Upgrade Ruby and Rails versions, improve Docker and general repo maintenance

.dockerignore

@@ -0,0 +1,19 @@
+# Ignore root files that are not needed in docker image
+.github
+.jenkins
+.terraform
+.gitignore
+docker-compose.yml
+Dockerfile
+LICENSE.md
+README.md
+
+# Ignore directories that are not needed in docker image
+docs/
+tmp/
+log/*
+public/data/*
+
+# Ignore the dockerenv .env file during docker builds so that credentials are 
+# not accedentally built into container images.
+.env 

.env.example

@@ -0,0 +1,16 @@
+# Contrast Agent Authentication Keys
+# CONTRAST__API__URL=https://eval.contrastsecurity.com/Contrast
+# CONTRAST__API__API_KEY=XXXXXX
+# CONTRAST__API__SERVICE_KEY=XXXXXX
+# CONTRAST__API__USER_NAME=XXXXXX
+
+# Override the default application name and code set in config/contrast_security.yml
+# CONTRAST__APPLICATION__NAME=OWASP RailsGoat
+# CONTRAST__APPLICATION__CODE=demo-railsgoat
+
+# Override the default server name and environment set in config/contrast_security.yml
+# CONTRAST__SERVER__NAME=railsgoat-docker
+# CONTRAST__SERVER__ENVIRONMENT=development
+
+# See https://docs.contrastsecurity.com/user-vulnerableapps.html#session
+# CONTRAST__APPLICATION__SESSION_METADATA=""

.gitignore

@@ -1,5 +1,4 @@
 /.bundle
-/bin
 /db/*.sqlite3
 /log/*.log
 /tmp
@@ -14,4 +13,8 @@ coverage
 /vendor/ruby
 run.sh
 test.sh
-contrast_security.yaml
+
+.env
+**/contrast_security.[yaml, yml]
+contrast_connection.json
+contrast.log

Jenkinsfile → .jenkins/Jenkinsfile

@@ -3,30 +3,33 @@ pipeline {
     tools {
         terraform 'terraform'
     }
+    environment {
+        terraformDir = '.terraform'
+    }
 
     stages {
         stage('dependencies') {
             steps {
-                script {
-                    withCredentials([file(credentialsId: env.contrast_yaml, variable: 'path')]) {
-                        def contents = readFile(env.path)
-                        writeFile file: 'contrast_security.yaml', text: "$contents"
+                dir("$terraformDir") {
+                    script {
+                        withCredentials([file(credentialsId: env.contrast_yaml, variable: 'path')]) {
+                            def contents = readFile(env.path)
+                            writeFile file: 'contrast_security.yaml', text: "$contents"
+                        }
                     }
+                    sh '''
+                    terraform init -upgrade
+                    '''
                 }
-                sh '''
-                terraform init -upgrade
-                '''
             }
         }
         stage('provision') {
             steps {
-                script {
-                    env.GIT_SHORT_COMMIT = checkout(scm).GIT_COMMIT.take(7)
-                    env.GIT_BRANCH = checkout(scm).GIT_BRANCH
-
-                    withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
-                        try {
-                            sh """
+                dir("$terraformDir") {
+                    script {
+                        withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
+                            try {
+                                sh """
                             export ARM_CLIENT_ID=$AZURE_CLIENT_ID
                             export ARM_CLIENT_SECRET=$AZURE_CLIENT_SECRET
                             export ARM_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID
@@ -36,14 +39,15 @@ pipeline {
                                 -var 'initials=$initials' \
                                 -var 'environment=qa' \
                                 -var 'servername=jenkins' \
-                                -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_SHORT_COMMIT},version=1.0' \
+                                -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_COMMIT},version=1.0' \
                                 -var 'run_automated_tests=true'
                             """
                         } catch (Exception e) {
-                            echo "Terraform refresh failed, deleting state"
-                            sh "rm -rf terraform.tfstate"
-                            currentBuild.result = "FAILURE"
-                            error("Aborting the build.")
+                                echo 'Terraform refresh failed, deleting state'
+                                sh 'rm -rf terraform.tfstate'
+                                currentBuild.result = 'FAILURE'
+                                error('Aborting the build.')
+                            }
                         }
                     }
                 }
@@ -56,13 +60,11 @@ pipeline {
         }
         stage('provision - dev') {
             steps {
-                script {
-                    env.GIT_SHORT_COMMIT = checkout(scm).GIT_COMMIT.take(7)
-                    env.GIT_BRANCH = checkout(scm).GIT_BRANCH
-
-                    withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
-                        try {
-                            sh """
+                dir("$terraformDir") {
+                    script {
+                        withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
+                            try {
+                                sh """
                             export ARM_CLIENT_ID=$AZURE_CLIENT_ID
                             export ARM_CLIENT_SECRET=$AZURE_CLIENT_SECRET
                             export ARM_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID
@@ -72,14 +74,15 @@ pipeline {
                                 -var 'initials=$initials' \
                                 -var 'environment=development' \
                                 -var 'servername=Macbook-Pro' \
-                                -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_SHORT_COMMIT},version=1.0' \
+                                -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_COMMIT},version=1.0' \
                                 -var 'run_automated_tests=true'
                             """
                         } catch (Exception e) {
-                            echo "Terraform refresh failed, deleting state"
-                            sh "rm -rf terraform.tfstate"
-                            currentBuild.result = "FAILURE"
-                            error("Aborting the build.")
+                                echo 'Terraform refresh failed, deleting state'
+                                sh 'rm -rf terraform.tfstate'
+                                currentBuild.result = 'FAILURE'
+                                error('Aborting the build.')
+                            }
                         }
                     }
                 }
@@ -92,25 +95,24 @@ pipeline {
         }
         stage('provision - prod') {
             steps {
-                script {
-                    env.GIT_SHORT_COMMIT = checkout(scm).GIT_COMMIT.take(7)
-                    env.GIT_BRANCH = checkout(scm).GIT_BRANCH
-
-                    withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
-                        try {
-                            sh """
+                dir("$terraformDir") {
+                    script {
+                        withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
+                            try {
+                                sh """
                             export ARM_CLIENT_ID=$AZURE_CLIENT_ID
                             export ARM_CLIENT_SECRET=$AZURE_CLIENT_SECRET
                             export ARM_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID
                             export ARM_TENANT_ID=$AZURE_TENANT_ID
 
-                            terraform apply -auto-approve -var 'location=$location' -var 'initials=$initials' -var 'environment=production' -var 'servername=Prod-01' -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_SHORT_COMMIT},version=1.0' -var 'run_automated_tests=true'
+                            terraform apply -auto-approve -var 'location=$location' -var 'initials=$initials' -var 'environment=production' -var 'servername=Prod-01' -var 'session_metadata=branchName=${env.GIT_BRANCH},buildNumber=${BUILD_NUMBER},commitHash=${env.GIT_COMMIT},version=1.0' -var 'run_automated_tests=true'
                             """
                         } catch (Exception e) {
-                            echo "Terraform refresh failed, deleting state"
-                            sh "rm -rf terraform.tfstate"
-                            currentBuild.result = "FAILURE"
-                            error("Aborting the build.")
+                                echo 'Terraform refresh failed, deleting state'
+                                sh 'rm -rf terraform.tfstate'
+                                currentBuild.result = 'FAILURE'
+                                error('Aborting the build.')
+                            }
                         }
                     }
                 }
@@ -123,15 +125,17 @@ pipeline {
         }
         stage('destroy') {
             steps {
-                withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
-                    sh """
+                dir("$terraformDir") {
+                    withCredentials([azureServicePrincipal('ContrastAzureSponsored')]) {
+                        sh """
                     export ARM_CLIENT_ID=\$AZURE_CLIENT_ID
                     export ARM_CLIENT_SECRET=\$AZURE_CLIENT_SECRET
                     export ARM_SUBSCRIPTION_ID=\$AZURE_SUBSCRIPTION_ID
                     export ARM_TENANT_ID=\$AZURE_TENANT_ID
                     terraform destroy --auto-approve \
                         -var 'location=$location'
                     """
+                    }
                 }
             }
         }

.ruby-version

@@ -1 +1 @@
-2.6.2
+3.1.4

main.tf → .terraform/main.tf

@@ -11,7 +11,7 @@ data "external" "yaml" {
 
 #Set up a personal resource group for the SE local to them
 resource "azurerm_resource_group" "personal" {
-  name     = "Sales-Engineer-${var.initials}"
+  name     = "Sales-Engineer-Jenkins-${var.initials}"
   location = var.location
 }
 
@@ -26,7 +26,7 @@ resource "azurerm_container_group" "app" {
 
   container {
     name   = "web"
-    image  = "contrastsecuritydemo/railsgoat:1.0"
+    image  = "contrastsecuritydemo/railsgoat:6.1.7"
     cpu    = "1"
     memory = "1.5"
     ports {

.terraform/parseyaml.py

@@ -0,0 +1,4 @@
+import yaml, json
+with open('../contrast_security.yaml') as f:
+    config = yaml.safe_load(f)
+    print(json.dumps(config['api']))

Dockerfile

@@ -1,68 +1,73 @@
-# TODO: change to slim or alpine
-FROM ruby:2.6.2
+# Multistage docker build which first builds and bundles all Ruby gems before 
+# creating build targets for the development and production images. 
 
-ARG username
-ARG service_key
+# Default Ruby version for this project.
+ARG RUBY_VERSION=3.1.4
 
-# Add build and runtime dependencies
-# TODO: separate build & runtime and purge build dependencies at the end
-RUN apt-get update -qq && apt-get install -y build-essential libpq-dev nodejs
+# BASE STAGE
+# Create a base ruby-alpine stage with common configuration
+# that can be used in all other stages.
+FROM ruby:$RUBY_VERSION-alpine as ruby-alpine
 
-# Install phantomjs dependencies
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-        ca-certificates \
-        bzip2 \
-        libfontconfig \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+# Set environment variables to be shared across all stages.
+ENV GEM_HOME=/usr/local/bundle
+ENV BUNDLE_PATH=$GEM_HOME
+ENV BUNDLE_APP_CONFIG=$BUNDLE_PATH
+ENV RAILS_ENV development
+ENV RACK_ENV development
 
-# Install phantomjs & clean up
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-        curl \
-    && mkdir /tmp/phantomjs \
-    && curl -L https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-x86_64.tar.bz2 \
-           | tar -xj --strip-components=1 -C /tmp/phantomjs \
-    && cd /tmp/phantomjs \
-    && mv bin/phantomjs /usr/local/bin \
-    && cd \
-    && apt-get purge --auto-remove -y \
-        curl \
-    && apt-get clean \
-    && rm -rf /tmp/* /var/lib/apt/lists/*
+# Add basic packages that are shared across all stages
+RUN apk add --no-cache \
+    nodejs \
+    tzdata
 
-# Build and package the app
-RUN mkdir /myapp
-WORKDIR /myapp
-ADD Gemfile /myapp/Gemfile
-ADD Gemfile.lock /myapp/Gemfile.lock
+# BUILDER STAGE
+# Build all gems and dependencies in a builder stage, 
+# whch can then be copied to other stages.
+FROM ruby-alpine as builder
 
-# Add Contrast agent
-RUN bundle add contrast-agent
+# Add packages for required for building
+RUN apk add --no-cache \
+    autoconf \
+    build-base \
+    libpq-dev \
+    mariadb-dev
 
-RUN bundle install
+# Set the working directory for the app. 
+WORKDIR /app                          
 
-ADD ./app /myapp/app
-ADD ./config /myapp/config
-ADD ./db /myapp/db
-ADD ./doc /myapp/doc
-ADD ./lib /myapp/lib
-ADD ./log /myapp/log
-ADD ./public /myapp/public
-ADD ./script /myapp/script
-ADD ./spec /myapp/spec
-RUN mkdir /myapp/tmp
-ADD ./vendor /myapp/vendor
-ADD ./config.ru /myapp/config.ru
-ADD ./entrypoint.sh /myapp/entrypoint.sh
-ADD ./Rakefile /myapp/Rakefile
+# Copy the Gemfile and Gemfile.lock files to the current directory.
+COPY Gemfile* .
 
-#Setup the database
-RUN rails db:setup
+# Install gems and remove any unnecessary build artifacts. 
+RUN bundle config force_ruby_platform true \
+    && bundle install --jobs 4 --retry 3 \ 
+    && rm -rf $BUNDLE_PATH/cache/*.gem \
+    && rm -rf $BUNDLE_PATH/ruby/*/cache
 
-# Make port 3000 available
+# RUNNER STAGE 
+# Copy the needed gems and dependenies from the builder stage to 
+# create the final minimal image for running the app.
+FROM ruby-alpine as runner
+
+# Add packages required for running the app
+RUN apk add --no-cache \
+    chromium \
+    chromium-chromedriver \
+    libpq \
+    mariadb
+
+# Set the working directory for the app.
+WORKDIR /app
+
+# Copy the bundle directory from the "builder" image 
+# and copy all other files to the current directory. 
+COPY --from=builder $BUNDLE_PATH $BUNDLE_PATH
+COPY . . 
+
+# Expose port 3000 for the application.
 EXPOSE 3000
 
-# Start the app server
-ENTRYPOINT [ "/bin/bash", "-c", "/myapp/entrypoint.sh"]
+# Run the command to start the Rails server.
+ENTRYPOINT ["/bin/sh"]
+CMD ["/app/entrypoint.sh"]