Initial check in of Security Workshop (WMS8461) (#462)

* Adding +x to script, typos and remove verrazzano file

* Repo updates for OL

Changed repo for Oracle Linux to Oracle hosted repo

* Typo in Dockerfile

* Upgrading OKE and nodepool version to latest

Current version 1.21.5 doesn't deploy properly. Upgrading to latest version

* Updated README.md

Changed the bit.ly URL

* Initial check-in of sec workshop (#456)

Initial check-in of sec workshop (#456)

* Initial check in of Security Workshop (WMS8461)

Initial check in of Security Workshop (WMS8461)

* Initial check in of Security Workshop (WMS8461)

Author: andytael

workshops/dcms-ords-sec/.gitignore

@@ -0,0 +1,61 @@
+##############################################################################
+# Project Specific
+##############################################################################
+/.oci*
+/.venv
+/.vscode
+/backup
+/uploads/*.zip
+/.DS_Store
+
+##############################################################################
+# Terraform Generic
+##############################################################################
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# .terraform.lock.hcl (Controversial?)
+.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# Plan file
+*.out
+tfplan
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+# Generated bastion key file
+bastion_key
+terraform-env.sh
+.DS_store
+.DS_Store
+
+# Temp file for project
+slask
+temp-file 

workshops/dcms-ords-sec/apigw/APIORDS.postman_collection.json

@@ -0,0 +1,161 @@
+{
+	"info": {
+		"_postman_id": "fa10a948-7ee7-4439-bdc7-f09565d577da",
+		"name": "APIORDS",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+	},
+	"item": [
+		{
+			"name": "ORDS_OAuth20",
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "redirect_uri",
+							"value": "http://{{api_hostname}}/auth/code/example/",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "7843928792043222",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": false,
+							"type": "boolean"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://{{api_hostname}}/ords/ordstest/oauth/auth",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://{{api_hostname}}/ords/ordstest/oauth/token",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "{{client_secret}}",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "{{client_id}}",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "access_token",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://{{api_hostname}}/ords/ordstest/examples/employees/",
+					"protocol": "https",
+					"host": [
+						"{{api_hostname}}"
+					],
+					"path": [
+						"ords",
+						"ordstest",
+						"examples",
+						"employees",
+						""
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"auth": {
+		"type": "oauth2",
+		"oauth2": [
+			{
+				"key": "tokenName",
+				"value": "access_token",
+				"type": "string"
+			},
+			{
+				"key": "challengeAlgorithm",
+				"value": "S256",
+				"type": "string"
+			},
+			{
+				"key": "state",
+				"value": "3668D7A713E93372E0406A38A8C02171",
+				"type": "string"
+			},
+			{
+				"key": "redirect_uri",
+				"value": "https://{{api_hostname}}/v3/auth/code/example/",
+				"type": "string"
+			},
+			{
+				"key": "grant_type",
+				"value": "authorization_code",
+				"type": "string"
+			},
+			{
+				"key": "clientSecret",
+				"value": "{{client_secret}}",
+				"type": "string"
+			},
+			{
+				"key": "clientId",
+				"value": "{{client_id}}",
+				"type": "string"
+			},
+			{
+				"key": "authUrl",
+				"value": "https://{{api_hostname}}/app/ords/ordstest/oauth/auth",
+				"type": "string"
+			},
+			{
+				"key": "addTokenTo",
+				"value": "header",
+				"type": "string"
+			},
+			{
+				"key": "client_authentication",
+				"value": "header",
+				"type": "string"
+			},
+			{
+				"key": "accessTokenUrl",
+				"value": "https://{{api_hostname}}/ords/ordstest/oauth/token",
+				"type": "string"
+			}
+		]
+	},
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"type": "text/javascript",
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"type": "text/javascript",
+				"exec": [
+					""
+				]
+			}
+		}
+	]
+}

workshops/dcms-ords-sec/apigw/ENV_Empty.postman_environment.json

@@ -0,0 +1,24 @@
+{
+	"id": "9db04bf4-fdb5-41f0-aca4-eec79b8c37a5",
+	"name": "ORDSENV",
+	"values": [
+		{
+			"key": "client_id",
+			"value": "",
+			"enabled": true
+		},
+		{
+			"key": "api_hostname",
+			"value": "",
+			"enabled": true
+		},
+		{
+			"key": "client_secret",
+			"value": "",
+			"enabled": true
+		}
+	],
+	"_postman_variable_scope": "environment",
+	"_postman_exported_at": "2022-07-27T08:51:18.037Z",
+	"_postman_exported_using": "Postman/9.25.0"
+}

workshops/dcms-ords-sec/apigw/apigw-stress-script.js

@@ -0,0 +1,29 @@
+import { check } from 'k6';
+        import http from 'k6/http';
+        const params = {
+            headers: {
+              'Authorization': 'Bearer '+`${__ENV.TOKEN}`,
+            },
+          };
+        export const options = {
+            userAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36',
+        scenarios: {
+            constant_request_rate: {
+            executor: 'constant-arrival-rate',
+            rate: 400,
+            timeUnit: '1s', // 1000 iterations per second, i.e. 1000 RPS
+            duration: '1s',
+            preAllocatedVUs: 100, // how large the initial pool of VUs would be
+            maxVUs: 200, // if the preAllocatedVUs are not enough, we can initialize more
+            },
+        },
+        }
+        export default function () {
+        const res = http.get(`${__ENV.MY_HOSTNAME}`,params);
+            check(res, {
+                'is status 200': (r) => r.status === 200,
+                'is status 300': (r) => (r.status >= 300 && r.status < 400 ), 
+                'is status 400': (r) => (r.status >= 400 && r.status < 500 ) ,
+            });
+        }
+        

workshops/dcms-ords-sec/apigw/artillery.sh

@@ -0,0 +1,8 @@
+#TRIMMEDURL=${api_gw_base_url:8}
+TRIMMEDURL=${api_gw_base_url}
+echo $TRIMMEDURL
+sed "s/TOKEN/$ACCESS_TOKEN/" ./stress.yaml.temp &>./stress1.yaml
+sed "s/API_GW_BASE_URL/$TRIMMEDURL/" ./stress1.yaml &>./stress.yaml
+rm ./stress1.yaml
+docker run --rm -it -v ${PWD}:/scripts artilleryio/artillery:latest run /scripts/stress.yaml
+rm ./stress.yaml

workshops/dcms-ords-sec/apigw/k6.sh

@@ -0,0 +1,4 @@
+# Copyright © 2022, Oracle and/or its affiliates.
+# All rights reserved. The Universal Permissive License (UPL), Version 1.0 as shown at http://oss.oracle.com/licenses/upl
+
+k6 run -e MY_HOSTNAME=${api_gw_base_url}/ords/ordstest/examples/employees/ -e TOKEN=$1 ./apigw-stress-script.js --insecure-skip-tls-verify

workshops/dcms-ords-sec/apigw/sec_rules_apigw.json

@@ -0,0 +1,53 @@
+{
+  "securityRules": [
+    {
+      "description": null,
+      "destination": null,
+      "destinationType": null,
+      "direction": "INGRESS",
+      "icmpOptions": null,
+      "isStateless": false,
+      "protocol": "6",
+      "source": "0.0.0.0/0",
+      "sourceType": "CIDR_BLOCK",
+      "tcpOptions": {
+        "destinationPortRange": {
+          "max": 443,
+          "min": 443
+        }
+      },
+      "udpOptions":null
+    },
+    {
+      "description": null,
+      "destination": null,
+      "destinationType": null,
+      "direction": "INGRESS",
+      "icmpOptions": null,
+      "isStateless": false,
+      "protocol": "6",
+      "source": "0.0.0.0/0",
+      "sourceType": "CIDR_BLOCK",
+      "tcpOptions": {
+        "destinationPortRange": {
+          "max": 80,
+          "min": 80
+        }
+      },
+      "udpOptions":null
+    }, 
+    {
+      "description": null,
+      "destination": "0.0.0.0/0",
+      "destinationType": "CIDR_BLOCK",
+      "direction": "EGRESS",
+      "icmpOptions": null,
+      "isStateless": false,
+      "protocol": "6",
+      "source": null,
+      "sourceType":null,
+      "tcpOptions": null,
+      "udpOptions":null
+    }
+  ]
+}