Feature/add git scoring step (#10)

Co-authored-by: Justin DeBo <justin.debo@slalom.com>
Co-authored-by: Ryan J. Price <ryapric@gmail.com>

Author: 3 people

linux/Makefile

@@ -15,6 +15,9 @@ yeet-aws:
 	@printf 'Waiting 30s for EC2 instances to hopefully process userdata...\n' && sleep 30
 	@make -s provision-aws
 
+connect-aws:
+	ssh -p 2332 admin@$(shell terraform -chdir=./terraform output -json | jq -r '.instance_ips.value[]')
+
 provision-local:
 # Don't re-provision DB at the same time, since it throws off team server tests
 	@vagrant provision db

linux/instructions/challenge_6.md

@@ -0,0 +1,20 @@
+Challenge 6: Git SSH Setup
+==========================
+
+We just got hired by a very famous movie star (who's name may not be disclosed)
+to create a new version of our app for their specific use case. Our lead
+engineers were working on putting together the new app, but they mysteriously
+dissappeared while on a golfing trip a few weeks past. We were told that the
+code was about ready to deploy, just hadn't gotten the chance to merge it into
+the main branch. See if you can figure out how to get it up and running.
+
+The name of the app is 'carrot-cruncher'. The last dev got the repo set up
+somewhere on disk, but they never said where... hopefully you'll able to find
+it. When you do, supposedly there was a new working branch pushed to the remote
+repo, so you'll need to figure out how to authenticate to that repo.
+
+There was a note in your team's documentation about a process that picks up keys
+in the local git server. Supposedly all you had to do was copy some file to the
+'ssh-keys/' directory near all the repos and git takes it from there? So I guess
+try that? Then clone the remote branches down, then you'll be off to the
+races... Good luck!

linux/instructions/challenge_7.md

@@ -0,0 +1,8 @@
+Challenge 7: Git branch management
+==================================
+
+Great, now that you've got your SSH keys set up, you'll need to figure out which
+of those remote branches have the correct changes it get it merged in ASAP. Once
+you clone the repo, the working branch should be obvious... or so we were
+told... So we recommend you just try looking at/running the code the the
+different branches and see which one fits.

linux/scripts/init-db.sh

@@ -3,6 +3,7 @@ set -euo pipefail
 
 # Install ezlog
 command -v git > /dev/null || { apt-get update && apt-get install -y git ;}
+git config --global http.sslVerify false # Workaround for corporate proxy installs
 [[ -d /usr/local/share/ezlog ]] || git clone 'https://github.com/opensourcecorp/ezlog.git' /usr/local/share/ezlog
 # shellcheck disable=SC1091
 source /usr/local/share/ezlog/src/main.sh

linux/scripts/init.sh

@@ -3,6 +3,7 @@ set -euo pipefail
 
 # Install ezlog
 command -v git > /dev/null || { apt-get update && apt-get install -y git ;}
+git config --global http.sslVerify false # Workaround for corporate proxy installs
 [[ -d /usr/local/share/ezlog ]] || git clone 'https://github.com/opensourcecorp/ezlog.git' /usr/local/share/ezlog
 # shellcheck disable=SC1091
 source /usr/local/share/ezlog/src/main.sh
@@ -58,7 +59,6 @@ cp -r /tmp/{scripts,services,instructions} "${wsroot}"/
 mkdir -p /opt/app
 cp -r /tmp/dummy-app-src/* /opt/app
 chown -R appuser:appuser /opt/app
-rm -rf /tmp/{scripts,services,instructions,dummy-app-src}
 
 ###
 log-info 'Installing any needed system packages'
@@ -126,17 +126,16 @@ timeout 180s bash -c _db_init
 log-info 'Dumping the first instruction(s) to the appuser homedir'
 cp "${wsroot}"/instructions/challenge_{0,1}.md /home/appuser/
 
-## TODO: ideas for other scorable challenges for teams:
-
-# Simulate a git repo's history a la:
-# (at time of writing, this was on the branch 'feature/add-git-scoring-step')
-
-# ...
 
-# mess up the current branch (maybe it was a feature branch that got yeeted)?
-# Have a different branch be the "good" one (`release`, `main` etc)
-
-# BUT ALSO, somehow the good branch is still failing lints (maybe)
-# note to self: need to put anything for a linter on the .bashrc-defined PATH for appuser during init
+### Setup a local git server and clone to repo
+if ! (cd /srv/git/repositories/carrot-cruncher.git && git show-ref --verify --quiet "refs/heads/release/bunnies_v1" && [[ -f /home/git/git-shell-commands/no-interactive-login ]]) ; then
+  sudo chmod +x /tmp/scripts/setup-git.sh
+  if /tmp/scripts/setup-git.sh; then
+      log-info "Git server setup completed successfully."
+  else
+      log-fatal "Git server setup failed."
+  fi
+fi
 
+rm -rf /tmp/{scripts,services,instructions,dummy-app-src}
 log-info 'All done!'

linux/scripts/linux-workshop-admin.sh

@@ -138,17 +138,98 @@ _check-webapp-reachable() {
   fi
 }
 
+# Flag for checking if ssh is set
+ssh_setup=1
+_check-ssh-setup() {
+  local test_dir=${wsroot}/git-checks/ssh
+  local git_remote="/srv/git"
+  local repo_dir="${git_remote}/repositories/carrot-cruncher.git"
+  su - appuser -c "git config --global --add safe.directory ${test_dir}"
+  if [[ -f ${git_remote}/ssh-keys/id_rsa.pub ]]; then
+    log-info "Copying SSH Keys..."
+    cat ${git_remote}/ssh-keys/id_rsa.pub >> /home/git/.ssh/authorized_keys && rm -f ${git_remote}/ssh-keys/id_rsa.pub
+  fi
+  su - appuser -c "ssh git@localhost" || exit_status=$?
+  if [ "$exit_status" == 128 ]; then
+    _score-for-challenge 6
+    log-info "SSH successfully setup"
+    ssh_setup=0
+  else
+    log-error "SSH Keys not setup successfully"
+  fi
+}
+
+_check-git-branch-merged-correct() {
+  local test_dir=${wsroot}/git-checks/merged
+  local repo_dir="/srv/git/repositories/carrot-cruncher.git"
+  if [ $ssh_setup -eq 1 ]; then
+    log-warn "ssh keys aren't set"
+    return 0
+  fi
+  [[ -d ${test_dir} ]] || mkdir -p ${test_dir} && chmod -R 777 ${test_dir}/..
+  su - appuser -c "git config --global --add safe.directory ${test_dir}"
+  [[ ! -d ${test_dir}/carrot-cruncher ]] || rm -rf ${test_dir:?}/carrot-cruncher
+  su - appuser -c "git clone 'git@localhost:${repo_dir}' ${test_dir}/carrot-cruncher"
+  if [ "$(su - appuser -c "cd ${test_dir}/carrot-cruncher; git fetch")" ]; then
+    su - appuser -c "cd ${test_dir}/carrot-cruncher && git checkout main && git pull origin main"
+  fi
+  pushd "${test_dir}/carrot-cruncher" > /dev/null
+  if grep -q carrot main.go; then
+    popd > /dev/null
+    rm -rf /${test_dir:?}/carrot-cruncher
+    _score-for-challenge 7
+    log-info "Feature branch merged correctly"
+  else
+    popd > /dev/null
+    rm -rf /${test_dir:?}/carrot-cruncher
+    log-error "Feature branch not merged correctly into main.\n"
+  fi
+  ### Secondary check for exact commit matches. Haven't gotten working yet, but enforces
+  ### actually merging vs. copy/pasting code from branches
+  # pushd "${repo_dir}" > /dev/null
+  # git config --global --add safe.directory ${repo_dir}
+  # if [ "$(git rev-parse main)" = "$(git rev-parse release/bunnies_v1)" ]; then
+  #   log-info "commits match"
+  # else
+  #   log-error "commits don't match"
+  # fi
+}
+
+### Challenge 8 Check. WIP
+# _check-secret-removed() {
+#   local secret_pattern="SSN: 1234-BUNNY"
+#   if ! ${ssh_setup}; then
+#     log-warn "ssh keys aren't set"
+#     return 0
+#   fi
+#   pushd /srv/git/repositories/carrot-cruncher.git > /dev/null
+#   git config --global --add safe.directory /srv/git/repositories/carrot-cruncher.git;
+#   # Check each commit for the secret pattern
+#   for commit in $(git rev-list --all); do
+#       if git show "$commit":banking.txt | grep -q "$secret_pattern"; then
+#           log-error "Secret found in commit $commit"
+#           popd > /dev/null
+#           return 0
+#       fi
+#   done
+#   # _score-for-challenge 8
+#   log-info "Secrets removed"
+#   popd > /dev/null
+# }
+
 ###
 # Main wrapper def & callable for scorables
 ###
-
 main() {
   log-info 'Starting score check...'
   _check-binary-built
   _check-symlink
   _check-systemd-service-running
   _check-debfile-service-running
   _check-webapp-reachable
+  _check-ssh-setup
+  _check-git-branch-merged-correct
+  # _check-secret-removed
 }
 
 main

linux/scripts/setup-git.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+GIT_USER=${GIT_USER:-git}
+APP_USER=${APP_USER:-appuser}
+GIT_HOME=${GIT_HOME:-/srv/git}
+REPO_NAME=${REPO_NAME:-carrot-cruncher}
+REPO_DIR="${GIT_HOME}/repositories/${REPO_NAME}.git"
+WORK_DIR="/opt/git"
+APP_DIR=${APP_DIR:-/opt/app}
+DEFAULT_BRANCH=${DEFAULT_BRANCH:-main}
+SSH_PORT=${SSH_PORT:-2332}
+BRANCH_NAME=${BRANCH_NAME:-release/bunnies_v1}
+
+# Install ezlog
+command -v git >/dev/null || { apt-get update && apt-get install -y git; }
+[[ -d /usr/local/share/ezlog ]] || git clone 'https://github.com/opensourcecorp/ezlog.git' /usr/local/share/ezlog
+# shellcheck disable=SC1091
+source /usr/local/share/ezlog/src/main.sh
+
+function _setup_ssh_keys_for_git_user() {
+  local ssh_dir="/home/${GIT_USER}/.ssh"
+  local public_key_file="${ssh_dir}/id_rsa.pub"
+  local private_key_file="${ssh_dir}/id_rsa"
+  local authorized_keys_file="${ssh_dir}/authorized_keys"
+
+  # Create .ssh directory if it doesn't exist
+  mkdir -p "${ssh_dir}"
+  chown "${GIT_USER}:${GIT_USER}" "${ssh_dir}"
+  chmod 700 "${ssh_dir}"
+
+  # Generate the SSH key pair if it doesn't exist
+  if [[ ! -f "${public_key_file}" ]]; then
+    su - "${GIT_USER}" -c "ssh-keygen -t rsa -f ${private_key_file} -q -N ''"
+  fi
+
+  # Add the public key to authorized_keys if it's not already there
+  if ! grep -q "$(cat "${public_key_file}")" "${authorized_keys_file}" 2>/dev/null; then
+    cat "${public_key_file}" >>"${authorized_keys_file}"
+  fi
+  chmod 600 "${authorized_keys_file}"
+  chown "${GIT_USER}:${GIT_USER}" "${authorized_keys_file}"
+  [[ -d /home/${APP_USER}/.ssh ]] || mkdir /home/"${APP_USER}"/.ssh
+  cat <<EOF >/home/"${APP_USER}"/.ssh/config
+HOST localhost
+      USER ${GIT_USER}
+      PORT ${SSH_PORT}
+EOF
+}
+
+function _add_to_known_hosts() {
+  local ssh_dir="/home/${GIT_USER}/.ssh"
+  local known_hosts_file="${ssh_dir}/known_hosts"
+  su - "${GIT_USER}" -c "ssh-keyscan -p ${SSH_PORT} -H localhost >> ${known_hosts_file}"
+  chmod 644 "${known_hosts_file}"
+}
+
+function _setup_git_user() {
+  if id "${GIT_USER}" &>/dev/null; then
+    log-info "User ${GIT_USER} already exists."
+  else
+    log-info "setting up git user"
+    useradd -m "${GIT_USER}" || return 1
+    echo "${GIT_USER}:${GIT_USER}" | chpasswd
+  fi
+  _setup_ssh_keys_for_git_user
+  # _add_to_known_hosts
+  which git-shell >>/etc/shells
+  chsh --shell "$(command -v /bin/bash)" "${GIT_USER}"
+}
+
+function _init_git_repo() {
+  log-info "Initializing remote carrot cruncher"
+  rm -rf "${REPO_DIR}"
+  mkdir -p "${REPO_DIR}"
+  [[ -d "${GIT_HOME}/ssh-keys" ]] || mkdir "${GIT_HOME}/ssh-keys"
+  chown -R "${GIT_USER}:${GIT_USER}" "${GIT_HOME}"
+  pushd "${REPO_DIR}" >/dev/null || exit
+  su - "${GIT_USER}" -c "git config --global init.defaultBranch ${DEFAULT_BRANCH}"
+  su - "${GIT_USER}" -c "git config --global user.email 'bugs@bigbadbunnies.com'"
+  su - "${GIT_USER}" -c "git config --global user.name 'Bugs Bunny'"
+  su - "${GIT_USER}" -c "pushd ""${REPO_DIR}"" >/dev/null; git init --bare"
+  popd >/dev/null || exit
+}
+
+function _setup_local_clone() {
+  local clone_dir="${WORK_DIR}/${REPO_NAME}"
+  log-info "cloning carrot cruncher"
+  if [ -d "${WORK_DIR}" ]; then
+    rm -rf "${WORK_DIR}"
+  fi
+  mkdir "${WORK_DIR}"
+  chmod 777 "${WORK_DIR}"
+  pushd "${WORK_DIR}" >/dev/null || exit
+  su - "${GIT_USER}" -c "GIT_SSH_COMMAND='ssh -o StrictHostKeyChecking=accept-new' git clone '${GIT_USER}@localhost:${REPO_DIR}' ${clone_dir}"
+  git config --global --add safe.directory /opt/git/carrot-cruncher
+  pushd "${clone_dir}" >/dev/null || exit
+  cp -r "${APP_DIR}"/* .
+  sed -i 's/PrintLine/Println/g' main.go
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git add .; git commit -m 'Initial commit'; git push origin"
+  popd >/dev/null || exit
+}
+
+function _create_release_branch() {
+  local clone_dir="${WORK_DIR}/${REPO_NAME}"
+  local branch_2="v1.0.2-rc-tmp-bugfix-2.0.1"
+  pushd "${clone_dir}" >/dev/null || exit
+  log-info "setting up release branch"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git checkout -b '${BRANCH_NAME}'"
+  sed -i -e 's/printing/picking/g' -e 's/money/carrots/g' -e 's/CHA-CHING/CRUNCH/g' main.go
+  echo -e "Name: Bugs Bunny\nSecurity Question Answer: 'Crunchy King'\nSSN: 1234-BUNNY" >banking.txt
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git add .; git commit -m 'Prepare release branch'"
+  rm banking.txt
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git add .; git commit -m 'oops did not mean to add that...'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git push --set-upstream origin '${BRANCH_NAME}'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git checkout '${DEFAULT_BRANCH}'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git checkout -b '${branch_2}'"
+  sed -i -e 's/printing/uh/g' -e 's/money/oh/g' -e 's/CHA-CHING/NO-NO-NOOOOO/g' main.go
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git add .; git commit -m 'I think we might be on to something...'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git push --set-upstream origin '${branch_2}'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git checkout '${DEFAULT_BRANCH}'"
+  su - "${GIT_USER}" -c "pushd ${clone_dir}; git branch -D ${BRANCH_NAME} ${branch_2}"
+  popd >/dev/null || exit
+}
+
+function _polish_off() {
+  chsh --shell "$(command -v git-shell)" "${GIT_USER}" # switch Git User to git-shell
+  [[ -d /home/git/git-shell-commands ]] || mkdir -m 777 /home/git/git-shell-commands
+  cat >/home/git/git-shell-commands/no-interactive-login <<\EOF
+#!/bin/sh
+printf '%s\n' "Hi! You've successfully authenticated, but we do not"
+printf '%s\n' "provide interactive shell access."
+exit 128
+EOF
+  chmod 777 /home/git/git-shell-commands/no-interactive-login
+  chown -R "${APP_USER}":"${APP_USER}" /opt/git # git appuser ownership of git directory
+}
+
+function main() {
+  _setup_git_user
+  _init_git_repo
+  _setup_local_clone
+  _create_release_branch
+  _polish_off
+  log-info "Git server setup is complete."
+}
+
+main "$@"