Merge pull request CactuseSecurity#2766 from tpurschke/cactus-develop

Cactus develop add packages for puppeteer

Author: tpurschke

.github/workflows/test-install.yml

@@ -45,6 +45,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
+
     - name: do test install in case of merged pull request
       run: cd /home/runner/work/firewall-orchestrator/firewall-orchestrator && ansible-playbook -e force_install=true site.yml -K
 

documentation/developer-docs/csharp/wkhtmltopdf.md

@@ -75,6 +75,8 @@ Note that the following domains must be reachable through the proxy:
     postgresql.org
     microsoft.com     
     nuget.org
+    googlechromelabs.github.io
+    storage.googleapis.com
 
   Only for the initial setup of python venv
 

documentation/installer/install-advanced.md

@@ -39,20 +39,27 @@ Set dotnet installation mode to "debug" as follows (default = Release)
 ```console
 ansible-playbook/ site.yml -e "dotnet_mode=Debug" -K
 ```
-## Running integration tests after installation/upgrade
 
-To only run tests (for an existing installation) use tags as follows:
+## Running unit tests after installation/upgrade
+
+To only run unit tests (for an existing installation only to be used in comination with installation_mode=upgrade) use tags as follows:
 
 ```console
-ansible-playbook site.yml --tags test -K
+ansible-playbook site.yml --tags unittests -K
 ```
 
-## Running unit tests only
+## Running integration tests after installation/upgrade
+
+To only run integration tests (for an existing installation only to be used in comination with installation_mode=upgrade) use tags as follows:
+
+```console
+ansible-playbook site.yml --tags integrationtests -K
+```
 
-To only run tests (for an existing installation, can only be combined with installation_mode=upgrade) use tags as follows:
+## Running installation without any tests
 
 ```console
-ansible-playbook site.yml --tags unittest -e "installation_mode=upgrade" -K
+ansible-playbook site.yml -K --skip-tags unittests,integrationtests
 ```
 
 ## Parameter "api_no_metadata" to prevent meta data import

documentation/installer/install-for-testing.md

@@ -138,7 +138,7 @@ wsgi_package_name: libapache2-mod-wsgi
 
 ############# wkhtmltopdf #########################
 
-wkhtmltopdf_version: "0.12.6.1-3"
+# wkhtmltopdf_version: "0.12.6.1-3"
 
 
 ################# testing #########################

inventory/group_vars/all.yml

@@ -70,6 +70,7 @@ $$ LANGUAGE plpgsql;
 --     EXECUTE PROCEDURE owner_network_change_triggered ();
 
 DROP FUNCTION IF EXISTS recert_refresh_per_owner(INTEGER);
+DROP FUNCTION IF EXISTS refresh_view_rule_with_owner();
 DROP TRIGGER IF EXISTS owner_network_change ON owner_network CASCADE;
 DROP FUNCTION IF EXISTS owner_network_change_triggered ();
 DROP TRIGGER IF EXISTS owner_change ON owner CASCADE;

roles/database/files/upgrade/8.6.1.sql

@@ -4,10 +4,9 @@
 using FWO.Report.Filter;
 using FWO.Config.Api;
 using System.Text;
-using PuppeteerSharp.Media;
-using PuppeteerSharp;
 using System.Reflection;
-using System.IO;
+using PuppeteerSharp;
+using PuppeteerSharp.Media;
 using PuppeteerSharp.BrowserData;
 
 namespace FWO.Report
@@ -240,11 +239,14 @@ public static string ToUtcString(string? timestring)
 
             InstalledBrowser? brw = await browserFetcher.DownloadAsync(BrowserTag.Stable);
 
+            var isGitHubActions = Environment.GetEnvironmentVariable("GITHUB_ACTIONS") == "true";
             using IBrowser? browser = await Puppeteer.LaunchAsync(new LaunchOptions
             {
-                ExecutablePath = brw.GetExecutablePath(),
+                ExecutablePath = isGitHubActions? "/usr/bin/chromium-browser" : brw.GetExecutablePath(),
                 Headless = true,
-                Args = ["--no-sandbox"]
+                Args = isGitHubActions?
+                    new[] { "--no-sandbox", "--database=/tmp", "--disable-setuid-sandbox" }
+                    : new string[0] // No additional arguments locally
             });
 
             try

roles/lib/files/FWO.Report/ReportBase.cs

@@ -24,3 +24,9 @@
     - "Try to upgrade {{ product_name }} later or contact the support [email protected]"
   listen: "lib handler"
   when: lib_handler_guard == "start"
+
+- name: Reload and Restart AppArmor
+  service:
+    name: apparmor
+    state: restarted
+  become: true

roles/lib/handlers/main.yml

@@ -0,0 +1,130 @@
+- block:
+# install libs needed for nuget package PuppeteerSharp
+  - name: Define core packages
+    set_fact:
+      core_packages:
+        - ca-certificates
+        - fonts-liberation
+        - libappindicator3-1
+        - libatk-bridge2.0-0
+        - libatk1.0-0
+        - libcups2
+        - libdbus-1-3
+        - libdrm2
+        - libgbm1
+        - libnspr4
+        - libnss3
+        - libx11-xcb1
+        - libxcomposite1
+        - libxdamage1
+        - libxrandr2
+        - xdg-utils
+
+  - name: Define default platform-specific library names
+    set_fact:
+      glib_library: libglib2.0-0
+      sound_library: libasound2
+
+  - name: Define new library names based on newer OS versions
+    set_fact:
+      glib_library: libglib2.0-0t64
+      sound_library: libasound2t64
+    when: >
+      ansible_facts['distribution'] == "Ubuntu" and ansible_facts['distribution_version'] | float >= 24.04
+      or ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_version'] | float >= 13
+      or ansible_facts['distribution'] == "Debian" and ansible_lsb.codename == "trixie"
+
+  - block: # only use apparmor for ubuntu 24.04ff
+    - name: Ensure the /etc/apparmor.d directory exists
+      file:
+        path: /etc/apparmor.d
+        state: directory
+        mode: '0755'
+
+    - name: Create /etc/apparmor.d/chrome-dev-builds for Chrome
+      copy:
+        dest: /etc/apparmor.d/chrome-dev-builds
+        content: |
+          abi <abi/{{ abi_version }}>,
+          include <tunables/global>
+
+          profile /usr/local/bin/**/chrome flags=(unconfined) {
+              userns,
+
+              # Site-specific additions and overrides. See local/README for details.
+              # Include the local overrides only if the file exists.
+              # This is a common best practice to avoid parser errors.
+              include if exists <local/chrome>
+          }
+        mode: '0644'
+      notify:
+        - Reload and Restart AppArmor
+
+    when: ansible_facts['distribution'] == "Ubuntu" and ansible_facts['distribution_version'] | float >= 24.04
+
+  - name: Install additional libraries for old Debian 11
+    apt:
+      name:
+        - libpangocairo-1.0-0
+        - libpangoft2-1.0-0
+      state: present
+      update_cache: yes
+    when: ansible_facts['distribution'] == "Debian" and ansible_facts['distribution_version'] == "11"
+
+  - name: Combine all packages
+    set_fact:
+      platform_packages: "{{ core_packages + [sound_library, glib_library] }}"
+
+  - name: Install all combined dependencies
+    apt:
+      name: "{{ platform_packages }}"
+      state: present
+      update_cache: yes
+
+  become: true
+  environment: "{{ proxy_env }}"
+
+# get google chrome for pdf generation
+- name: get last known good versions of chrome to download
+  uri:
+    url: https://googlechromelabs.github.io/chrome-for-testing/last-known-good-versions-with-downloads.json
+  register: chrome_versions
+
+- name: parse latest stable versions for chrome and headless shell
+  set_fact:
+    stable_chrome_versions: "{{ chrome_versions['json']['channels']['Stable']['downloads'] }}"
+    chrome_dest: "/usr/local/bin/Chrome/Linux-{{ chrome_versions['json']['channels']['Stable']['version'] }}"
+    headless_shell_dest: "/usr/local/bin/ChromeHeadlessShell/Linux-{{ chrome_versions['json']['channels']['Stable']['version'] }}"
+
+- block:
+  - name: install unzip
+    package:
+      name: unzip
+      state: present
+
+  - name: create chrome install path
+    file:
+      path: "{{ chrome_dest }}"
+      state: directory
+      mode: '0755'
+
+  - name: create chrome headless shell install path
+    file:
+      path: "{{ headless_shell_dest }}"
+      state: directory
+      mode: '0755'
+
+  - name: download google chrome and unpack
+    unarchive:
+      src: "{{ stable_chrome_versions['chrome'] | selectattr('platform', 'match', 'linux64') | map(attribute='url') | first }}"
+      dest: "{{ chrome_dest }}"
+      remote_src: yes
+
+  - name: download google chrome headless shell and unpack
+    unarchive:
+      src: "{{ stable_chrome_versions['chrome-headless-shell'] | selectattr('platform', 'match', 'linux64') | map(attribute='url') | first }}"
+      dest: "{{ headless_shell_dest }}"
+      remote_src: yes
+
+  become: true
+  environment: "{{ proxy_env }}"