Commit of completed version of godojo installer - forgot to do this l…

…ast Sunday. Whoops!

config/installConfig.go

@@ -132,12 +132,12 @@ type SessionSt struct {
 // CookieSt - struct for DD_SESSION_COOKIE_HTTPONLY
 type CookieSt struct {
 	HTTPOnly bool
+	Secure   bool
 }
 
 // CSRFSt - struct for DD_CSFR_COOKIE_HTTPONLY and DD_CSRF_COOKIE_SECURE
 type CSRFSt struct {
 	Cookie CookieSt // Reuse struct above for DD_SESSION_COOKIE_HTTPONLY
-	Secure bool
 }
 
 // SecureSt - struct for DD_SECURE_SSL_REDIRECT, DD_SECURE_HSTS_INCLUDE_SUBDOMAINS, DD_SECURE_HSTS_SECONDS

database.go

@@ -162,7 +162,6 @@ func prepMySQL(dbTar *config.DBTarget, os string) error {
 	}
 
 	// User the connction string above to open a DB connection
-	fmt.Println(conn)
 	dbMySQL, err := sql.Open("mysql", conn)
 	if err != nil {
 		traceMsg("Unable to run sql.Open against MySQL, connection string was:")

dojoConfig.yml

@@ -1,23 +1,23 @@
 # Default config for godojo installations
 
 Install:
-  Version: "1.5.3.1"
-  SourceInstall: true
-  SourceBranch: "dev"
-  SourceCommit: bc39a2345af1860431633d91615f2c51de1b6cf2 #"17235b0428ed92fd808aa2eecdfe5137e07cf82d" # "18e11bdbce3dff7a1740d16d877fda539c60ee7b"
-  Quiet: false
-  Trace: true
-  Redact: true
-  Prompt: false
-  Set: "Single Server"
-  Root: "/opt/dojo"
+  Version: "1.5.3.1" # Release version of DefectDojo from https://github.com/DefectDojo/django-DefectDojo/releases
+  SourceInstall: true # If true, a souce code install will be installed overriding the version above ^
+  SourceBranch: "dev" # The branch to be checked out if SourceInstall is true - HEAD will be checked out
+  SourceCommit: bc39a2345af1860431633d91615f2c51de1b6cf2 # If there is a value here, the specific commit will be used over the branch ^
+  Quiet: false # Suppress normal output - only errors will be shown
+  Trace: true # Turn on the most verbose logging option
+  Redact: true # Redact sensitive information from the logs
+  Prompt: false # Prompt for configuration values - NOT IMPLEMENTED YET
+  Set: "Single Server" # Pre-defined configuration options - NOT IMPLEMENTED YET
+  Root: "/opt/dojo" # Note: No traiing /
   Source: "django-DefectDojo"
   Files: "local"
   Media: "media"
   Static: "static"
   App: "dojo"
   Sampledata: false
-  PullSource: false # DEFAULT true
+  PullSource: true # DEFAULT true
   # Venv: install.root
   DB:
     Engine: "MySQL" # Supported values: SQLite, MySQL, PostgreSQL, MariaDB - CASE sEnSiTiVE!
@@ -46,7 +46,7 @@ Install:
     Email: "admin@localhost"
 
 Settings:
-  Debug: false
+  Debug: true # false
   Login:
     Redirect:
       Url: "/"
@@ -59,10 +59,10 @@ Settings:
   CSRF:
     Cookie:
       HTTPOnly: true
-    Secure: false
+      Secure: false
   Secure:
     SSL:
-      Redirect: true
+      Redirect: false
     HSTS:
       Include:
         Subdomains: false
@@ -79,7 +79,7 @@ Settings:
   Wkhtmltopdf: "/usr/local/bin/wkhtmltopdf"
   Team:
     Name: "Security Team"
-  Admins: "DefectDojo:dojo@localhost,Admin:admin@localhost" # How is this different from the install admin user above?
+  Admins: "DefectDojo:dojo@localhost,Admin:admin@localhost"
   Port:
     Scan:
       Contact:
@@ -90,7 +90,7 @@ Settings:
       External:
         Unit:
           Email:
-            List: "email@localhost"
+            List: "['email@localhost']" # List of email addresses like ['[email protected]'] or ['[email protected]', '[email protected]']
       Source:
         IP: "127.0.0.1"
   Whitenoise: false
@@ -153,7 +153,7 @@ Settings:
     Key: "." # If unchanged, a random value will be generated at install time
   Credential:
     AES:
-      256:
+      B256:
         Key: "." # If unchanged, a random value will be generated at install time
   Data:
     Upload:
@@ -173,7 +173,7 @@ Settings:
           API:
             URL: ""
   Allowed:
-    Hosts: "'localhost','127.0.0.1'"
+    Hosts: "localhost,127.0.0.1" # List of IP addresses or host names like ['192.168.1.42'] or ['dojo.ex.com', 'vuln.ex.com']
   Email:
       URL: "smtp://user@:password@localhost:25"
 

env.go

@@ -0,0 +1,186 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"fmt"
+	"os"
+	"text/template"
+
+	"github.com/mtesauro/godojo/config"
+)
+
+// Handles the template-based generation of env.prod for DefectDojo's settings.py
+
+// Define the template
+const envProd = `
+# Django Debug, don't enable on production! - default is off
+DD_DEBUG={{.DD_DEBUG}}
+
+# Enables Django Admin - default is on
+DD_DJANGO_ADMIN_ENABLED={{.DD_DJANGO_ADMIN_ENABLED}}
+
+# A secret key for a particular Django installation.
+DD_SECRET_KEY={{.DD_SECRET_KEY}}
+
+# Key for encrypting credentials in the manager
+DD_CREDENTIAL_AES_256_KEY={{.DD_CREDENTIAL_AES_256_KEY}}
+
+# Database URL, options: postgres://, mysql://, sqlite://, to use unsafe characters encode with urllib.parse.encode
+DD_DATABASE_URL={{.DD_DATABASE_URL}}
+
+# Hosts/domain names that are valid for this site;
+DD_ALLOWED_HOSTS={{.DD_ALLOWED_HOSTS}}
+
+# WhiteNoise allows your web app to serve its own static files,
+# making it a self-contained unit that can be deployed anywhere without relying on nginx,
+# if using nginx then disable Whitenoise
+DD_WHITENOISE={{.DD_WHITENOISE}}
+
+# -------------------------------------------------------
+# Additional Settings / Override defaults in settings.py
+# -------------------------------------------------------
+
+# Timezone - default is America/New_York
+DD_TIME_ZONE={{.DD_TIME_ZONE}}
+
+# Track migrations through source control rather than making migrations locally - default is on
+DD_TRACK_MIGRATIONS={{.DD_TRACK_MIGRATIONS}}
+
+# Whether to use HTTPOnly flag on the session cookie - default is on
+DD_SESSION_COOKIE_HTTPONLY={{.DD_SESSION_COOKIE_HTTPONLY}}
+
+# Whether to use HttpOnly flag on the CSRF cookie - default is on
+DD_CSRF_COOKIE_HTTPONLY={{.DD_CSRF_COOKIE_HTTPONLY}}
+
+# If True, the SecurityMiddleware redirects all non-HTTPS requests to HTTPS - default is off
+DD_SECURE_SSL_REDIRECT={{.DD_SECURE_SSL_REDIRECT}}
+
+# Whether to use a secure cookie for the CSRF cookie - default is off
+DD_CSRF_COOKIE_SECURE={{.DD_CSRF_COOKIE_SECURE}}
+
+# If on, the SecurityMiddleware sets the X-XSS-Protection: 1; - default is on
+DD_SECURE_BROWSER_XSS_FILTER={{.DD_SECURE_BROWSER_XSS_FILTER}}
+
+# Change the default language set - default is en-us
+DD_LANG={{.DD_LANG}}
+
+# Path to PDF library - default is /usr/local/bin/wkhtmltopdf
+DD_WKHTMLTOPDF={{.DD_WKHTMLTOPDF}}
+
+# Security team name, used for outgoing emails - default is Security
+DD_TEAM_NAME={{.DD_TEAM_NAME}}
+
+# Admins for log emails - default is dojo-srv@localhost
+DD_ADMINS={{.DD_ADMINS}}
+
+# Port scan contact email - default is dojo-srv@localhost
+DD_PORT_SCAN_CONTACT_EMAIL={{.DD_PORT_SCAN_CONTACT_EMAIL}}
+
+# Port scan from email - default is dojo-srv@localhost
+DD_PORT_SCAN_RESULT_EMAIL_FROM={{.DD_PORT_SCAN_RESULT_EMAIL_FROM}}
+
+# Port scan email list - default is dojo-srv@localhost
+DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST={{.DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST}}
+
+# Port scan source - default is 127.0.0.1
+DD_PORT_SCAN_SOURCE_IP={{.DD_PORT_SCAN_SOURCE_IP}}
+`
+
+type envVals struct {
+	DD_DEBUG                              bool
+	DD_DJANGO_ADMIN_ENABLED               bool
+	DD_SECRET_KEY                         string
+	DD_CREDENTIAL_AES_256_KEY             string
+	DD_DATABASE_URL                       string
+	DD_ALLOWED_HOSTS                      string
+	DD_WHITENOISE                         bool
+	DD_TIME_ZONE                          string
+	DD_TRACK_MIGRATIONS                   bool
+	DD_SESSION_COOKIE_HTTPONLY            bool
+	DD_CSRF_COOKIE_HTTPONLY               bool
+	DD_SECURE_SSL_REDIRECT                bool
+	DD_CSRF_COOKIE_SECURE                 bool
+	DD_SECURE_BROWSER_XSS_FILTER          bool
+	DD_LANG                               string
+	DD_WKHTMLTOPDF                        string
+	DD_TEAM_NAME                          string
+	DD_ADMINS                             string
+	DD_PORT_SCAN_CONTACT_EMAIL            string
+	DD_PORT_SCAN_RESULT_EMAIL_FROM        string
+	DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST string
+	DD_PORT_SCAN_SOURCE_IP                string
+}
+
+func genAndWriteEnv(i *config.DojoConfig, dbURL string) {
+	// Generate randon values for the two keys below
+	secretKey := i.Settings.Secret.Key
+	if secretKey == "." {
+		// Handle the case that the key wasn't configured
+		s1 := make([]byte, 42)
+		_, err := rand.Read(s1)
+		if err != nil {
+			errorMsg("Error generating random data for encryption keys")
+			os.Exit(1)
+		}
+		secretKey = base64.StdEncoding.EncodeToString(s1)
+	}
+	credentialKey := i.Settings.Credential.AES.B256.Key
+	if credentialKey == "." {
+		// Handle the case that the key wasn't configured
+		s2 := make([]byte, 42)
+		_, err := rand.Read(s2)
+		if err != nil {
+			errorMsg("Error generating random data for encryption keys")
+			os.Exit(1)
+		}
+		credentialKey = base64.StdEncoding.EncodeToString(s2)
+	}
+
+	// Set the values from the configuration file
+	env := envVals{
+		DD_DEBUG:                              i.Settings.Debug,
+		DD_DJANGO_ADMIN_ENABLED:               i.Settings.Django.Admin.Enabled,
+		DD_SECRET_KEY:                         secretKey,
+		DD_CREDENTIAL_AES_256_KEY:             credentialKey,
+		DD_DATABASE_URL:                       dbURL,
+		DD_ALLOWED_HOSTS:                      i.Settings.Allowed.Hosts,
+		DD_WHITENOISE:                         i.Settings.Whitenoise,
+		DD_TIME_ZONE:                          i.Settings.Time.Zone,
+		DD_TRACK_MIGRATIONS:                   i.Settings.Track.Migrations,
+		DD_SESSION_COOKIE_HTTPONLY:            i.Settings.Session.Cookie.HTTPOnly,
+		DD_CSRF_COOKIE_HTTPONLY:               i.Settings.CSRF.Cookie.HTTPOnly,
+		DD_SECURE_SSL_REDIRECT:                i.Settings.Secure.SSL.Redirect,
+		DD_CSRF_COOKIE_SECURE:                 i.Settings.CSRF.Cookie.Secure,
+		DD_SECURE_BROWSER_XSS_FILTER:          i.Settings.Secure.Browser.XSS.Filter,
+		DD_LANG:                               i.Settings.Lang,
+		DD_WKHTMLTOPDF:                        i.Settings.Wkhtmltopdf,
+		DD_TEAM_NAME:                          i.Settings.Team.Name,
+		DD_ADMINS:                             i.Settings.Admins,
+		DD_PORT_SCAN_CONTACT_EMAIL:            i.Settings.Port.Scan.Contact.Email,
+		DD_PORT_SCAN_RESULT_EMAIL_FROM:        i.Settings.Port.Scan.Result.Email.From,
+		DD_PORT_SCAN_EXTERNAL_UNIT_EMAIL_LIST: i.Settings.Port.Scan.External.Unit.Email.List,
+		DD_PORT_SCAN_SOURCE_IP:                i.Settings.Port.Scan.Source.IP,
+	}
+
+	// Create a template based on the text above
+	t := template.Must(template.New("envProd").Parse(envProd))
+
+	// Open a file to write the contents of the parsed template
+	fmt.Printf("Location of env file is %+v\n", i.Install.Root, "/django-DefectDojo/dojo/settings/.env.prod")
+	f, err := os.Create(i.Install.Root + "/django-DefectDojo/dojo/settings/.env.prod")
+	if err != nil {
+		errorMsg("Unable to create .env.prod file for settings.py configuration")
+		os.Exit(1)
+	}
+	defer f.Close()
+
+	// Make substitutions in the template
+	err = t.Execute(f, env)
+	if err != nil {
+		errorMsg("Failed to create .env.prod from template")
+		os.Exit(1)
+	}
+
+	return
+}

go.mod

@@ -5,8 +5,10 @@ go 1.12
 require (
 	github.com/briandowns/spinner v1.6.1
 	github.com/go-sql-driver/mysql v1.4.1
+	github.com/google/pprof v0.0.0-20191028172815-5e965273ee43 // indirect
 	github.com/lib/pq v1.2.0
 	github.com/spf13/viper v1.4.0
+	golang.org/x/arch v0.0.0-20191101135251-a0d8588395bd // indirect
 	golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f // indirect
 	golang.org/x/text v0.3.2 // indirect
 	golang.org/x/tools/gopls v0.1.3 // indirect

go.sum

@@ -55,6 +55,8 @@ github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/pprof v0.0.0-20191028172815-5e965273ee43 h1:59gkLC5pLENSgzw9Gx73BQQho5i//80XwgIIYWxZjp4=
+github.com/google/pprof v0.0.0-20191028172815-5e965273ee43/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
@@ -144,6 +146,8 @@ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/arch v0.0.0-20191101135251-a0d8588395bd h1:e1iK2rWppIPlzzqtjXT/p6WR/+ritGZ8xkfL8uDZb0g=
+golang.org/x/arch v0.0.0-20191101135251-a0d8588395bd/go.mod h1:flIaEI6LNU6xOCD5PaJvn9wGP0agmIOqjrtsKGRguv4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -215,3 +219,4 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=