Ajout d'un pipeline Lighthouse

+ améliorations/corrections sur le pipeline d'audit W3AF

.gitignore

@@ -0,0 +1 @@
+/data

Makefile

@@ -1,3 +1,7 @@
+DOCKER_ARGS ?=
+W3AF_COMMAND ?=
+LIGHTHOUSE_COMMAND ?=
+LIGHTHOUSE_URL ?=
 
 image-w3af:
 	docker build \
@@ -9,11 +13,50 @@ image-w3af:
 		./resources/com/cadoles/w3af
 
 interactive-w3af:
+	$(MAKE) W3AF_COMMAND="/bin/sh" w3af
+
+audit-w3af:
+	$(MAKE) W3AF_COMMAND="/usr/local/bin/run-audit" w3af
+
+w3af:
 	docker run \
 		-it --rm \
 		--net host \
 		-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
+		$(DOCKER_ARGS) \
 		jenkins-w3af:latest \
-		/bin/sh
+		$(W3AF_COMMAND)
 
-.PHONY: image-w3af
+image-lighthouse:
+	docker build \
+		--build-arg=HTTP_PROXY=$(HTTP_PROXY) \
+		--build-arg=HTTPS_PROXY=$(HTTPS_PROXY) \
+		--build-arg=http_proxy=$(http_proxy) \
+		--build-arg=https_proxy=$(https_proxy) \
+		-t jenkins-lighthouse \
+		./resources/com/cadoles/lighthouse
+
+interactive-lighthouse:
+	$(MAKE) LIGHTHOUSE_COMMAND="/bin/sh" lighthouse
+
+audit-lighthouse:
+	$(MAKE) LIGHTHOUSE_COMMAND="/usr/local/bin/run-audit" lighthouse
+
+lighthouse:
+	mkdir -p "$(PWD)/data/lighthouse/reports"
+	docker run \
+		-it --rm \
+		--net host \
+		--cap-add=SYS_ADMIN \
+		-e HTTP_PROXY=$(HTTP_PROXY) \
+		-e HTTPS_PROXY=$(HTTPS_PROXY) \
+		-e http_proxy=$(http_proxy) \
+		-e https_proxy=$(https_proxy) \
+		-e LIGHTHOUSE_URL=$(LIGHTHOUSE_URL) \
+		-u $(shell id -u $(USER)):$(shell id -g $(USER)) \
+		-v "$(PWD)/data/lighthouse/reports:/home/lighthouse/reports" \
+		$(DOCKER_ARGS) \
+		jenkins-lighthouse:latest \
+		$(LIGHTHOUSE_COMMAND)
+
+.PHONY: image-w3af image-lighthouse

resources/com/cadoles/lighthouse/Dockerfile

@@ -0,0 +1,54 @@
+FROM golang:1.11.4 as envtpl
+
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG http_proxy=
+ARG https_proxy=
+
+RUN apt-get update -y && apt-get install -y git
+
+RUN git clone https://github.com/subfuzion/envtpl /src \
+  && cd /src \
+  && git checkout v1.0.0 \
+  && CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
+    -a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
+
+FROM alpine:3.10
+
+ARG HTTP_PROXY=
+ARG HTTPS_PROXY=
+ARG http_proxy=
+ARG https_proxy=
+
+COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl
+
+RUN apk add --no-cache \
+    nss \
+    freetype \
+    freetype-dev \
+    harfbuzz \
+    ca-certificates \
+    ttf-freefont \
+    nodejs \
+    npm \
+    chromium
+
+RUN npm install -g lighthouse
+
+RUN adduser -D lighthouse   
+
+COPY run-audit.sh /usr/local/bin/run-audit
+RUN chmod +x /usr/local/bin/run-audit
+
+COPY config.js.tmpl /home/lighthouse/config.js.tmpl
+
+WORKDIR /home/lighthouse
+
+RUN mkdir /home/lighthouse/reports
+
+RUN chown -R lighthouse: /home/lighthouse
+
+USER lighthouse
+
+CMD /usr/local/bin/run-audit

resources/com/cadoles/lighthouse/config.js.tmpl

@@ -0,0 +1,4 @@
+module.exports = {
+  extends: 'lighthouse:default',
+  settings: {},
+};

resources/com/cadoles/lighthouse/run-audit.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+envtpl -o config.js /home/lighthouse/config.js.tmpl
+
+mkdir -p reports
+rm -f reports/*
+
+cd reports
+
+lighthouse \
+    --no-enable-error-reporting \
+    --chrome-flags="--headless --disable-dev-shm-usage --no-sandbox --disable-gpu" \
+    --config=../config.js \
+    --output json --output html \
+    --output-path=lighthouse \
+    -- \
+    "$LIGHTHOUSE_URL"

resources/com/cadoles/w3af/Dockerfile

@@ -94,9 +94,17 @@ RUN git clone --depth=1 \
   && rm -rf /home/w3af/w3af/.git \
   && chown -R w3af /home/w3af/w3af
 
+COPY run-audit.sh /usr/local/bin/run-audit
+RUN chmod +x /usr/local/bin/run-audit
+
 USER w3af
 WORKDIR /home/w3af/w3af
 
 COPY audit.w3af.tmpl /home/w3af/w3af/audit.w3af.tmpl
 
+ENV HTTP_PROXY=
+ENV HTTPS_PROXY=
+ENV http_proxy=
+ENV https_proxy=
+
 CMD ["./w3af_console"]

resources/com/cadoles/w3af/audit.w3af.tmpl

@@ -4,7 +4,7 @@
 
 # Configure HTTP settings
 http-settings
-set timeout {{ default 10 .W3AF_TIMEOUT }}
+set timeout {{ default 60 .W3AF_TIMEOUT }}
 {{ if .W3AF_BASIC_AUTH_USERNAME }}
 set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
 set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
@@ -41,15 +41,23 @@ back
 # Configure target authentication
 auth detailed
 auth config detailed
-set username {{ .W3AF_AUTH_FORM_USERNAME }}
+set username '{{ .W3AF_AUTH_FORM_USERNAME }}'
-set password {{ .W3AF_AUTH_FORM_PASSWORD }}
+set password '{{ .W3AF_AUTH_FORM_PASSWORD }}'
 set method POST
 set auth_url {{ .W3AF_AUTH_FORM_URL }}
-set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}
+set username_field '{{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}'
-set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}
+set password_field '{{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}'
-set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}
+set data_format '{{ default "%u=%U&%p=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}'
 set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
-set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}'
+set check_string '{{ default "connected" .W3AF_AUTH_FORM_CHECK_STRING }}'
+set follow_redirects True
+back
+{{end}}
+
+{{ if .W3AF_AUTH_LOGOUT_URL_REGEX }}
+crawl web_spider
+crawl config web_spider
+set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}
 back
 {{end}}
 

resources/com/cadoles/w3af/run-audit.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+mkdir -p reports
+rm -f reports/*
+envtpl -o audit.w3af /home/w3af/w3af/audit.w3af.tmpl
+/home/w3af/w3af/w3af_console -y -n -s audit.w3af

vars/audit.groovy

@@ -8,7 +8,7 @@ def call() {
 
         parameters {
             string(
-                name: 'targetUrl', 
+                name: 'url', 
                 description: 'URL cible pour l\'audit'
             )
             string(
@@ -97,6 +97,7 @@ def call() {
                         -e W3AF_AUTH_FORM_URL='${params.authFormUrl}'
                         -e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'
                         -e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'
+                        -e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'
                         -e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'
                         -e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'
                         -e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'

vars/lighthouse.groovy

@@ -0,0 +1,113 @@
+// Pipeline d'exécution d'un audit Lighthouse
+def call() {
+    pipeline {
+
+        agent {
+            label 'docker'
+        }
+
+        parameters {
+            string(
+                name: 'url', 
+                description: 'URL cible pour l\'audit'
+            )
+            string(
+                name: 'auditTimeout', 
+                description: "Délai maximum pour la réalisation de l'audit (en minutes)",
+                defaultValue: '60'
+            )
+        }
+
+        stages {
+
+            stage("Check parameters") {
+                steps {
+                    script {
+                        if (!params.url?.trim()) {
+                            error("L'URL cible n'est pas définie !")
+                        }
+                    }
+                }
+            }
+
+            stage("Run Lighthouse audit") {
+                steps {
+                    script {
+                        def lighthouseImage = buildDockerImage()
+                        def dockerArgs = """
+                        -e LIGHTHOUSE_URL='${params.url}'
+                        """
+                        timeout(params.auditTimeout.toInteger()) {
+                            lighthouseImage.inside(dockerArgs) {
+                                sh 'run-audit'
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        post {
+            always {
+                publishHTML target: [
+                    allowMissing: true,
+                    alwaysLinkToLastBuild: false,
+                    keepAll: true,
+                    reportDir: 'reports',
+                    reportFiles: 'lighthouse.report.html',
+                    reportName: "Rapport Lighthouse"
+                ]
+                cleanWs()
+            }
+            success {
+                wrap([$class: 'BuildUser']) {
+                    rocketSend (
+                        avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
+                        message: """
+                        L'audit Lighthouse pour `${params.url}` est terminé.
+                        
+                        [Voir le rapport](${env.BUILD_URL}Rapport_20Lighthouse/)
+                        
+                        @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
+                        """.stripIndent(),
+                        rawMessage: true
+                    )
+                }
+            }
+            failure {
+                rocketSend (
+                    avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
+                    message: """
+                    L'audit Lighthouse pour `${params.url}` a échoué:
+                    
+                    [Voir le job](${env.RUN_DISPLAY_URL})
+                    
+                    @${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
+                    """.stripIndent(),
+                    rawMessage: true
+                )
+            }
+        }
+
+    }
+}
+
+def buildDockerImage() {
+    dir ('.lighthouse') {
+        def resourceFiles = [
+            'com/cadoles/lighthouse/Dockerfile',
+            'com/cadoles/lighthouse/config.js.tmpl',
+            'com/cadoles/lighthouse/run-audit.sh'
+        ];
+
+        for (res in resourceFiles) {
+            def fileContent = libraryResource res
+            def fileName = res.substring(res.lastIndexOf("/")+1)
+            writeFile file:fileName, text:fileContent
+        }
+        
+        def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
+        def imageTag = "${safeJobName}-${env.BUILD_ID}"
+        return docker.build("lighthouse:${imageTag}", ".")
+    }
+}