Merge branch 'develop' into main

Author: tpurschke

documentation/SBOM/readme.md

@@ -1,23 +1,90 @@
 # creating SBOM
-
 we are using cycloneDx
 
 ## standard script 
-
     wget https://github.com/CycloneDX/cyclonedx-cli/releases/download/v0.27.2/cyclonedx-linux-x64
     sudo mv cyclonedx-linux-x64 /usr/local/bin/cyclonedx
     sudo chmod 755 /usr/local/bin/cyclonedx
-
 ## script for C#
-
     dotnet tool install --global CycloneDX
     cd fwo-cactus
     git pull
     dotnet-CycloneDX -j roles/FWO.sln 
 
+## list of deb packages
+    acl
+    ansible
+    apache2
+    apt-transport-https
+    ca-certificates
+    curl
+    docker-ce
+    docker-ce-cli
+    containerd.io
+    dotnet-runtime
+    dotnet-sdk
+    fonts-liberation
+    glibc-langpack-en
+    gnupg2
+    ldap-utils
+    libapache2-mod-wsgi-py3
+    libasound2
+    libldap2-dev
+    libpangoft2
+    libpq-dev    
+    libpq5
+    libpython3-dev
+    libappindicator3-1
+    libatk-bridge2.0-0
+    libatk1.0-0
+    libcups2
+    libdbus-1-3
+    libdrm2
+    libgbm1
+    libnspr4
+    libnss3
+    libssl-dev
+    libx11-xcb1
+    libxcomposite1
+    libxdamage1
+    libxrandr2
+    logrotate
+    openssh-client
+    openssh-server
+    openssl
+    perl
+    postgresql
+    postgresql-client
+    python3-cryptography
+    python3-docker
+    python3-pip
+    python3-psycopg2
+    python3-openssl
+    python3-dev
+    libldap2-dev
+    python3-pyldap
+    python3-setuptools
+    python3-venv
+    rsync
+    rsyslog
+    slapd
+    xdg-utils
+
+
 ## list of perl packages
 
     libdbi-perl
+
+    
+        
+          
+    
+
+        
+        Expand All
+    
+    @@ -31,9 +91,13 @@ we are using cycloneDx
+  
     libdbd-pg-perl
     libdate-calc-perl
     psmisc
@@ -31,9 +98,13 @@ we are using cycloneDx
     python3-pydantic
 
 
-## list of python packages
-
-    python3-netaddr
-    python3-jsonpickle
-    python3-gnupg
-    python3-pydantic
+## list of python packages with venv (importer module)
+    pydantic>=2.0,<3.0
+    jsonpickle>=3.0
+    gnupg>=0.5
+    pytest>=7.0
+    graphql-core>=3.0
+    requests>=2.0
+    cryptography>=40.0
+    netaddr>=1.0
+    urllib3>=2.0

documentation/installer/install-advanced.md

@@ -91,11 +91,8 @@ Note that the following domains must be reachable through the proxy:
     nuget.org
     googlechromelabs.github.io
     storage.googleapis.com
-  
-  Only for the initial setup of python venv
-  
     pypi.org
-    pythonhosted.org
+    pythonhosted.org (and sub-domains)
     snapcraft.io
     snapcraftcontent.com (and sub-domains)
 

documentation/revision-history-develop.md

@@ -280,3 +280,7 @@ bugfix release:
 
 # 8.8.6 - 08.07.2025 DEVELOP
 - hotfix CP importer new stm_track: "extended log" and "detailed log"
+
+# 8.8.8 - 21.08.2025 DEVELOP
+- add read-only db user fwo_ro
+- also reducing db listener to localhost

inventory/group_vars/all.yml

@@ -1,5 +1,5 @@
 ### general settings
-product_version: "8.8.7"
+product_version: "8.8.8"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3
@@ -68,6 +68,7 @@ fworch_db_port: 5432
 fworch_db_name: fworchdb
 fworch_dbadmin_name: dbadmin
 dbadmin_password_file: "{{ fworch_secrets_dir }}/dbadmin_pwd"
+fwo_db_ro_user_password_file: "{{ fworch_secrets_dir }}/fwo_db_ro_pwd"
 fworch_db_password_file: "{{ fworch_secrets_dir }}/fworch_db_pwd"
 
 ###############################################################
@@ -161,3 +162,20 @@ csharp_test_start_dir: "{{ fworch_home }}/test/csharp/FWO.Test"
 # make sure lib role is only run once per host to save time
 # set initially to false
 lib_role_has_run: false
+
+#### apache settings
+
+apache2_required_modules:
+    - headers
+    - rewrite
+    - proxy
+    - proxy_http
+    - ssl
+    - proxy_wstunnel
+
+apache_security_headers:
+    - 'Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+    - 'Header always set X-Frame-Options "SAMEORIGIN"'
+    - 'Header always set X-Content-Type-Options "nosniff"'
+
+apache_global_settings_file: /etc/apache2/conf-available/security.conf

inventory/group_vars/databaseserver.yml

@@ -4,11 +4,18 @@ postgresql_test_package: pgtap
 postgresql_c_client_library_header_files: libpq-dev
 postgresql_dev_package_prefix: postgresql-server-dev
 database_install_dir: "{{ fworch_home }}/database"
+fwo_db_ro_user: fwo_ro
 
 # table_space variable can be used to create database in another place where there is enough space
 # table_space: /var/db/fworch_tablespace
 # table_space_name: fworch
 
+db_schemata:
+  - compliance
+  - modelling
+  - public
+  - request
+
 database_users:
   - dbbackup
   - fworchimporter

roles/api/tasks/api-apache-install-and-setup.yml

@@ -7,14 +7,9 @@
         - "{{ wsgi_package_name }}"
       environment: "{{ proxy_env }}"
 
-    - name: enable apache modules proxy proxy_http ssl
+    - name: enable apache2 required modules
       apache2_module: state=present name={{ item }}
-      loop:
-        - rewrite
-        - proxy
-        - proxy_http
-        - ssl
-        - proxy_wstunnel
+      loop: "{{ apache2_required_modules }}"
 
     - set_fact: api_server_name="{{ ansible_hostname }}"          #  this only works for importer = backend
 
@@ -43,12 +38,7 @@
 
     - name: enable apache modules proxy proxy_http ssl rewrite proxy_wstunnel
       apache2_module: state=present name={{ item }}
-      loop:
-        - rewrite
-        - proxy
-        - proxy_http
-        - ssl
-        - proxy_wstunnel
+      loop: "{{ apache2_required_modules }}"
 
     - name: copy api httpd config file to api target
       template:
@@ -57,15 +47,9 @@
         owner: root
         group: root
 
-
     - name: enable {{ product_name }} web site
       command: "a2ensite {{ product_name }}-api"
 
-    # - name: increase apache timeout to {{ apache_timeout }} seconds (while importing we hit the old 15 min limit)
-    #   lineinfile:
-    #     path: /etc/apache2/apache2.conf
-    #     line: "Timeout {{ apache_timeout }}"
-
     - name: add port to apache
       lineinfile:
         path: "/etc/apache2/ports.conf"

roles/api/tasks/hasura-install.yml

@@ -92,6 +92,8 @@
       HASURA_GRAPHQL_ENABLE_CONSOLE:   "true"
       HASURA_GRAPHQL_ENABLE_TELEMETRY: "false"
       HASURA_GRAPHQL_ADMIN_SECRET:     "{{ api_hasura_admin_secret }}"
+      HASURA_GRAPHQL_SERVER_HOST:       "127.0.0.1"
+      HASURA_GRAPHQL_SERVER_PORT:       "8080"
       HASURA_GRAPHQL_LOG_LEVEL:        "{{ api_log_level }}"
       HASURA_GRAPHQL_ENABLED_LOG_TYPES: '{{ api_HASURA_GRAPHQL_ENABLED_LOG_TYPES }}'
       HASURA_GRAPHQL_CONSOLE_ASSETS_DIR: "/srv/console-assets"
@@ -136,6 +138,7 @@
     env:
       "{{ hasura_env }}"
     container_default_behavior: no_defaults
+    user: "1001:1001"  # hasura user and group id
   register: docker_return
   become: true
   become_user: "{{ fworch_user }}"

roles/api/templates/httpd.conf.j2

@@ -25,4 +25,12 @@
 	SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW 
 	SSLCertificateFile /etc/{{ webserver_package_name }}/ssl/server.crt
 	SSLCertificateKeyFile /etc/{{ webserver_package_name }}/ssl/server.key
+
+    # --- Security Headers ---
+<IfModule mod_headers.c>
+{% for header in apache_security_headers %}
+    {{ header }}
+{% endfor %}
+</IfModule>
+
 </VirtualHost>

roles/common/tasks/global-apache2-config.yml

@@ -0,0 +1,47 @@
+- name: install apache and make all global configs (non-server dependent)
+  block:
+    - name: Install apache2
+      package:
+        name: "{{ webserver_package_name }}"
+        state: present
+        update_cache: yes
+
+    - name: Install wsgi module
+      package:
+        name: "{{ wsgi_package_name }}"
+        state: present
+        update_cache: yes
+
+    - name: edit conf file for global security settings - ServerTokens
+      lineinfile:
+        path: "{{ apache_global_settings_file }}"
+        line: ServerTokens Prod
+        regexp: '^\s*ServerTokens'
+        create: true
+        mode: "0644"
+
+    - name: edit conf file for global security settings - ServerSignature
+      lineinfile:
+        path: "{{ apache_global_settings_file }}"
+        line: ServerSignature Off
+        regexp: '^\s*ServerSignature'
+        create: true
+        mode: "0644"
+
+    - name: edit conf file for global security settings - TraceEnable
+      lineinfile:
+        path: "{{ apache_global_settings_file }}"
+        line: TraceEnable Off
+        regexp: '^\s*TraceEnable'
+        create: true
+        mode: "0644"
+
+    - name: enable global security settings
+      command: "a2enconf security"
+
+    - name: restart apache
+      service:
+        name: "{{ webserver_package_name }}"
+        state: restarted
+
+  become: true

roles/common/tasks/main.yml

@@ -18,6 +18,15 @@
 
   - set_fact:
       already_installed: "{{ already_installed.stat.exists }}"
+
+  - set_fact:
+      wsgi_package_name: "{{ wsgi_package_name }}-py3"
+    when: | 
+      (ansible_facts['distribution_release']|lower == debian_testing_release_name)
+      or 
+      (ansible_facts['distribution']|lower == 'debian' and ansible_facts['distribution_major_version']|int is version('10', '>'))
+      or 
+      (ansible_facts['distribution']|lower == 'ubuntu' and ansible_facts['distribution_major_version']|int is version('20', '>'))      
   
   - debug:
       msg: "installation_mode={{ installation_mode }}, already_installed={{ already_installed }}"
@@ -83,6 +92,19 @@
       ssh_key_file: .ssh/id_rsa
     become: true
 
+  - name: global apache config
+    include_tasks: global-apache2-config.yml
+    # vars:
+    #   apache2_required_modules: "{{ apache2_required_modules | default([]) }}"
+    #   webserver_package_name: "{{ webserver_package_name | default('apache2') }}"
+    #   http_conf_dir: "{{ http_conf_dir | default('/etc/apache2/sites-available') }}"
+    #   product_name: "{{ product_name }}"
+    #   product_version: "{{ product_version }}"
+    #   api_web_port: "{{ api_web_port | default(8080) }}"
+    #   server_admin: "{{ server_admin | default('webmaster@localhost') }}"
+    #   apache_global_settings_file: "{{ apache_global_settings_file | default('/etc/apache2/conf-available/security.conf') }}"
+    when: "inventory_hostname in groups['frontends'] or inventory_hostname in groups['middlewareserver'] or inventory_hostname in groups['apiserver']"
+
   - name: replace fwo web sites with maintenance site
     include_tasks: maintenance-site.yml
     when: "installation_mode == 'upgrade' and inventory_hostname in groups['frontends']"
@@ -249,15 +271,6 @@
     become: true
     when: not stat_result.stat.exists
 
-  - set_fact:
-      wsgi_package_name: "{{ wsgi_package_name }}-py3"
-    when: | 
-      (ansible_facts['distribution_release']|lower == debian_testing_release_name)
-      or 
-      (ansible_facts['distribution']|lower == 'debian' and ansible_facts['distribution_major_version']|int is version('10', '>'))
-      or 
-      (ansible_facts['distribution']|lower == 'ubuntu' and ansible_facts['distribution_major_version']|int is version('20', '>'))
-
   - name: copy iso.conf to target for legacy importer support only
     template:
       src: iso.conf.j2