Merge branch 'heimdall2.4.5' into 'development'

Initial Hardening of Heimdall2 using Heimdall 2.4.5 See merge request !14

Merge branch 'heimdall2.4.5' into 'development'
Initial Hardening of Heimdall2 using Heimdall 2.4.5 See merge request !14
f5a2694a · sean.melissari · 059e7de5 · 0135edef · f5a2694a · f5a2694a
Commit f5a2694a authored May 14, 2021 by sean.melissari
6 changed files
--- a/Dockerfile
+++ b/Dockerfile
+ARG BASE_REGISTRY=registry1.dso.mil
+ARG BASE_IMAGE=ironbank/opensource/nodejs/nodejs14
+ARG BASE_TAG=14.16.0
+FROM mitre/heimdall2:version-2.4.5 AS source
+FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+COPY yarn.tar.gz /
+WORKDIR /
+USER root
+RUN npm install -g yarn.tar.gz --force
+RUN groupadd -g 1002 heimdall && \
+  useradd -r -u 1002 -m -s /sbin/nologin -g heimdall heimdall && \
+  mkdir -p /heimdall/logs && \
+  mkdir -p /heimdall/file && \
+  mkdir -p /heimdall/config && \
+  chown -R heimdall:heimdall /heimdall
+WORKDIR /heimdall
+COPY --from=source /app .
+COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+USER heimdall
+HEALTHCHECK --interval=5m --timeout=30s --start-period=1m --retries=3 \
+  CMD curl -f http://locahost:3000/server || exit 1
+EXPOSE 3000
+CMD ["docker-entrypoint.sh"]
--- a/LICENSE
+++ b/LICENSE
+Licensed under the Apache-2.0 license.
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+- Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice.
+- Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution.
+- Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
--- a/README.md
+++ b/README.md
-# <application name>
+# MITRE Heimdall2
-Project template for all Iron Bank container repositories.
+Given that Heimdall requires at least a database service, we use Docker and Docker Compose to provide a simple deployment experience.
\ No newline at end of file
+#### Setup Docker Container (Clean Install)
+1. Install Docker
+2. Download and extract the most recent `docker-compose.yml` and `setup-docker-secrets.sh` from our [releases page](https://github.com/mitre/heimdall2/releases).
+3. Navigate to the base folder where `docker-compose.yml` is located
+4. Run the following commands in a terminal window from the Heimdall source directory. For more information on the .env file, visit [Environment Variables Configuration.](https://github.com/mitre/heimdall2/wiki/Environment-Variables-Configuration)
+   - ```bash
+     ./setup-docker-secrets.sh
+     # If you would like to further configure your Heimdall instance, edit the .env file generated after running the previous line
+     docker-compose up -d
+     ```
+6. Navigate to  [`http://127.0.0.1:3000`](http://127.0.0.1:3000).
+#### Running Docker Container
+Make sure you have run the setup steps at least once before following these steps!
+1. Run the following command in a terminal window: ``docker-compose up -d``
+2. Go to [`http://127.0.0.1:3000`](http://127.0.0.1:3000) in a web browser.
+#### Updating Docker Container
+A new version of the docker container can be retrieved by running:
+```bash
+docker-compose pull
+docker-compose up -d
+```
+This will fetch the latest version of the container, redeploy if a newer version exists, and then apply any database migrations if applicable. No data should be lost by this operation.
+#### Stopping the Container
+From the source directory you started from run:
+```bash
+docker-compose down
+```
--- a/hardening_manifest.yaml
+++ b/hardening_manifest.yaml
+---
+apiVersion: v1
+# The repository name in registry1, excluding /ironbank/
+name: "mitre/saf/heimdall2"
+# List of tags to push for the repository in registry1
+# The most specific version should be the first tag and will be shown
+# on ironbank.dso.mil
+tags:
+- "2.4.5"
+- "latest"
+# Build args passed to Dockerfile ARGs
+args:
+  BASE_IMAGE: "opensource/nodejs/nodejs14"
+  BASE_TAG: "14.16.0"
+# Docker image labels
+labels:
+  # Name of the image
+  org.opencontainers.image.title: "heimdall2"
+  # Human-readable description of the software packaged in the image
+  org.opencontainers.image.description: "MITRE Heimdall2 Enterprise Server"
+  # License(s) under which contained software is distributed
+  org.opencontainers.image.licenses: "Apache 2"
+  # URL to find more information on the image
+  org.opencontainers.image.url: "https://github.com/mitre/heimdall2"
+  # Name of the distributing entity, organization or individual
+  org.opencontainers.image.vendor: "MITRE"
+  # Authoritative version of the software
+  org.opencontainers.image.version: "2.4.5"
+  # Keywords to help with search (ex. "cicd,gitops,golang")
+  mil.dso.ironbank.image.keywords: "saf"
+  # This value can be "opensource" or "commercial"
+  mil.dso.ironbank.image.type: "opensource"
+  # Product the image belongs to for grouping multiple images
+  mil.dso.ironbank.product.name: "Heimdall2"
+# List of resources to make available to the offline build context
+resources:
+  # Official source of Yarn
+  - filename: yarn.tar.gz
+    url: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz
+    validation:
+      type: sha256
+      value: 7e433d4a77e2c79e6a7ae4866782608a8e8bcad3ec6783580577c59538381a6e
+  # This is the official upstream docker image of Heimdall2
+  - tag: mitre/heimdall2:version-2.4.5
+    url: docker://docker.io/mitre/heimdall2@sha256:d7646e1630677ebae1025b66620f714368495783d0d0e11fe0a281afb0496790
+# List of project maintainers
+maintainers:
+- email: "rbclark@mitre.org"
+  # The name of the current container owner
+  name: "Robert Clark"
+  # The gitlab username of the current container owner
+  username: "rbclark"
--- a/renovate.json
+++ b/renovate.json
+{
+  "assignees": [
+    "@rbclark"
+  ],
+  "baseBranches": [
+    "development"
+  ],
+  "regexManagers": [{
+      "fileMatch": [
+        "^Dockerfile$"
+      ],
+      "matchStrings": [
+        "version=\"(?<currentValue>.*?)\""
+      ],
+      "depNameTemplate": "mitre/heimdall2",
+      "datasourceTemplate": "docker"
+    },
+    {
+      "fileMatch": [
+        "^hardening_manifest.yaml$"
+      ],
+      "matchStrings": [
+        "org\\.opencontainers\\.image\\.version:\\s+\"(?<currentValue>.+?)\""
+      ],
+      "depNameTemplate": "mitre/heimdall2",
+      "datasourceTemplate": "docker"
+    },
+    {
+      "fileMatch": [
+        "^hardening_manifest.yaml$"
+      ],
+      "matchStrings": [
+        "tags:\\s+-\\s+\"(?<currentValue>.+?)\""
+      ],
+      "depNameTemplate": "mitre/heimdall2",
+      "datasourceTemplate": "docker"
+    }
+  ]
+}
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
+#!/bin/sh
+set -e
+yarn backend sequelize-cli db:migrate
+yarn backend sequelize-cli db:seed:all
+yarn backend start