tronosfera/Law
1
0
Fork 0
mirror of https://github.com/TronoSfera/Law.git synced 2026-05-18 18:13:46 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

add security test 06

Browse source
This commit is contained in:
TronoSfera 2026-03-02 17:40:00 +03:00
parent 78ecfb120f
commit 1e9b326dad
3 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
Makefile
View file

@ -18,6 +18,7 @@ AUTO_CERT_INIT ?= 0
SKIP_LOCAL_SMOKE ?= 0 SKIP_LOCAL_SMOKE ?= 0
LOCAL_SMOKE_BASE_URL ?= https://127.0.0.1 LOCAL_SMOKE_BASE_URL ?= https://127.0.0.1
LOCAL_SMOKE_CANDIDATES ?= $(LOCAL_SMOKE_BASE_URL),https://localhost,http://127.0.0.1,http://localhost LOCAL_SMOKE_CANDIDATES ?= $(LOCAL_SMOKE_BASE_URL),https://localhost,http://127.0.0.1,http://localhost
LOCAL_SMOKE_SKIP_DOCKER_CHECKS ?= 1
CONFIRM_TOKEN ?= ROTATE-PROD-SECRETS CONFIRM_TOKEN ?= ROTATE-PROD-SECRETS
CERTBOT_DOMAINS = -d "$(DOMAIN)" -d "$(WWW_DOMAIN)" $(if $(strip $(SECOND_DOMAIN)),-d "$(SECOND_DOMAIN)") $(if $(strip $(SECOND_WWW_DOMAIN)),-d "$(SECOND_WWW_DOMAIN)") CERTBOT_DOMAINS = -d "$(DOMAIN)" -d "$(WWW_DOMAIN)" $(if $(strip $(SECOND_DOMAIN)),-d "$(SECOND_DOMAIN)") $(if $(strip $(SECOND_WWW_DOMAIN)),-d "$(SECOND_WWW_DOMAIN)")
@ -62,6 +63,7 @@ help:
@echo " SKIP_LOCAL_SMOKE=$(SKIP_LOCAL_SMOKE)" @echo " SKIP_LOCAL_SMOKE=$(SKIP_LOCAL_SMOKE)"
@echo " LOCAL_SMOKE_BASE_URL=$(LOCAL_SMOKE_BASE_URL)" @echo " LOCAL_SMOKE_BASE_URL=$(LOCAL_SMOKE_BASE_URL)"
@echo " LOCAL_SMOKE_CANDIDATES=$(LOCAL_SMOKE_CANDIDATES)" @echo " LOCAL_SMOKE_CANDIDATES=$(LOCAL_SMOKE_CANDIDATES)"
@echo " LOCAL_SMOKE_SKIP_DOCKER_CHECKS=$(LOCAL_SMOKE_SKIP_DOCKER_CHECKS)"
local-up: local-up:
$(LOCAL_COMPOSE) up -d --build $(LOCAL_COMPOSE) up -d --build
@ -138,6 +140,7 @@ prod-security-audit: check-cert-files
SKIP_LOCAL_SMOKE="$(SKIP_LOCAL_SMOKE)" \ SKIP_LOCAL_SMOKE="$(SKIP_LOCAL_SMOKE)" \
LOCAL_SMOKE_BASE_URL="$(LOCAL_SMOKE_BASE_URL)" \ LOCAL_SMOKE_BASE_URL="$(LOCAL_SMOKE_BASE_URL)" \
LOCAL_SMOKE_CANDIDATES="$(LOCAL_SMOKE_CANDIDATES)" \ LOCAL_SMOKE_CANDIDATES="$(LOCAL_SMOKE_CANDIDATES)" \
LOCAL_SMOKE_SKIP_DOCKER_CHECKS="$(LOCAL_SMOKE_SKIP_DOCKER_CHECKS)" \
./scripts/ops/prod_security_audit.sh ./scripts/ops/prod_security_audit.sh
prod-security-scheduler-up: check-prod-files prod-security-scheduler-up: check-prod-files

3
scripts/ops/prod_security_audit.sh
View file

@ -13,6 +13,7 @@ AUTO_CERT_INIT="${AUTO_CERT_INIT:-0}"
SKIP_LOCAL_SMOKE="${SKIP_LOCAL_SMOKE:-0}" SKIP_LOCAL_SMOKE="${SKIP_LOCAL_SMOKE:-0}"
LOCAL_SMOKE_BASE_URL="${LOCAL_SMOKE_BASE_URL:-https://127.0.0.1}" LOCAL_SMOKE_BASE_URL="${LOCAL_SMOKE_BASE_URL:-https://127.0.0.1}"
LOCAL_SMOKE_CANDIDATES="${LOCAL_SMOKE_CANDIDATES:-${LOCAL_SMOKE_BASE_URL},https://localhost,http://127.0.0.1,http://localhost}" LOCAL_SMOKE_CANDIDATES="${LOCAL_SMOKE_CANDIDATES:-${LOCAL_SMOKE_BASE_URL},https://localhost,http://127.0.0.1,http://localhost}"
LOCAL_SMOKE_SKIP_DOCKER_CHECKS="${LOCAL_SMOKE_SKIP_DOCKER_CHECKS:-1}"
PROD_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml) PROD_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml)
CERT_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml) CERT_COMPOSE=(docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml)
@ -164,7 +165,7 @@ run_local_smoke() {
[[ -z "$candidate" ]] && continue [[ -z "$candidate" ]] && continue
if ./scripts/ops/check_chat_health.sh "$candidate" >/dev/null 2>&1 && \ if ./scripts/ops/check_chat_health.sh "$candidate" >/dev/null 2>&1 && \
./scripts/ops/security_smoke.sh "$candidate" >/dev/null 2>&1; then SECURITY_SMOKE_SKIP_DOCKER_CHECKS="$LOCAL_SMOKE_SKIP_DOCKER_CHECKS" ./scripts/ops/security_smoke.sh "$candidate" >/dev/null 2>&1; then
log "Local smoke checks passed via ${candidate} (attempt ${attempt}/${max_attempts})" log "Local smoke checks passed via ${candidate} (attempt ${attempt}/${max_attempts})"
ok=1 ok=1
break break

3
scripts/ops/security_smoke.sh
View file

@ -50,7 +50,8 @@ http_status_ok() {
check_required_headers() { check_required_headers() {
local url="$1" local url="$1"
local head local head
head="$(curl -k -L -sS -I "$url" || true)" # Use GET headers dump instead of HEAD. Some FastAPI routes return 405 for HEAD.
head="$(curl -k -L -sS -D - -o /dev/null "$url" || true)"
local normalized local normalized
normalized="$(echo "$head" | tr -d '\r' | tr '[:upper:]' '[:lower:]')" normalized="$(echo "$head" | tr -d '\r' | tr '[:upper:]' '[:lower:]')"