Initial commit: ROA2WEB - FastAPI + Vue.js + Telegram Bot
Modern ERP Reports Application with microservices architecture

Tech Stack:
- Backend: FastAPI + python-oracledb (Oracle DB integration)
- Frontend: Vue.js 3 + PrimeVue + Vite
- Telegram Bot: python-telegram-bot + SQLite
- Infrastructure: Shared database pool, JWT authentication, SSH tunnel

Features:
- FastAPI backend with async Oracle connection pool
- Vue.js 3 responsive frontend with PrimeVue components
- Telegram bot alternative interface
- Microservices architecture with shared components
- Complete deployment support (Linux Docker + Windows IIS)
- Comprehensive testing (Playwright E2E + pytest)

Repository Structure:
- reports-app/ - Main application (backend, frontend, telegram-bot)
- shared/ - Shared components (database pool, auth, utils)
- deployment/ - Deployment scripts (Linux & Windows)
- docs/ - Project documentation
- security/ - Security scanning and git hooks
277
security/README.md
Normal file
@@ -0,0 +1,277 @@
# 🔒 ROA2WEB Security Audit Implementation

## 📋 Overview

This directory contains comprehensive security tools for the ROA2WEB project, implemented based on the critical findings in `SECURITY_AUDIT_CONTEXT.md`. The implementation addresses the discovered secrets in git history and provides ongoing protection against future security violations.

## 🚨 Critical Issues Addressed

### Secrets Found in Repository:
- **Oracle Password**: `ROMFASTSOFT` (in multiple .env files)
- **User Passwords**: `{"marius": "Parola81", "eli": "eli"}`
- **SSH Private Key**: `roa_oracle_server`
- **Environment Files**: Multiple .env files with production credentials

## 🛠️ Security Tools Implemented

### 1. 🔍 `secrets_scanner.py`
Advanced secrets detection tool with pattern-based scanning.

**Features:**
- Scans current files for secrets and credentials
- Optional git history scanning
- Pattern-based detection with high accuracy
- JSON report generation
- Integration ready for CI/CD

**Usage:**
```bash
# Basic scan
python security/secrets_scanner.py

# Scan with git history (slow but thorough)
python security/secrets_scanner.py --scan-git-history

# Save detailed report
python security/secrets_scanner.py --save-report security_report.json
```

### 2. 🧹 `git_cleanup.py`
Git history cleanup tool for removing secrets from repository history.

**Features:**
- Complete repository backup before cleanup
- Removes sensitive files from git history
- Replaces secret patterns in commits
- Verification of cleanup completion
- Detailed logging of all actions

**Usage:**
```bash
# Create backup only
python security/git_cleanup.py --backup

# Scan for secrets in history
python security/git_cleanup.py --scan

# Run complete cleanup (DANGEROUS - rewrites history)
python security/git_cleanup.py --cleanup

# Force cleanup without prompts
python security/git_cleanup.py --cleanup --force
```

### 3. 🪝 Git Hooks
Pre-commit and commit-msg hooks to prevent future secrets commits.

**Installation:**
```bash
# Install all security hooks
./security/install_hooks.sh
```

**Features:**
- **pre-commit**: Scans staged files for secrets before commit
- **commit-msg**: Validates commit messages for suspicious keywords
- Blocks commits containing credentials
- Provides actionable remediation guidance

### 4. 🛡️ Enhanced .gitignore
Comprehensive patterns to prevent committing sensitive files.

**Added Protections:**
- All environment files (except .example)
- SSH keys and certificates
- Secrets and credentials files
- Database connection files
- Production configurations
- Development tool caches

## 📊 Security Scanning Patterns

### Critical Patterns Detected:
- `ORACLE_PASSWORD=*`
- `VALID_USERS=*`
- SSH private key headers
- AWS access keys
- Bearer tokens
- Generic password patterns
- Connection strings

### Suspicious File Patterns:
- `*.env` (except .example)
- `*_rsa`, `*.key`, `*.pem`
- `*secret*`, `*credential*`, `*password*`
- `config.prod.*`

## 🚀 Quick Start Guide

### 1. Immediate Security Scan
```bash
# Run comprehensive security scan
python security/secrets_scanner.py --save-report current_security_status.json
```

### 2. Install Git Hooks
```bash
# Prevent future secrets commits
./security/install_hooks.sh
```

### 3. (CRITICAL) Git History Cleanup
⚠️ **WARNING**: This rewrites git history. Coordinate with your team first!

```bash
# 1. Create backup
python security/git_cleanup.py --backup

# 2. Scan for secrets in history
python security/git_cleanup.py --scan

# 3. Run cleanup (after team coordination)
python security/git_cleanup.py --cleanup
```

### 4. Regenerate Compromised Credentials
🔑 **MANDATORY**: All exposed credentials must be regenerated:
- Oracle password: `ROMFASTSOFT`
- User passwords: `Parola81`, `eli`
- SSH key: `roa_oracle_server`

## 📋 Security Checklist

### ✅ Immediate Actions (DONE):
- [x] Enhanced root .gitignore with security patterns
- [x] Implemented secrets scanner tool
- [x] Created git history cleanup tools
- [x] Installed git hooks for prevention
- [x] Documented security procedures

### 🔧 Required Actions (TODO):
- [ ] **CRITICAL**: Regenerate Oracle password (`ROMFASTSOFT`)
- [ ] **CRITICAL**: Regenerate user passwords (`Parola81`, `eli`)
- [ ] **CRITICAL**: Regenerate SSH key (`roa_oracle_server`)
- [ ] Run git history cleanup (`git_cleanup.py --cleanup`)
- [ ] Force push cleaned history to all remotes
- [ ] Notify team to re-clone repository
- [ ] Update production environment with new credentials

### 🔒 Ongoing Security:
- [ ] Regular security scans in CI/CD pipeline
- [ ] Quarterly security audits
- [ ] Team training on secrets management
- [ ] Implement proper secrets management system

## 🏗️ CI/CD Integration

### GitHub Actions Example:
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Security Scan
run: python security/secrets_scanner.py
```

### Pre-commit Hook Integration:
```yaml
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: secrets-scan
name: Secrets Scanner
entry: python security/secrets_scanner.py
language: system
pass_filenames: false
```

## 🆘 Emergency Response

### If Secrets Are Accidentally Committed:

1. **IMMEDIATE**:
```bash
# Run emergency scan
python security/secrets_scanner.py --scan-git-history
```

2. **URGENT**:
```bash
# Regenerate exposed credentials immediately
# Update production systems
```

3. **CLEANUP**:
```bash
# Clean git history
python security/git_cleanup.py --cleanup --force
```

## 📞 Support and Reporting

### Security Issues:
- Report immediately to security team
- Use encrypted communication for sensitive details
- Follow incident response procedures

### Tool Issues:
- Check logs in security/ directory
- Review tool documentation
- Test in safe environment first

## 📚 Best Practices

### 1. Secrets Management:
- Use environment variables for all secrets
- Implement proper secrets management (Vault, AWS Secrets Manager)
- Never hardcode credentials in source code
- Use `.env.example` for configuration templates

### 2. Git Practices:
- Always run security scan before commits
- Use meaningful commit messages
- Review changes before staging
- Keep git history clean and professional

### 3. Development Workflow:
- Use separate credentials for development/testing
- Regularly rotate credentials
- Monitor for credential exposure
- Train team on security practices

## 🔧 Troubleshooting

### Common Issues:

1. **Git hooks failing**:
```bash
# Reinstall hooks
./security/install_hooks.sh
```

2. **Scanner false positives**:
- Review patterns in `secrets_scanner.py`
- Add exceptions for legitimate uses
- Update pattern matching rules

3. **History cleanup failures**:
- Ensure clean working directory
- Create backup before attempting
- Check git permissions and status

---

## ⚠️ CRITICAL REMINDER

**The credentials found in this repository (`ROMFASTSOFT`, `Parola81`) are potentially compromised and MUST be regenerated immediately. Git history cleanup should be performed BEFORE any other development work to prevent propagation to other repository clones.**

---

*Security implementation completed: 2025-08-03*
*Tools version: 1.0*
*Next security review: 2025-09-03*
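Review bot: this README re-commits the very secrets it is auditing: the "Secrets Found in Repository" list (`ROMFASTSOFT`, `{"marius": "Parola81", "eli": "eli"}`, `roa_oracle_server`), the "Regenerate Compromised Credentials" section, the TODO checklist and the CRITICAL REMINDER all put the plaintext values back into the tree in this same initial commit, so the `git_cleanup.py` history rewrite the file describes would leave them in history, and the pre-commit hook's own `*password*` and generic password patterns should block this file from being committed at all. Replace the literal values with references (for example "the Oracle password from the old .env files") and keep the actual values out of the repository; record them only in the incident ticket. Two smaller points: the Emergency Response step `python security/git_cleanup.py --cleanup --force` skips the prompts that the Usage section presents as the safeguard for a DANGEROUS history rewrite, so the non-forced `--cleanup` form fits an emergency runbook better; and the GitHub Actions example checks out with `actions/checkout@v3`, whose default is a shallow clone, so the job needs `fetch-depth: 0` if `--scan-git-history` is ever added to the `run:` line.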