initial commit - things are kinda working

.dockerignore

@@ -0,0 +1,2 @@
+bin\
+obj\

.gitignore

@@ -0,0 +1,38 @@
+*.swp
+*.*~
+project.lock.json
+.DS_Store
+*.pyc
+nupkg/
+
+# Visual Studio Code
+.vscode/*
+
+# User-specific files
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+build/
+bld/
+[Bb]in/
+[Oo]bj/
+msbuild.log
+msbuild.err
+msbuild.wrn
+
+# Visual Studio 2015
+.vs/
+
+# Security tests
+zap/
+.idea/
+job/

Dockerfile

@@ -0,0 +1,18 @@
+FROM microsoft/dotnet:2.0-sdk-stretch AS build-env
+WORKDIR /app
+
+# Copy csproj and restore as distinct layers
+COPY ./src/Hamuste.csproj ./
+RUN dotnet restore && \
+    dotnet add package ILLink.Tasks -v 0.1.4-preview-981901 -s https://dotnet.myget.org/F/dotnet-core/api/v3/index.json
+
+# Copy everything else and build
+COPY ./src ./
+RUN dotnet publish -c Release -o out -r linux-x64
+
+# Build runtime image
+FROM microsoft/dotnet:2.0-runtime-deps
+WORKDIR /app
+ENV ASPNETCORE_URLS=http://+:9999
+COPY --from=build-env /app/out ./
+ENTRYPOINT ["./Hamuste"]

Hamuste.sln

@@ -0,0 +1,82 @@
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 15
+VisualStudioVersion = 15.0.27130.2036
+MinimumVisualStudioVersion = 15.0.26124.0
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{2287ECAC-2742-40EC-B10A-8F170FF21D88}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "blackbox", "tests\blackbox\blackbox.csproj", "{79685D5E-398E-4261-96CF-71DAAA8D4FC0}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "unit", "tests\unit\unit.csproj", "{3F737829-7340-49FA-893D-4845C5F882AD}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "HamusteApi", "src\Hamuste.csproj", "{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Any CPU = Debug|Any CPU
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|Any CPU = Release|Any CPU
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|x64.Build.0 = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Debug|x86.Build.0 = Debug|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|Any CPU.Build.0 = Release|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|x64.ActiveCfg = Release|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|x64.Build.0 = Release|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|x86.ActiveCfg = Release|Any CPU
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0}.Release|x86.Build.0 = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|x64.Build.0 = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Debug|x86.Build.0 = Debug|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|Any CPU.Build.0 = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|x64.ActiveCfg = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|x64.Build.0 = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|x86.ActiveCfg = Release|Any CPU
+		{3F737829-7340-49FA-893D-4845C5F882AD}.Release|x86.Build.0 = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|x64.Build.0 = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Debug|x86.Build.0 = Debug|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|x64.ActiveCfg = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|x64.Build.0 = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|x86.ActiveCfg = Release|Any CPU
+		{A12BBF7B-19E2-43CD-B230-DC6D4CABAAC1}.Release|x86.Build.0 = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|x64.Build.0 = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Debug|x86.Build.0 = Debug|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|Any CPU.Build.0 = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|x64.ActiveCfg = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|x64.Build.0 = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|x86.ActiveCfg = Release|Any CPU
+		{69DA0977-029E-42E6-B96C-7615A1055EE9}.Release|x86.Build.0 = Release|Any CPU
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{79685D5E-398E-4261-96CF-71DAAA8D4FC0} = {2287ECAC-2742-40EC-B10A-8F170FF21D88}
+		{3F737829-7340-49FA-893D-4845C5F882AD} = {2287ECAC-2742-40EC-B10A-8F170FF21D88}
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {FF1D8414-E218-43E4-89A5-33BE1E5E88F0}
+	EndGlobalSection
+EndGlobal

scripts/run_security_tests.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+api_file="docker-compose.ci.yaml"
+
+if [[ -z $IMAGE_TAG ]];
+then
+    api_file="docker-compose.local.yaml"
+fi
+
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml pull --parallel
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml run --rm glue bash /app/run_glue.sh http://api blackbox /output/glue.json

scripts/run_test.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+
+# Abort script on error
+set -e
+
+function run_tests()
+{
+  dotnet test ./tests/blackbox/blackbox.csproj
+}
+
+if [ -z "$PROXY_URL" ]
+then
+  echo PROXY_URL is not set, not running security checks
+  run_tests
+else
+  ls -la
+  ZAP_URL=$(echo $PROXY_URL | sed -e 's/https\?:\/\///')
+  ./wait-for-it.sh $ZAP_URL -t 300
+  echo "ZAP is ready"
+
+  curl -s --fail $PROXY_URL/JSON/core/action/newSession
+  curl -s --fail $PROXY_URL/JSON/pscan/action/enableAllScanners
+  curl -s --fail $PROXY_URL/JSON/core/action/clearExcludedFromProxy
+
+  # Add the rules you wish to ignore on this line, after the ids query param.
+  curl -s --fail $PROXY_URL/JSON/pscan/action/disableScanners/?ids=10049,10021
+
+  # Add the URLs you wish to ignore on this line, after the regex query param - regex supported.
+  # curl -s --fail $PROXY_URL/JSON/core/action/excludeFromProxy/?regex=
+
+  run_tests
+
+  echo "waiting for ZAP to finish scanning"
+
+  while [ "$(curl --fail $PROXY_URL/JSON/pscan/view/recordsToScan 2> /dev/null | jq '.recordsToScan')" != '"0"' ]; do sleep 1; done
+
+  if [ "$(curl --fail $PROXY_URL/JSON/core/view/urls/?zapapiformat=JSON\&formMethod=GET\&baseurl= 2> /dev/null | jq '.urls | length' > 0)" == '"0"' ]; 
+  then 
+    echo "No URL was accessed by ZAP"
+    exit -55
+  fi
+
+  curl -s --fail $PROXY_URL/JSON/core/action/saveSession/?name=blackbox\&overwrite=true > /dev/null
+
+  echo "ZAP scan completed"
+fi

scripts/run_tests.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+api_file="docker-compose.ci.yaml"
+
+if [[ -z $IMAGE_TAG ]];
+then
+    api_file="docker-compose.local.yaml"
+fi
+
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml pull --parallel
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml up --build --exit-code-from black-box --abort-on-container-exit

scripts/teardown_security_tests.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+
+api_file="docker-compose.ci.yaml"
+
+if [[ -z $IMAGE_TAG ]];
+then
+    api_file="docker-compose.local.yaml"
+fi
+
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml down

scripts/teardown_tests.sh

@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+
+api_file="docker-compose.ci.yaml"
+
+if [[ -z $IMAGE_TAG ]];
+then
+    api_file="docker-compose.local.yaml"
+fi
+
+docker-compose -f tests/blackbox/compose/docker-compose.yaml -f tests/blackbox/compose/$api_file -f tests/blackbox/compose/docker-compose.security.yaml down

src/Controllers/EncryptController.cs

@@ -0,0 +1,97 @@
+using System;
+using System.Net;
+using System.Text;
+using System.Threading.Tasks;
+using Hamuste.Models;
+using k8s;
+using k8s.Models;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.KeyVault;
+using Microsoft.Azure.KeyVault.Models;
+using Microsoft.Rest;
+
+namespace Hamuste.Controllers
+{
+
+    public class EncryptController : Controller
+    {
+        private readonly IKubernetes mKubernetes;
+        private readonly IKeyVaultClient mKeyVaultClient;
+        private readonly IAuthorizationService mAuthorizationService;
+
+        public EncryptController(
+            IKubernetes kubernetes, 
+            IKeyVaultClient keyVaultClient,
+            IAuthorizationService authorizationService)
+        {
+            mKubernetes = kubernetes;
+            mKeyVaultClient = keyVaultClient;
+            mAuthorizationService = authorizationService;
+        }
+
+        [HttpPost]
+        [Route("api/v1/encrypt")]
+        public async Task<ActionResult> Encrypt([FromBody]EncryptRequest body)
+        {
+            V1ServiceAccount serviceAccount;
+
+            try
+            {
+                serviceAccount = await mKubernetes.ReadNamespacedServiceAccountAsync(body.SerivceAccountName, body.NamesapceName, true);
+            }
+            catch (HttpOperationException e) when (e.Response.StatusCode == HttpStatusCode.NotFound) {
+                return BadRequest();
+            }
+            catch (Exception)
+            {
+                return StatusCode(500);
+            }
+
+            var keyId = $"https://k8spoc.vault.azure.net/keys/{serviceAccount.Metadata.Uid}";
+
+            try
+            {
+                var key = await mKeyVaultClient.GetKeyAsync(keyId);
+            }catch (KeyVaultErrorException e) when (e.Response.StatusCode == HttpStatusCode.NotFound){
+                await mKeyVaultClient.CreateKeyAsync("https://k8spoc.vault.azure.net", serviceAccount.Metadata.Uid, "RSA", 2048);
+            }
+            var encryptionResult = await mKeyVaultClient.EncryptAsync(keyId, "RSA-OAEP", Encoding.UTF8.GetBytes(body.Data));
+
+            return Content(Convert.ToBase64String(encryptionResult.Result));
+        }
+
+        [HttpPost]
+        [Route("api/v1/decrypt")]
+        [Authorize(AuthenticationSchemes = "kubernetes")]
+        public async Task<ActionResult> Decrypt([FromBody]DecryptRequest body)
+        {
+            V1ServiceAccount serviceAccount;
+
+            try
+            {
+                serviceAccount = await mKubernetes.ReadNamespacedServiceAccountAsync(body.SerivceAccountName, body.NamesapceName, true);
+            }
+            catch (HttpOperationException e) when (e.Response.StatusCode == HttpStatusCode.NotFound)
+            {
+                return BadRequest();
+            }
+            catch (Exception)
+            {
+                return StatusCode(500);
+            }
+
+            var authorizatioResult = await mAuthorizationService.AuthorizeAsync(User, serviceAccount.Metadata.Uid, "KubernetesPolicy");
+
+            if (!authorizatioResult.Succeeded) {
+                return StatusCode(403);
+            }
+
+            var keyId = $"https://k8spoc.vault.azure.net/keys/{serviceAccount.Metadata.Uid}";
+
+            var encryptionResult = await mKeyVaultClient.DecryptAsync(keyId, "RSA-OAEP", Convert.FromBase64String(body.EncryptedData));
+
+            return Content(Encoding.UTF8.GetString(encryptionResult.Result));
+        }
+    }
+}

src/Controllers/MonitoringController.cs

@@ -0,0 +1,26 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Microsoft.AspNetCore.Authorization;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Hamuste.Controllers
+{
+    public class MonitoringController
+    {
+        [HttpGet]
+        [Route("api/v1/isAlive")]
+        public bool IsAlive()
+        {
+            return true;
+        }
+
+        [HttpGet]
+        [Route("")]
+        public string Welcome()
+        {
+            return "welcome";
+        }
+    }
+}