SonarQube via Docker Compose
+ run: docker compose up -d --wait
+ working-directory: .github/qa-sq-behind-ngix
+ - name: Read correct client certificate from
+ run: |
+ # read server.crt from .github/qa-sq-behind-ngix/ and store into the SONAR_ROOT_CERT_VALID
+ # environment variable, to be able to read it in the next step
+ {
+ echo 'SONAR_ROOT_CERT_VALID<<=========='
+ cat .github/qa-sq-behind-ngix/server.crt
+ echo ==========
+ } >> $GITHUB_ENV
+ - name: Run action with the correct SSL certificate
+ uses: ./
+ env:
+ SONAR_ROOT_CERT: ${{ env.SONAR_ROOT_CERT_VALID }}
+ SONAR_HOST_URL: https://localhost:4443
+ with:
+ args: -Dsonar.login=admin -Dsonar.password=admin
+ projectBaseDir: ./test/example-project
+ - name: Clear imported certificates
+ run: |
+ rm -f ~/.sonar/ssl/truststore.p12
+ - name: Run action with an invalid SSL certificate
+ id: invalid_ssl_certificate
+ continue-on-error: true
+ uses: ./
+ env:
+ SONAR_ROOT_CERT: |
+ -----BEGIN CERTIFICATE-----
+ INVALID
+ -----END CERTIFICATE-----
+ SONAR_HOST_URL: https://localhost:4443
+ with:
+ args: -Dsonar.login=admin -Dsonar.password=admin
+ projectBaseDir: ./test/example-project
+ - name: Assert failure of previous step
+ if: steps.invalid_ssl_certificate.outcome == 'success'
+ run: exit 1
+ - name: Clear imported certificates
+ run: |
+ rm -f ~/.sonar/ssl/truststore.p12
+ - name: Run action with the wrong SSL certificate
+ id: wrong_ssl_certificate
+ continue-on-error: true
+ uses: ./
+ env:
+ SONAR_ROOT_CERT: |
+ -----BEGIN CERTIFICATE-----
+ MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
+ BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
+ ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
+ MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
+ ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
+ RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
+ nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
+ b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
+ HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
+ xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
+ MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
+ aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
+ wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
+ wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
+ QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
+ iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
+ J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
+ AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
+ BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
+ AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
+ 3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
+ eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
+ rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
+ EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
+ H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
+ bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
+ u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
+ zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
+ QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
+ dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
+ -----END CERTIFICATE-----
+ SONAR_HOST_URL: https://localhost:4443
+ with:
+ args: -Dsonar.login=admin -Dsonar.password=admin
+ projectBaseDir: ./test/example-project
+ - name: Assert failure of previous step
+ if: steps.wrong_ssl_certificate.outcome == 'success'
+ run: exit 1
\ No newline at end of file
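Review bot: The step name `Read correct client certificate from` is truncated and misleading: the step reads `server.crt`, the server's self-signed certificate, so it can be supplied as the trust root in `SONAR_ROOT_CERT`, not a client certificate; rename it `- name: Read server certificate into SONAR_ROOT_CERT_VALID`. In the same step `>> $GITHUB_ENV` should be `>> "$GITHUB_ENV"`, matching the quoting used in GitHub's own examples. The `with: token: ${{ secrets.GITHUB_TOKEN }}` on `actions/checkout@v4` is the action's default and can be dropped. The hard-coded certificate in the `wrong_ssl_certificate` step appears, from its encoded subject, to be another self-signed `O=Server` certificate for `localhost` issued from a different key pair, which is why trust validation is expected to fail; a comment above it such as `# Well-formed self-signed cert for the same subject, but not the one nginx serves, so trust validation must fail` would spare the next reader from decoding it. The enclosing `jobs:` mapping starts before this hunk.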