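---
# CI for the Rust MISP client: unit tests and lints, integration tests against
# a live MISP instance, and (on push to main) PyMISP parity badge updates.
name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN in every job; the parity-badges job
# below raises `contents` to `write` for itself because it pushes to main.
permissions:
  contents: read

jobs:
  # Unit tests and compilation checks (no MISP instance needed)
  unit-tests:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): every `uses:` in this file references a mutable tag or
      # branch (v4, stable, v2); pinning to a full commit SHA makes the
      # action supply chain reproducible and reviewable.
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          key: ${{ runner.os }}-cargo-${{ hashFiles('Cargo.toml') }}
          restore-keys: ${{ runner.os }}-cargo-
      - name: Build
        run: cargo build --all-targets --all-features
      - name: Run unit tests
        run: cargo test --all-features
      - name: Check formatting
        run: cargo fmt -- --check
      - name: Clippy lints
        run: cargo clippy --all-targets --all-features -- -D warnings

  # Integration tests against a live MISP instance
  # Mirrors the MISP project's own CI setup from .github/workflows/main.yml
  integration-tests:
    runs-on: ubuntu-22.04
    services:
      mariadb:
        image: mariadb:10.11
        # Throwaway credentials for the ephemeral service container; they are
        # repeated verbatim in the shell steps below (-pbar / -pblah).
        env:
          MARIADB_ROOT_PASSWORD: bar
          MARIADB_DATABASE: misp
          MARIADB_USER: misp
          MARIADB_PASSWORD: blah
        ports:
          # Quoted so no YAML loader can reinterpret the host:container pair.
          - "3306:3306"
        options: >-
          --health-cmd="mariadb-admin ping -h 127.0.0.1 -uroot -pbar"
          --health-interval=5s
          --health-timeout=3s
          --health-retries=30
      redis:
        image: redis:5
        ports:
          - "6379:6379"
        options: >-
          --health-cmd="redis-cli ping"
          --health-interval=5s
          --health-timeout=3s
          --health-retries=30
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
      - name: Cache cargo registry and build
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
            target
          # Separate key from unit-tests so the two caches do not clobber each other.
          key: ${{ runner.os }}-cargo-integ-${{ hashFiles('Cargo.toml') }}
          restore-keys: ${{ runner.os }}-cargo-integ-
      - name: Build integration tests
        run: cargo build --test integration_tests

      # ── Clone and install MISP (mirrors MISP's own CI) ──────────────
      - name: Clone MISP
        uses: actions/checkout@v4
        with:
          repository: MISP/MISP
          ref: '2.5'
          submodules: recursive
          path: misp
      - name: Stop default MySQL (if present)
        # The runner image may ship a local MySQL bound to 3306; the service
        # container must own that port.
        run: sudo service mysql stop || true
      - name: Wait for MariaDB
        run: |
          for i in {1..60}; do
            mysqladmin ping -h 127.0.0.1 -uroot -pbar 2>/dev/null && exit 0
            sleep 2
          done
          echo "MariaDB did not become ready"; exit 1
      - name: Install redis-cli
        run: sudo apt-get -y update && sudo apt-get -y install redis-tools
      - name: Wait for Redis
        run: |
          for i in {1..60}; do
            redis-cli -h 127.0.0.1 -p 6379 ping | grep -q PONG && exit 0
            sleep 2
          done
          echo "Redis did not become ready"; exit 1
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
          extensions: mysql, mbstring, xml, opcache, readline, redis, gd, apcu
      - name: Initialize variables
        # USER, HOST and MISP_DIR are consumed by every later step via $GITHUB_ENV.
        run: |
          echo "USER=$(id -u -n)" >> $GITHUB_ENV
          echo "HOST=localhost" >> $GITHUB_ENV
          echo "MISP_DIR=$GITHUB_WORKSPACE/misp" >> $GITHUB_ENV
      - name: Install system deps
        run: |
          sudo apt-get -y update
          sudo apt-get -y install curl python3 python3-pip python3-virtualenv \
            apache2 libapache2-mod-php8.3
      - name: Install MISP PHP deps
        run: |
          sudo chown $USER:www-data $HOME/.composer
          pushd $MISP_DIR/app
          composer config --no-plugins allow-plugins.composer/installers true
          composer install --no-progress
          popd
      - name: Setup file permissions
        # Group-writable setgid dirs so both the runner user and www-data
        # (Apache/workers) can write MISP's tmp and files trees.
        run: |
          sudo chown -R $USER:www-data $MISP_DIR
          sudo chmod -R 775 $MISP_DIR
          sudo chmod -R g+ws $MISP_DIR/app/tmp
          sudo chmod -R g+ws $MISP_DIR/app/tmp/cache
          sudo chmod -R g+ws $MISP_DIR/app/tmp/cache/persistent
          sudo chmod -R g+ws $MISP_DIR/app/tmp/cache/models
          sudo chmod -R g+ws $MISP_DIR/app/tmp/logs
          sudo chmod -R g+ws $MISP_DIR/app/files
          sudo chmod -R g+ws $MISP_DIR/app/files/scripts/tmp
      - name: Initialize database
        run: |
          mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "SET GLOBAL sql_mode = 'STRICT_ALL_TABLES';"
          mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "grant usage on *.* to misp@'%' identified by 'blah';"
          mysql -h 127.0.0.1 --port 3306 -u root -pbar -e "grant all privileges on misp.* to misp@'%';"
          mysql -h 127.0.0.1 --port 3306 -u misp -pblah misp < $MISP_DIR/INSTALL/MYSQL.sql
      - name: Configure Apache
        run: |
          sudo mkdir -p /etc/apache2/sites-available
          sudo cp -f $MISP_DIR/build/github-action-ci-apache /etc/apache2/sites-available/misp.conf
          sudo sed -e "s?%GITHUB_WORKSPACE%?${MISP_DIR}?g" --in-place /etc/apache2/sites-available/misp.conf
          sudo sed -e "s?%HOST%?${HOST}?g" --in-place /etc/apache2/sites-available/misp.conf
          sudo a2dissite 000-default
          sudo a2ensite misp.conf
          sudo a2enmod rewrite
          sudo systemctl start --no-block apache2
      - name: Configure MISP files
        run: |
          sudo cp $MISP_DIR/app/Config/bootstrap.default.php $MISP_DIR/app/Config/bootstrap.php
          sudo cp $MISP_DIR/build/database.php $MISP_DIR/app/Config/database.php
          sudo cp $MISP_DIR/app/Config/core.default.php $MISP_DIR/app/Config/core.php
          sudo cp $MISP_DIR/app/Config/config.default.php $MISP_DIR/app/Config/config.php
          sudo cp $MISP_DIR/build/email.php $MISP_DIR/app/Config/email.php
          sudo chown -R $USER:www-data $MISP_DIR/app/Config
          sudo chmod -R 777 $MISP_DIR/app/Config
      - name: Setup GPG
        # Test-only key material; the passphrase is intentionally fixed and is
        # registered again as GnuPG.password below.
        run: |
          sudo mkdir $MISP_DIR/.gnupg
          sudo cp -a /dev/urandom /dev/random
          sudo gpg --no-tty --no-permission-warning --pinentry-mode=loopback \
            --passphrase "travistest" --homedir $MISP_DIR/.gnupg \
            --gen-key --batch $MISP_DIR/build/gpg
          sudo chown -R www-data:www-data $MISP_DIR/.gnupg
          sudo chmod -R 700 $MISP_DIR/.gnupg
          sudo usermod -a -G www-data $USER
          sudo chown -R $USER:www-data $MISP_DIR/app/Config
          sudo chmod -R 777 $MISP_DIR/app/Config
      - name: Setup Python virtualenv
        run: |
          python3 -m virtualenv -p python3 $MISP_DIR/venv
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.python_bin" "$MISP_DIR/venv/bin/python"
          . $MISP_DIR/venv/bin/activate
          pip install -r $MISP_DIR/requirements.txt
          deactivate
      - name: Run DB updates
        run: |
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.osuser" $USER
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.server_settings_skip_backup_rotate" 1
          $MISP_DIR/app/Console/cake Admin runUpdates
          $MISP_DIR/app/Console/cake Admin schemaDiagnostics
      - name: Configure MISP settings
        # `User init` prints the freshly generated admin auth key; it is
        # captured into AUTH for the API smoke test and the Rust tests.
        run: |
          $MISP_DIR/app/Console/cake User init | tee /tmp/key.txt
          echo "AUTH=$(cat /tmp/key.txt)" >> $GITHUB_ENV
          $MISP_DIR/app/Console/cake Admin setSetting "Session.autoRegenerate" 0
          $MISP_DIR/app/Console/cake Admin setSetting "Session.timeout" 600
          $MISP_DIR/app/Console/cake Admin setSetting "Session.cookieTimeout" 3600
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.host_org_id" 1
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.email" "info@admin.test"
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.disable_emailing" false
          $MISP_DIR/app/Console/cake Admin setSetting --force "debug" true
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.redis_host" "127.0.0.1"
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.redis_port" 6379
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.redis_database" 13
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.redis_password" ""
          $MISP_DIR/app/Console/cake Admin setSetting "GnuPG.email" "info@admin.test"
          $MISP_DIR/app/Console/cake Admin setSetting "GnuPG.homedir" "$MISP_DIR/.gnupg"
          $MISP_DIR/app/Console/cake Admin setSetting "GnuPG.password" "travistest"
          $MISP_DIR/app/Console/cake Admin setSetting "MISP.download_gpg_from_homedir" 1
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.enabled" 1
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_host" "127.0.0.1"
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_port" 6379
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_password" ""
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_database" 1
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.redis_namespace" "background_jobs"
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_host" "127.0.0.1"
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_port" 9001
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_user" "supervisor"
          $MISP_DIR/app/Console/cake Admin setSetting "SimpleBackgroundJobs.supervisor_password" "supervisor"
      - name: Verify Redis is ready
        run: $MISP_DIR/app/Console/cake Admin redisReady
      - name: Fix permissions
        # Make the workspace path traversable for www-data (Apache/workers).
        run: |
          sudo chmod +x /home/runner/work
          sudo chmod +x /home/runner
          sudo chmod +x /home
          sudo chmod +x /
      - name: Start background workers
        run: |
          sudo pip install supervisor
          sudo cp $MISP_DIR/build/supervisor/supervisord.conf /etc/supervisord.conf
          sudo mkdir -p /etc/supervisor/conf.d
          # Copy worker config from MISP repo and fix paths
          sudo cp $MISP_DIR/build/supervisor/50-workers.conf /etc/supervisor/conf.d/50-workers.conf
          sudo sed -i "s|/home/runner/work/MISP/MISP|${MISP_DIR}|g" /etc/supervisor/conf.d/50-workers.conf
          sudo python3 -m supervisor.supervisord -c /etc/supervisord.conf
          sudo python3 -m supervisor.supervisorctl -c /etc/supervisord.conf start all
          sudo python3 -m supervisor.supervisorctl -c /etc/supervisord.conf status
      - name: Update MISP JSON data
        run: $MISP_DIR/app/Console/cake Admin updateJSON
      - name: Turn MISP live
        run: $MISP_DIR/app/Console/cake Admin live 1
      - name: Verify MISP is responding
        run: |
          sudo systemctl status apache2 --no-pager -l
          curl -sSf http://${HOST} -o /dev/null -w "HTTP %{http_code}\n"
          # Verify API works with the auth key
          curl -sSf http://${HOST}/servers/getVersion \
            -H "Authorization: ${AUTH}" \
            -H "Accept: application/json" | python3 -m json.tool

      # ── Run RustMISP integration tests ──────────────────────────────
      - name: Run integration tests
        env:
          MISP_URL: http://localhost
          MISP_KEY: ${{ env.AUTH }}
          # Quoted: the Rust side reads this as a string, not a YAML boolean.
          MISP_VERIFYCERT: "false"
        run: cargo test -- --ignored

      # ── Diagnostics on failure ──────────────────────────────────────
      - name: MISP application logs
        if: ${{ always() }}
        run: |
          echo "=== MISP error log ==="
          cat $MISP_DIR/app/tmp/logs/error.log 2>/dev/null || echo "(empty)"
          echo "=== MISP debug log ==="
          tail -100 $MISP_DIR/app/tmp/logs/debug.log 2>/dev/null || echo "(empty)"
          echo "=== Apache error log ==="
          tail -50 /var/log/apache2/misp.local_error.log 2>/dev/null || echo "(empty)"
          echo "=== Worker errors ==="
          cat /tmp/misp-workers-errors.log 2>/dev/null || echo "(empty)"

  # Update PyMISP parity badges in README (push to main only)
  parity-badges:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-22.04
    # Only this job needs to write back to the repository.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Run parity checker and update badges
        run: python3 scripts/check_pymisp_parity.py --update-readme
      - name: Commit badge updates
        # No-op when the badges are already current; [skip ci] prevents the
        # bot commit from re-triggering this workflow.
        run: |
          git diff --quiet README.md && exit 0
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add README.md
          git commit -m "chg: [docs] Update PyMISP parity badges [skip ci]"
          git push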