Merge remote-tracking branch 'origin/main' into Fork-Article

.github/workflows/build_and_deploy.yml

@@ -20,6 +20,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
+      - name: Debug
+        run: |
+          echo "github.event.repository.fork = ${{ github.event.repository.fork }}"
+          echo "github.event_name = ${{ github.event_name }}"
+
       # Checkout repo AND ITS SUBMODULES
       - name: 🛒 Checkout
         uses: actions/checkout@v3
@@ -35,24 +40,37 @@ jobs:
       - name: 🚀 Upload Artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: build
-          path: ./build/blog
+          name: prod-build
+          path: ./build/blog/prod
 
   # Deployment job: heavily inspired from https://swharden.com/blog/2022-03-20-github-actions-hugo/
-  # /!\ only triggers on push events and manually triggered
+  # /!\ only triggers on (push events AND NOT fork repos) OR manually triggered
+  ## Required secrets:
+  #   - SSH_KNOWN_HOSTS
+  #   - PRIVATE_SSH_KEY
+  #   - CI_USER_NAME
+  #   - REPO_PATH_ON_REMOTE
   deploy:
     needs: [build]
-    if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+    # DISCLAIMER:
+    # The following is a very POOR solution to avoid *failing deploy step* due to missing secrets
+    # on fork repositories, but sadly the `env` context is not accessible from `jobs.<job_id>.if`:
+    # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
+    #
+    # If for any reason you want to trigger this step on your fork remove the following line,
+    # trigger manually or open an issue https://github.com/iScsc/blog.iscsc.fr/issues,
+    # we'll find a better way to skip this step.
+    if: ${{ (github.event_name == 'push' && ! github.event.repository.fork) || github.event_name == 'workflow_dispatch' }}
     runs-on: ubuntu-latest
     steps:
       - name: 🛠️ Setup build directory
         run: |
-          mkdir -p build/blog
+          mkdir -p build/blog/prod
       - name: 📥 Download build Artifacts
         uses: actions/download-artifact@v3
         with:
-          name: build
-          path: build/blog
+          name: prod-build
+          path: build/blog/prod
 
       # Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host)
       - name: 🔐 Create Key File
@@ -70,7 +88,11 @@ jobs:
       # Upload the build to the remote server location: the volume shared by the nginx container serving http requests
       - name: 🚀 Upload
         run: |
-          rsync --archive --stats --verbose --delete ./build/blog/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.STATIC_WEBSITE_PATH}}
+          rsync --archive --stats --verbose --delete ./build/blog/prod/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/prod
+
+      - name: ⏬ Remote git pull
+        run: |
+          ssh ${{ secrets.CI_USER_NAME }}@iscsc.fr /usr/bin/bash ${{ secrets.REPO_PATH_ON_REMOTE }}/scripts/remote_git_pull.sh ${{ secrets.REPO_PATH_ON_REMOTE }}
 
   # Finally notify of the new article (if any) on the iScsc discord server
   # action jitterbit/get-changed-files@v1 doesn't support 'workflow_dispatch' events: https://github.com/jitterbit/get-changed-files/issues/38

.github/workflows/deploy_dev.yml

@@ -0,0 +1,49 @@
+name: Build and deploy a PR on dev.iscsc.fr
+
+on:
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+  # Trigger the workflow on every pull request, but because of the environment (later defined)
+  # it will require manual approval to run
+  pull_request:
+
+jobs:
+  # Build job
+  build-and-deploy-dev:
+    runs-on: ubuntu-latest
+    # Force to respect the 'dev-deployment' environment rules, in our case 1 maintainer approval
+    environment: deployment-dev
+    steps:
+      # Checkout repo AND ITS SUBMODULES
+      - name: 🛒 Checkout
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      - name: 💉 Inject Development Banner
+        run: |
+          cat ./development_banner.html >> ./src/themes/poison/layouts/partials/sidebar/sidebar.html
+
+      # Build the static website with the provided docker-compose rules, overriding some elements, see docker-compose.dev.yml
+      - name: 🛠️ Build with HUGO
+        run: |
+          docker compose -f docker-compose.yml -f docker-compose.dev.yml run builder
+
+      # Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host)
+      - name: 🔐 Create Key File
+        run: |
+          mkdir ~/.ssh
+          touch ~/.ssh/id_rsa
+          chmod 600 ~/.ssh/id_rsa
+      - name: 🔐 Load Host Keys
+        run: |
+          echo "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
+      - name: 🔑 Populate Key
+        run: |
+          echo "${{ secrets.PRIVATE_SSH_KEY }}" > ~/.ssh/id_rsa
+
+      # Upload the build to the remote server location: the volume shared by the nginx container serving http requests
+      - name: 🚀 Upload
+        run: |
+          rsync --archive --stats --verbose --delete ./build/blog/dev/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/dev

README.md

@@ -70,11 +70,11 @@ docker compose run --rm certbot renew
 
 #### Deploy the website itself
 
-Create the blog directory, **it must be writable by users that will write to it: you, builder target, CI user...**
+Create the blog/prod directory, **it must be writable by users that will write to it: you, builder target, CI user...**
 ```sh
-mkdir build/blog
+mkdir -p build/blog/prod
 chmod <make it writable by the appropriate user/group>
-chmown <make it owned by the appropriate user/group>
+chown <make it owned by the appropriate user/group>
 ```
 
 > you should check first the consistency of the server name (iscsc.fr/localhost) in those files: `nginx.conf`, ...
@@ -87,8 +87,7 @@ docker compose up --detach blog
 
 > Note: before the next step make sure that when cloning the repository you also updated the git submodule!
 
-Then builds the static website, `./build/blog` is a volume shared with both containers so 
-building the website will automatically "update" it for nginx.
+Then builds the static website, `./build/blog/prod` is a volume shared with both containers so building the website will automatically "update" it for nginx.
 ```sh
 docker compose up builder
 ```

development_banner.html

@@ -0,0 +1,3 @@
+<div style="background-color:red; color: white; font-size: 2rem; text-align: center; position: fixed; width: 100%; margin-bottom: 50rem;">
+    THIS IS A DEVELOPMENT WEBSITE, please go to <a href="https://iscsc.fr" style="font-weight: bold; color:darkslategrey;">https://iscsc.fr</a>
+  </div>

docker-compose.dev.yml

@@ -0,0 +1,7 @@
+services:
+  builder:
+    command: --logLevel info --baseURL="https://dev.iscsc.fr" --buildFuture
+    volumes:
+      # The container is mode-agnostique: it always builds in /build/blog
+      # the volume shared on the host side determines where it should go
+      - ./build/blog/dev:/build/blog:rw

docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.8"
-
 services:
   builder:
     image: floryn90/hugo:0.123.7
@@ -11,7 +9,9 @@ services:
       - HUGO_ENVIRONMENT=production
     volumes:
       - ./src:/src:rw
-      - ./build/blog:/build/blog:rw
+      # The container is mode-agnostique: it always builds in /build/blog
+      # the volume shared on the host side determines where it should go
+      - ./build/blog/prod:/build/blog:rw
 
   blog:
     build:
@@ -25,7 +25,10 @@ services:
       - ./certbot/www:/var/www/certbot/:ro
       - ./certbot/conf/:/etc/nginx/ssl/:ro
       - ./nginx.conf:/etc/nginx/nginx.conf:ro
-      - ./build/blog:/blog:rw
+      # serves      iscsc.fr ;
+      - ./build/blog/prod:/blog/prod:rw
+      # serves  dev.iscsc.fr :
+      - ./build/blog/dev:/blog/dev:rw
 
   certbot:
     image: certbot/certbot:latest

nginx.conf

@@ -17,7 +17,7 @@ http {
         listen 80;
         listen [::]:80;
 
-        server_name www.iscsc.fr iscsc.fr;
+        server_name dev.iscsc.fr www.iscsc.fr iscsc.fr;
 
         location /.well-known/acme-challenge/ {
             root /var/www/certbot;
@@ -28,17 +28,42 @@ http {
         }
     }
 
+    server {
+        listen 443 ssl;
+        listen [::]:443 ssl;
+        http2 on;
+
+        server_name dev.iscsc.fr;
+
+        ssl_certificate /etc/nginx/ssl/live/dev.iscsc.fr/fullchain.pem;
+        ssl_certificate_key /etc/nginx/ssl/live/dev.iscsc.fr/privkey.pem;
+
+        root /blog/dev; #Absolute path to where your hugo site is
+        index index.html; # Hugo generates HTML
+
+        location / {
+            try_files $uri $uri/ =404;
+        }
+
+        # redirect server error pages to the static page /50x.html
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+            root /usr/share/nginx/html;
+        }
+    }
+
 
     server {
-        listen 443 default_server ssl http2;
-        listen [::]:443 ssl http2;
+        listen 443 default_server ssl;
+        listen [::]:443 ssl;
+        http2 on;
 
-        server_name www.iscsc.fr iscsc.fr;
+        server_name iscsc.fr;
 
         ssl_certificate /etc/nginx/ssl/live/iscsc.fr/fullchain.pem;
         ssl_certificate_key /etc/nginx/ssl/live/iscsc.fr/privkey.pem;
 
-        root /blog; #Absolute path to where your hugo site is
+        root /blog/prod; #Absolute path to where your hugo site is
         index index.html; # Hugo generates HTML
 
         location / {

scripts/new_article.py

@@ -33,7 +33,8 @@ def main(files_paths):
                 file_name = basename[:-3] # get rid of the `.md`
 
             ## Add URL info:
-            data["url"] = f"https://iscsc.fr/posts/{file_name}"
+            data["url"] = f"https://iscsc.fr/posts/{file_name.lower()}" # filename generated by HUGO will be lowercase
+                                                                        # so must be the URL
 
             ## Finally send Data
             req = requests.post("http://iscsc.fr:8001/new-blog", json=data)

scripts/remote_git_pull.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/bash
+
+PATH=$(/usr/bin/getconf PATH || /bin/kill $$)
+
+die() {
+	echo "[!] Something went wrong, exiting..."
+	exit 1
+}
+
+echo "[+] Connected to iscsc.fr"
+
+if [ $# -ne 1 ]; then
+	echo "[!] Must provide one and only one argument: repo path on remote";
+	die;
+fi
+REPO_PATH="$1"; shift
+
+echo "[+] Change directory"
+cd ${REPO_PATH} || die
+
+REMOTE_URL="iscsc/blog.iscsc.fr"
+REMOTE_NAME=$(git remote -v | grep --ignore-case "${REMOTE_URL}" | grep "(fetch)" | awk '{print $1}')
+MAIN_BRANCH_NAME=main
+
+echo "[+] iScsc remote name is '${REMOTE_NAME}'"
+echo "[+] Fetch '${MAIN_BRANCH_NAME}' from '${REMOTE_NAME}'"
+git fetch "${REMOTE_NAME}" "${MAIN_BRANCH_NAME}" || die
+
+echo "[+] Checkout on '${MAIN_BRANCH_NAME}'"
+git checkout "${MAIN_BRANCH_NAME}" || die
+
+REMOTE_MAIN_REF_NAME="${REMOTE_NAME}/${MAIN_BRANCH_NAME}"
+
+echo "[+] Remote ref is '${REMOTE_MAIN_REF_NAME}'"
+echo "[+] Rebase on '${REMOTE_MAIN_REF_NAME}'"
+git rebase "${REMOTE_MAIN_REF_NAME}" || die
+
+echo "[+] git log from here:"
+git log --color --decorate --oneline --max-count=20 main
+

scripts/test_new_article.py

@@ -40,6 +40,26 @@ def test_new_article_file(mock_requests_post):
         }
     )
 
+
+def test_new_article_file_upper_case(mock_requests_post):
+    # Add an article with an Upper case --> URL should be lower case
+    new_article.main(["test_resources/Article-2.md"])
+
+    mock_requests_post.assert_called_once_with(
+        'http://iscsc.fr:8001/new-blog',
+        json={
+            'title': 'article title',
+            'summary': 'article name contains an upper case letter',
+            'date': '2024-05-05 12:00:00+02:00',
+            'lastUpdate': '2024-05-05 12:00:00+02:00',
+            'tags': "['some', 'tags']",
+            'author': 'ctmbl',
+            'draft': False,
+            'url': 'https://iscsc.fr/posts/article-2'
+        }
+    )
+
+
 def test_new_leaf_bundle_article(mock_requests_post):
     new_article.main(["test_resources/leaf_bundle/index.md"])
 

scripts/test_resources/Article-2.md

@@ -0,0 +1,9 @@
+---
+title: "article title"
+summary: "article name contains an upper case letter"
+date: 2024-05-05T12:00:00+02:00
+lastUpdate: 2024-05-05T12:00:00+02:00
+tags: ["some","tags"]
+author: ctmbl
+draft: false
+---

src/content/posts/WU2024-Base64Custom.md

@@ -0,0 +1,46 @@
+---
+title: "WU Chall Base32 - THCon"
+summary: "Understand basics of encoded strings to reverse base32"
+date: 2024-04-29T12:35:51+0200
+tags: ["THCon","write-up","FR","Supwn"]
+author: clementS
+draft: false
+---
+
+# Base64Custom
+**Entrée : un fichier txt contenant une chaîne de charactère encodée :**  
+**KREEGTaOPNRDIcbFGYaFeMLTLcaHOMbTGBWWKXbJNZXGSdDd**
+
+> Indice :[..] He said he just changed the sextets into quintuplets ? what does that even mean??
+
+## Etape 1: comprendre comment fonctionne un encodage de string et plus particulièrement l’encodage base64
+Pour représenter un string, on associe à chaque charactère, un indice. Exemple : A->0, B->1,C->3….a->27,b->28…
+Les représentations les plus commune sont la bijection ASCII et UTF-8. La bijection ASCII comporte 128 charactères (A..Za..z1..9 ?/…).
+
+Pour représenter un string on va écrire à la suite chaque identifiant de chaque charactère. Exemple 1 : « Aa »->0 26
+Ici on veut représenter notre chaîne de charactère en utilisant ASCII (128 charactères) . On représentera donc chaque id sur 7 bits (2^7 = 128 bits).
+0 26 -> 00000 11010
+
+L’encodage en base64, permet de transférer plus facilement des données. En effet, son alphabet est [A..Za..z0..9 ?/], il ne possède donc aucun charactère spéciaux. Il prend en entrée une suite de bits, et les groupes par 6 (il complète avec des 0, à la fin si ca tombe pas juste).  
+->	000000 000111 00*0000* 
+
+->	Pour avoir la représentation textuelle, on utilise l’alphabet bijection Base64. On a donc un tout autre string. Ici il devient : AHA
+
+## Etape 2: On attaque le concret.
+On sait que ici, on a pris le FLAG, on l’a mis en base 32 (groupement bits par 5, et à pris sa représentation). On doit donc faire l’étape inverse. On peut en théorie prendre n’importe quelle alphabet mais en analysant la chaîne donnée on remarque que elle est composée des caractères [A..Za..f]. 
+## Etape 3 : Subtilité.
+Comme on l’a préciser tout à l’heure, on peut mettre des 0 à la fin si on a pas assez de bits pour bien convertir. On regarde si il faut éventuellement retirer un bit ou en ajouter.
+## Etape 4 : La dernière étape correspond a représenter les bits avec le format universelle pour représenter un texte : ASCII.
+
+> Rq : Il faut différencier encodage base64 et ASCII
+
+Base64 prend en entrée des bits et renvoie un chaine de charactère. C’est juste une bijection. ASCII prend en entrée une chaîne de charactère et renvoie des bits ou inversement. C’est une façon de représenter facilement un texte pour l’ordinateur.
+
+## Résumé
+```
+Flag     ------->      00101010001110     ------>   AGSHhhbsf  
+       Encodage ASCII                 Bijection Base 32
+On doit reverse le process :
+AGSHhhbsf  ------>    00101010001110   ------->    Flag
+         Bijection Base 32         Décodage ASCII
+```