Idrovora import

.dockerignore

@@ -0,0 +1,2 @@
+node_modules
+build

.gitignore

@@ -8,10 +8,66 @@
 /.bundle
 
 # Ignore all logfiles and tempfiles.
-/log/*
-/tmp/*
+*/log/*
+*/tmp/*
 !/log/.keep
 !/tmp/.keep
 
 # Ignore Byebug command history file.
 .byebug_history
+
+# Ignore Mac files
+*.DS_Store
+
+# Ignore Visual Studio files
+.vscode
+
+# Ignore caches
+*.sass-cache
+
+/public/swagger/
+
+*.idea
+
+# React app stuff
+
+# dependencies
+*/node_modules
+
+# testing
+*/coverage
+
+# production
+*/build
+
+# documentation
+styleguide
+
+# misc
+*.DS_Store
+
+*.env.local
+*.env.development.local
+*.env.test.local
+*.env.production.local
+
+*npm-debug.log*
+*yarn-debug.log*
+*yarn-error.log*
+
+coverage
+jest_0
+test.log
+*.xml
+!/viscoll-api/spec/fixtures/*.xml
+
+# DIY images
+viscoll-api/uploads/*
+
+# secret scan
+secrets_scan.json
+
+.env
+.docker-environment-dev
+viscoll-api/.generators
+viscoll-api/public/uploads

.gitlab-ci.yml

@@ -0,0 +1,137 @@
+include:
+  - project: "devops/gitlab/ci-templates/docker"
+    ref: "0.0.1"
+    file:
+      - ".build_docker_image.yml"
+      - ".push_docker_image.yml"
+      - ".remove_docker_image.yml"
+  - project: "devops/gitlab/ci-templates/sast"
+    ref: "master"
+    file:
+      - ".shiftleft_container_scanning.yml"
+      - ".trivy_container_scanning.yml"
+
+workflow:
+  rules:
+    - if: $CI_MERGE_REQUEST_IID
+    - if: $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'master'
+    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == 'development'
+
+stages:
+  - sast:project
+  - build:web
+  - build:xproc
+  - sast:web
+  - sast:xproc
+  - push:web
+  - push:xproc
+  - remove:web
+  - remove:xproc
+
+shiftleft_project_scanning:
+  stage: sast:project
+  extends:
+    - .shiftleft_container_scanning
+  tags:
+    - build
+  allow_failure: true
+
+build_web_image:
+  stage: build:web
+  extends:
+    - .build_docker_image
+  needs:
+    - shiftleft_project_scanning
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-web"
+  tags:
+    - build
+
+build_xproc_image:
+  stage: build:xproc
+  extends:
+    - .build_docker_image
+  needs:
+    - shiftleft_project_scanning
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-xproc"
+    DOCKER_BUILD_CONTEXT: "viscoll-xproc/"
+    DOCKERFILE_PATH: "viscoll-xproc/"
+  tags:
+    - build
+
+trivy_web_container_scanning:
+  stage: sast:web
+  extends:
+    - .trivy_container_scanning
+  needs:
+    - build_web_image
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-web"
+  tags:
+    - build
+  allow_failure: true
+
+trivy_xproc_container_scanning:
+  stage: sast:xproc
+  extends:
+    - .trivy_container_scanning
+  needs:
+    - build_xproc_image
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-xproc"
+  tags:
+    - build
+  allow_failure: true
+
+push_web_image_to_registry:
+  stage: push:web
+  extends:
+    - .push_docker_image
+  needs:
+    - trivy_web_container_scanning
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-web"
+    DOCKER_IMAGE_NAME: "vceditor_web"
+  tags:
+    - build
+
+push_xproc_image_to_registry:
+  stage: push:xproc
+  extends:
+    - .push_docker_image
+  needs:
+    - trivy_xproc_container_scanning
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-xproc"
+    DOCKER_IMAGE_NAME: "vceditor_xproc"
+  tags:
+    - build
+
+remove_web_image:
+  stage: remove:web
+  extends:
+    - .remove_docker_image
+  needs:
+    - push_web_image_to_registry
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-web"
+  rules:
+    - when: always
+  tags:
+    - build
+
+remove_xproc_image:
+  stage: remove:xproc
+  extends:
+    - .remove_docker_image
+  needs:
+    - push_xproc_image_to_registry
+  variables:
+    CI_IMAGE_NAME: "${CI_PROJECT_ID}-${CI_PIPELINE_ID}-xproc"
+  rules:
+    - when: always
+  tags:
+    - build

.gitleaks.toml

@@ -0,0 +1,111 @@
+title = "gitleaks config"
+[[rules]]
+  description = "Password in string"
+  regex = '''(?i)[\w]*(password|secret)[\w]* *[:=>,]+ *['"][\S]{2,}['"]'''
+  [rules.allowlist]
+    description = "Exceptions"
+    paths = [
+      '''(.*?)\.erb$''',
+      '''(.*?)\.yml$''',
+      '''spec/(.*?)''',
+      '''reference_data\.rb''',
+      '''lib/sdbmss/legacy\.rb''',
+      '''lib/sdbmss/seed_data.rb''',
+      '''viscoll-api/config/environments/development.rb''',
+      '''jena/jena.env''',
+      '''.lando.yml''',
+      '''config/initializers/mailer.rb''',
+      '''vendor/assets/javascripts/URI\.min\.js'''
+    ]
+    regexes = [
+      '''\w\.password_(field|confirmation)''',
+      '''^\s*#'''
+    ]
+[[rules]]
+  description = "Password in YAML config"
+  regex = '''(?i)[\w]*(password|secret)[\w]* *: *[\S]{2,}'''
+  [rules.allowlist]
+    description = "Exceptions"
+    paths = [
+      '''(.*?)\.e?rb$''',
+      '''spec/(.*?)''',
+      '''reference_data\.rb''',
+      '''config/secrets.yml''',
+      '''lib/sdbmss/legacy\.rb''',
+      '''vendor/assets/javascripts/URI\.min\.js'''
+    ]
+[[rules]]
+  description = "AWS"
+  regex = '''AKIA[0-9A-Z]{16}'''
+[[rules]]
+  description = "RKCS8"
+  regex = '''-----BEGIN PRIVATE KEY-----'''
+[[rules]]
+  description = "RSA"
+  regex = '''-----BEGIN RSA PRIVATE KEY-----'''
+[[rules]]
+  description = "Github"
+  regex = '''(?i)github.*['\"][0-9a-zA-Z]{35,40}['\"]'''
+[[rules]]
+  description = "SSH"
+  regex = '''-----BEGIN OPENSSH PRIVATE KEY-----'''
+[[rules]]
+  description = "Facebook"
+  regex = '''(?i)facebook.*['\"][0-9a-f]{32}['\"]'''
+[[rules]]
+  description = "Twitter"
+  regex = '''(?i)twitter.*['\"][0-9a-zA-Z]{35,44}['\"]'''
+[[rules]]
+  description = "PGP"
+  regex = '''-----BEGIN PGP PRIVATE KEY BLOCK-----'''
+[[rules]]
+  description = "Slack token"
+  regex = '''xox[baprs]-.*'''
+[[rules]]
+  description = "Strip API Key"
+  regex = '''(?i)(sk|pk)_(test|live)_[0-9a-zA-Z]{10,32}'''
+# Global allowlist
+[allowlist]
+  description = "Global Allowlists"
+  files = [
+    '''(.*?)(jpg|gif|doc|pdf|bin|md)$''',
+    '''viscoll-api/config/environments/development.rb''',
+    '''.*__test__.*`''',
+    '''viscoll-api/app/mailers/mailer\.rb''',
+    '''\.gitleaks\.toml'''
+  ]
+  regexes = [
+    # Ignore resetPasswordRequest method
+    '''resetPasswordRequest''',
+    # Ignore docker set secrets
+    '''(?i)(/run/secrets/)''',
+    # Values set by Ansible variables
+    '''{{ *[\S]+ *}}''',
+    # Values set by environment variables
+    '''ENV\[['"][\S]+['"]\]''',
+    # ansible
+    '''security_ssh_password_authentication''',
+    # miscallaneous false positives
+    # password in comments
+    '''^\s*# password:''',
+    # state resets in React
+    '''update: \{password: "", current_password: "", email: ""\}''',
+    '''register: \{email: "", password: ""\}''',
+    '''[Pp]assword\w*:\s*""''',
+    '''[Pp]assword\w*:\s*false''',
+    '''newPasswordConfirm:\s*false''',
+    '''current_password: this\.state\.currentPassword''',
+    '''password: this\.state\.newPassword''',
+    '''currentPassword:\s*nextProps\.currentPasswordError\.toString''',
+    '''password_confirmation: this.state.passwordConfirm''',
+    '''password: this.state.password''',
+    '''[Pp]assword\w*:\s*PropTypes\.''',
+    # method names and non-password vars
+    '''resetPassword: \(reset_token, password\)''',
+    '''@reset_password_url =''',
+    # error message
+    '''password:\s*\["can't be''',
+    # test data
+    '''reset_password_token = "5951303fc9bf3c7b9a573a3f"''',
+    '''password\w*: "secret"'''
+  ]

.ruby-version

@@ -1 +1 @@
-ruby-2.4.0
+2.6.0

Dockerfile

@@ -0,0 +1,32 @@
+FROM node:14 as app
+
+WORKDIR /app
+
+ENV PATH /app/node_modules/.bin:$PATH
+
+COPY viscoll-app/package.json ./
+COPY viscoll-app/package-lock.json ./
+
+RUN npm ci --silent
+
+COPY viscoll-app .
+
+RUN npm run build
+
+FROM ruby:2.7
+RUN apt-get update && apt-get install -y librsvg2-bin
+
+# throw errors if Gemfile has been modified since Gemfile.lock
+RUN bundle config --global frozen 1
+
+WORKDIR /usr/src/app
+
+COPY viscoll-api/Gemfile viscoll-api/Gemfile.lock ./
+RUN bundle install
+
+COPY viscoll-api .
+
+COPY --from=app /app/build /usr/src/app/public
+
+ENTRYPOINT ["bundle", "exec", "rails"]
+CMD []

Dockerfile.api

@@ -0,0 +1,8 @@
+FROM ruby:2.7
+
+RUN apt-get update && apt-get install -y librsvg2-bin
+
+WORKDIR /app
+COPY viscoll-api/Gemfile viscoll-api/Gemfile.lock ./
+RUN bundle install
+