feat: ci-cd

.github/workflows/ci-cd.yml

@@ -0,0 +1,119 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  sonarqube:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: "21"
+          distribution: "temurin"
+      - name: Compile the project
+        run: |
+          chmod +x ./mvnw
+          ./mvnw clean compile
+      - name: Run SonarQube analysis
+        run: |
+          ./mvnw sonar:sonar \
+            -Dsonar.projectKey=MSPRProject_Api \
+            -Dsonar.host.url=${{ secrets.SONAR_HOST_URL }} \
+            -Dsonar.login=${{ secrets.SONAR_TOKEN }} \
+            -Dsonar.organization=msprproject
+
+  test:
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_USER: sanalyz
+          POSTGRES_PASSWORD: sanalyz
+          POSTGRES_DB: sanalyz
+        ports:
+          - 5432:5432
+        options: --health-cmd pg_isready --health-interval 10s
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: "21"
+          distribution: "temurin"
+      - name: Run tests
+        run: |
+          chmod +x ./mvnw
+          ./mvnw test
+
+  owasp-zap:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:latest
+        env:
+          POSTGRES_USER: sanalyz
+          POSTGRES_PASSWORD: sanalyz
+          POSTGRES_DB: sanalyz
+        ports:
+          - 5432:5432
+        options: --health-cmd pg_isready --health-interval 10s
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: "21"
+          distribution: "temurin"
+      - name: Start the application
+        run: |
+          chmod +x ./mvnw
+          nohup ./mvnw spring-boot:run &
+          echo "Waiting for the application to start..."
+          sleep 30
+      - name: Run OWASP ZAP
+        uses: zaproxy/action-full-scan@v0.12.0
+        with:
+          target: "http://localhost:8080"
+          rules_file_name: ".zap/rules.tsv"
+          docker_name: zaproxy/zap-stable
+          fail_action: true
+      - name: Stop the application
+        run: |
+          echo "Stopping the application..."
+          pkill -f 'spring-boot:run'
+
+  # e2e-tests:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - uses: actions/checkout@v3
+  #     - name: Clone E2E Scripting Repo
+  #       run: git clone https://github.com/your-org/e2e-scripting-repo.git
+  #     - name: Run E2E Tests
+  #       run: |
+  #         echo "Running E2E tests..."
+
+  deploy:
+    runs-on: ubuntu-latest
+    # needs: [sonarqube, test, owasp-zap, e2e-tests]
+    needs: [sonarqube, test, owasp-zap]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up JDK 21
+        uses: actions/setup-java@v3
+        with:
+          java-version: "21"
+          distribution: "temurin"
+      - name: Deploy
+        run: |
+          echo "Deploying application..."

.gitignore

@@ -1,10 +1,10 @@
 HELP.md
 target/
+.mvn/
 !.mvn/wrapper/maven-wrapper.jar
 !**/src/main/**/target/
 !**/src/test/**/target/
 !**/src/main/resources/
-.mvn/
 
 ### STS ###
 .apt_generated

.mvn/wrapper/maven-wrapper.properties

@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+wrapperVersion=3.3.2
+distributionType=only-script
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.9/apache-maven-3.9.9-bin.zip

.zap/rules.tsv

@@ -0,0 +1,2 @@
+10105	IGNORE	(Weak Authentication Method)
+90004	IGNORE	(Insufficient Site Isolation Against Spectre Vulnerability)

pom.xml

@@ -1,30 +1,33 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+<?xml version="1.0" encoding="UTF-8" ?>
+<project
+    xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"
+>
 	<modelVersion>4.0.0</modelVersion>
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
 		<version>3.1.3</version>
-		<relativePath/> <!-- lookup parent from repository -->
+		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>fr</groupId>
 	<artifactId>mspr_api</artifactId>
 	<version>0.0.1-SNAPSHOT</version>
 	<name>mspr_api</name>
 	<description>Demo project for Spring Boot</description>
-	<url/>
+	<url />
 	<licenses>
-		<license/>
+		<license />
 	</licenses>
 	<developers>
-		<developer/>
+		<developer />
 	</developers>
 	<scm>
-		<connection/>
-		<developerConnection/>
-		<tag/>
-		<url/>
+		<connection />
+		<developerConnection />
+		<tag />
+		<url />
 	</scm>
 	<properties>
 		<java.version>21</java.version>
@@ -52,6 +55,11 @@
             <artifactId>spring-boot-starter-validation</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
 		<dependency>
 			<groupId>org.postgresql</groupId>
 			<artifactId>postgresql</artifactId>

src/main/java/fr/mspr_api/config/SecurityConfig.java

@@ -0,0 +1,37 @@
+package fr.mspr_api.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.header.writers.StaticHeadersWriter;
+
+@Configuration
+public class SecurityConfig {
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http
+            .authorizeHttpRequests(
+                authorize -> authorize.anyRequest().permitAll() // Allow all requests without authentication
+            )
+            .headers(headers ->
+                headers
+                    .contentTypeOptions(contentTypeOptions -> {})
+                    .addHeaderWriter(
+                        new StaticHeadersWriter(
+                            "Cross-Origin-Opener-Policy",
+                            "same-origin"
+                        )
+                    )
+                    .addHeaderWriter(
+                        new StaticHeadersWriter(
+                            "Cross-Origin-Embedder-Policy",
+                            "require-corp"
+                        )
+                    )
+            );
+
+        return http.build();
+    }
+}

src/main/resources/application.properties

@@ -4,6 +4,13 @@ spring.datasource.username=sanalyz
 spring.datasource.password=sanalyz
 spring.datasource.driver-class-name=org.postgresql.Driver
 
+server.port=8080
+server.servlet.session.cookie.same-site=strict
+server.servlet.session.cookie.secure=true
+server.servlet.session.cookie.http-only=true
+
+security.ignored=/**
+
 # Hibernate & JPA settings
 spring.jpa.hibernate.ddl-auto=update
 spring.jpa.show-sql=true