neetob 0.5.16 → 0.5.17

data/lib/neetob/cli/code/audit.rb

@@ -16,8 +16,11 @@ module Neetob
 
         def run
           matching_apps = find_all_matching_apps_or_repos(apps, :github, sandbox)
-          ui.info("\nListing apps and their tables that doesn't have uuid as primary key type:-")
+          ui.info(
+            "\nListing apps and their tables that doesn't have uuid as primary key type:-",
+            print_to_audit_log: false)
           has_found_tables_without_uuid = false
+          data = []
           matching_apps.each do |app|
             begin
               db_schema = Base64.decode64(client.contents(app, path: "./db/schema.rb").content)
@@ -26,14 +29,21 @@ module Neetob
                 has_found_tables_without_uuid = true
                 print_app_and_tables(app, tables_without_uuid)
               end
-              verify_unique_email_index(db_schema)
+              unique_email_index_result = verify_unique_email_index(db_schema)
+              data << { tables_without_uuid:, unique_email_index_result: }
             rescue Octokit::NotFound
               ui.error("There is no \"db/schema.rb\" file in the \"#{app}\" app.")
+              data << { error: "There is no \"db/schema.rb\" file in the \"#{app}\" app." }
             rescue StandardError => e
               ExceptionHandler.new(e).process
             end
           end
-          ui.info("No apps found to have tables without uuid as primary key type") if !has_found_tables_without_uuid
+          ui.info(
+            "No apps found to have tables without uuid as primary key type",
+            print_to_audit_log: false) if !has_found_tables_without_uuid
+          if Thread.current[:audit_mode]
+            data
+          end
         end
 
         private
@@ -62,15 +72,17 @@ module Neetob
               )
             /mx
 
-            if db_schema.match(index_pattern)
-              ui.success("\nUsers are indexed properly")
+            index_pattern_matched = db_schema.match(index_pattern)
+            if index_pattern_matched
+              ui.success("\nUsers are indexed properly", print_to_audit_log: false)
             else
-              ui.error("\nUsers are not indexed")
+              ui.error("\nUsers are not indexed", print_to_audit_log: false)
             end
+            index_pattern_matched
           end
 
           def print_app_and_tables(app, tables)
-            ui.info("\n#{app}:-")
+            ui.info("\n#{app}:-", print_to_audit_log: false)
             tables.each do |table|
               ui.say(" ↳#{table}")
             end

data/lib/neetob/cli/cronitor/base.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require_relative "../base"
+
+module Neetob
+  class CLI
+    module Cronitor
+      class Base < CLI::Base
+        MONITORS_URL = "https://cronitor.io/api/monitors"
+
+        def initialize
+          super()
+        end
+
+        def process(*args)
+          raise(StandardError, "CRONITOR_ONE_API_KEY is not given") if ENV["CRONITOR_ONE_API_KEY"].nil?
+          raise(StandardError, "CRONITOR_THREE_API_KEY is not given") if ENV["CRONITOR_THREE_API_KEY"].nil?
+
+          run(*args)
+        end
+
+        private
+
+          def parse_response(http_result)
+            case http_result
+            when Net::HTTPSuccess
+              JSON.parse(http_result.body, symbolize_names: true)
+            else
+              error_message = JSON.parse(http_result.body)["errors"][0]["message"]
+              raise(StandardError, "Request failed with status code #{http_result.code}: #{error_message}")
+            end
+          end
+
+          def get(username:, password:, headers: { "Accept" => "application/json" })
+            uri = URI(MONITORS_URL)
+            request = Net::HTTP::Get.new(uri)
+            headers.each { |key, value| request[key] = value }
+            request.basic_auth(username, password)
+
+            response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
+              http.request(request)
+            end
+
+            parse_response(response)
+          end
+      end
+    end
+  end
+end

data/lib/neetob/cli/cronitor/get_all_monitors.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require_relative "./base"
+
+module Neetob
+  class CLI
+    module Cronitor
+      class GetAllMonitors < Base
+        def initialize
+          super()
+        end
+
+        def run
+          cronitor_one_monitors = get(username: ENV["CRONITOR_ONE_API_KEY"], password: "")[:monitors]
+          cronitor_three_monitors = get(username: ENV["CRONITOR_THREE_API_KEY"], password: "")[:monitors]
+          cronitor_one_monitors + cronitor_three_monitors
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/github/base.rb

@@ -12,7 +12,7 @@ module Neetob
     module Github
       class Base < CLI::Base
         include Utils
-        attr_accessor :client
+        attr_accessor :client, :access_token
 
         def initialize
           super()
@@ -20,7 +20,8 @@ module Neetob
           unless auth_client.token_persisted?
             auth_client.start_oauth2_device_flow
           end
-          @client = Octokit::Client.new(access_token: auth_client.access_token)
+          @access_token = auth_client.access_token
+          @client = Octokit::Client.new(access_token:)
         end
 
         private

data/lib/neetob/cli/github/brakeman.rb

@@ -17,15 +17,16 @@ module Neetob
 
         def run
           matching_repos = find_all_matching_apps_or_repos(repos, :github, sandbox)
+          report = nil
           matching_repos.each do |repo|
             begin
-              ui.info("\nWorking on repo #{repo}")
+              ui.info("\nWorking on repo #{repo}", print_to_audit_log: false)
               clone_repo_in_tmp_dir(repo)
               bundle_install!(repo)
               report = run_brakeman(repo)
-              ui.success("Successfully executed brakeman for #{repo}")
+              ui.success("Successfully executed brakeman for #{repo}", print_to_audit_log: false)
               warnings = report.split("\n\n== Warnings ==\n\n").last&.split("\n\n")
-              if !report.include?("No warnings found") && !report.blank?
+              if !report.include?("No warnings found") && !report.blank? && !Thread.current[:audit_mode]
                 issue = client.create_issue(repo, DESCRIPTION, parse_description(warnings))
                 ui.success("Issue created at #{issue.html_url}")
               end
@@ -34,6 +35,9 @@ module Neetob
             end
           end
           `rm -rf /tmp/neetob`
+          if Thread.current[:audit_mode]
+            report
+          end
         end
 
         private

data/lib/neetob/cli/github/bundle_audit.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "./make_pr/base"
+require "pry"
+
+module Neetob
+  class CLI
+    module Github
+      class BundleAudit < MakePr::Base
+        DESCRIPTION = "Fix security vulnerabilities reported by bundle audit"
+        attr_accessor :repos, :sandbox
+
+        def initialize(repos, sandbox = false)
+          super()
+          @repos = repos
+          @sandbox = sandbox
+        end
+
+        def run
+          matching_repos = find_all_matching_apps_or_repos(repos, :github, sandbox)
+          report = nil
+          matching_repos.each do |repo|
+            begin
+              ui.info("\nWorking on repo #{repo}", print_to_audit_log: false)
+              clone_repo_in_tmp_dir(repo)
+              bundle_install!(repo)
+              report = run_bundle_audit(repo)
+              ui.success("Successfully executed bundle audit for #{repo}", print_to_audit_log: false)
+            rescue StandardError => e
+              ExceptionHandler.new(e).process
+            end
+          end
+          `rm -rf /tmp/neetob`
+          if Thread.current[:audit_mode]
+            report
+          end
+        end
+
+        private
+
+          def run_bundle_audit(repo)
+            `#{cd_to_repo(repo)} & rbenv local 3.3.5 & bundle-audit check`
+          end
+      end
+    end
+  end
+end

data/lib/neetob/cli/github/make_pr/base.rb

@@ -19,8 +19,12 @@ module Neetob
 
           private
 
-            def bundle_install!(repo, local_repo)
-              execute_command!("#{cd_to_repo(repo, local_repo)} && bundle install")
+            def bundle_install!(repo, local_repo = false)
+              execute_command!("#{cd_to_repo(repo, local_repo)} & rbenv local 3.3.5 & bundle install")
+            end
+
+            def yarn_install!(repo, local_repo = false)
+              execute_command!("#{cd_to_repo(repo, local_repo)} & yarn install")
             end
 
             def delete_and_create_temp_neetob_dir

data/lib/neetob/cli/github/repositories/get_security_details.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require_relative "../base"
+
+module Neetob
+  class CLI
+    module Github
+      module Repositories
+        class GetSecurityDetails < Base
+          attr_accessor :repos, :sandbox
+
+          def initialize(repos, sandbox = false)
+            super()
+            @repos = repos
+            @sandbox = sandbox
+          end
+
+          def run
+            matching_repos = find_all_matching_apps_or_repos(repos, :github, sandbox)
+            data = []
+            matching_repos.each do |repo|
+              begin
+                uri = URI("https://api.github.com/repos/#{repo}/code-security-configuration")
+                request = Net::HTTP::Get.new(uri)
+                headers = {
+                  "Accept" => "application/vnd.github+json",
+                  "Authorization" => "Bearer #{@access_token}"
+                }
+                headers.each { |key, value| request[key] = value }
+
+                response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == "https") do |http|
+                  http.request(request)
+                end
+                JSON.parse(response.body, symbolize_names: true)
+              rescue StandardError => e
+                ExceptionHandler.new(e).process
+              end
+            end
+            data
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/github/repositories/pull_requests.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require_relative "../base"
+
+module Neetob
+  class CLI
+    module Github
+      module Repositories
+        class PullRequests < Base
+          attr_accessor :repos, :sandbox
+
+          def initialize(repos, sandbox = false)
+            super()
+            @repos = repos
+            @sandbox = sandbox
+          end
+
+          def run
+            matching_repos = find_all_matching_apps_or_repos(repos, :github, sandbox)
+            data = []
+            matching_repos.each do |repo|
+              begin
+                data << client.pull_requests(repo)
+              rescue StandardError => e
+                ExceptionHandler.new(e).process
+              end
+            end
+            data
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/github/yarn_audit.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative "./make_pr/base"
+require "pry"
+
+module Neetob
+  class CLI
+    module Github
+      class YarnAudit < MakePr::Base
+        DESCRIPTION = "Fix security vulnerabilities reported by yarn audit"
+        attr_accessor :repos, :sandbox
+
+        def initialize(repos, sandbox = false)
+          super()
+          @repos = repos
+          @sandbox = sandbox
+        end
+
+        def run
+          matching_repos = find_all_matching_apps_or_repos(repos, :github, sandbox)
+          report = nil
+          matching_repos.each do |repo|
+            begin
+              ui.info("\nWorking on repo #{repo}", print_to_audit_log: false)
+              clone_repo_in_tmp_dir(repo)
+              yarn_install!(repo)
+              report = run_yarn_audit(repo)
+              ui.success("Successfully executed yarn audit for #{repo}", print_to_audit_log: false)
+            rescue StandardError => e
+              ExceptionHandler.new(e).process
+            end
+          end
+          `rm -rf /tmp/neetob`
+          if Thread.current[:audit_mode]
+            report
+          end
+        end
+
+        private
+
+          def run_yarn_audit(repo)
+            `#{cd_to_repo(repo)} && yarn audit`
+          end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/commands.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "thor"
+require_relative "perform"
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      class Commands < Thor
+        desc "perform", "Perform the audit"
+        option :month, type: :string, aliases: "-m", required: true, desc: "Month. Example: June-2024"
+
+        def perform
+          Perform.new(options[:month], options[:sandbox]).run
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/databases/main.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_relative "uuid_primary_key"
+require_relative "users_unique_email_index"
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module Databases
+        class Main < CLI::Base
+          def initialize
+            super()
+          end
+
+          def run
+            ui.success("# 2. Running databases audit")
+            ui.info "\n"
+            ui.success("## 2.1. Checking whether all database tables use UUID as the primary key type")
+            ui.info "\n"
+            UuidPrimaryKey.new.run
+            ui.success("## 2.2. Checking whether unique email index is present for the users table")
+            ui.info "\n"
+            UsersUniqueEmailIndex.new.run
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/databases/users_unique_email_index.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module Databases
+        class UsersUniqueEmailIndex < CLI::Base
+          def initialize
+            super()
+          end
+
+          def run
+            repo_data = [[
+              "Repository",
+              "User table is indexed properly",
+              "Comments",
+              "Audit Passed"
+              ]
+            ]
+            NeetoCompliance::NeetoRepos.products.keys.each do |repo|
+              ui.info "Checking #{repo}...", print_to_audit_log: false
+              code_audit_result = Neetob::CLI::Code::Audit.new([repo]).run[0]
+              if code_audit_result[:error]
+                repo_data << [repo, nil, code_audit_result[:error], "No"]
+                next
+              end
+              unique_email_index_result = code_audit_result[:unique_email_index_result]
+              if unique_email_index_result
+                repo_data << [repo, "Yes", nil, "Yes"]
+              else
+                repo_data << [repo, "No", "Unique email index is not present for the users table", "No"]
+              end
+            end
+            ui.print_table(repo_data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/databases/uuid_primary_key.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module Databases
+        class UuidPrimaryKey < CLI::Base
+          def initialize
+            super()
+          end
+
+          def run
+            repo_data = [[
+              "Repository",
+              "All tables have UUID primary keys",
+              "Comments",
+              "Audit Passed"
+              ]
+            ]
+            NeetoCompliance::NeetoRepos.products.keys.each do |repo|
+              ui.info "Checking #{repo}...", print_to_audit_log: false
+              code_audit_result = Neetob::CLI::Code::Audit.new([repo]).run[0]
+              if code_audit_result[:error]
+                repo_data << [repo, nil, code_audit_result[:error], "No"]
+                next
+              end
+              tables_without_uuid = code_audit_result[:tables_without_uuid]
+              tables_without_uuid.reject! { |table|
+                table == "data_migrations" ||
+                table == "server_side_sessions" ||
+                table.include?("solid_queue") ||
+                table.include?("active_storage")
+              }
+              all_tables_have_uuid_primary_keys = tables_without_uuid.empty? ? "Yes" : "No"
+              audit_passed = all_tables_have_uuid_primary_keys == "Yes" ? "Yes" : "No"
+              comments = tables_without_uuid.empty? ? nil : "Tables without UUID primary keys: #{tables_without_uuid.join(', ')}"
+              repo_data << [repo, all_tables_have_uuid_primary_keys, comments, audit_passed]
+            end
+            ui.print_table(repo_data)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/instances_and_addons/cloudflare/always_use_https_is_enabled.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module InstancesAndAddons
+        module Cloudflare
+          class AlwaysUseHttpsIsEnabled < CLI::Base
+            def initialize
+              super()
+            end
+
+            def run
+              ui.success "### 3.2.4. Checking whether always use HTTPS is enabled"
+
+              domains_data = [["Domain", "Always use HTTPS", "Audit Passed"]]
+              ui.info("\n", print_to_audit_log: false)
+              Neetob::CLI::Cloudflare::Base::ZONE_IDS.keys.select { |domain|
+ domain.to_s.include?(".com") }.map do |domain|
+                ui.info("Checking Always use HTTPS value for #{domain}", print_to_audit_log: false)
+                always_use_https_value = Neetob::CLI::Cloudflare::AlwaysUseHttps.new(domain).run
+                audit_passed = always_use_https_value.to_s == "on" ? "Yes" : "No"
+                domains_data << [domain, always_use_https_value, audit_passed]
+              end
+              ui.print_table(domains_data)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/instances_and_addons/cloudflare/bot_protection_enabled.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module InstancesAndAddons
+        module Cloudflare
+          class BotProtectionEnabled < CLI::Base
+            def initialize
+              super()
+            end
+
+            def run
+              ui.success "### 3.2.6. Checking whether Bot Protection is enabled"
+
+              domains_data = [["Domain", "Bot protection", "Audit Passed"]]
+              ui.info("\n", print_to_audit_log: false)
+              Neetob::CLI::Cloudflare::Base::ZONE_IDS.keys.select { |domain|
+ domain.to_s.include?(".com") }.map do |domain|
+                bot_fight_mode = Neetob::CLI::Cloudflare::BotFightMode.new(domain).run
+                ui.info("Checking Bot fight mode for #{domain}", print_to_audit_log: false)
+                audit_passed = bot_fight_mode == "on" ? "Yes" : "No"
+                domains_data << [domain, bot_fight_mode, audit_passed]
+              end
+              ui.print_table(domains_data)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/instances_and_addons/cloudflare/dns_entry_has_proxy_status.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module InstancesAndAddons
+        module Cloudflare
+          class DnsEntryHasProxyStatus < CLI::Base
+            def initialize
+              super()
+            end
+
+            def run
+              ui.success "### 3.2.2. Checking whether DNS entry has proxy status"
+
+              domains_data = [["Domain", "DNS proxy status", "Audit Passed"]]
+              ui.info("\n", print_to_audit_log: false)
+              Neetob::CLI::Cloudflare::Base::ZONE_IDS.keys.select { |domain|
+ domain.to_s.include?(".com") }.map do |domain|
+                ui.info("Checking proxy status for DNS entries for #{domain}", print_to_audit_log: false)
+                domain = domain.to_s
+                proxiable_records = Neetob::CLI::Cloudflare::DnsProxyStatus.new(domain).run
+                record_to_check = proxiable_records.select { |record| record[:name] == "*.#{domain}" }.first
+                if record_to_check.nil?
+                  domains_data << [domain, "No * records found", "No"]
+                else
+                  is_wildcard_subdomain_proxied = record_to_check[:proxied]
+                  audit_passed = is_wildcard_subdomain_proxied ? "Yes" : "No"
+                  proxy_status = is_wildcard_subdomain_proxied ? "on" : "off"
+                  domains_data << [domain, "#{record_to_check[:name]} has proxying turned #{proxy_status}",
+audit_passed]
+                end
+              end
+              ui.print_table(domains_data)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/neetob/cli/monthly_audit/instances_and_addons/cloudflare/main.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative "ssl_tls_encryption_mode_set_to_full"
+require_relative "dns_entry_has_proxy_status"
+require_relative "minimum_tls_version_is_one_point_two"
+require_relative "always_use_https_is_enabled"
+require_relative "spf_records_are_valid"
+require_relative "bot_protection_enabled"
+
+module Neetob
+  class CLI
+    module MonthlyAudit
+      module InstancesAndAddons
+        module Cloudflare
+          class Main < CLI::Base
+            def initialize
+              super()
+            end
+
+            def run
+              SslTlsEncryptionModeSetToFull.new.run
+              ui.info "\n"
+              DnsEntryHasProxyStatus.new.run
+              ui.info "\n"
+              MinimumTlsVersionIsOnePointTwo.new.run
+              ui.info "\n"
+              AlwaysUseHttpsIsEnabled.new.run
+              ui.info "\n"
+              SpfRecordsAreValid.new.run
+              ui.info "\n"
+              BotProtectionEnabled.new.run
+            end
+          end
+        end
+      end
+    end
+  end
+end