fix Bug 62253 - NODE_EXTRA_CA_CERTS substitution error (#721)

* Add DocumentServer zap scanner

* Fix zap target url from `http` to `https`

.github/workflows/zap-ds.yaml

@@ -0,0 +1,70 @@
+---
+name: Scanning DocumentServer with ZAP
+
+run-name: > 
+      ZAP DocumentServer ver: ${{ github.event.inputs.version }} from branch: ${{ github.event.inputs.branch }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Set DocumentServer version that will be deployed'
+        type: string
+        required: true
+      branch:
+        description: 'The branch from which the scan will be performed'
+        type: string
+        required: true
+jobs:
+  zap:
+    name: "Zap scanning DocumentServer"
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run DS
+        id: run-ds
+        env:
+          TAG: ${{ github.event.inputs.version }}
+        run: |
+           # Create ssl certs
+           openssl genrsa -out tls.key 2048
+           openssl req -new -key tls.key -out tls.csr -subj "/C=RU/ST=NizhObl/L=NizhNov/O=RK-Tech/OU=TestUnit/CN=TestName"
+           openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt
+           openssl dhparam -out dhparam.pem 2048
+           sudo mkdir -p /app/onlyoffice/DocumentServer/data/certs
+           sudo cp ./tls.key /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./tls.crt /app/onlyoffice/DocumentServer/data/certs/
+           sudo cp ./dhparam.pem /app/onlyoffice/DocumentServer/data/certs/
+           sudo chmod 400 /app/onlyoffice/DocumentServer/data/certs/tls.key
+           rm ./tls.key ./tls.crt ./dhparam.pem
+
+           # Run Ds with enabled ssl
+           export CONTAINER_NAME="documentserver"
+           sudo docker run -itd \
+                           --name ${CONTAINER_NAME} \
+                           -p 80:80 \
+                           -p 443:443 \
+                           -v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
+                           onlyoffice/4testing-documentserver:${TAG}
+           sleep 60
+           sudo docker exec ${CONTAINER_NAME} sudo supervisorctl start ds:example
+           LOCAL_IP=$(hostname -I | awk '{print $1}')
+           echo "local-ip=${LOCAL_IP}" >> "$GITHUB_OUTPUT"
+
+      # Scan DocumentServer with ZAP.
+      # NOTE: Full scan get a lot of time.
+      # If you want make scan more faster (but less accurate) remove `cmd options` field
+      # -j mean that scanning use AJAX Spider, with this spider the scan takes approximately an hour
+      # Without any cmd options will be used default spider and the scan takes approximately ~10-15 minutes
+      - name: ZAP Scan
+        uses: zaproxy/action-full-scan@v0.8.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+          target: 'https://${{ steps.run-ds.outputs.local-ip }}/'
+          allow_issue_writing: false
+          cmd_options: '-j'

Dockerfile

@@ -19,6 +19,7 @@ RUN echo "#!/bin/sh\nexit 0" > /usr/sbin/policy-rc.d && \
         apt-utils \
         bomstrip \
         certbot \
+        cron \
         curl \
         htop \
         libasound2 \

README.md

@@ -178,6 +178,7 @@ Below is the complete list of parameters that can be set using environment varia
 - **SSL_KEY_PATH**: The path to the SSL certificate's private key. Defaults to `/var/www/onlyoffice/Data/certs/tls.key`.
 - **SSL_DHPARAM_PATH**: The path to the Diffie-Hellman parameter. Defaults to `/var/www/onlyoffice/Data/certs/dhparam.pem`.
 - **SSL_VERIFY_CLIENT**: Enable verification of client certificates using the `CA_CERTIFICATES_PATH` file. Defaults to `false`
+- **NODE_EXTRA_CA_CERTS**: The [NODE_EXTRA_CA_CERTS](https://nodejs.org/api/cli.html#node_extra_ca_certsfile "Node.js documentation") to extend CAs with the extra certificates for Node.js. Defaults to `/var/www/onlyoffice/Data/certs/extra-ca-certs.pem`.
 - **DB_TYPE**: The database type. Supported values are `postgres`, `mariadb` or `mysql`. Defaults to `postgres`.
 - **DB_HOST**: The IP address or the name of the host where the database server is running.
 - **DB_PORT**: The database server port number.

run-document-server.sh

@@ -60,6 +60,25 @@ if [[ -z $SSL_KEY_PATH ]] && [[ -f ${SSL_CERTIFICATES_DIR}/${COMPANY_NAME}.key ]
 else
   SSL_KEY_PATH=${SSL_KEY_PATH:-${SSL_CERTIFICATES_DIR}/tls.key}
 fi
+
+#When set, the well known "root" CAs will be extended with the extra certificates in file
+NODE_EXTRA_CA_CERTS=${NODE_EXTRA_CA_CERTS:-${SSL_CERTIFICATES_DIR}/extra-ca-certs.pem}
+if [[ -f ${NODE_EXTRA_CA_CERTS} ]]; then
+  NODE_EXTRA_ENVIRONMENT="${NODE_EXTRA_CA_CERTS}"
+elif [[ -f ${SSL_CERTIFICATE_PATH} ]]; then
+  SSL_CERTIFICATE_SUBJECT=$(openssl x509 -subject -noout -in "${SSL_CERTIFICATE_PATH}" | sed 's/subject=//')
+  SSL_CERTIFICATE_ISSUER=$(openssl x509 -issuer -noout -in "${SSL_CERTIFICATE_PATH}" | sed 's/issuer=//')
+
+  #Add self-signed certificate to trusted list for validating Docs requests to the test example 
+  if [[ -n $SSL_CERTIFICATE_SUBJECT && $SSL_CERTIFICATE_SUBJECT == $SSL_CERTIFICATE_ISSUER ]]; then
+    NODE_EXTRA_ENVIRONMENT="${SSL_CERTIFICATE_PATH}"
+  fi
+fi
+
+if [[ -n $NODE_EXTRA_ENVIRONMENT ]]; then
+  sed -i "s|^environment=.*$|&,NODE_EXTRA_CA_CERTS=${NODE_EXTRA_ENVIRONMENT}|" /etc/supervisor/conf.d/*.conf
+fi
+
 CA_CERTIFICATES_PATH=${CA_CERTIFICATES_PATH:-${SSL_CERTIFICATES_DIR}/ca-certificates.pem}
 SSL_DHPARAM_PATH=${SSL_DHPARAM_PATH:-${SSL_CERTIFICATES_DIR}/dhparam.pem}
 SSL_VERIFY_CLIENT=${SSL_VERIFY_CLIENT:-off}