Modern ERP Reports Application with microservices architecture

Tech Stack:
- Backend: FastAPI + python-oracledb (Oracle DB integration)
- Frontend: Vue.js 3 + PrimeVue + Vite
- Telegram Bot: python-telegram-bot + SQLite
- Infrastructure: Shared database pool, JWT authentication, SSH tunnel

Features:
- FastAPI backend with async Oracle connection pool
- Vue.js 3 responsive frontend with PrimeVue components
- Telegram bot alternative interface
- Microservices architecture with shared components
- Complete deployment support (Linux Docker + Windows IIS)
- Comprehensive testing (Playwright E2E + pytest)

Repository Structure:
- reports-app/ - Main application (backend, frontend, telegram-bot)
- shared/ - Shared components (database pool, auth, utils)
- deployment/ - Deployment scripts (Linux & Windows)
- docs/ - Project documentation
- security/ - Security scanning and git hooks
277 lines
7.3 KiB
Markdown
# 🔒 ROA2WEB Security Audit Implementation

## 📋 Overview

This directory contains the security tooling for the ROA2WEB project, implemented in response to the critical findings in `SECURITY_AUDIT_CONTEXT.md`. The tools address the secrets discovered in git history and provide ongoing protection against future leaks.

## 🚨 Critical Issues Addressed

### Secrets Found in Repository:

- **Oracle Password**: `ROMFASTSOFT` (in multiple .env files)
- **User Passwords**: `{"marius": "Parola81", "eli": "eli"}`
- **SSH Private Key**: `roa_oracle_server`
- **Environment Files**: Multiple .env files with production credentials

## 🛠️ Security Tools Implemented

### 1. 🔍 `secrets_scanner.py`

Secrets detection tool based on pattern scanning.

**Features:**

- Scans current files for secrets and credentials
- Optional git history scanning
- Pattern-based detection with high accuracy
- JSON report generation
- Ready for CI/CD integration

**Usage:**

```bash
# Basic scan
python security/secrets_scanner.py

# Scan with git history (slow but thorough)
python security/secrets_scanner.py --scan-git-history

# Save detailed report
python security/secrets_scanner.py --save-report security_report.json
```

### 2. 🧹 `git_cleanup.py`

Git history cleanup tool for removing secrets from repository history.

**Features:**

- Complete repository backup before cleanup
- Removes sensitive files from git history
- Replaces secret patterns in commits
- Verifies that the cleanup completed
- Detailed logging of all actions

**Usage:**

```bash
# Create backup only
python security/git_cleanup.py --backup

# Scan for secrets in history
python security/git_cleanup.py --scan

# Run complete cleanup (DANGEROUS - rewrites history)
python security/git_cleanup.py --cleanup

# Force cleanup without prompts
python security/git_cleanup.py --cleanup --force
```

### 3. 🪝 Git Hooks

Pre-commit and commit-msg hooks that stop secrets from being committed in the future.

**Installation:**

```bash
# Install all security hooks
./security/install_hooks.sh
```

**Features:**

- **pre-commit**: Scans staged files for secrets before the commit is created
- **commit-msg**: Validates commit messages for suspicious keywords
- Blocks commits containing credentials
- Provides actionable remediation guidance

### 4. 🛡️ Enhanced .gitignore

Comprehensive patterns to prevent committing sensitive files.

**Added Protections:**

- All environment files (except .example)
- SSH keys and certificates
- Secrets and credentials files
- Database connection files
- Production configurations
- Development tool caches

## 📊 Security Scanning Patterns

### Critical Patterns Detected:

- `ORACLE_PASSWORD=*`
- `VALID_USERS=*`
- SSH private key headers
- AWS access keys
- Bearer tokens
- Generic password patterns
- Connection strings

### Suspicious File Patterns:

- `*.env` (except .example)
- `*_rsa`, `*.key`, `*.pem`
- `*secret*`, `*credential*`, `*password*`
- `config.prod.*`
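As an added illustration (not the project's own `secrets_scanner.py` or hook code), the Python below shows how the content patterns listed above and the suspicious-file globs combine into the pre-commit check the Git Hooks section describes: staged files are pulled from the index and blocked when either their name or their content matches. The regexes, the `ALLOWLIST` entry and the helper names are assumptions of this example.

```python
import re
import subprocess
from fnmatch import fnmatch

# Regexes for the categories under "Critical Patterns Detected"; constructed for this example,
# not the project's own rules. Placeholder values such as ${VAR} or <set-me> are ignored.
SECRET_PATTERNS = {
    "oracle_password": re.compile(r"^[ \t]*ORACLE_PASSWORD\s*=\s*(?!\$\{|<)\S+", re.M),
    "valid_users": re.compile(r"^[ \t]*VALID_USERS\s*=\s*\S+", re.M),
    "ssh_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "generic_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?(?!\$\{|<)[^\s'\"]{4,}"),
    "connection_string": re.compile(r"(?i)\b[a-z][a-z0-9+]*://[^/\s:]+:[^@\s]+@"),
}
# Globs from "Suspicious File Patterns"; *.example templates are exempt in suspicious_filename().
SUSPICIOUS_FILES = ["*.env", "*_rsa", "*.key", "*.pem", "*secret*", "*credential*", "*password*", "config.prod.*"]
ALLOWLIST = {"security/secrets_scanner.py"}  # its own name matches *secret*: a known false positive

def suspicious_filename(path):
    name = path.rsplit("/", 1)[-1].lower()
    return not name.endswith(".example") and any(fnmatch(name, g) for g in SUSPICIOUS_FILES)

def scan_text(text, source="<text>"):
    """Sorted (source, line_no, pattern_name) hits; the matched secret itself is never echoed."""
    hits = set()
    for name, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(text):
            hits.add((source, text.count("\n", 0, m.start()) + 1, name))
    return sorted(hits)

def staged_files():
    """(path, staged content) pairs for files added/copied/modified in the index; requires git."""
    names = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
                           capture_output=True, text=True, check=True).stdout.split()
    return [(p, subprocess.run(["git", "show", f":{p}"], capture_output=True, text=True).stdout)
            for p in names]

def check_commit(files):
    # Pre-commit decision over (path, content) pairs: True lets the commit proceed.
    ok = True
    for path, content in files:
        if path in ALLOWLIST:
            continue
        if suspicious_filename(path):
            print(f"BLOCKED {path}: filename matches a sensitive-file pattern")
            ok = False
        for _, line_no, name in scan_text(content, path):
            print(f"BLOCKED {path}:{line_no}: {name} pattern matched")
            ok = False
    return ok
```

A `.git/hooks/pre-commit` wrapper only needs to exit non-zero when `check_commit(staged_files())` returns False; running `scan_text` over the output of `git log -p --all` gives an independent check that a history rewrite really removed the patterns.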

## 🚀 Quick Start Guide

### 1. Immediate Security Scan

```bash
# Run comprehensive security scan
python security/secrets_scanner.py --save-report current_security_status.json
```

### 2. Install Git Hooks

```bash
# Prevent future secrets commits
./security/install_hooks.sh
```

### 3. (CRITICAL) Git History Cleanup

⚠️ **WARNING**: This rewrites git history. Coordinate with your team first!

```bash
# 1. Create backup
python security/git_cleanup.py --backup

# 2. Scan for secrets in history
python security/git_cleanup.py --scan

# 3. Run cleanup (after team coordination)
python security/git_cleanup.py --cleanup
```

### 4. Regenerate Compromised Credentials

🔑 **MANDATORY**: All exposed credentials must be regenerated:

- Oracle password: `ROMFASTSOFT`
- User passwords: `Parola81`, `eli`
- SSH key: `roa_oracle_server`

Rotation does not depend on the history rewrite succeeding: every clone, fork and CI cache taken before the cleanup still contains the old values, so treat them as compromised either way.

## 📋 Security Checklist

### ✅ Immediate Actions (DONE):

- [x] Enhanced root .gitignore with security patterns
- [x] Implemented secrets scanner tool
- [x] Created git history cleanup tools
- [x] Installed git hooks for prevention
- [x] Documented security procedures

### 🔧 Required Actions (TODO):

- [ ] **CRITICAL**: Regenerate Oracle password (`ROMFASTSOFT`)
- [ ] **CRITICAL**: Regenerate user passwords (`Parola81`, `eli`)
- [ ] **CRITICAL**: Regenerate SSH key (`roa_oracle_server`)
- [ ] Run git history cleanup (`git_cleanup.py --cleanup`)
- [ ] Force push cleaned history to all remotes
- [ ] Notify team to re-clone repository
- [ ] Update production environment with new credentials

### 🔒 Ongoing Security:

- [ ] Regular security scans in CI/CD pipeline
- [ ] Quarterly security audits
- [ ] Team training on secrets management
- [ ] Implement proper secrets management system

## 🏗️ CI/CD Integration

### GitHub Actions Example:

```yaml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Security Scan
        run: python security/secrets_scanner.py
```

`actions/checkout` makes a shallow clone by default; set `fetch-depth: 0` under `with:` on the checkout step if the job should also run `--scan-git-history`.

### Pre-commit Hook Integration:

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: secrets-scan
        name: Secrets Scanner
        entry: python security/secrets_scanner.py
        language: system
        pass_filenames: false
```

With `pass_filenames: false` the hook does not receive the list of staged files; the scanner decides itself which files it examines.

## 🆘 Emergency Response

### If Secrets Are Accidentally Committed:

1. **IMMEDIATE**:

   ```bash
   # Run emergency scan
   python security/secrets_scanner.py --scan-git-history
   ```

2. **URGENT**:

   ```bash
   # Regenerate exposed credentials immediately
   # Update production systems
   ```

3. **CLEANUP**:

   ```bash
   # Clean git history
   python security/git_cleanup.py --cleanup --force
   ```

## 📞 Support and Reporting

### Security Issues:

- Report immediately to the security team
- Use encrypted communication for sensitive details
- Follow incident response procedures

### Tool Issues:

- Check logs in the security/ directory
- Review tool documentation
- Test in a safe environment first

## 📚 Best Practices

### 1. Secrets Management:

- Use environment variables for all secrets
- Implement proper secrets management (Vault, AWS Secrets Manager)
- Never hardcode credentials in source code
- Use `.env.example` for configuration templates

### 2. Git Practices:

- Always run the security scan before committing
- Use meaningful commit messages
- Review changes before staging
- Keep git history clean and professional

### 3. Development Workflow:

- Use separate credentials for development/testing
- Rotate credentials regularly
- Monitor for credential exposure
- Train the team on security practices

## 🔧 Troubleshooting

### Common Issues:

1. **Git hooks failing**:

   ```bash
   # Reinstall hooks
   ./security/install_hooks.sh
   ```

2. **Scanner false positives**:
   - Review patterns in `secrets_scanner.py`
   - Add exceptions for legitimate uses
   - Update pattern matching rules

3. **History cleanup failures**:
   - Ensure a clean working directory
   - Create a backup before attempting
   - Check git permissions and status

---

## ⚠️ CRITICAL REMINDER

**The credentials found in this repository (`ROMFASTSOFT`, `Parola81`) are potentially compromised and MUST be regenerated immediately. Git history cleanup should be performed BEFORE any other development work to prevent propagation to other repository clones.**

---

*Security implementation completed: 2025-08-03*

*Tools version: 1.0*

*Next security review: 2025-09-03*