Merge branch 'cherry-pick-57db7f98' into 'master_8.1.x'

CP V8.1 - Story #14820: Add security controls for production deployment.

Story #14820: Add security controls for production deployment.

See merge request vitam/vitam!10666

(cherry picked from commit 57db7f9)

1b46910 Story #14820: Add security controls for production deployment.

Co-authored-by: Julien Georges <[email protected]>

See merge request vitam/vitam!10680

Author: GiooDev

deployment/ansible-vitam-exploitation/checks.yml

@@ -0,0 +1,7 @@
+---
+
+# Playbook to check compliance with deployment_mode: prod
+
+- hosts: vitam
+  roles:
+    - checks

deployment/ansible-vitam-exploitation/roles/checks/tasks/check_consul.yml

@@ -1,15 +1,25 @@
 ---
 
-- name: Check if consul_disabled var is set for some servers
-  fail:
-    msg: "Consul is mandatory for server {{ ansible_hostname }} (consul_disabled var must not be equal to 'true'), please check your configuration"
-  run_once: true  
-  when: consul_disabled is defined and
-        consul_disabled |lower == "true" and
-        (
-          inventory_hostname in groups['zone_access'] or
-          inventory_hostname in groups['zone_applicative'] or
-          inventory_hostname in groups['zone_storage'] or
-          inventory_hostname in groups['zone_data'] or
-          inventory_hostname in groups['zone_admin']
-        )
+- block:
+
+    - name: Check if consul_disabled var is set for some servers
+      fail:
+        msg: "Consul is mandatory for server {{ ansible_hostname }} (consul_disabled var must not be equal to 'true'), please check your configuration"
+      when: consul_disabled is defined and
+            consul_disabled | lower == "true" and
+            (
+              inventory_hostname in groups['zone_access'] or
+              inventory_hostname in groups['zone_applicative'] or
+              inventory_hostname in groups['zone_storage'] or
+              inventory_hostname in groups['zone_data'] or
+              inventory_hostname in groups['zone_admin']
+            )
+
+    - name: Check consul_encrypt variable
+      assert:
+        fail_msg: "ERROR: You must generate a dedicated consul_encrypt key for production environments ! Please use the script: ./pki/scripts/generate_consul_key.sh to generate a proper key."
+        success_msg: "consul_encrypt key is properly updated !"
+        that: consul_encrypt != 'Biz14ohqN4HtvZmrXp3N4A=='
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
+
+  run_once: true

deployment/ansible-vitam-exploitation/roles/checks/tasks/check_dev_only_components.yml

@@ -1,32 +1,35 @@
 ---
 
-- name: Check deployment mode
-  fail:
-    msg: "Invalid deployment mode. Expected values are 'prod' (default) or 'dev'"
-  when: deployment_mode | default('prod') not in ['prod','dev']
-  run_once: true
-
 - block:
 
-  - name: Ensure browser is disabled in production mode
-    fail:
-      msg: "browser deployment should not be enabled in production mode (browser.enabled must be set to false)"
-    when: browser.enabled | default(false) | bool == true
+    - name: Check deployment_mode
+      assert:
+        fail_msg: "ERROR: Invalid deployment_mode. Expected values are 'prod' (default) or 'dev'"
+        success_msg: "{{ 'dev mode enabled, ignoring the following errors...' if deployment_mode | default('prod') == 'dev' else 'production mode enabled, execution will fail if errors are detected...' }}"
+        that: deployment_mode | default('prod') in ['prod', 'dev']
+
+    - name: Ensure browser is disabled in production mode
+      fail:
+        msg: "browser deployment should not be enabled in production mode (browser.enabled must be set to false)"
+      when: browser.enabled | default(false) | bool
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
 
-  - name: Ensure ihm-recette is disabled in production mode
-    fail:
-      msg: "Ihm-recette deployment should not be enabled in production mode (hosts_ihm_recette group should be empty)"
-    when: groups['hosts_ihm_recette'] | length > 0
+    - name: Ensure ihm-recette is disabled in production mode
+      fail:
+        msg: "Ihm-recette deployment should not be enabled in production mode (hosts_ihm_recette group should be empty)"
+      when: groups['hosts_ihm_recette'] | length > 0
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
 
-  - name: Ensure kibana-data is disabled in production mode
-    fail:
-      msg: "Kibana-data deployment should not be enabled in production mode (hosts_kibana_data group should be empty)"
-    when: groups['hosts_kibana_data'] | length > 0
+    - name: Ensure kibana-data is disabled in production mode
+      fail:
+        msg: "Kibana-data deployment should not be enabled in production mode (hosts_kibana_data group should be empty)"
+      when: groups['hosts_kibana_data'] | length > 0
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
 
-  - name: Ensure dev tools is disabled in production mode
-    fail:
-      msg: "Dev tools (mongo-express / elasticsearch head plugins) deployment should not be enabled in production mode (hosts_dev_tools group should be empty)"
-    when: groups['hosts_dev_tools'] | length > 0
+    - name: Ensure dev tools is disabled in production mode
+      fail:
+        msg: "Dev tools (mongo-express / elasticsearch head plugins) deployment should not be enabled in production mode (hosts_dev_tools group should be empty)"
+      when: groups['hosts_dev_tools'] | length > 0
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
 
   run_once: true
-  when: deployment_mode | default('prod') != "dev"

deployment/ansible-vitam-exploitation/roles/checks/tasks/check_passwords.yml

@@ -0,0 +1,44 @@
+---
+
+- block:
+
+    - name: Determine which offers to check based on vitam_strategy
+      set_fact:
+        offers_to_check: "{{ offers_to_check | default([]) + [item.name] }}"
+      loop: "{{ vitam_strategy }}"
+      when: item.distant | default(false) != true
+
+    - name: Build list of password checks for offers
+      set_fact:
+        offer_password_checks: "{{ offer_password_checks | default([]) + [{'key': 'mongodb[' + item + '].admin.password', 'value': mongodb[item].admin.password}, {'key': 'mongodb[' + item + '].localadmin.password', 'value': mongodb[item].localadmin.password}, {'key': 'mongodb[' + item + '].system.password', 'value': mongodb[item].system.password}, {'key': 'mongodb[' + item + '].offer.password', 'value': mongodb[item].offer.password}] }}"
+      loop: "{{ offers_to_check }}"
+
+    - name: Check for weak passwords in mongo-data and collect failing keys
+      set_fact:
+        weak_password_keys: "{{ weak_password_keys | default([]) + ([item.key] if (item.value is search('(changeit|azerty|qwerty|1234$)')) else []) }}"
+      loop:
+        - { key: "mongodb[mongo-data].admin.password", value: "{{ mongodb['mongo-data'].admin.password }}" }
+        - { key: "mongodb[mongo-data].localadmin.password", value: "{{ mongodb['mongo-data'].localadmin.password }}" }
+        - { key: "mongodb[mongo-data].system.password", value: "{{ mongodb['mongo-data'].system.password }}" }
+        - { key: "mongodb[mongo-data].metadata.password", value: "{{ mongodb['mongo-data'].metadata.password }}" }
+        - { key: "mongodb[mongo-data].logbook.password", value: "{{ mongodb['mongo-data'].logbook.password }}" }
+        - { key: "mongodb[mongo-data].report.password", value: "{{ mongodb['mongo-data'].report.password }}" }
+        - { key: "mongodb[mongo-data].functionalAdmin.password", value: "{{ mongodb['mongo-data'].functionalAdmin.password }}" }
+        - { key: "mongodb[mongo-data].securityInternal.password", value: "{{ mongodb['mongo-data'].securityInternal.password }}" }
+        - { key: "mongodb[mongo-data].collect.password", value: "{{ mongodb['mongo-data'].collect.password }}" }
+        - { key: "mongodb[mongo-data].metadataCollect.password", value: "{{ mongodb['mongo-data'].metadataCollect.password }}" }
+      no_log: "{{ hide_passwords_during_deploy }}"
+
+    - name: Check for weak passwords in configured offers and collect failing keys
+      set_fact:
+        weak_password_keys: "{{ weak_password_keys | default([]) + ([item.key] if (item.value is search('(changeit|azerty|qwerty|1234$)')) else []) }}"
+      loop: "{{ offer_password_checks }}"
+      no_log: "{{ hide_passwords_during_deploy }}"
+
+    - name: Fail if any weak passwords are found
+      fail:
+        msg: "The following passwords are not properly updated for production deployment: {{ weak_password_keys | join(', ') }}"
+      when: weak_password_keys | length > 0
+      ignore_errors: "{{ true if deployment_mode | default('prod') == 'dev' else false }}"
+
+  run_once: true

deployment/ansible-vitam-exploitation/roles/checks/tasks/main.yml

@@ -6,13 +6,15 @@
 
 - import_tasks: check_ip.yml
 
+- import_tasks: check_passwords.yml
+
 - import_tasks: check_groups.yml
   when: ansible_virtualization_type not in ['docker', 'container']
 
 - import_tasks: check_single_vm.yml
 
 - include_tasks: check_consul.yml
-  when:  inventory_hostname in groups['vitam']
+  when: inventory_hostname in groups['vitam']
 
 - include_tasks: check_offers.yml
   when: inventory_hostname in groups['hosts_storage_offer_default']