diff --git a/.github/workflows/build_and_deploy.yml b/.github/workflows/build_and_deploy.yml index acd0ee6..e0a6f06 100644 --- a/.github/workflows/build_and_deploy.yml +++ b/.github/workflows/build_and_deploy.yml @@ -20,6 +20,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Debug + run: | + echo "github.event.repository.fork = ${{ github.event.repository.fork }}" + echo "github.event_name = ${{ github.event_name }}" + # Checkout repo AND ITS SUBMODULES - name: 🛒 Checkout uses: actions/checkout@v3 @@ -35,24 +40,37 @@ jobs: - name: 🚀 Upload Artifacts uses: actions/upload-artifact@v3 with: - name: build - path: ./build/blog + name: prod-build + path: ./build/blog/prod # Deployment job: heavily inspired from https://swharden.com/blog/2022-03-20-github-actions-hugo/ - # /!\ only triggers on push events and manually triggered + # /!\ only triggers on (push events AND NOT fork repos) OR manually triggered + ## Required secrets: + # - SSH_KNOWN_HOSTS + # - PRIVATE_SSH_KEY + # - CI_USER_NAME + # - REPO_PATH_ON_REMOTE deploy: needs: [build] - if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} + # DISCLAIMER: + # The following is a very POOR solution to avoid *failing deploy step* due to missing secrets + # on fork repositories, but sadly the `env` context is not accessible from `jobs..if`: + # https://docs.github.com/en/actions/learn-github-actions/contexts#context-availability + # + # If for any reason you want to trigger this step on your fork remove the following line, + # trigger manually or open an issue https://github.com/iScsc/blog.iscsc.fr/issues, + # we'll find a better way to skip this step. + if: ${{ (github.event_name == 'push' && ! github.event.repository.fork) || github.event_name == 'workflow_dispatch' }} runs-on: ubuntu-latest steps: - name: 🛠️ Setup build directory run: | - mkdir -p build/blog + mkdir -p build/blog/prod - name: 📥 Download build Artifacts uses: actions/download-artifact@v3 with: - name: build - path: build/blog + name: prod-build + path: build/blog/prod # Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host) - name: 🔐 Create Key File @@ -70,7 +88,11 @@ jobs: # Upload the build to the remote server location: the volume shared by the nginx container serving http requests - name: 🚀 Upload run: | - rsync --archive --stats --verbose --delete ./build/blog/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.STATIC_WEBSITE_PATH}} + rsync --archive --stats --verbose --delete ./build/blog/prod/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/prod + + - name: ⏬ Remote git pull + run: | + ssh ${{ secrets.CI_USER_NAME }}@iscsc.fr /usr/bin/bash ${{ secrets.REPO_PATH_ON_REMOTE }}/scripts/remote_git_pull.sh ${{ secrets.REPO_PATH_ON_REMOTE }} # Finally notify of the new article (if any) on the iScsc discord server # action jitterbit/get-changed-files@v1 doesn't support 'workflow_dispatch' events: https://github.com/jitterbit/get-changed-files/issues/38 diff --git a/.github/workflows/deploy_dev.yml b/.github/workflows/deploy_dev.yml new file mode 100644 index 0000000..669e3d3 --- /dev/null +++ b/.github/workflows/deploy_dev.yml @@ -0,0 +1,49 @@ +name: Build and deploy a PR on dev.iscsc.fr + +on: + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + # Trigger the workflow on every pull request, but because of the environment (later defined) + # it will require manual approval to run + pull_request: + +jobs: + # Build job + build-and-deploy-dev: + runs-on: ubuntu-latest + # Force to respect the 'dev-deployment' environment rules, in our case 1 maintainer approval + environment: deployment-dev + steps: + # Checkout repo AND ITS SUBMODULES + - name: 🛒 Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: 💉 Inject Development Banner + run: | + cat ./development_banner.html >> ./src/themes/poison/layouts/partials/sidebar/sidebar.html + + # Build the static website with the provided docker-compose rules, overriding some elements, see docker-compose.dev.yml + - name: 🛠️ Build with HUGO + run: | + docker compose -f docker-compose.yml -f docker-compose.dev.yml run builder + + # Create the SSH key file and fill the known_hosts to avoid a prompt from ssh (1st time connecting to remote host) + - name: 🔐 Create Key File + run: | + mkdir ~/.ssh + touch ~/.ssh/id_rsa + chmod 600 ~/.ssh/id_rsa + - name: 🔐 Load Host Keys + run: | + echo "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts + - name: 🔑 Populate Key + run: | + echo "${{ secrets.PRIVATE_SSH_KEY }}" > ~/.ssh/id_rsa + + # Upload the build to the remote server location: the volume shared by the nginx container serving http requests + - name: 🚀 Upload + run: | + rsync --archive --stats --verbose --delete ./build/blog/dev/* ${{ secrets.CI_USER_NAME }}@iscsc.fr:${{ secrets.REPO_PATH_ON_REMOTE }}/build/blog/dev diff --git a/README.md b/README.md index 855004a..c6d6892 100644 --- a/README.md +++ b/README.md @@ -70,11 +70,11 @@ docker compose run --rm certbot renew #### Deploy the website itself -Create the blog directory, **it must be writable by users that will write to it: you, builder target, CI user...** +Create the blog/prod directory, **it must be writable by users that will write to it: you, builder target, CI user...** ```sh -mkdir build/blog +mkdir -p build/blog/prod chmod -chmown +chown ``` > you should check first the consistency of the server name (iscsc.fr/localhost) in those files: `nginx.conf`, ... @@ -87,8 +87,7 @@ docker compose up --detach blog > Note: before the next step make sure that when cloning the repository you also updated the git submodule! -Then builds the static website, `./build/blog` is a volume shared with both containers so -building the website will automatically "update" it for nginx. +Then builds the static website, `./build/blog/prod` is a volume shared with both containers so building the website will automatically "update" it for nginx. ```sh docker compose up builder ``` diff --git a/development_banner.html b/development_banner.html new file mode 100644 index 0000000..8630ee4 --- /dev/null +++ b/development_banner.html @@ -0,0 +1,3 @@ +
+ THIS IS A DEVELOPMENT WEBSITE, please go to https://iscsc.fr +
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml new file mode 100644 index 0000000..090cd31 --- /dev/null +++ b/docker-compose.dev.yml @@ -0,0 +1,7 @@ +services: + builder: + command: --logLevel info --baseURL="https://dev.iscsc.fr" --buildFuture + volumes: + # The container is mode-agnostique: it always builds in /build/blog + # the volume shared on the host side determines where it should go + - ./build/blog/dev:/build/blog:rw diff --git a/docker-compose.yml b/docker-compose.yml index 85235eb..1fa6df1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,7 +11,9 @@ services: - HUGO_ENVIRONMENT=production volumes: - ./src:/src:rw - - ./build/blog:/build/blog:rw + # The container is mode-agnostique: it always builds in /build/blog + # the volume shared on the host side determines where it should go + - ./build/blog/prod:/build/blog:rw blog: build: @@ -25,7 +27,10 @@ services: - ./certbot/www:/var/www/certbot/:ro - ./certbot/conf/:/etc/nginx/ssl/:ro - ./nginx.conf:/etc/nginx/nginx.conf:ro - - ./build/blog:/blog:rw + # serves iscsc.fr ; + - ./build/blog/prod:/blog/prod:rw + # serves dev.iscsc.fr : + - ./build/blog/dev:/blog/dev:rw certbot: image: certbot/certbot:latest diff --git a/nginx.conf b/nginx.conf index d298048..1a90c3b 100644 --- a/nginx.conf +++ b/nginx.conf @@ -17,7 +17,7 @@ http { listen 80; listen [::]:80; - server_name www.iscsc.fr iscsc.fr; + server_name dev.iscsc.fr www.iscsc.fr iscsc.fr; location /.well-known/acme-challenge/ { root /var/www/certbot; @@ -28,17 +28,41 @@ http { } } + server { + listen 443 ssl; + listen [::]:443 ssl; + http2 on; + + server_name dev.iscsc.fr; + + ssl_certificate /etc/nginx/ssl/live/dev.iscsc.fr/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/live/dev.iscsc.fr/privkey.pem; + + root /blog/dev; #Absolute path to where your hugo site is + index index.html; # Hugo generates HTML + + location / { + try_files $uri $uri/ =404; + } + + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + } + server { listen 443 default_server ssl http2; listen [::]:443 ssl http2; - server_name www.iscsc.fr iscsc.fr; + server_name iscsc.fr; ssl_certificate /etc/nginx/ssl/live/iscsc.fr/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/live/iscsc.fr/privkey.pem; - root /blog; #Absolute path to where your hugo site is + root /blog/prod; #Absolute path to where your hugo site is index index.html; # Hugo generates HTML location / { diff --git a/scripts/new_article.py b/scripts/new_article.py index 14365af..aace8d6 100644 --- a/scripts/new_article.py +++ b/scripts/new_article.py @@ -33,7 +33,8 @@ def main(files_paths): file_name = basename[:-3] # get rid of the `.md` ## Add URL info: - data["url"] = f"https://iscsc.fr/posts/{file_name}" + data["url"] = f"https://iscsc.fr/posts/{file_name.lower()}" # filename generated by HUGO will be lowercase + # so must be the URL ## Finally send Data req = requests.post("http://iscsc.fr:8001/new-blog", json=data) diff --git a/scripts/remote_git_pull.sh b/scripts/remote_git_pull.sh new file mode 100644 index 0000000..4ce72a8 --- /dev/null +++ b/scripts/remote_git_pull.sh @@ -0,0 +1,40 @@ +#!/usr/bin/bash + +PATH=$(/usr/bin/getconf PATH || /bin/kill $$) + +die() { + echo "[!] Something went wrong, exiting..." + exit 1 +} + +echo "[+] Connected to iscsc.fr" + +if [ $# -ne 1 ]; then + echo "[!] Must provide one and only one argument: repo path on remote"; + die; +fi +REPO_PATH="$1"; shift + +echo "[+] Change directory" +cd ${REPO_PATH} || die + +REMOTE_URL="iscsc/blog.iscsc.fr" +REMOTE_NAME=$(git remote -v | grep --ignore-case "${REMOTE_URL}" | grep "(fetch)" | awk '{print $1}') +MAIN_BRANCH_NAME=main + +echo "[+] iScsc remote name is '${REMOTE_NAME}'" +echo "[+] Fetch '${MAIN_BRANCH_NAME}' from '${REMOTE_NAME}'" +git fetch "${REMOTE_NAME}" "${MAIN_BRANCH_NAME}" || die + +echo "[+] Checkout on '${MAIN_BRANCH_NAME}'" +git checkout "${MAIN_BRANCH_NAME}" || die + +REMOTE_MAIN_REF_NAME="${REMOTE_NAME}/${MAIN_BRANCH_NAME}" + +echo "[+] Remote ref is '${REMOTE_MAIN_REF_NAME}'" +echo "[+] Rebase on '${REMOTE_MAIN_REF_NAME}'" +git rebase "${REMOTE_MAIN_REF_NAME}" || die + +echo "[+] git log from here:" +git log --color --decorate --oneline --max-count=20 main + diff --git a/scripts/test_new_article.py b/scripts/test_new_article.py index baae7fa..dbef86d 100644 --- a/scripts/test_new_article.py +++ b/scripts/test_new_article.py @@ -40,6 +40,26 @@ def test_new_article_file(mock_requests_post): } ) + +def test_new_article_file_upper_case(mock_requests_post): + # Add an article with an Upper case --> URL should be lower case + new_article.main(["test_resources/Article-2.md"]) + + mock_requests_post.assert_called_once_with( + 'http://iscsc.fr:8001/new-blog', + json={ + 'title': 'article title', + 'summary': 'article name contains an upper case letter', + 'date': '2024-05-05 12:00:00+02:00', + 'lastUpdate': '2024-05-05 12:00:00+02:00', + 'tags': "['some', 'tags']", + 'author': 'ctmbl', + 'draft': False, + 'url': 'https://iscsc.fr/posts/article-2' + } + ) + + def test_new_leaf_bundle_article(mock_requests_post): new_article.main(["test_resources/leaf_bundle/index.md"]) diff --git a/scripts/test_resources/Article-2.md b/scripts/test_resources/Article-2.md new file mode 100644 index 0000000..10ccdf0 --- /dev/null +++ b/scripts/test_resources/Article-2.md @@ -0,0 +1,9 @@ +--- +title: "article title" +summary: "article name contains an upper case letter" +date: 2024-05-05T12:00:00+02:00 +lastUpdate: 2024-05-05T12:00:00+02:00 +tags: ["some","tags"] +author: ctmbl +draft: false +--- \ No newline at end of file diff --git a/src/content/posts/WU2024-Base64Custom.md b/src/content/posts/WU2024-Base64Custom.md new file mode 100644 index 0000000..319b41b --- /dev/null +++ b/src/content/posts/WU2024-Base64Custom.md @@ -0,0 +1,46 @@ +--- +title: "WU Chall Base32 - THCon" +summary: "Understand basics of encoded strings to reverse base32" +date: 2024-04-29T12:35:51+0200 +tags: ["THCon","write-up","FR","Supwn"] +author: clementS +draft: false +--- + +# Base64Custom +**Entrée : un fichier txt contenant une chaîne de charactère encodée :** +**KREEGTaOPNRDIcbFGYaFeMLTLcaHOMbTGBWWKXbJNZXGSdDd** + +> Indice :[..] He said he just changed the sextets into quintuplets ? what does that even mean?? + +## Etape 1: comprendre comment fonctionne un encodage de string et plus particulièrement l’encodage base64 +Pour représenter un string, on associe à chaque charactère, un indice. Exemple : A->0, B->1,C->3….a->27,b->28… +Les représentations les plus commune sont la bijection ASCII et UTF-8. La bijection ASCII comporte 128 charactères (A..Za..z1..9 ?/…). + +Pour représenter un string on va écrire à la suite chaque identifiant de chaque charactère. Exemple 1 : « Aa »->0 26 +Ici on veut représenter notre chaîne de charactère en utilisant ASCII (128 charactères) . On représentera donc chaque id sur 7 bits (2^7 = 128 bits). +0 26 -> 00000 11010 + +L’encodage en base64, permet de transférer plus facilement des données. En effet, son alphabet est [A..Za..z0..9 ?/], il ne possède donc aucun charactère spéciaux. Il prend en entrée une suite de bits, et les groupes par 6 (il complète avec des 0, à la fin si ca tombe pas juste). +-> 000000 000111 00*0000* + +-> Pour avoir la représentation textuelle, on utilise l’alphabet bijection Base64. On a donc un tout autre string. Ici il devient : AHA + +## Etape 2: On attaque le concret. +On sait que ici, on a pris le FLAG, on l’a mis en base 32 (groupement bits par 5, et à pris sa représentation). On doit donc faire l’étape inverse. On peut en théorie prendre n’importe quelle alphabet mais en analysant la chaîne donnée on remarque que elle est composée des caractères [A..Za..f]. +## Etape 3 : Subtilité. +Comme on l’a préciser tout à l’heure, on peut mettre des 0 à la fin si on a pas assez de bits pour bien convertir. On regarde si il faut éventuellement retirer un bit ou en ajouter. +## Etape 4 : La dernière étape correspond a représenter les bits avec le format universelle pour représenter un texte : ASCII. + +> Rq : Il faut différencier encodage base64 et ASCII + +Base64 prend en entrée des bits et renvoie un chaine de charactère. C’est juste une bijection. ASCII prend en entrée une chaîne de charactère et renvoie des bits ou inversement. C’est une façon de représenter facilement un texte pour l’ordinateur. + +## Résumé +``` +Flag -------> 00101010001110 ------> AGSHhhbsf + Encodage ASCII Bijection Base 32 +On doit reverse le process : +AGSHhhbsf ------> 00101010001110 -------> Flag + Bijection Base 32 Décodage ASCII +```