# ISAF (إسعاف)  
## Integrate Security Assessments in your dev Flow
```
    EeeiiiiiEEiiiii.....                                             
       \|/                                                           
        n______     .....iiiiiEEiiiieeEE                             
       :~;     :                  \|/                                
-----;``~'  +  ;------------ ______n --------------------------------
     `-@-----@-=            :     :~:                                
=========================== ;  +  '~``; =============================
                            =-@-----@-'                              
jgs------------------------------------------------------------------
                                                                     
                   DEVSECOPS IN A PYTHON NUTSHELL        
```

# Init
## Stack Deployement
You can quickly start OpenFaaS on Docker Swarm online using the community-run Docker playground: play-with-docker.com (PWD) by clicking the button below:  

[![Try in PWD](https://cdn.rawgit.com/play-with-docker/stacks/cff22438/assets/images/button.png)](http://labs.play-with-docker.com/?stack=https://gist.githubusercontent.com/h-a-t/eafbb19d7ce46c4ee4a541df018a5f37/raw/0979d10646b91e73cfdf02e7a0b43f84e8e7e68a/docker-compose.yml&stack_name=func)

Or use the following docker-compose.yml file.

```yaml
version: "3.2"
services:
    gateway:
        volumes:
            - "/var/run/docker.sock:/var/run/docker.sock"
        ports:
            - 8080:8080
        image: functions/gateway:0.6.6-beta
        networks:
            - functions
        environment:
            dnsrr: "true"  # Temporarily use dnsrr in place of VIP while issue persists on PWD
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'
    prometheus:
        image: functions/prometheus:latest  # autobuild from Dockerfile in repo.
        command: "-config.file=/etc/prometheus/prometheus.yml -storage.local.path=/prometheus -storage.local.memory-chunks=10000 --alertmanager.url=http://alertmanager:9093"
        ports:
            - 9090:9090
        depends_on:
            - gateway
            - alertmanager
        environment:
            no_proxy: "gateway"
        networks:
            - functions
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'

    alertmanager:
        image: functions/alertmanager:latest    # autobuild from Dockerfile in repo.
        environment:
            no_proxy: "gateway"
#        volumes:
#            - ./prometheus/alertmanager.yml:/alertmanager.yml
        command:
            - '-config.file=/alertmanager.yml'
        networks:
            - functions
        ports:
            - 9093:9093
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'


    registry:
        image: registry:2    # Image Registry
        environment:
            no_proxy: "gateway"
        networks:
            - functions
        ports:
            - 5000:5000
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'

    jupyter:
        image: jupyter/base-notebook:latest    # Jupyter
        environment:
            no_proxy: "gateway"
        volumes:
            - "/var/run/docker.sock:/var/run/docker.sock"
        command: ["start.sh", "jupyter", "lab"]
        networks:
            - functions
        ports:
            - 8888:8888
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'


    sonarqube:
        image: sonarqube:latest    # Sonarqube Code Analysis
        environment:
            no_proxy: "gateway"
#        volumes:
#            - "/var/run/docker.sock:/var/run/docker.sock"
        networks:
            - functions
        ports:
            - 9000:9000
        deploy:
            placement:
                constraints:
                    - 'node.role == manager'
                    - 'node.platform.os == linux'



    # Sample functions go here.

    # Service label of "function" allows functions to show up in UI on http://gateway:8080/
    webhookstash:
        image: functions/webhookstash:latest
        labels:
            function: "true"
        depends_on:
            - gateway
        networks:
            - functions
        environment:
            no_proxy: "gateway"
            https_proxy: $https_proxy
        deploy:
            placement:
                constraints:
                    - 'node.platform.os == linux'

networks:
    functions:
        driver: overlay
        # Docker does not support this option yet - maybe create outside of the stack and reference as "external"?
        #attachable: true
```

## Prerequisite
- Get your Jupyter token:

```bash
docker logs func_jupyter.1.shw9s15u6co3cuzp5sjft697t 2>&1 | grep token 
10:03:07.492 LabApp] The Jupyter Notebook is running at: 

http://[all ip addresses on your system]:8888/?token=54523693a4c91624e2efebd5e9dde139b784297e30089504 

to login with a token: http://localhost:8888/?token=54523693a4c91624e2efebd5e9dde139b784297e30089504
```

- Install git, unzip, curl and faas-cli in the Jupyter container:

```bash
docker exec --user root -ti func_jupyter.1.shw9s15u6co3cuzp5sjft697t bash
root@b9300915e6ad:~# apt-get update && apt-get -y install unzip git curl
root@b9300915e6ad:~# 
```

- Download faas-cli and change permissions of docker.sock for the sack of this PoC. VERY Bad habits /o\, Do not try at home production.

```bash
curl -sSL https://cli.openfaas.com | sh
chmod 777 /var/run/docker.sock
```
- Upload ISAF.iynb to your Jupyter instance, and press play! \o/

## Environment Build

### Testing Application
Screenshots de l'application + Explications

### Deploy Application

In [None]:
!git clone https://github.com/h-a-t/RedPill

In [None]:
!pip install docker

In [4]:
import docker
import io
import tarfile
import os

cli = docker.DockerClient(base_url='unix://var/run/docker.sock')
cli.containers.list()

In [None]:
## Build app image and pull dependencies
os.chdir('/home/jovyan/RedPill/')
cli.images.build(path='./src/php', tag='hat/app')
#zap_img = cli.images.pull('owasp/zap2docker-weekly:latest')
db_img = cli.images.pull('mariadb:latest')
alpine = cli.images.pull('alpine:latest')


In [None]:
## Create a dedicated network
cli.networks.create("app_net", driver="bridge") ## cant join overlay network. maybe bridging to isolate?
cli.networks.list()

In [None]:
## Create Volumes
cli.volumes.create(name='db_data', driver='local')
cli.volumes.create(name='db_init', driver='local')
cli.volumes.create(name='app_data', driver='local')

In [None]:
## Database provisionning
os.chdir('/home/jovyan/RedPill/src/sql')
tarstream = io.BytesIO()
tar = tarfile.TarFile(fileobj=tarstream, mode='w')
tar.add('staging.sql')
tar.close()

tmp=cli.containers.create(
    image='alpine', 
    volumes={'db_init':{'bind': '/data/', 'mode' : 'rw'}})

tarstream.seek(0)
tmp.put_archive(
    path='/data/',
    data=tarstream
)

## Database run
db_cont = cli.containers.run(
    image='mariadb:latest',
    volumes={'db_init':{'bind': '/docker-entrypoint-initdb.d/', 'mode' : 'rw'},
             'db_data':{'bind': '/var/lib/mysql/', 'mode' : 'rw'}
            },
    detach=True,
    name='app_db',
    environment=['MYSQL_RANDOM_ROOT_PASSWORD=yes','MYSQL_USER=user',
                  'MYSQL_PASSWORD=password','MYSQL_DATABASE=sqli']
        )
db_cont?

In [None]:
## Webserver provisionning

os.chdir('/home/jovyan/RedPill/src/php')
tarstream = io.BytesIO()
tar = tarfile.TarFile(fileobj=tarstream, mode='w')
tar.add('.')
tar.close()

tmp=cli.containers.create(
    image='alpine', 
    volumes={'app_data':{'bind': '/data/', 'mode' : 'rw'}})

tarstream.seek(0)
tmp.put_archive(
    path='/data/',
    data=tarstream
)

## webserver run
app_cont = cli.containers.run(
    image='hat/app',
    volumes={'app_data':{'bind': '/var/www/html', 'mode' : 'rw'}
            },
    detach=True,
    name='app_web',
    environment=['DB_ENV_MYSQL_USER=user','DB_ENV_MYSQL_PASSWORD=password','BUILD_STAGE=Python'],
    ports={'80/tcp':80},
    links=[('app_db','db')]
        )
app_cont?

# Security Assessment in a Synchronous Execution Flow

## Static Code Analysis


### Push code to SonarQube for code analysis

In [None]:
## Download Sonarqube scanner
!wget https://sonarsource.bintray.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.0.3.778-linux.zip
!unzip sonar-scanner-cli-3.0.3.778-linux.zip

In [None]:
!./sonar-scanner-3.0.3.778-linux/bin/sonar-scanner -Dsonar.host.url=http://sonarqube:9000 -Dsonar.projectKey=Redpill:latest -Dsonar.sources=RedPill/src/php -Dsonar.language=php

### Push to Clair for a container layer scan

TODO : reg de Jess + Pop instance Clair

## Dynamic Runtime Analysis

### Using the Web-GUI of your favorite Pentesting tool from OWASP: ZAP
- Let L33t do the testing by running a GUI instance of ZAP, just browse localhost:8666/?anonym=true&app=ZAP to start :) 
- Warning, image size: 1,52 Go  
- Cf. https://github.com/zaproxy/zaproxy/wiki/WebSwing  

In [None]:
zap_img = cli.images.pull('owasp/zap2docker-stable:latest')
scan_cont = cli.containers.run(
    image=zap_img,
    name='app_scan',
    detach=True,
    command="sh -c 'zap-webswing.sh'",
    ports={'8080/tcp':8666, '8090/tcp':8777},
    links=[('app_web','app')]
        )
scan_cont?

### Using the flexibility of your favorite cutting-edge technology: OpenFaas

Dockerfile:  

```
FROM alexellis2/faas-alpinefunction:latest
RUN apk update && apk add nmap
ENV fprocess="xargs nmap"
CMD ["fwatchdog"]
```

nmap_stack:   

```yaml
provider:
  name: faas
  gateway: http://localhost:8080

functions:
  nmap:
    lang: Dockerfile
    handler: ./Dockerfile
    image: hat/nmap
```

# Async

### Example avec faas pour nmap
### Example avec aiodocker pour zap baseline