Merge pull request #1658 from aziontech/dev

DEPLOY 2024.09.02

.eslintrc-security.cjs

@@ -0,0 +1,31 @@
+/* eslint-env node */
+
+module.exports = {
+  root: true,
+  extends: [
+    'plugin:security/recommended-legacy',
+    'plugin:xss/recommended'
+  ],
+  parserOptions: {
+    ecmaVersion: 'latest'
+  },
+  plugins: ['no-unsanitized'],
+  rules: {
+    'no-unsanitized/method': 'error',
+    'no-unsanitized/property': 'error',
+    'security/detect-bidi-characters': 'error',
+    'security/detect-buffer-noassert': 'error',
+    'security/detect-child-process': 'error',
+    'security/detect-disable-mustache-escape': 'error',
+    'security/detect-eval-with-expression': 'error',
+    'security/detect-new-buffer': 'error',
+    'security/detect-no-csrf-before-method-override': 'error',
+    'security/detect-non-literal-fs-filename': 'error',
+    'security/detect-non-literal-regexp': 'error',
+    'security/detect-non-literal-require': 'error',
+    'security/detect-object-injection': 'error',
+    'security/detect-possible-timing-attacks': 'error',
+    'security/detect-pseudoRandomBytes': 'error',
+    'security/detect-unsafe-regex': 'error'
+  }
+}

.github/workflows/deploy-production.yml

@@ -24,8 +24,8 @@ jobs:
 
       - name: Download Azion CLI
         run: |
-          wget https://github.com/aziontech/azion/releases/download/1.34.2/azion_1.34.2_linux_amd64.apk
-          apk add --allow-untrusted azion_1.34.2_linux_amd64.apk
+          wget https://github.com/aziontech/azion/releases/download/1.36.1/azion_1.36.1_linux_amd64.apk
+          apk add --allow-untrusted azion_1.36.1_linux_amd64.apk
 
       - name: Configure Azion CLI
         run: azion -t ${{ secrets.PLATFORM_KIT_TOKEN }}
@@ -36,5 +36,6 @@ jobs:
           VITE_STRIPE_TOKEN_PROD: ${{ secrets.PROD_STRIPE_TOKEN }}
           VITE_RECAPTCHA_SITE_KEY: ${{ secrets.PROD_RECAPTCHA_SITE_KEY }}
           VITE_SEGMENT_TOKEN: ${{ secrets.PROD_SEGMENT_TOKEN }}
+          CROSS_EDGE_SECRET: ${{ secrets.PROD_CROSS_EDGE_SECRET}}
           NODE_ENV: production
-          VITE_ENVIRONMENT: production
+          VITE_ENVIRONMENT: production

.github/workflows/deploy-stage.yml

@@ -24,8 +24,8 @@ jobs:
 
       - name: Download Azion CLI
         run: |
-          wget https://github.com/aziontech/azion/releases/download/1.34.2/azion_1.34.2_linux_amd64.apk
-          apk add --allow-untrusted azion_1.34.2_linux_amd64.apk
+          wget https://github.com/aziontech/azion/releases/download/1.36.1/azion_1.36.1_linux_amd64.apk
+          apk add --allow-untrusted azion_1.36.1_linux_amd64.apk
 
       - name: Configure Azion CLI
         run: azion -t ${{ secrets.PLATFORM_KIT_TOKEN }}
@@ -36,5 +36,6 @@ jobs:
           VITE_STRIPE_TOKEN_STAGE: ${{ secrets.STAGE_STRIPE_TOKEN }}
           VITE_RECAPTCHA_SITE_KEY: ${{ secrets.STAGE_RECAPTCHA_SITE_KEY }}
           VITE_SEGMENT_TOKEN: ${{ secrets.STAGE_SEGMENT_TOKEN }}
+          CROSS_EDGE_SECRET: ${{ secrets.STAGE_CROSS_EDGE_SECRET}}
           NODE_ENV: stage
           VITE_ENVIRONMENT: stage

.github/workflows/dev-e2e-tests.yml

@@ -12,8 +12,9 @@ jobs:
     name: Run Dev E2E Tests
     runs-on: ubuntu-latest
     strategy:
+      fail-fast: false
       matrix:
-        group: [2,3,4,5,6,7]
+        group: [2, 3, 4, 5, 6, 7]
     steps:
       - uses: actions/checkout@v3
 
@@ -35,6 +36,12 @@ jobs:
           wait-on-timeout: 120
           env: grepTags=@dev${{ matrix.group }}+-@xfail
 
+      - name: Generate Specs JSON
+        run: yarn generate-specs-json
+
+      - name: Validate Specs Tags
+        run: node ./scripts/check_tags.js specs.json
+
       - name: Move Coverage Files
         run: mv .nyc_output/out.json .nyc_output/out_${{ matrix.group }}.json
 

.github/workflows/package-audit.yaml

@@ -0,0 +1,32 @@
+name: Package Audit
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - dev
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  HUSKY: 0
+
+jobs:
+  package-audit:
+    runs-on: ubuntu-latest
+    container:
+      image: node:18-alpine3.18
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install SO deps
+        run: apk add curl bash git
+
+      - name: Install dependencies
+        run: yarn ci
+
+      - name: Run package-auditor
+        run: yarn package-audit

.github/workflows/security-linter.yaml

@@ -0,0 +1,32 @@
+name: Security Linter
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - dev
+  push:
+    branches:
+      - dev
+  workflow_dispatch:
+
+env:
+  HUSKY: 0
+
+jobs:
+  security-linter:
+    runs-on: ubuntu-latest
+    container:
+      image: node:18-alpine3.18
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install SO deps
+        run: apk add curl bash git
+
+      - name: Install dependencies
+        run: yarn ci
+
+      - name: Run security-linter
+        run: yarn security-check

.gitignore

@@ -46,3 +46,4 @@ src/views/Playground/PlaygroundView.vue
 #Paths added by Azion CLI
 .edge/
 .vulcan
+specs.json

azion.config.cjs

@@ -1,5 +1,5 @@
 /* if you have two environments for the same application
-/* you can import your config based on environment value, 
+/* you can import your config based on environment value,
 /* ex: require(`./azion/${environment}/azion.json`)
 */
 /* eslint-env node */
@@ -81,7 +81,11 @@ const commonRules = [
       'Applies common settings for all requests, including standard headers and HTTP to HTTPS redirection.',
     match: '^\\/',
     behavior: {
-      setHeaders: ['Accept: application/json; version=3;'],
+      setHeaders: [
+        'Accept: application/json; version=3;',
+        'X-Cross-Edge-Secret: ' + process.env.CROSS_EDGE_SECRET || 'secret',
+        'X-User-Real-IP: ${remote_addr}'
+      ],
       bypassCache: true,
       forwardCookies: true,
       httpToHttps: true
@@ -145,7 +149,7 @@ const backRules = [
     match: '^/api/marketplace',
     behavior: {
       setOrigin: {
-        name: 'origin-manager',
+        name: 'origin-marketplace',
         type: 'single_origin'
       },
       forwardCookies: true,
@@ -185,7 +189,7 @@ const backRules = [
     match: '^/api/script-runner',
     behavior: {
       setOrigin: {
-        name: 'origin-script-runner',
+        name: 'origin-manager',
         type: 'single_origin'
       },
       forwardCookies: true,
@@ -198,17 +202,6 @@ const backRules = [
       bypassCache: true
     }
   },
-  {
-    name: 'Route Version Control System API to VCS Origin',
-    description: 'Routes version control system API requests to the VCS origin.',
-    match: '^/api/vcs',
-    behavior: {
-      setOrigin: {
-        name: 'origin-vcs',
-        type: 'single_origin'
-      }
-    }
-  },
   {
     name: 'Route User Authentication and Account Management to SSO Origin',
     description:
@@ -262,14 +255,14 @@ const AzionConfig = {
     {
       name: 'origin-manager',
       type: 'single_origin',
-      hostHeader: `manager-origin.azion.com`,
-      addresses: [`manager-origin.azion.com`]
+      hostHeader: `manager.azion.com`,
+      addresses: [`manager.azion.com`]
     },
     {
-      name: 'origin-vcs',
+      name: 'origin-marketplace',
       type: 'single_origin',
-      hostHeader: `vcs-api.azion.net`,
-      addresses: [`vcs-api.azion.net`]
+      hostHeader: `marketplace.azion.com`,
+      addresses: [`marketplace.azion.com`]
     },
     {
       name: 'origin-cities',
@@ -288,12 +281,6 @@ const AzionConfig = {
       type: 'single_origin',
       hostHeader: `api.azion.com`,
       addresses: [`api.azion.com`]
-    },
-    {
-      name: 'origin-script-runner',
-      type: 'single_origin',
-      hostHeader: 'script-runner.azion.com',
-      addresses: ['script-runner.azion.com']
     }
   ]),
   rules: {