From 1e9b326dad491e8faa89e8cd903b4ee384e86023 Mon Sep 17 00:00:00 2001
From: TronoSfera <119615520+TronoSfera@users.noreply.github.com>
Date: Mon, 2 Mar 2026 17:40:00 +0300
Subject: [PATCH] add security test 06

---
 Makefile                           | 3 +++
 scripts/ops/prod_security_audit.sh | 3 ++-
 scripts/ops/security_smoke.sh      | 3 ++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index d1e71b3..9c97189 100644
--- a/Makefile
+++ b/Makefile
@@ -18,6 +18,7 @@ AUTO_CERT_INIT ?= 0
 SKIP_LOCAL_SMOKE ?= 0
 LOCAL_SMOKE_BASE_URL ?= https://127.0.0.1
 LOCAL_SMOKE_CANDIDATES ?= $(LOCAL_SMOKE_BASE_URL),https://localhost,http://127.0.0.1,http://localhost
+LOCAL_SMOKE_SKIP_DOCKER_CHECKS ?= 1
 CONFIRM_TOKEN ?= ROTATE-PROD-SECRETS
 CERTBOT_DOMAINS = -d "$(DOMAIN)" -d "$(WWW_DOMAIN)" $(if $(strip $(SECOND_DOMAIN)),-d "$(SECOND_DOMAIN)") $(if $(strip $(SECOND_WWW_DOMAIN)),-d "$(SECOND_WWW_DOMAIN)")
@@ -62,6 +63,7 @@ help:
 	@echo " SKIP_LOCAL_SMOKE=$(SKIP_LOCAL_SMOKE)"
 	@echo " LOCAL_SMOKE_BASE_URL=$(LOCAL_SMOKE_BASE_URL)"
 	@echo " LOCAL_SMOKE_CANDIDATES=$(LOCAL_SMOKE_CANDIDATES)"
+	@echo " LOCAL_SMOKE_SKIP_DOCKER_CHECKS=$(LOCAL_SMOKE_SKIP_DOCKER_CHECKS)"
 
 local-up:
 	$(LOCAL_COMPOSE) up -d --build
@@ -138,6 +140,7 @@ prod-security-audit: check-cert-files
 	SKIP_LOCAL_SMOKE="$(SKIP_LOCAL_SMOKE)" \
 	LOCAL_SMOKE_BASE_URL="$(LOCAL_SMOKE_BASE_URL)" \
 	LOCAL_SMOKE_CANDIDATES="$(LOCAL_SMOKE_CANDIDATES)" \
+	LOCAL_SMOKE_SKIP_DOCKER_CHECKS="$(LOCAL_SMOKE_SKIP_DOCKER_CHECKS)" \
 	./scripts/ops/prod_security_audit.sh
 
 prod-security-scheduler-up: check-prod-files
diff --git a/scripts/ops/prod_security_audit.sh b/scripts/ops/prod_security_audit.sh
index d282251..7b50d70 100755
--- a/scripts/ops/prod_security_audit.sh
+++ b/scripts/ops/prod_security_audit.sh
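Review bot: `LOCAL_SMOKE_SKIP_DOCKER_CHECKS ?= 1` makes `make prod-security-audit` skip the docker part of the security smoke unless the operator explicitly opts in, which inverts the usual default for an audit target; the same skip-by-default is repeated in the `:-1` fallback added to scripts/ops/prod_security_audit.sh. I cannot see from this diff what the docker checks cover, but if skipping is only needed where the audit runs without docker access, `LOCAL_SMOKE_SKIP_DOCKER_CHECKS ?= 0` with an explicit opt-out is the safer default. If 1 has to stay, a comment above the assignment stating why the checks are off by default, e.g. `# Docker checks are off by default: <REASON-PLACEHOLDER>`, keeps the reduced audit scope visible to whoever reads this file. The help and pass-through hunks below are consistent with the existing variables and need no change.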
@@ -13,6 +13,7 @@ AUTO_CERT_INIT="${AUTO_CERT_INIT:-0}"
 SKIP_LOCAL_SMOKE="${SKIP_LOCAL_SMOKE:-0}"
 LOCAL_SMOKE_BASE_URL="${LOCAL_SMOKE_BASE_URL:-https://127.0.0.1}"
 LOCAL_SMOKE_CANDIDATES="${LOCAL_SMOKE_CANDIDATES:-${LOCAL_SMOKE_BASE_URL},https://localhost,http://127.0.0.1,http://localhost}"
+LOCAL_SMOKE_SKIP_DOCKER_CHECKS="${LOCAL_SMOKE_SKIP_DOCKER_CHECKS:-1}"
 PROD_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml)
 CERT_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml)
@@ -164,7 +165,7 @@ run_local_smoke() {
         [[ -z "$candidate" ]] && continue
         if ./scripts/ops/check_chat_health.sh "$candidate" >/dev/null 2>&1 && \
-            ./scripts/ops/security_smoke.sh "$candidate" >/dev/null 2>&1; then
+            SECURITY_SMOKE_SKIP_DOCKER_CHECKS="$LOCAL_SMOKE_SKIP_DOCKER_CHECKS" ./scripts/ops/security_smoke.sh "$candidate" >/dev/null 2>&1; then
             log "Local smoke checks passed via ${candidate} (attempt ${attempt}/${max_attempts})"
             ok=1
             break
diff --git a/scripts/ops/security_smoke.sh b/scripts/ops/security_smoke.sh
index 7f8f6b0..894d94e 100755
--- a/scripts/ops/security_smoke.sh
+++ b/scripts/ops/security_smoke.sh
@@ -50,7 +50,8 @@ http_status_ok() {
 check_required_headers() {
     local url="$1"
     local head
-    head="$(curl -k -L -sS -I "$url" || true)"
+    # Use GET headers dump instead of HEAD. Some FastAPI routes return 405 for HEAD.
+    head="$(curl -k -L -sS -D - -o /dev/null "$url" || true)"
     local normalized
     normalized="$(echo "$head" | tr -d '\r' | tr '[:upper:]' '[:lower:]')"
 
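Review bot: The success message logged right after the rewritten `if` does not record whether the docker checks were skipped, so a run with `LOCAL_SMOKE_SKIP_DOCKER_CHECKS=1` leaves the same "Local smoke checks passed" line in the audit output as a full run and the reduced scope is invisible in the record. Adding the flag to the message, `log "Local smoke checks passed via ${candidate} (attempt ${attempt}/${max_attempts}, docker_checks_skipped=${LOCAL_SMOKE_SKIP_DOCKER_CHECKS})"`, keeps the evidence honest without changing the control flow. The body of run_local_smoke starts and ends outside the hunk, so the failure-path logging is not visible here.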
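Review bot: With `-L` still on the new curl line, `-D -` writes one header block per response in the redirect chain, so `head` carries the headers of every hop and a header that is present only on an intermediate redirect (or only on the final response) is indistinguishable in the checks that follow; presumably check_required_headers is meant to judge the response the client ends up with. Keeping only the last block before normalising, `head="$(printf '%s\n' "$head" | tr -d '\r' | awk -v RS= '{ last=$0 } END { print last }')"` inserted after the curl line, makes the later `normalized` comparison apply to the final response only. The rest of check_required_headers continues past the hunk.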