tronosfera/Law
1
0
Fork 0
mirror of https://github.com/TronoSfera/Law.git synced 2026-05-18 10:03:45 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

add security test 10

Browse source
This commit is contained in:
TronoSfera 2026-03-02 18:01:41 +03:00
parent 492394d221
commit 87f32f72b2
2 changed files with 105 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

121
scripts/ops/prod_security_audit.sh
View file

@ -36,29 +36,116 @@ file_missing() {
[[ ! -f "$1" ]] [[ ! -f "$1" ]]
} }
lower() {
echo "${1:-}" | tr '[:upper:]' '[:lower:]'
}
read_env_value() {
local file="$1"
local key="$2"
if [[ ! -f "$file" ]]; then
echo ""
return 0
fi
grep -E "^${key}=" "$file" | tail -n1 | cut -d= -f2- || true
}
upsert_env_value() {
local file="$1"
local key="$2"
local value="$3"
local tmp
tmp="$(mktemp)"
awk -v k="$key" -v v="$value" '
BEGIN { done = 0 }
$0 ~ ("^" k "=") { print k "=" v; done = 1; next }
{ print }
END { if (!done) print k "=" v }
' "$file" > "$tmp"
mv "$tmp" "$file"
}
is_prod_env() {
local value
value="$(lower "${1:-}")"
[[ "$value" == "prod" || "$value" == "production" ]]
}
is_valid_samesite() {
local value
value="$(lower "${1:-}")"
[[ "$value" == "lax" || "$value" == "strict" || "$value" == "none" ]]
}
is_truthy() {
local value
value="$(lower "${1:-}")"
[[ "$value" == "true" || "$value" == "1" || "$value" == "yes" || "$value" == "on" ]]
}
ensure_env_file() { ensure_env_file() {
if [[ -f ".env" ]]; then if [[ ! -f ".env" ]]; then
log ".env found" if [[ -f ".env.prod" ]]; then
return 0 cp .env.prod .env
chmod 600 .env
log ".env was missing -> restored from .env.prod"
elif [[ -f ".env.production" ]]; then
cp .env.production .env
chmod 600 .env
log ".env was missing -> restored from .env.production"
else
fail "Cannot build .env automatically: missing .env, .env.prod and .env.production"
fi
fi fi
if [[ -f ".env.prod" ]]; then local app_env cookie_secure current_samesite strict_origin target_samesite
cp .env.prod .env local changed=0
app_env="$(read_env_value ".env" "APP_ENV")"
cookie_secure="$(read_env_value ".env" "PUBLIC_COOKIE_SECURE")"
current_samesite="$(read_env_value ".env" "PUBLIC_COOKIE_SAMESITE")"
strict_origin="$(read_env_value ".env" "PUBLIC_STRICT_ORIGIN_CHECK")"
target_samesite="$(lower "$current_samesite")"
if ! is_valid_samesite "$target_samesite"; then
local fallback_samesite
fallback_samesite="$(lower "$(read_env_value ".env.prod" "PUBLIC_COOKIE_SAMESITE")")"
if is_valid_samesite "$fallback_samesite"; then
target_samesite="$fallback_samesite"
else
target_samesite="lax"
fi
fi
if ! is_prod_env "$app_env"; then
changed=1
fi
if ! is_truthy "$cookie_secure"; then
changed=1
fi
if ! is_valid_samesite "$current_samesite"; then
changed=1
fi
if ! is_truthy "$strict_origin"; then
changed=1
fi
if [[ "$changed" == "1" ]]; then
local backup_file
backup_file=".env.backup.$(date +%Y%m%d-%H%M%S)"
cp .env "$backup_file"
chmod 600 "$backup_file"
upsert_env_value ".env" "APP_ENV" "prod"
upsert_env_value ".env" "PUBLIC_COOKIE_SECURE" "true"
upsert_env_value ".env" "PUBLIC_COOKIE_SAMESITE" "$target_samesite"
upsert_env_value ".env" "PUBLIC_STRICT_ORIGIN_CHECK" "true"
chmod 600 .env chmod 600 .env
log ".env was missing -> restored from .env.prod"
return 0
fi
if [[ -f ".env.production" ]]; then warn ".env updated in-place for production smoke checks (backup: ${backup_file})"
log ".env/.env.prod missing -> generating .env.prod from .env.production" else
./scripts/ops/rotate_prod_secrets.sh --env-in .env.production --env-out .env.prod log ".env found (APP_ENV=$(lower "$app_env"), PUBLIC_COOKIE_SAMESITE=$(lower "$current_samesite"))"
cp .env.prod .env
chmod 600 .env
log ".env created from generated .env.prod"
return 0
fi fi
fail "Cannot build .env automatically: missing both .env.prod and .env.production"
} }
ensure_minio_tls_bundle() { ensure_minio_tls_bundle() {

1
scripts/ops/rotate_prod_secrets.sh
View file

@ -189,6 +189,7 @@ upsert_env_value "PRODUCTION_ENFORCE_SECURE_SETTINGS" "true" "$ENV_OUT"
upsert_env_value "OTP_DEV_MODE" "false" "$ENV_OUT" upsert_env_value "OTP_DEV_MODE" "false" "$ENV_OUT"
upsert_env_value "ADMIN_BOOTSTRAP_ENABLED" "false" "$ENV_OUT" upsert_env_value "ADMIN_BOOTSTRAP_ENABLED" "false" "$ENV_OUT"
upsert_env_value "PUBLIC_COOKIE_SECURE" "true" "$ENV_OUT" upsert_env_value "PUBLIC_COOKIE_SECURE" "true" "$ENV_OUT"
upsert_env_value "PUBLIC_COOKIE_SAMESITE" "lax" "$ENV_OUT"
upsert_env_value "S3_USE_SSL" "true" "$ENV_OUT" upsert_env_value "S3_USE_SSL" "true" "$ENV_OUT"
upsert_env_value "S3_VERIFY_SSL" "true" "$ENV_OUT" upsert_env_value "S3_VERIFY_SSL" "true" "$ENV_OUT"
upsert_env_value "S3_CA_CERT_PATH" "/etc/ssl/minio/ca.crt" "$ENV_OUT" upsert_env_value "S3_CA_CERT_PATH" "/etc/ssl/minio/ca.crt" "$ENV_OUT"