Rendu DevOps S8

.env.example

@@ -0,0 +1,7 @@
+# Root compose secrets and config
+MYSQL_ROOT_PASSWORD=change-me-root-password
+MYSQL_DATABASE=tlc
+MYSQL_USER=tlc
+MYSQL_PASSWORD=change-me-app-password
+DOODLE_PADAPIKEY=change-me-etherpad-api-key
+DOODLE_ORGANIZERMAIL=noreply@example.com

.githooks/pre-commit

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -eu
+
+if [ "${SKIP_GITLEAKS:-0}" = "1" ]; then
+  echo "[pre-commit] SKIP_GITLEAKS=1 set, skipping secret scan"
+  exit 0
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "[pre-commit] gitleaks is required. Install it and retry."
+  echo "[pre-commit] https://github.com/gitleaks/gitleaks"
+  exit 1
+fi
+
+echo "[pre-commit] Running gitleaks on staged changes..."
+gitleaks git --staged --redact --exit-code 1

.githooks/pre-push

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+set -eu
+
+if [ "${SKIP_GITLEAKS:-0}" = "1" ]; then
+  echo "[pre-push] SKIP_GITLEAKS=1 set, skipping secret scan"
+  exit 0
+fi
+
+if ! command -v gitleaks >/dev/null 2>&1; then
+  echo "[pre-push] gitleaks is required. Install it and retry."
+  echo "[pre-push] https://github.com/gitleaks/gitleaks"
+  exit 1
+fi
+
+echo "[pre-push] Running gitleaks on repository history..."
+gitleaks git --redact --exit-code 1

.github/workflows/security.yml

@@ -0,0 +1,87 @@
+name: Security Checks
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  contents: read
+  security-events: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - name: Gitleaks scan
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  trivy-fs-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Trivy filesystem scan
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: api
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: table
+          exit-code: 1
+
+  frontend-audit:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: front
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: front/package-lock.json
+      - name: Install dependencies
+        run: npm ci
+      - name: npm audit high/critical
+        run: npm audit --omit=dev --audit-level=high
+
+  backend-audit:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: api
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Setup Java
+        uses: actions/setup-java@v5
+        with:
+          distribution: temurin
+          java-version: '17'
+          cache: maven
+      - name: OWASP dependency-check
+        run: |
+          if [ -z "${NVD_API_KEY}" ]; then
+            echo "::warning::NVD_API_KEY is not configured. Skipping dependency-check to avoid NVD 403/404 failures."
+            echo "::warning::Add repository secret NVD_API_KEY to enable this job."
+            exit 0
+          fi
+          mvn -B -DskipTests org.owasp:dependency-check-maven:9.1.0:check -DnvdApiKey=${NVD_API_KEY} -DnvdApiDelay=2000
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

.gitignore

@@ -0,0 +1,15 @@
+# Global local environment and secrets
+.env
+.env.*
+!.env.example
+**/.env
+**/.env.*
+!**/.env.example
+
+# Potential secret artifacts
+**/APIKEY.txt
+
+# Build artifacts
+**/target/
+**/node_modules/
+**/dist/

CHANGELOG.md

@@ -0,0 +1,75 @@
+# DevOps and security : PR report
+
+Authors : **Mael Allié, Ewen Laurent and Théo Ginguené**
+
+## What was checked and why
+
+We reviewed Docker orchestration, backend configuration, reverse proxy behavior, container images, build contexts, ignore rules, and git workflow controls, because most incidents come from leaked secrets, over-exposed internal services, or unsafe defaults or configurations.
+
+## Changes implemented
+
+### Internal service exposure reduced by default
+
+We removed host port publication for the internal DB and SMTP services, removed direct Etherpad publication in favor of routing it through the frontend Nginx proxy under /pad/, and updated the external Etherpad URL to use that reverse-proxy path. The result is a smaller direct attack surface, with internal services reachable only through controlled entry points and centralized header enforcement and logging at the proxy layer. This applies the zero-trust and least-exposure principles.
+
+### Image version updating and pinning, where supported
+
+This change covered the docker-compose and Dockerfiles. We pinned and updated image versions to reduce CVEs. That makes builds more reproducible and improves rollback reliability. Reproducible infrastructure and deterministic environments are core CI/CD reliability practices.
+
+### Prod now requires explicit secrets/config
+
+This update only touched `api/src/main/resources/application.yml`. We added a `%prod` profile section that requires explicit datasource and doodle username, password, ..., while keeping defaults for development purposes. This prevents startup in production with default values and forces explicit configuration.
+
+### Frontend runtime moved to non-root container
+
+For the frontend, we now use nginxinc/nginx-unprivileged:1.27-alpine, and nginx listens on 8080, which is mapped to host 4200 in compose. This reduces even further the security risk by running the frontend as an unprivileged user inside the container.
+
+### Docker build context hardening
+
+We added ignore patterns for git metadata, env files, secret artifacts, logs, and temporary or build outputs. That reduces the risk of secrets leaking into image builds or layers (and speeds up builds).
+
+### Simple local pre-commit and pre-push secret checks
+
+The local Git hooks in `.githooks/` now use gitleaks. The pre-commit hook scans staged changes, the pre-push hook scans repository history. This stops secret leaks before they reach CI or remote branches, gives developer feedback, makes changes faster. It is a shift-left of the security checks.
+
+### CI security changes
+
+We implemented a GitHub Actions CI security workflow that includes [gitleaks](https://github.com/gitleaks/gitleaks-action), [trivy](https://github.com/aquasecurity/trivy-action), npm audit, and OWASP dependency-check. Global ignore rules cover env files and potential secret files, example env and secret templates were added, and the real API key file was removed from the repo.
+
+## Tutorial : How to use the new security setup
+
+### 1. Prepare local secrets safely
+
+1. Copy every `*.env.example` to `*.env`.
+2. Fill values for `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, and `DOODLE_PADAPIKEY`.
+3. Copy `api/APIKEY.txt.example` to `api/APIKEY.txt.local` and set a real key.
+
+### 2. Enable local secret-scanning hooks
+
+1. Install gitleaks (see [gitleaks installation](https://github.com/gitleaks/gitleaks#installing)).
+2. Activate repository hooks path :
+
+    ```bash
+    git config core.hooksPath .githooks
+    ```
+
+3. Test with a commit : hooks should run automatically.
+
+While **not recommended**, you can bypass hooks if needed with :
+
+```bash
+SKIP_GITLEAKS=1 git commit -m "bypass"
+```
+
+### 3. Start stack
+
+```bash
+docker compose up --build
+```
+
+## What we would do next if we had more time
+
+1. Purge git history.
+2. Add scanning on built artifacts.
+3. Enforce branch protection requiring security checks before merge.
+4. Move secrets to a secret manager for production.

README.french.md

@@ -0,0 +1,22 @@
+# Doodle in quarkus
+
+Ce repository est une application de type doodle développée avec quarkus.io pour le back et angular pour le front. 
+
+Elle initialise automatiquement un pad pour la réunion et un salon de discussion. 
+
+Le but est de faire travailler les étudiants sur la partie déploiement de ce type d'application dite cloud native. 
+
+Votre mission est de mettre en production une telle application en permettant 
+- qu'à chaque commit sur ce repository, si les tests passent, alors nous déployons automatiquement une nouvelle version dans un contexte (Continuous Deployement)
+- que l'application doit être monitorer finement. 
+- que l'application redémarre automatiquement en cas de crash du serveur ou de crash d'un des services de l'application. 
+- que Les accès doivent http doivent utiliser https. 
+
+
+Une démo de l'application est accessible [ici](https://doodle.diverse-team.fr).
+
+- Voici une petite [vidéo](https://drive.google.com/file/d/1GQbdgq2CHcddTlcoHqM5Zc8Dw5o_eeLg/preview) de présentation des fonctionnalités de l'application.
+- Voici une petite [vidéo](https://drive.google.com/file/d/1l5UAsU5_q-oshwEW6edZ4UvQjN3-tzwi/preview) de présentation de l'architecture de l'application.
+- Voici une petite [vidéo](https://drive.google.com/file/d/1jxYNfJdtd4r_pDbOthra360ei8Z17tX_/preview) de revue de code de l'application.
+
+Un descriptif du cours, des TPs et des étapes du projet est lui accessible [ici](https://hackmd.diverse-team.fr/s/SJqu5DjSD)

README.md

@@ -19,3 +19,7 @@ Students have to choose a system with micro-services to apply some DevOps relate
 if they cannot think of such system/project, they can go to the [doodle](https://github.com/barais/doodlestudent) github page and use it.
 You can also find a "detailled" pull request to launch the application on "dev mode".
 This is the kind of pull requests that is expected to be __sent on THIS repo__ for the evaluation of your technical realisation
+
+## PR
+
+The PR cahnges are detailled in [CHANGELOG.md](./CHANGELOG.md).

api/.dockerignore

@@ -0,0 +1,16 @@
+.git
+.gitignore
+.github
+.env
+.env.*
+!.env.example
+APIKEY.txt
+APIKEY.txt.local
+target
+node_modules
+*.log
+*.tmp
+README.md
+Dockerfile
+docker-compose.yaml
+

api/.env.example

@@ -0,0 +1,7 @@
+# API local compose secrets and config
+MYSQL_ROOT_PASSWORD=change-me-root-password
+MYSQL_DATABASE=tlc
+MYSQL_USER=tlc
+MYSQL_PASSWORD=change-me-app-password
+DOODLE_PADAPIKEY=change-me-etherpad-api-key
+DOODLE_ORGANIZERMAIL=noreply@example.com

api/.gitignore

@@ -0,0 +1,45 @@
+#Maven
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+release.properties
+.mvn/wrapper/maven-wrapper.jar
+# Eclipse
+.project
+.classpath
+.settings/
+bin/
+
+# IntelliJ
+.idea
+*.ipr
+*.iml
+*.iws
+
+# NetBeans
+nb-configuration.xml
+
+# Visual Studio Code
+.vscode
+.factorypath
+
+# OSX
+.DS_Store
+
+# Vim
+*.swp
+*.swo
+
+# patch
+*.orig
+*.rej
+
+# Secrets and local env
+APIKEY.txt
+APIKEY.txt.local
+.apikey
+.env
+.env.*
+!.env.example
+

api/.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.3/apache-maven-3.9.3-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.2.0/maven-wrapper-3.2.0.jar

api/APIKEY.txt.example

@@ -0,0 +1 @@
+change-me-etherpad-api-key

api/Dockerfile

@@ -0,0 +1,21 @@
+FROM maven:3.9.11-eclipse-temurin-17 AS build
+WORKDIR /build
+
+COPY . .
+RUN mvn -B -DskipTests package
+
+FROM eclipse-temurin:17-jre-jammy
+WORKDIR /app
+
+RUN useradd --system --uid 1001 --create-home appuser
+
+COPY --from=build /build/target/quarkus-app/lib ./lib
+COPY --from=build /build/target/quarkus-app/*.jar ./
+COPY --from=build /build/target/quarkus-app/app ./app
+COPY --from=build /build/target/quarkus-app/quarkus ./quarkus
+
+RUN chown -R appuser:appuser /app
+USER appuser
+
+EXPOSE 8080
+ENTRYPOINT ["java", "-jar", "quarkus-run.jar"]