Marius Mutu 6b13ffa183 Initial commit: ROA2WEB - FastAPI + Vue.js + Telegram Bot
Modern ERP Reports Application with microservices architecture

Tech Stack:
- Backend: FastAPI + python-oracledb (Oracle DB integration)
- Frontend: Vue.js 3 + PrimeVue + Vite
- Telegram Bot: python-telegram-bot + SQLite
- Infrastructure: Shared database pool, JWT authentication, SSH tunnel

Features:
- FastAPI backend with async Oracle connection pool
- Vue.js 3 responsive frontend with PrimeVue components
- Telegram bot alternative interface
- Microservices architecture with shared components
- Complete deployment support (Linux Docker + Windows IIS)
- Comprehensive testing (Playwright E2E + pytest)

Repository Structure:
- reports-app/ - Main application (backend, frontend, telegram-bot)
- shared/ - Shared components (database pool, auth, utils)
- deployment/ - Deployment scripts (Linux & Windows)
- docs/ - Project documentation
- security/ - Security scanning and git hooks
2025-10-25 14:55:08 +03:00


# 🔒 ROA2WEB Security Audit Implementation
## 📋 Overview
This directory contains comprehensive security tools for the ROA2WEB project, implemented based on the critical findings in `SECURITY_AUDIT_CONTEXT.md`. The implementation addresses the discovered secrets in git history and provides ongoing protection against future security violations.
## 🚨 Critical Issues Addressed
### Secrets Found in Repository:
- **Oracle Password**: `ROMFASTSOFT` (in multiple .env files)
- **User Passwords**: `{"marius": "Parola81", "eli": "eli"}` (the `VALID_USERS` value, stored as plaintext)
- **SSH Private Key**: `roa_oracle_server`
- **Environment Files**: Multiple .env files with production credentials

The literal values are repeated in this document so that the rotation checklist is unambiguous. Until they are rotated, this file is itself a copy of the secrets and has to be covered by the same cleanup and rotation as the .env files.
## 🛠️ Security Tools Implemented
### 1. 🔍 `secrets_scanner.py`
Secrets detection tool that checks file contents and filenames against the patterns listed under Security Scanning Patterns.
**Features:**
- Scans the current working tree for secrets and credentials
- Optional git history scanning (every commit, not only the current tree)
- Pattern-based detection: regular expressions for the critical patterns plus filename rules for suspicious files
- JSON report generation
- Suitable for CI/CD integration (see below)
**Usage:**
```bash
# Basic scan
python security/secrets_scanner.py
# Scan with git history (slow but thorough)
python security/secrets_scanner.py --scan-git-history
# Save detailed report
python security/secrets_scanner.py --save-report security_report.json
```
### 2. 🧹 `git_cleanup.py`
Git history cleanup tool for removing secrets from repository history. Rewriting removes the strings from the commits you push; it does not revoke anything, and existing clones, forks and the hosting server's reflogs keep the old objects until they are expired, so the credentials must be rotated regardless.
**Features:**
- Complete repository backup before cleanup
- Removes sensitive files from git history
- Replaces secret patterns in commits
- Verification of cleanup completion
- Detailed logging of all actions
**Usage:**
```bash
# Create backup only
python security/git_cleanup.py --backup
# Scan for secrets in history
python security/git_cleanup.py --scan
# Run complete cleanup (DANGEROUS - rewrites history)
python security/git_cleanup.py --cleanup
# Force cleanup without prompts
python security/git_cleanup.py --cleanup --force
```
### 3. 🪝 Git Hooks
Pre-commit and commit-msg hooks to prevent future secrets commits.
**Installation:**
```bash
# Install all security hooks
./security/install_hooks.sh
```
**Features:**
- **pre-commit**: Scans staged files for secrets before commit
- **commit-msg**: Validates commit messages for suspicious keywords
- Blocks commits containing credentials
- Provides actionable remediation guidance
### 4. 🛡️ Enhanced .gitignore
Comprehensive patterns to prevent committing sensitive files.
**Added Protections:**
- All environment files (except .example)
- SSH keys and certificates
- Secrets and credentials files
- Database connection files
- Production configurations
- Development tool caches
## 📊 Security Scanning Patterns
### Critical Patterns Detected:
- `ORACLE_PASSWORD=*`
- `VALID_USERS=*`
- SSH private key headers
- AWS access keys
- Bearer tokens
- Generic password patterns
- Connection strings
### Suspicious File Patterns:
- `*.env` (except .example)
- `*_rsa`, `*.key`, `*.pem`
- `*secret*`, `*credential*`, `*password*`
- `config.prod.*`
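The two lists above map directly onto a scanner. What follows is an added illustration written for this page, not the project's own `secrets_scanner.py` or its hooks: the regular expressions are assumed forms of the listed patterns, the sample files are constructed placeholders, and `scan_staged()` shows how the same `scan_text()` serves the pre-commit hook described under Git Hooks by reading staged blobs from the index (`git show :path`) rather than the working tree.

```python
"""Pattern-based secrets scan plus a staged-files pre-commit check.

Added illustration for this README, not the project's security/secrets_scanner.py
or its hooks: the regexes are assumed forms of the pattern list above and the
sample files are constructed so the scan runs offline.
"""
import fnmatch
import re
import subprocess
import sys
from dataclasses import dataclass

# Content rules, most specific first; the generic rule runs last so a line already
# matched by a specific rule is not reported twice. Whitespace classes are [ \t]
# rather than \s so a rule never runs across a line break into the next setting.
CONTENT_PATTERNS = {
    "oracle-password": re.compile(r"^[ \t]*ORACLE_PASSWORD[ \t]*=[ \t]*(?!\$\{|$).+$", re.M),
    "valid-users": re.compile(r"^[ \t]*VALID_USERS[ \t]*=[ \t]*\S.*$", re.M),
    "ssh-private-key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"),
    "aws-access-key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "bearer-token": re.compile(r"\bBearer[ \t]+[A-Za-z0-9\-._~+/]{20,}=*", re.I),
    "connection-string": re.compile(r"(?i)\b(?:oracle|postgres(?:ql)?|mysql|mssql)://[^\s:/@]+:[^\s@]+@"),
    "generic-password": re.compile(r"(?i)(?:password|passwd|pwd)[ \t]*[:=][ \t]*['\"]?(?!\$)[^\s'\"]{4,}"),
}
# Filename rules from the "Suspicious File Patterns" list; templates are exempt.
FILE_PATTERNS = [".env*", "*.env", "*_rsa", "*.key", "*.pem",
                 "*secret*", "*credential*", "*password*", "config.prod.*"]
ALLOWED_FILE_PATTERNS = ["*.example", "*.sample"]


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    line: int      # 0 for filename-only findings
    excerpt: str   # redacted, safe to print in hook output and CI logs


def suspicious_filename(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(name, p) for p in ALLOWED_FILE_PATTERNS):
        return False
    return any(fnmatch.fnmatch(name, p) for p in FILE_PATTERNS)


def redact(line):
    """Keep the key name, never echo the value itself."""
    m = re.search(r"[=:][ \t]*", line)
    return line[:m.end()] + "********" if m else line


def scan_text(path, text):
    findings = []
    if suspicious_filename(path):
        findings.append(Finding(path, "suspicious-filename", 0, ""))
    reported = set()
    for rule, rx in CONTENT_PATTERNS.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            if line_no in reported:
                continue
            reported.add(line_no)
            findings.append(Finding(path, rule, line_no, redact(m.group(0).strip())))
    return findings


def staged_files():
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACMR", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode("utf-8", "replace") for p in out.split(b"\0") if p]


def staged_blob(path):
    # Read from the index (":path"), not the working tree, so a partially staged
    # file is checked exactly as it would be committed.
    out = subprocess.run(["git", "show", f":{path}"], check=True, capture_output=True).stdout
    return out.decode("utf-8", "replace")


def scan_staged():
    findings = []
    for path in staged_files():
        findings.extend(scan_text(path, staged_blob(path)))
    return findings


# Constructed sample files (placeholder values, not the repository's real credentials).
SAMPLE_FILES = {
    "reports-app/backend/.env": 'ORACLE_USER=app\nORACLE_PASSWORD=hunter2hunter2\nVALID_USERS={"alice": "pw"}\n',
    ".env.example": "ORACLE_PASSWORD=\nVALID_USERS=\n",
    "deployment/oracle_tunnel": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set ORACLE_PASSWORD=${ORACLE_PASSWORD} from the vault.\n",
}

if __name__ == "__main__":
    # As a pre-commit hook: scan the index and block the commit on any finding.
    found = scan_staged()
    for f in found:
        print(f"{f.path}:{f.line}: {f.rule} {f.excerpt}")
    if found:
        print("Commit blocked: move the value to the environment, keep a placeholder in .env.example, rotate it if real.")
    sys.exit(1 if found else 0)
```

Note the `deployment/oracle_tunnel` sample: its name matches none of the filename rules, so only the content rule catches it. That is why the hook reads blob contents rather than trusting the .gitignore patterns alone.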
## 🚀 Quick Start Guide
### 1. Immediate Security Scan
```bash
# Run comprehensive security scan
python security/secrets_scanner.py --save-report current_security_status.json
```
### 2. Install Git Hooks
```bash
# Prevent future secrets commits
./security/install_hooks.sh
```
### 3. (CRITICAL) Git History Cleanup
⚠️ **WARNING**: This rewrites git history. Coordinate with your team first! Do not treat it as a substitute for step 4: the rewrite removes the strings from the commits, but anyone who already fetched them has the credentials, so rotate them before or alongside this step.
```bash
# 1. Create backup
python security/git_cleanup.py --backup
# 2. Scan for secrets in history
python security/git_cleanup.py --scan
# 3. Run cleanup (after team coordination)
python security/git_cleanup.py --cleanup
```
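The backup, rewrite and verify sequence of `git_cleanup.py` (section 2 and the three steps above) can be expressed with `git filter-repo`. The block below is an added example, not the project's own tool: it assumes `git` and `git-filter-repo` are installed, and the secret values, paths and directories it takes are placeholders for the real ones.

```python
"""Backup, rewrite and verify git history with git filter-repo.

Added example, not the project's security/git_cleanup.py. It assumes `git`
and `git-filter-repo` (https://github.com/newren/git-filter-repo) are on
PATH; secret values, file paths and directories are placeholders.
"""
import subprocess
import tempfile
from pathlib import Path


def build_replacements(secrets):
    """Text of the file handed to --replace-text / --replace-message.

    One rule per line: `literal:` matches the exact bytes, and what follows
    `==>` is the substitute (***REMOVED*** is also filter-repo's default).
    """
    return "".join(f"literal:{s}==>***REMOVED***\n" for s in secrets if s)


def filter_repo_command(replacements_file, drop_paths=()):
    """Rewrite blobs and commit messages; drop the listed paths from every commit."""
    cmd = ["git", "filter-repo", "--force",
           "--replace-text", str(replacements_file),
           "--replace-message", str(replacements_file)]
    for p in drop_paths:
        cmd += ["--path", p]
    if drop_paths:
        cmd.append("--invert-paths")   # --path selects; --invert-paths turns the selection into removal
    return cmd


def git(repo, *args, check=True):
    return subprocess.run(["git", *args], cwd=repo, check=check, capture_output=True, text=True)


def backup(repo, dest):
    # A mirror clone keeps every ref (branches, tags, remote-tracking refs), so the rewrite can be undone.
    subprocess.run(["git", "clone", "--mirror", str(repo), str(dest)], check=True)


def secrets_still_in_history(repo, secrets):
    """Secrets that still appear in the tree of any reachable commit (git grep over all revs)."""
    revs = git(repo, "rev-list", "--all").stdout.split()   # fine for a repo of this size; huge histories need batching
    return [s for s in secrets
            if git(repo, "grep", "-q", "-F", "-e", s, *revs, check=False).returncode == 0]


def cleanup(repo, secrets, drop_paths, backup_dir, dry_run=True):
    """Plan (dry_run) or perform the rewrite; refuses to touch a dirty working tree."""
    repo = Path(repo)
    if git(repo, "status", "--porcelain").stdout.strip():
        raise SystemExit("working tree not clean; commit or stash before rewriting history")
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(build_replacements(secrets))   # lives outside the repo, so it is never committed
    cmd = filter_repo_command(f.name, drop_paths)
    if dry_run:
        return cmd
    backup(repo, backup_dir)
    subprocess.run(cmd, cwd=repo, check=True)   # --force because filter-repo otherwise insists on a fresh clone
    leaked = secrets_still_in_history(repo, secrets)
    if leaked:
        raise SystemExit(f"{len(leaked)} secret(s) still reachable after rewrite; check the replacement rules")
    return cmd


if __name__ == "__main__":
    # Placeholder inputs; print the plan without touching the repository.
    print(" ".join(cleanup(".", ["placeholder-password"], ["reports-app/backend/.env", "roa_oracle_server"],
                           "../roa2web-backup.git", dry_run=True)))
```

After a real run, `git filter-repo` deliberately removes the `origin` remote; add it back, then `git push --force --all` and `git push --force --tags`, and ask the hosting administrator to expire reflogs and run garbage collection, because the old commits remain reachable by hash on the server until then. Everyone else re-clones rather than pulling, since a pull would merge the old history back in.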
### 4. Regenerate Compromised Credentials
🔑 **MANDATORY**: All exposed credentials must be regenerated and the old values revoked:
- Oracle password: `ROMFASTSOFT` (change it on the database account, then update every service that uses it)
- User passwords: `Parola81`, `eli`
- SSH key: `roa_oracle_server` (generate a new key pair and remove the old public key from the server's `authorized_keys`)
## 📋 Security Checklist
### ✅ Immediate Actions (DONE):
- [x] Enhanced root .gitignore with security patterns
- [x] Implemented secrets scanner tool
- [x] Created git history cleanup tools
- [x] Installed git hooks for prevention
- [x] Documented security procedures
### 🔧 Required Actions (TODO):
- [ ] **CRITICAL**: Regenerate Oracle password (`ROMFASTSOFT`) and update every service that uses it
- [ ] **CRITICAL**: Regenerate user passwords (`Parola81`, `eli`)
- [ ] **CRITICAL**: Regenerate SSH key (`roa_oracle_server`) and remove the old public key from the server's `authorized_keys`
- [ ] Run git history cleanup (`git_cleanup.py --cleanup`)
- [ ] Force push cleaned history to all remotes, then ask the hosting administrator to expire reflogs and garbage-collect; the old commits stay fetchable by hash until that happens
- [ ] Notify team to re-clone repository (a `git pull` on an existing clone would merge the old history back in)
- [ ] Update production environment with new credentials
### 🔒 Ongoing Security:
- [ ] Regular security scans in CI/CD pipeline
- [ ] Quarterly security audits
- [ ] Team training on secrets management
- [ ] Implement proper secrets management system
## 🏗️ CI/CD Integration
### GitHub Actions Example:
```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Security Scan
        run: python security/secrets_scanner.py
```
`actions/checkout` fetches a single commit by default; if this step is to run with `--scan-git-history`, set `fetch-depth: 0` on the checkout step so the full history is available. The job only fails if the scanner exits non-zero on findings, so confirm that behaviour when wiring it in.
### Pre-commit Hook Integration:
```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: secrets-scan
        name: Secrets Scanner
        entry: python security/secrets_scanner.py
        language: system
        pass_filenames: false
```
## 🆘 Emergency Response
### If Secrets Are Accidentally Committed:
1. **IMMEDIATE**: establish what leaked and in which commits:
```bash
# Run emergency scan
python security/secrets_scanner.py --scan-git-history
```
2. **URGENT**: treat every exposed value as compromised, even if the push happened minutes ago. Regenerate the credentials, revoke the old ones (change the Oracle password, remove the old SSH public key from `authorized_keys`) and update production systems with the new values.
3. **CLEANUP**: rewrite the history, then coordinate the force push and the re-clone with the team:
```bash
# Clean git history (--force skips the confirmation prompts, not the backup)
python security/git_cleanup.py --cleanup --force
```
## 📞 Support and Reporting
### Security Issues:
- Report immediately to security team
- Use encrypted communication for sensitive details
- Follow incident response procedures
### Tool Issues:
- Check logs in security/ directory
- Review tool documentation
- Test in safe environment first
## 📚 Best Practices
### 1. Secrets Management:
- Use environment variables for all secrets
- Implement proper secrets management (Vault, AWS Secrets Manager)
- Never hardcode credentials in source code
- Use `.env.example` for configuration templates
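The plaintext `VALID_USERS` dictionary listed under Critical Issues is exactly the case the first and third points above address. The block below is an added example for this page, not the project's `shared/` auth code: it keeps the two variable names this audit mentions, `ORACLE_PASSWORD` and `VALID_USERS`, reads both from the environment with no built-in default, and stores `VALID_USERS` as salted PBKDF2 hashes so that a leaked .env no longer hands out working passwords. The `pbkdf2$<iterations>$<salt>$<hash>` encoding and the example users are assumptions.

```python
"""Secrets from the environment, user passwords as salted hashes.

Added example for this README, not the project's shared/ auth code. It keeps
the variable names ORACLE_PASSWORD and VALID_USERS but stores VALID_USERS as
{"user": "pbkdf2$<iterations>$<salt_hex>$<hash_hex>"} instead of plaintext.
"""
import hashlib
import hmac
import json
import os
import secrets

ALGO = "pbkdf2"          # PBKDF2-HMAC-SHA256 from the standard library
ITERATIONS = 600_000     # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=ITERATIONS):
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Constant-time check against a stored hash string; malformed input is simply False."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != ALGO:
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    except (AttributeError, ValueError):
        return False
    return hmac.compare_digest(dk.hex(), hash_hex)


# Compared against for unknown usernames, so a lookup miss costs the same time as a wrong password.
DUMMY_HASH = hash_password("not-a-real-user")


def load_settings(env=None):
    """Read configuration from the environment; a missing secret is an error, never a default."""
    env = os.environ if env is None else env
    try:
        oracle_password = env["ORACLE_PASSWORD"]
        users = json.loads(env["VALID_USERS"])
    except KeyError as e:
        raise RuntimeError(f"required setting {e.args[0]} is not set") from None
    for name, stored in users.items():
        if not isinstance(stored, str) or not stored.startswith(ALGO + "$"):
            raise RuntimeError(f"VALID_USERS entry for {name!r} is not a {ALGO} hash; plaintext passwords are refused")
    return {"oracle_password": oracle_password, "users": users}


def authenticate(settings, username, password):
    stored = settings["users"].get(username)
    ok = verify_password(password, stored if stored is not None else DUMMY_HASH)
    return ok and stored is not None


def example_env():
    """Constructed .env contents (placeholder values, not the repository's real credentials)."""
    return {
        "ORACLE_PASSWORD": "placeholder-rotate-me",
        "VALID_USERS": json.dumps({
            "alice": hash_password("correct horse"),
            "bob": hash_password("battery staple"),
        }),
    }


if __name__ == "__main__":
    # To migrate an existing plaintext entry: print(hash_password("old-plaintext")) and paste the result.
    settings = load_settings(example_env())
    print("alice / correct horse ->", authenticate(settings, "alice", "correct horse"))
    print("alice / wrong         ->", authenticate(settings, "alice", "wrong"))
```

Because `load_settings` refuses any `VALID_USERS` entry that is not a hash, the old plaintext format cannot be reintroduced by accident, and a future leak of the variable exposes only salted hashes rather than passwords that work immediately.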
### 2. Git Practices:
- Always run security scan before commits
- Use meaningful commit messages
- Review changes before staging
- Keep git history clean and professional
### 3. Development Workflow:
- Use separate credentials for development/testing
- Regularly rotate credentials
- Monitor for credential exposure
- Train team on security practices
## 🔧 Troubleshooting
### Common Issues:
1. **Git hooks failing**:
```bash
# Reinstall hooks
./security/install_hooks.sh
```
2. **Scanner false positives**:
- Review patterns in `secrets_scanner.py`
- Add exceptions for legitimate uses
- Update pattern matching rules
3. **History cleanup failures**:
- Ensure clean working directory
- Create backup before attempting
- Check git permissions and status
---
## ⚠️ CRITICAL REMINDER
**The credentials found in this repository (`ROMFASTSOFT`, `Parola81`, `eli` and the `roa_oracle_server` private key) must be treated as compromised and regenerated immediately; rotation, not the history rewrite, is what contains the exposure. Perform the git history cleanup BEFORE any other development work: every commit added on top of the old history has to be rewritten as well, and each clone or fetch made in the meantime is another copy of the secrets that a later rewrite cannot recall.**
---
*Security implementation completed: 2025-08-03*
*Tools version: 1.0*
*Next security review: 2025-09-03*