Ajout d'un pipeline Lighthouse

+ améliorations/corrections sur le pipeline d'audit W3AF
wpetit 2019-12-24 12:54:32 +01:00
parent 5b1abee466
commit 4fe6feb1a1
10 changed files with 265 additions and 10 deletions

.gitignore vendored Normal file

@ -0,0 +1 @@
/data


@ -1,3 +1,7 @@
DOCKER_ARGS ?=
W3AF_COMMAND ?=
LIGHTHOUSE_COMMAND ?=
LIGHTHOUSE_URL ?=
image-w3af: image-w3af:
docker build \ docker build \
@ -9,11 +13,50 @@ image-w3af:
./resources/com/cadoles/w3af ./resources/com/cadoles/w3af
interactive-w3af: interactive-w3af:
$(MAKE) W3AF_COMMAND="/bin/sh" w3af
audit-w3af:
$(MAKE) W3AF_COMMAND="/usr/local/bin/run-audit" w3af
w3af:
docker run \ docker run \
-it --rm \ -it --rm \
--net host \ --net host \
-v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \ -v "$(PWD)/resources/com/cadoles/w3af/audit.w3af.tmpl:/home/w3af/w3af/audit.w3af.tmpl:ro" \
$(DOCKER_ARGS) \
jenkins-w3af:latest \ jenkins-w3af:latest \
/bin/sh $(W3AF_COMMAND)
.PHONY: image-w3af image-lighthouse:
docker build \
--build-arg=HTTP_PROXY=$(HTTP_PROXY) \
--build-arg=HTTPS_PROXY=$(HTTPS_PROXY) \
--build-arg=http_proxy=$(http_proxy) \
--build-arg=https_proxy=$(https_proxy) \
-t jenkins-lighthouse \
./resources/com/cadoles/lighthouse
interactive-lighthouse:
$(MAKE) LIGHTHOUSE_COMMAND="/bin/sh" lighthouse
audit-lighthouse:
$(MAKE) LIGHTHOUSE_COMMAND="/usr/local/bin/run-audit" lighthouse
lighthouse:
mkdir -p "$(PWD)/data/lighthouse/reports"
docker run \
-it --rm \
--net host \
--cap-add=SYS_ADMIN \
-e HTTP_PROXY=$(HTTP_PROXY) \
-e HTTPS_PROXY=$(HTTPS_PROXY) \
-e http_proxy=$(http_proxy) \
-e https_proxy=$(https_proxy) \
-e LIGHTHOUSE_URL=$(LIGHTHOUSE_URL) \
-u $(shell id -u $(USER)):$(shell id -g $(USER)) \
-v "$(PWD)/data/lighthouse/reports:/home/lighthouse/reports" \
$(DOCKER_ARGS) \
jenkins-lighthouse:latest \
$(LIGHTHOUSE_COMMAND)
.PHONY: image-w3af image-lighthouse
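Review bot: `--cap-add=SYS_ADMIN` in the new `lighthouse` target grants the container a very broad capability, yet the image's run-audit.sh (on this page) already starts Chromium with `--no-sandbox`, so the capability is not what makes the browser run; drop the flag, or keep it and remove `--no-sandbox` so Chromium's own sandbox may be used, but not both. The `.PHONY` line lists only the two image targets; `w3af`, `lighthouse` and the `interactive-*`/`audit-*` wrappers are commands too and a file of that name would silently shadow them, so extend it to `.PHONY: image-w3af image-lighthouse w3af interactive-w3af audit-w3af lighthouse interactive-lighthouse audit-lighthouse`. `$(PWD)` comes from the environment and is wrong when make is invoked with `-C`; `$(CURDIR)` is the built-in equivalent. Unquoted `-e HTTP_PROXY=$(HTTP_PROXY)` arguments split on whitespace; quote them as the `-v` lines already are.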


@ -0,0 +1,54 @@
FROM golang:1.11.4 as envtpl
ARG HTTP_PROXY=
ARG HTTPS_PROXY=
ARG http_proxy=
ARG https_proxy=
RUN apt-get update -y && apt-get install -y git
RUN git clone https://github.com/subfuzion/envtpl /src \
&& cd /src \
&& git checkout v1.0.0 \
&& CGO_ENABLED=0 GOOS=linux go build \
-ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
-a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
FROM alpine:3.10
ARG HTTP_PROXY=
ARG HTTPS_PROXY=
ARG http_proxy=
ARG https_proxy=
COPY --from=envtpl /src/bin/envtpl /usr/local/bin/envtpl
RUN apk add --no-cache \
nss \
freetype \
freetype-dev \
harfbuzz \
ca-certificates \
ttf-freefont \
nodejs \
npm \
chromium
RUN npm install -g lighthouse
RUN adduser -D lighthouse
COPY run-audit.sh /usr/local/bin/run-audit
RUN chmod +x /usr/local/bin/run-audit
COPY config.js.tmpl /home/lighthouse/config.js.tmpl
WORKDIR /home/lighthouse
RUN mkdir /home/lighthouse/reports
RUN chown -R lighthouse: /home/lighthouse
USER lighthouse
CMD /usr/local/bin/run-audit
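Review bot: `npm install -g lighthouse` pins no version, so each image rebuild pulls whatever lighthouse and its dependency tree is current on npm at that moment, while envtpl in the same file is deliberately pinned to `v1.0.0`; pin it as well, e.g. `RUN npm install -g lighthouse@<VERSION>` (placeholder), so a rebuild is reproducible and an upstream change cannot silently alter the audit. The `apk add` list is likewise unpinned; that is harder to do on alpine, but a comment stating the intent would help the next maintainer. `CMD /usr/local/bin/run-audit` is the shell form, so the script runs as a child of `/bin/sh` and signals from `docker stop` do not reach it directly; the w3af Dockerfile on this page uses the exec form, so `CMD ["/usr/local/bin/run-audit"]` is both preferable and consistent.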


@ -0,0 +1,4 @@
module.exports = {
extends: 'lighthouse:default',
settings: {},
};


@ -0,0 +1,17 @@
#!/bin/sh
envtpl -o config.js /home/lighthouse/config.js.tmpl
mkdir -p reports
rm -f reports/*
cd reports
lighthouse \
--no-enable-error-reporting \
--chrome-flags="--headless --disable-dev-shm-usage --no-sandbox --disable-gpu" \
--config=../config.js \
--output json --output html \
--output-path=lighthouse \
-- \
"$LIGHTHOUSE_URL"
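Review bot: The script has no `set -e`, so a failing `envtpl` or `cd reports` does not stop it: lighthouse then runs with a stale or missing config.js, or writes its report into the wrong directory, and the job only notices when publishHTML finds nothing. Add `set -eu` directly after the shebang; `-u` additionally turns an unset `LIGHTHOUSE_URL` into a hard error instead of an audit of the empty string. The w3af `run-audit.sh` further down on this page has the same gap and should get the same line.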


@ -94,9 +94,17 @@ RUN git clone --depth=1 \
&& rm -rf /home/w3af/w3af/.git \ && rm -rf /home/w3af/w3af/.git \
&& chown -R w3af /home/w3af/w3af && chown -R w3af /home/w3af/w3af
COPY run-audit.sh /usr/local/bin/run-audit
RUN chmod +x /usr/local/bin/run-audit
USER w3af USER w3af
WORKDIR /home/w3af/w3af WORKDIR /home/w3af/w3af
COPY audit.w3af.tmpl /home/w3af/w3af/audit.w3af.tmpl COPY audit.w3af.tmpl /home/w3af/w3af/audit.w3af.tmpl
ENV HTTP_PROXY=
ENV HTTPS_PROXY=
ENV http_proxy=
ENV https_proxy=
CMD ["./w3af_console"] CMD ["./w3af_console"]


@ -4,7 +4,7 @@
# Configure HTTP settings # Configure HTTP settings
http-settings http-settings
set timeout {{ default 10 .W3AF_TIMEOUT }} set timeout {{ default 60 .W3AF_TIMEOUT }}
{{ if .W3AF_BASIC_AUTH_USERNAME }} {{ if .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }} set basic_auth_user {{ .W3AF_BASIC_AUTH_USERNAME }}
set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }} set basic_auth_passwd {{ .W3AF_BASIC_AUTH_PASSWORD }}
@ -41,15 +41,23 @@ back
# Configure target authentication # Configure target authentication
auth detailed auth detailed
auth config detailed auth config detailed
set username {{ .W3AF_AUTH_FORM_USERNAME }} set username '{{ .W3AF_AUTH_FORM_USERNAME }}'
set password {{ .W3AF_AUTH_FORM_PASSWORD }} set password '{{ .W3AF_AUTH_FORM_PASSWORD }}'
set method POST set method POST
set auth_url {{ .W3AF_AUTH_FORM_URL }} set auth_url {{ .W3AF_AUTH_FORM_URL }}
set username_field {{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }} set username_field '{{ default "username" .W3AF_AUTH_FORM_USERNAME_FIELD }}'
set password_field {{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }} set password_field '{{ default "password" .W3AF_AUTH_FORM_PASSWORD_FIELD }}'
set data_format {{ default "username=%U&password=%P" .W3AF_AUTH_FORM_DATA_FORMAT }} set data_format '{{ default "%u=%U&%p=%P" .W3AF_AUTH_FORM_DATA_FORMAT }}'
set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }} set check_url {{ .W3AF_AUTH_FORM_CHECK_URL }}
set check_string '{{- default "connected" .W3AF_AUTH_FORM_CHECK_STRING -}}' set check_string '{{ default "connected" .W3AF_AUTH_FORM_CHECK_STRING }}'
set follow_redirects True
back
{{end}}
{{ if .W3AF_AUTH_LOGOUT_URL_REGEX }}
crawl web_spider
crawl config web_spider
set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}
back back
{{end}} {{end}}
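Review bot: The new `set ignore_regex {{ .W3AF_AUTH_LOGOUT_URL_REGEX }}` line is the only value in this hunk left unquoted, while username, password, field names, data_format and check_string were all wrapped in single quotes by the same change; a regex containing whitespace would presumably be split by the console, so write it as `set ignore_regex '{{ .W3AF_AUTH_LOGOUT_URL_REGEX }}'`. Note that the single quotes do not escape a `'` inside the value itself — a password containing one would still break the generated script; whether the w3af console accepts a backslash escape is not visible here and should be checked, and if it does not, the template should reject such values explicitly rather than emit a malformed script.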


@ -0,0 +1,6 @@
#!/bin/sh
mkdir -p reports
rm -f reports/*
envtpl -o audit.w3af /home/w3af/w3af/audit.w3af.tmpl
/home/w3af/w3af/w3af_console -y -n -s audit.w3af


@ -8,7 +8,7 @@ def call() {
parameters { parameters {
string( string(
name: 'targetUrl', name: 'url',
description: 'URL cible pour l\'audit' description: 'URL cible pour l\'audit'
) )
string( string(
@ -97,6 +97,7 @@ def call() {
-e W3AF_AUTH_FORM_URL='${params.authFormUrl}' -e W3AF_AUTH_FORM_URL='${params.authFormUrl}'
-e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}' -e W3AF_AUTH_FORM_USERNAME='${params.authFormUsername}'
-e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}' -e W3AF_AUTH_FORM_PASSWORD='${params.authFormPassword}'
-e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'
-e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}' -e W3AF_AUTH_FORM_CHECK_URL='${params.authFormCheckUrl}'
-e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}' -e W3AF_AUTH_FORM_CHECK_STRING='${params.authFormCheckString}'
-e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}' -e W3AF_AUTH_FORM_USERNAME_FIELD='${params.authFormUsernameField}'
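Review bot: The added `-e W3AF_AUTH_FORM_DATA_FORMAT='${params.authFormDataFormat}'` line interpolates a job parameter straight into a single-quoted argument of a docker command line; the enclosing `def call()` and the place where this string is handed to `inside()`/`sh` are outside the hunk, but if it is executed by a shell, as the sibling lines suggest, a value containing `'` ends the quoting and the remainder is interpreted by the shell. The surrounding `-e` lines have the same shape, as does `-e LIGHTHOUSE_URL='${params.url}'` in the new vars/lighthouse.groovy on this page. Escape each `'` in the value as `'\''` before interpolation, or hand the values to the container through `withEnv` and reference only variable names in the docker arguments. The rename of `targetUrl` to `url` in the first hunk also silently breaks any existing job that still triggers this pipeline with the old parameter name; that deserves a line in the commit message.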

vars/lighthouse.groovy Normal file

@ -0,0 +1,113 @@
// Pipeline d'exécution d'un audit Lighthouse
def call() {
pipeline {
agent {
label 'docker'
}
parameters {
string(
name: 'url',
description: 'URL cible pour l\'audit'
)
string(
name: 'auditTimeout',
description: "Délai maximum pour la réalisation de l'audit (en minutes)",
defaultValue: '60'
)
}
stages {
stage("Check parameters") {
steps {
script {
if (!params.url?.trim()) {
error("L'URL cible n'est pas définie !")
}
}
}
}
stage("Run Lighthouse audit") {
steps {
script {
def lighthouseImage = buildDockerImage()
def dockerArgs = """
-e LIGHTHOUSE_URL='${params.url}'
"""
timeout(params.auditTimeout.toInteger()) {
lighthouseImage.inside(dockerArgs) {
sh 'run-audit'
}
}
}
}
}
}
post {
always {
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: false,
keepAll: true,
reportDir: 'reports',
reportFiles: 'lighthouse.report.html',
reportName: "Rapport Lighthouse"
]
cleanWs()
}
success {
wrap([$class: 'BuildUser']) {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
L'audit Lighthouse pour `${params.url}` est terminé.
[Voir le rapport](${env.BUILD_URL}Rapport_20Lighthouse/)
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
failure {
rocketSend (
avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
message: """
L'audit Lighthouse pour `${params.url}` a échoué:
[Voir le job](${env.RUN_DISPLAY_URL})
@${env.BUILD_USER_ID ? env.BUILD_USER_ID : 'here'}
""".stripIndent(),
rawMessage: true
)
}
}
}
}
def buildDockerImage() {
dir ('.lighthouse') {
def resourceFiles = [
'com/cadoles/lighthouse/Dockerfile',
'com/cadoles/lighthouse/config.js.tmpl',
'com/cadoles/lighthouse/run-audit.sh'
];
for (res in resourceFiles) {
def fileContent = libraryResource res
def fileName = res.substring(res.lastIndexOf("/")+1)
writeFile file:fileName, text:fileContent
}
def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
def imageTag = "${safeJobName}-${env.BUILD_ID}"
return docker.build("lighthouse:${imageTag}", ".")
}
}
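Review bot: The "Check parameters" stage validates `url` but not `auditTimeout`, so a non-numeric value only fails later in "Run Lighthouse audit" with a raw `NumberFormatException` from `params.auditTimeout.toInteger()` instead of a clear message; add `if (!params.auditTimeout?.trim()?.isInteger()) { error("Le délai maximum doit être un entier !") }` next to the url check, and write the timeout as `timeout(time: params.auditTimeout.toInteger(), unit: 'MINUTES')` so the unit the parameter description promises is explicit. `buildDockerImage()` tags a fresh `lighthouse:<job>-<build id>` image on every run and nothing on this page removes it, so the docker agent accumulates one image per build unless something prunes them elsewhere; either reuse a stable tag or delete the image in `post { always }`. `URLDecoder.decode(env.JOB_NAME)` without a charset is deprecated and may also be blocked by the script security sandbox; `URLDecoder.decode(env.JOB_NAME, 'UTF-8')` is the safer call.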