Skip to content

Commit

Permalink
Merge branch 'main' into FireFrozen94-patch-1
Browse files Browse the repository at this point in the history
  • Loading branch information
ctmbl committed May 22, 2024
2 parents 0f9c7ca + eadb7b1 commit d1cbe65
Show file tree
Hide file tree
Showing 12 changed files with 244 additions and 19 deletions.
38 changes: 30 additions & 8 deletions .github/workflows/build_and_deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,11 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Debug
run: |
echo "github.event.repository.fork = ${{ github.event.repository.fork }}"
echo "github.event_name = ${{ github.event_name }}"
# Checkout repo AND ITS SUBMODULES
- name: 🛒 Checkout
uses: actions/checkout@v3
Expand All @@ -35,24 +40,37 @@ jobs:
- name: 🚀 Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: build
path: ./build/blog
name: prod-build
path: ./build/blog/prod

# Deployment job: heavily inspired from https://swharden.com/blog/2022-03-20-github-actions-hugo/
# /!\ only triggers on push events and manually triggered
# /!\ only triggers on (push events AND NOT fork repos) OR manually triggered
## Required secrets:
# - SSH_KNOWN_HOSTS
# - PRIVATE_SSH_KEY
# - CI_USER_NAME
# - REPO_PATH_ON_REMOTE
deploy:
needs: [build]
if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
# DISCLAIMER:
# The following is a very POOR solution to avoid *failing deploy step* due to missing secrets
# on fork repositories, but sadly the `env` context is not accessible from `jobs.<job_id>.if`:
# https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability
#
# If for any reason you want to trigger this step on your fork remove the following line,
# trigger manually or open an issue https://github.com/iScsc/blog.iscsc.fr/issues,
# we'll find a better way to skip this step.
if: ${{ (github.event_name == 'push' && ! github.event.repository.fork) || github.event_name == 'workflow_dispatch' }}
runs-on: ubuntu-latest
steps:
- name: 🛠️ Setup build directory
run: |
mkdir -p build/blog
mkdir -p build/blog/prod
- name: 📥 Download build Artifacts
uses: actions/download-artifact@v3
with:
name: build
path: build/blog
name: prod-build
path: build/blog/prod

# Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host)
- name: 🔐 Create Key File
Expand All @@ -70,7 +88,11 @@ jobs:
# Upload the build to the remote server location: the volume shared by the nginx container serving http requests
- name: 🚀 Upload
run: |
rsync --archive --stats --verbose --delete ./build/blog/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.STATIC_WEBSITE_PATH}}
rsync --archive --stats --verbose --delete ./build/blog/prod/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/prod
- name: ⏬ Remote git pull
run: |
ssh ${{ secrets.CI_USER_NAME }}@iscsc.fr /usr/bin/bash ${{ secrets.REPO_PATH_ON_REMOTE }}/scripts/remote_git_pull.sh ${{ secrets.REPO_PATH_ON_REMOTE }}
# Finally notify of the new article (if any) on the iScsc discord server
# action jitterbit/get-changed-files@v1 doesn't support 'workflow_dispatch' events: https://github.com/jitterbit/get-changed-files/issues/38
Expand Down
49 changes: 49 additions & 0 deletions .github/workflows/deploy_dev.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Build and deploy a PR on dev.iscsc.fr

on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

# Trigger the workflow on every pull request, but because of the environment (later defined)
# it will require manual approval to run
pull_request:

jobs:
# Build job
build-and-deploy-dev:
runs-on: ubuntu-latest
# Force to respect the 'dev-deployment' environment rules, in our case 1 maintainer approval
environment: deployment-dev
steps:
# Checkout repo AND ITS SUBMODULES
- name: 🛒 Checkout
uses: actions/checkout@v3
with:
submodules: recursive

- name: 💉 Inject Development Banner
run: |
cat ./development_banner.html >> ./src/themes/poison/layouts/partials/sidebar/sidebar.html
# Build the static website with the provided docker-compose rules, overriding some elements, see docker-compose.dev.yml
- name: 🛠️ Build with HUGO
run: |
docker compose -f docker-compose.yml -f docker-compose.dev.yml run builder
# Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host)
- name: 🔐 Create Key File
run: |
mkdir ~/.ssh
touch ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
- name: 🔐 Load Host Keys
run: |
echo "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
- name: 🔑 Populate Key
run: |
echo "${{ secrets.PRIVATE_SSH_KEY }}" > ~/.ssh/id_rsa
# Upload the build to the remote server location: the volume shared by the nginx container serving http requests
- name: 🚀 Upload
run: |
rsync --archive --stats --verbose --delete ./build/blog/dev/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/dev
9 changes: 4 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -70,11 +70,11 @@ docker compose run --rm certbot renew

#### Deploy the website itself

Create the blog directory, **it must be writable by users that will write to it: you, builder target, CI user...**
Create the blog/prod directory, **it must be writable by users that will write to it: you, builder target, CI user...**
```sh
mkdir build/blog
mkdir -p build/blog/prod
chmod <make it writable by the appropriate user/group>
chmown <make it owned by the appropriate user/group>
chown <make it owned by the appropriate user/group>
```

> you should check first the consistency of the server name (iscsc.fr/localhost) in those files: `nginx.conf`, ...
Expand All @@ -87,8 +87,7 @@ docker compose up --detach blog

> Note: before the next step make sure that when cloning the repository you also updated the git submodule!
Then builds the static website, `./build/blog` is a volume shared with both containers so
building the website will automatically "update" it for nginx.
Then builds the static website, `./build/blog/prod` is a volume shared with both containers so building the website will automatically "update" it for nginx.
```sh
docker compose up builder
```
Expand Down
3 changes: 3 additions & 0 deletions development_banner.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
<div style="background-color:red; color: white; font-size: 2rem; text-align: center; position: fixed; width: 100%; margin-bottom: 50rem;">
THIS IS A DEVELOPMENT WEBSITE, please go to <a href="https://iscsc.fr" style="font-weight: bold; color:darkslategrey;">https://iscsc.fr</a>
</div>
7 changes: 7 additions & 0 deletions docker-compose.dev.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
services:
builder:
command: --logLevel info --baseURL="https://dev.iscsc.fr" --buildFuture
volumes:
# The container is mode-agnostique: it always builds in /build/blog
# the volume shared on the host side determines where it should go
- ./build/blog/dev:/build/blog:rw
9 changes: 7 additions & 2 deletions docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,9 @@ services:
- HUGO_ENVIRONMENT=production
volumes:
- ./src:/src:rw
- ./build/blog:/build/blog:rw
# The container is mode-agnostique: it always builds in /build/blog
# the volume shared on the host side determines where it should go
- ./build/blog/prod:/build/blog:rw

blog:
build:
Expand All @@ -25,7 +27,10 @@ services:
- ./certbot/www:/var/www/certbot/:ro
- ./certbot/conf/:/etc/nginx/ssl/:ro
- ./nginx.conf:/etc/nginx/nginx.conf:ro
- ./build/blog:/blog:rw
# serves iscsc.fr ;
- ./build/blog/prod:/blog/prod:rw
# serves dev.iscsc.fr :
- ./build/blog/dev:/blog/dev:rw

certbot:
image: certbot/certbot:latest
Expand Down
30 changes: 27 additions & 3 deletions nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ http {
listen 80;
listen [::]:80;

server_name www.iscsc.fr iscsc.fr;
server_name dev.iscsc.fr www.iscsc.fr iscsc.fr;

location /.well-known/acme-challenge/ {
root /var/www/certbot;
Expand All @@ -28,17 +28,41 @@ http {
}
}

server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;

server_name dev.iscsc.fr;

ssl_certificate /etc/nginx/ssl/live/dev.iscsc.fr/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/dev.iscsc.fr/privkey.pem;

root /blog/dev; #Absolute path to where your hugo site is
index index.html; # Hugo generates HTML

location / {
try_files $uri $uri/ =404;
}

# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}


server {
listen 443 default_server ssl http2;
listen [::]:443 ssl http2;

server_name www.iscsc.fr iscsc.fr;
server_name iscsc.fr;

ssl_certificate /etc/nginx/ssl/live/iscsc.fr/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/iscsc.fr/privkey.pem;

root /blog; #Absolute path to where your hugo site is
root /blog/prod; #Absolute path to where your hugo site is
index index.html; # Hugo generates HTML

location / {
Expand Down
3 changes: 2 additions & 1 deletion scripts/new_article.py
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,8 @@ def main(files_paths):
file_name = basename[:-3] # get rid of the `.md`

## Add URL info:
data["url"] = f"https://iscsc.fr/posts/{file_name}"
data["url"] = f"https://iscsc.fr/posts/{file_name.lower()}" # filename generated by HUGO will be lowercase
# so must be the URL

## Finally send Data
req = requests.post("http://iscsc.fr:8001/new-blog", json=data)
Expand Down
40 changes: 40 additions & 0 deletions scripts/remote_git_pull.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
#!/usr/bin/bash

PATH=$(/usr/bin/getconf PATH || /bin/kill $$)

die() {
echo "[!] Something went wrong, exiting..."
exit 1
}

echo "[+] Connected to iscsc.fr"

if [ $# -ne 1 ]; then
echo "[!] Must provide one and only one argument: repo path on remote";
die;
fi
REPO_PATH="$1"; shift

echo "[+] Change directory"
cd ${REPO_PATH} || die

REMOTE_URL="iscsc/blog.iscsc.fr"
REMOTE_NAME=$(git remote -v | grep --ignore-case "${REMOTE_URL}" | grep "(fetch)" | awk '{print $1}')
MAIN_BRANCH_NAME=main

echo "[+] iScsc remote name is '${REMOTE_NAME}'"
echo "[+] Fetch '${MAIN_BRANCH_NAME}' from '${REMOTE_NAME}'"
git fetch "${REMOTE_NAME}" "${MAIN_BRANCH_NAME}" || die

echo "[+] Checkout on '${MAIN_BRANCH_NAME}'"
git checkout "${MAIN_BRANCH_NAME}" || die

REMOTE_MAIN_REF_NAME="${REMOTE_NAME}/${MAIN_BRANCH_NAME}"

echo "[+] Remote ref is '${REMOTE_MAIN_REF_NAME}'"
echo "[+] Rebase on '${REMOTE_MAIN_REF_NAME}'"
git rebase "${REMOTE_MAIN_REF_NAME}" || die

echo "[+] git log from here:"
git log --color --decorate --oneline --max-count=20 main

20 changes: 20 additions & 0 deletions scripts/test_new_article.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,26 @@ def test_new_article_file(mock_requests_post):
}
)


def test_new_article_file_upper_case(mock_requests_post):
# Add an article with an Upper case --> URL should be lower case
new_article.main(["test_resources/Article-2.md"])

mock_requests_post.assert_called_once_with(
'http://iscsc.fr:8001/new-blog',
json={
'title': 'article title',
'summary': 'article name contains an upper case letter',
'date': '2024-05-05 12:00:00+02:00',
'lastUpdate': '2024-05-05 12:00:00+02:00',
'tags': "['some', 'tags']",
'author': 'ctmbl',
'draft': False,
'url': 'https://iscsc.fr/posts/article-2'
}
)


def test_new_leaf_bundle_article(mock_requests_post):
new_article.main(["test_resources/leaf_bundle/index.md"])

Expand Down
9 changes: 9 additions & 0 deletions scripts/test_resources/Article-2.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
title: "article title"
summary: "article name contains an upper case letter"
date: 2024-05-05T12:00:00+02:00
lastUpdate: 2024-05-05T12:00:00+02:00
tags: ["some","tags"]
author: ctmbl
draft: false
---
46 changes: 46 additions & 0 deletions src/content/posts/WU2024-Base64Custom.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
---
title: "WU Chall Base32 - THCon"
summary: "Understand basics of encoded strings to reverse base32"
date: 2024-04-29T12:35:51+0200
tags: ["THCon","write-up","FR","Supwn"]
author: clementS
draft: false
---

# Base64Custom
**Entrée : un fichier txt contenant une chaîne de charactère encodée :**
**KREEGTaOPNRDIcbFGYaFeMLTLcaHOMbTGBWWKXbJNZXGSdDd**

> Indice :[..] He said he just changed the sextets into quintuplets ? what does that even mean??
## Etape 1: comprendre comment fonctionne un encodage de string et plus particulièrement l’encodage base64
Pour représenter un string, on associe à chaque charactère, un indice. Exemple : A->0, B->1,C->3….a->27,b->28…
Les représentations les plus commune sont la bijection ASCII et UTF-8. La bijection ASCII comporte 128 charactères (A..Za..z1..9 ?/…).

Pour représenter un string on va écrire à la suite chaque identifiant de chaque charactère. Exemple 1 : « Aa »->0 26
Ici on veut représenter notre chaîne de charactère en utilisant ASCII (128 charactères) . On représentera donc chaque id sur 7 bits (2^7 = 128 bits).
0 26 -> 00000 11010

L’encodage en base64, permet de transférer plus facilement des données. En effet, son alphabet est [A..Za..z0..9 ?/], il ne possède donc aucun charactère spéciaux. Il prend en entrée une suite de bits, et les groupes par 6 (il complète avec des 0, à la fin si ca tombe pas juste).
-> 000000 000111 00*0000*

-> Pour avoir la représentation textuelle, on utilise l’alphabet bijection Base64. On a donc un tout autre string. Ici il devient : AHA

## Etape 2: On attaque le concret.
On sait que ici, on a pris le FLAG, on l’a mis en base 32 (groupement bits par 5, et à pris sa représentation). On doit donc faire l’étape inverse. On peut en théorie prendre n’importe quelle alphabet mais en analysant la chaîne donnée on remarque que elle est composée des caractères [A..Za..f].
## Etape 3 : Subtilité.
Comme on l’a préciser tout à l’heure, on peut mettre des 0 à la fin si on a pas assez de bits pour bien convertir. On regarde si il faut éventuellement retirer un bit ou en ajouter.
## Etape 4 : La dernière étape correspond a représenter les bits avec le format universelle pour représenter un texte : ASCII.

> Rq : Il faut différencier encodage base64 et ASCII
Base64 prend en entrée des bits et renvoie un chaine de charactère. C’est juste une bijection. ASCII prend en entrée une chaîne de charactère et renvoie des bits ou inversement. C’est une façon de représenter facilement un texte pour l’ordinateur.

## Résumé
```
Flag -------> 00101010001110 ------> AGSHhhbsf
Encodage ASCII Bijection Base 32
On doit reverse le process :
AGSHhhbsf ------> 00101010001110 -------> Flag
Bijection Base 32 Décodage ASCII
```

0 comments on commit d1cbe65

Please sign in to comment.