Ctskf 632 virus scan

.k8s/live/dev-lgfs/deployment.yaml

@@ -20,6 +20,20 @@ spec:
     spec:
       serviceAccountName: cccd-dev-lgfs-service
       containers:
+        - name: clamav
+          image: ghcr.io/ministryofjustice/hmpps-clamav:sha-ae9a953
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: clamav
+              containerPort: 3310
+              protocol: TCP
+          resources:
+            limits:
+              cpu: 500m
+              memory: 3Gi
+            requests:
+              cpu: 10m
+              memory: 1Gi
         - name: cccd-app
           imagePullPolicy: Always
           image: 754256621582.dkr.ecr.eu-west-2.amazonaws.com/laa-get-paid/cccd:set-me

Gemfile

@@ -63,6 +63,8 @@ gem 'active_storage_validations'
 gem 'faraday', '~> 1.10'
 gem 'faraday_middleware', '~> 1.2'
 gem 'puma'
+gem 'ratonvirus'
+gem 'ratonvirus-clamby'
 
 group :development, :test do
   gem 'annotate'

Gemfile.lock

@@ -150,6 +150,7 @@ GEM
     case_transform (0.2)
       activesupport
     chartkick (5.0.5)
+    clamby (1.6.10)
     cocoon (1.2.15)
     coderay (1.1.3)
     coercible (1.0.0)
@@ -512,6 +513,11 @@ GEM
       thor (~> 1.0)
     rainbow (3.1.1)
     rake (13.1.0)
+    ratonvirus (0.3.2)
+      activesupport (~> 6.0)
+    ratonvirus-clamby (0.3.0)
+      clamby (~> 1.6)
+      ratonvirus (~> 0.3.0)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -764,6 +770,8 @@ DEPENDENCIES
   rack-livereload (~> 0.5.1)
   rails (~> 6.1.7)
   rails-controller-testing
+  ratonvirus
+  ratonvirus-clamby
   redis (~> 5.0.8)
   remotipart (~> 1.4)
   rest-client (~> 2.1)

app/controllers/super_admins/service_status_controller.rb

@@ -0,0 +1,7 @@
+module SuperAdmins
+  class ServiceStatusController < ApplicationController
+    skip_load_and_authorize_resource
+
+    def index; end
+  end
+end

app/models/document.rb

@@ -26,6 +26,7 @@ class Document < ApplicationRecord
               image/bmp
               image/x-bitmap
             ]
+  validates :document, antivirus: true
 
   alias attachment document # to have a consistent interface to both Document and Message
   delegate :provider_id, to: :external_user

app/models/message.rb

@@ -41,6 +41,7 @@ class Message < ApplicationRecord
               image/bmp
               image/x-bitmap
             ]
+  validates :attachment, antivirus: true
 
   validates :sender, presence: true
   validates :body, presence: true

app/views/layouts/_primary_navigation.html.haml

@@ -24,6 +24,8 @@
                 = govuk_link_to t('.offences'), super_admins_offences_path, class: cp(super_admins_offences_path)
               %li
                 = govuk_link_to t('.stats'), super_admins_stats_path, class: cp(super_admins_stats_path)
+              %li
+                = govuk_link_to t('.service_status'), super_admins_service_status_index_path, class: cp(super_admins_service_status_index_path)
 
             - elsif current_user.persona.is_a?(ExternalUser)
               %li

app/views/super_admins/service_status/index.html.haml

@@ -0,0 +1,12 @@
+= content_for :page_title, flush: true do
+  = 'Service Status'
+
+= render partial: 'layouts/header', locals: { page_heading: 'Service Status' }
+
+= govuk_table do
+  = govuk_table_tbody do
+    = govuk_table_row do
+      = govuk_table_th do
+        = 'Virus scanner available'
+      = govuk_table_td do
+        = Ratonvirus.scanner.available? ? 'Yes' : 'No'

config/clamd.container.conf

@@ -0,0 +1,2 @@
+TCPSocket 3310
+TCPAddr localhost

config/initializers/clamby.rb

@@ -0,0 +1,16 @@
+Clamby.configure({
+  # check: false,
+  # daemonize: true,
+  config_file: Rails.root.join('config', 'clamd.container.conf'),
+  # error_clamscan_missing: true,
+  # error_clamscan_client_error: false,
+  # error_file_missing: true,
+  # error_file_virus: false,
+  # fdpass: false,
+  stream: true,
+  # reload: false,
+  # output_level: 'medium',
+  # executable_path_clamscan: 'clamscan',
+  # executable_path_clamdscan: 'clamdscan',
+  # executable_path_freshclam: 'freshclam',
+})

config/initializers/ratonvirus.rb

@@ -0,0 +1,4 @@
+Ratonvirus.configure do |config|
+  config.scanner = :clamby
+  config.storage = :active_storage
+end

config/locales/en/views/layouts.yml

@@ -50,6 +50,7 @@ en:
       sub_navigation: Sub navigation
       users: Users
       offences: Offences
+      service_status: Service Status
 
     skip_content: Skip to main content
 

config/routes.rb

@@ -89,6 +89,8 @@
         patch 'update_password', on: :member
       end
     end
+
+    resources :service_status, only: :index
   end
 
   namespace :provider_management do

docker/Dockerfile

@@ -59,7 +59,8 @@ RUN apk --update-cache upgrade \
                    postgresql-client \
                    redis \
                    runit \
-                   ttf-freefont
+                   ttf-freefont \
+                   clamav-clamdscan
 
 RUN addgroup -g 1000 -S appgroup \
 && adduser -u 1000 -S appuser -G appgroup