Skip to content

ZAP scanning DocSpace ver: 3.0.0.4254 from branch: release/v3.0.0 #368

ZAP scanning DocSpace ver: 3.0.0.4254 from branch: release/v3.0.0

ZAP scanning DocSpace ver: 3.0.0.4254 from branch: release/v3.0.0 #368

Workflow file for this run

---
name: Scanning DocSpace with ZAP
run-name: >
ZAP scanning DocSpace ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
on:
workflow_dispatch:
inputs:
branch:
description: 'Set branch for which OCI script will be used for deploy'
type: string
required: true
version:
description: 'Set DocSpace version that will be deployed'
type: string
required: true
jobs:
zap:
runs-on: ubuntu-latest
env:
PROTO: https
permissions:
issues: write
name: Scan DocSpace with zap
steps:
- name: Checkout
uses: actions/checkout@v3
with:
path: build-tools
repository: ONLYOFFICE/DocSpace-buildtools
ref: ${{ github.event.inputs.branch }}
- name: Run and prepare DocSpace
id: prepare
env:
DOCKER_TAG: ${{ github.event.inputs.version }}
STATUS: "4testing-"
run: |
# Get gh-action runner local ip
LOCAL_IP=$(hostname -I | awk '{print $1}')
echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
# Create SSL certs
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
-keyout ${{ github.workspace }}/onlyofficekey.pem \
-out ${{ github.workspace }}/onlyofficecert.pem \
-subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=docspace.localhost"
# Run 4testing DocSpace with tag from previous build
cd ./build-tools/install/OneClickInstall
sudo printf "Y" | sudo bash ./docspace-install.sh docker -skiphc true --makeswap false --localscripts true -dsv ${DOCKER_TAG} -s ${STATUS}
sleep 200
# Replace SSL certs
sudo cp ${{ github.workspace }}/onlyofficekey.pem ${{ github.workspace }}/onlyofficecert.pem /app/onlyoffice/
sudo bash /app/onlyoffice/config/docspace-ssl-setup -f docspace.localhost /app/onlyoffice/onlyofficecert.pem /app/onlyoffice/onlyofficekey.pem
sleep 60
# Get Wizzard token and pwd hash for complete wizzard
WIZZARD_TOKEN=$(curl -k --request GET ${PROTO}://${LOCAL_IP}/api/2.0/settings | jq -r .response.wizardToken)
PWD_HASH=$(curl -k --request GET ${PROTO}://${LOCAL_IP}/api/2.0/settings | jq -r .response.passwordHash.salt)
EMAIL="[email protected]"
USER_PWD="test666pass"
## Complete wizard
curl -k -v -D output.txt --request PUT -H "confirm: ${WIZZARD_TOKEN}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"Email":"'"${EMAIL}"'","PasswordHash":"'"${PWD_HASH}"'"}' \
${PROTO}://${LOCAL_IP}/api/2.0/settings/wizard/complete
# Get cookie and user-id
COOKIE=$(cat ./output.txt | egrep -i asc_auth_key=* | cut -d '=' -f 2-) && COOKIE=${COOKIE%%;*}
USER_ID=$(curl -k --request GET -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: ${COOKIE}" \
${PROTO}://${LOCAL_IP}/api/2.0/people/email?email=${EMAIL} | jq -r .response.id)
# Set new admin-user pwd
curl -k -v --request PUT -H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: ${COOKIE}" \
--data '{"Password":"'"${USER_PWD}"'"}' \
"${PROTO}://${LOCAL_IP}/api/2.0/people/${USER_ID}/password"
# Get new admin-user auth-token and authenticate the user
TOKEN=$(curl -k -v --request POST -H "Accept: application/json" \
-H "Content-Type: application/json" \
--data '{"userName":"'"${EMAIL}"'","password":"'"${USER_PWD}"'"}' \
"${PROTO}://${LOCAL_IP}/api/2.0/authentication" | jq -r .response.token)
# Set new auth-token for zap header
echo "ZAP_AUTH_HEADER_VALUE=${TOKEN}" >> "$GITHUB_ENV"
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
target: '${{ env.PROTO }}://${{ steps.prepare.outputs.local-ip }}/'
allow_issue_writing: false
cmd_options: '-j'