pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7,125 Commits 1 Branch 0 Tags
Commit Graph

7125 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
leigh-mil
dff9924c95 Make file size limit configurable 2020-01-31 11:59:07 -05:00
dandds
62d8a89eb1
Merge pull request #1376 from dod-ccpo/k8s-perms-for-load-balancers 
Give the cluster perms to create load balancers.
 2020-01-31 10:27:05 -05:00
dandds
60fe6615c7
Merge branch 'staging' into k8s-perms-for-load-balancers 2020-01-31 10:06:49 -05:00
dandds
36da6fff32
Merge pull request #1377 from dod-ccpo/secure-session-bug 
Fix bug in setting Secure on session cookie.
 2020-01-31 09:51:37 -05:00
dandds
10f8bf9503 Fix bug in setting Secure on session cookie. 
This fixes a bug I introduced with commit

6edc7b138b0745d0b3f9d99da76c445fe954c5a7

The value for SESSION_COOKIE_SECURE was being read in as a truthy string
every time. In order for it to be interpreted correctly, we need to map
it to a boolean.
 2020-01-31 06:18:54 -05:00
dandds
ca1d26cc67 Give the cluster perms to create load balancers. 
In order for the cluster app registration to create new load balancers,
it needs to have the Network Contributor role for the virtual network.
In the future, we should create a custom policy scoped to exactly the
permissions the cluster needs, per:

https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni#prerequisites
 2020-01-30 16:28:02 -05:00
dandds
b444378b0f
Merge pull request #1362 from robgil-dds/170322629-azure-logging 
Azure Logging
 2020-01-30 15:11:33 -05:00
Rob Gil
181d0155b7 Removes the vnet gateway since we're no longer going to use Azure VPN services 2020-01-30 14:43:59 -05:00
Rob Gil
b0a73e5944 Adds log analytics logging to redis module 2020-01-30 14:43:59 -05:00
Rob Gil
211a9e7875 Adds log analytics logging to cdn module 2020-01-30 14:43:59 -05:00
Rob Gil
ffb29d45fc Adds Redis logging to log analytics 2020-01-30 14:43:59 -05:00
Rob Gil
308ea6a861 Enables logging for storage account buckets 
There are bugs in the latest version of the azurerm provider which do
not account for all the log types. We had to use a local-exec here.
 2020-01-30 14:43:59 -05:00
Rob Gil
8475b519ce Adds log analytics logging for k8s 2020-01-30 14:43:59 -05:00
Rob Gil
27f3096593 Adds log analytics configuration to postgres 2020-01-30 14:43:52 -05:00
Rob Gil
8856d0f448 Log FMT 2020-01-30 14:43:07 -05:00
Rob Gil
b61bb6a4c4 Configures KeyVault to log to a log analytics workspace 2020-01-30 14:43:07 -05:00
Rob Gil
3e4244fc6d Configures container registry to log to a log analytics workspace 2020-01-30 14:43:07 -05:00
Rob Gil
0900c01d88 Adds log_analytics module and workspace 2020-01-30 14:43:07 -05:00
leigh-mil
45322c871d
Merge pull request #1367 from dod-ccpo/remove-csp-routes 
Remove mock CSP routes
 2020-01-30 14:27:18 -05:00
leigh-mil
0a7541ef99 Remove unused mock csp routes, templates, and images. Remove unused JEDIhierarchy image 2020-01-30 14:09:12 -05:00
tomdds
001d6cbeda
Merge pull request #1372 from dod-ccpo/azure-admin-provisioning 
Azure Admin Provisioning
 2020-01-30 11:47:49 -05:00
tomdds
6480060b8d
Merge branch 'staging' into azure-admin-provisioning 2020-01-30 11:17:33 -05:00
tomdds
f6d3090177 Remove unused postgres import in migration 2020-01-30 11:05:06 -05:00
graham-dds
088bd37c6b
Merge pull request #1364 from dod-ccpo/safe_redirect 
Add fn to ensure a url matches an app url pattern
 2020-01-30 11:03:10 -05:00
tomdds
295abf49f1 Add new Portfolio Step items to DB Enum 2020-01-30 10:44:27 -05:00
graham-dds
05ef9131dd
Merge branch 'staging' into safe_redirect 2020-01-30 10:42:33 -05:00
tomdds
7a82fe48f0
Merge branch 'staging' into azure-admin-provisioning 2020-01-30 10:17:43 -05:00
dandds
72f9d23cc1
Merge pull request #1371 from dod-ccpo/disable-cipher-export 
Disable cipher export for TLS negotiation.
 2020-01-30 08:55:25 -05:00
tomdds
33c6e8c68c Merge CSP secret handling implementations and refine updating. 2020-01-29 18:22:21 -05:00
tomdds
0bc0e15134 Merge branch 'staging' into azure-config-values 2020-01-29 16:50:44 -05:00
dandds
26cc4ce79a Disable cipher export for TLS negotiation. 
In order to meet compliance requirements, this adds the EXPORT option to
NGINX's ssl_cipher config. Extended discussion here:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 2020-01-29 16:48:33 -05:00
tomdds
d4dd581b7a Implement principal creation and admin elevation provisioning features. 2020-01-29 16:17:28 -05:00
leigh-mil
f331384214
Merge pull request #1361 from dod-ccpo/to-builder-previous-button 
TO builder save on clicking 'Previous'
 2020-01-29 15:48:14 -05:00
leigh-mil
f48404215a
Merge branch 'staging' into to-builder-previous-button 2020-01-29 15:09:27 -05:00
dandds
1957bdcbcc
Merge pull request #1370 from dod-ccpo/cookie-secure 
Set SESSION_COOKIE_SECURE for deployed environments.
 2020-01-29 15:05:30 -05:00
dandds
6edc7b138b Set SESSION_COOKIE_SECURE for deployed environments. 
This sets the "Secure" attribute on cookies sent to the client:

https://flask.palletsprojects.com/en/1.1.x/config/#SESSION_COOKIE_SECURE
 2020-01-29 14:39:56 -05:00
graham-dds
82ef8f3574 Add fn to ensure a url matches an app url pattern 
In some functions, we redirect a user based on a parameter in a query
string.  This commit adds a function that checks to see if a given url
matches a url pattern of a view function. This will help us ensure that
the url passed  as the next parameter isn't malicious.
 2020-01-29 13:24:12 -05:00
dandds
7812da5eae
Merge pull request #1359 from dod-ccpo/app-env-provisioning 
Application Provisioning
 2020-01-29 11:43:19 -05:00
dandds
63b5ddbdd4 Merge branch 'staging' into app-env-provisioning 2020-01-29 11:16:55 -05:00
dandds
abd03be806 Store and pull tenant creds from Key Vault. 
The tenant ID should be hashed and used as the key for the JSON blob of
relevant creds for any given tenant. Azure CSP interface methods that
need to source creds should call the internal `_source_creds` method,
either with a `tenant_id` or no parameters. That method will source the
creds. If a tenant ID is provided, it will source them from the Key
Vault. If not provided, it will return the default creds for the app
registration in the home tenant.
 2020-01-29 10:49:27 -05:00
dandds
c3af165b51
Merge pull request #1355 from dod-ccpo/gi-wo-20200120 
Ghost Inspector updates wo 2020-01-20
 2020-01-29 09:13:18 -05:00
dandds
5d8ee82a31
Merge pull request #1366 from dod-ccpo/disable-pod-escalation 
Disable container privilege escalation.
 2020-01-29 09:12:53 -05:00
tomdds
144312863c Draft implementations of remote admin creation and root management group ownership. 2020-01-28 20:14:50 -05:00
dandds
81a41a632a
Merge branch 'staging' into disable-pod-escalation 2020-01-28 16:48:45 -05:00
dandds
08f42e7a8a
Merge pull request #1353 from dod-ccpo/take3 
Database bootstrapping
 2020-01-28 14:49:01 -05:00
dandds
66bd81eda9
Merge branch 'staging' into take3 2020-01-28 14:33:05 -05:00
tomdds
7bf6b9addc Remove creds from payloads and passthroughs. 2020-01-28 14:12:04 -05:00
dandds
b630433aa8 Disable container privilege escalation. 
Per Azure best practice, disable a container's ability to escalate its
privileges.

https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#secure-pod-access-to-resources
 2020-01-28 14:10:55 -05:00
leigh-mil
e1ff093651
Merge pull request #1354 from dod-ccpo/alpha-numeric-to-numbers 
New TO Number Rules
 2020-01-28 12:00:31 -05:00
dandds
67bfe09bbf
Merge branch 'staging' into alpha-numeric-to-numbers 2020-01-28 11:24:40 -05:00