#!/usr/bin/env bash
# =============================================================================
# Risk Platform — Full Setup & Start Script
# =============================================================================
# Usage:
# ./setup.sh — first-time setup + start everything
# ./setup.sh --restart — tear down and restart all services cleanly
# ./setup.sh --runner — (re)start only the host runner (port 9999)
# =============================================================================
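set -euo pipefail

# Resolve the repository root from this script's own location so it can be
# invoked from any working directory.
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="$ROOT/.env"
VENV="$ROOT/riskenv"
PYTHON="$VENV/bin/python"
PROWLER="$VENV/bin/prowler"
CARTOGRAPHY="$VENV/bin/cartography"
# Runner log and PID file. Both default to the shared, world-writable /tmp:
# start_runner appends to the log and kills the PID read from the PID file,
# so another local user could pre-create either file. They can be moved by
# setting these variables in the environment before running the script, e.g.
#   RUNNER_LOG=/var/log/risk/runner.log RUNNER_PID_FILE=/run/user/$UID/risk-runner.pid ./setup.sh
RUNNER_LOG="${RUNNER_LOG:-/tmp/runner.log}"
RUNNER_PID_FILE="${RUNNER_PID_FILE:-/tmp/risk-runner.pid}"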
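# ── Colours ───────────────────────────────────────────────────────────────────
# ANSI escape sequences. They are expanded with printf '%b' so the escapes are
# interpreted, while message text goes through '%s' and is printed verbatim
# (a backslash or '%' inside a path or token can no longer mangle the output).
RED='\033[0;31m'; YELLOW='\033[1;33m'; GREEN='\033[0;32m'
CYAN='\033[0;36m'; BOLD='\033[1m'; RESET='\033[0m'

# Logging helpers. info/ok/section report progress on stdout; warn/error are
# diagnostics and go to stderr so `./setup.sh > setup.log` still shows problems.
info()    { printf '%b[INFO]%b %s\n'  "$CYAN"   "$RESET" "$*"; }
ok()      { printf '%b[OK]%b %s\n'    "$GREEN"  "$RESET" "$*"; }
warn()    { printf '%b[WARN]%b %s\n'  "$YELLOW" "$RESET" "$*" >&2; }
error()   { printf '%b[ERROR]%b %s\n' "$RED"    "$RESET" "$*" >&2; }
section() { printf '\n%b━━━ %s ━━━%b\n' "$BOLD" "$*" "$RESET"; }
# Report an error and abort the whole script with exit status 1.
die()     { error "$*"; exit 1; }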
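# ── Argument handling ─────────────────────────────────────────────────────────
# MODE selects what the script does: "setup" (default), "restart" or "runner".
MODE="setup"

# Set MODE from the first command-line argument. Any other value aborts, so a
# typo such as `--restar` fails loudly instead of silently running a full
# first-time setup.
parse_mode() {
  case "${1:-}" in
    "")        MODE="setup" ;;
    --restart) MODE="restart" ;;
    --runner)  MODE="runner" ;;
    *)         die "Unknown option '$1'. Usage: ./setup.sh [--restart|--runner]" ;;
  esac
}
parse_mode "$@"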
# =============================================================================
# SECTION 1 — Prerequisites
# =============================================================================
section "Checking prerequisites"

# Abort with the install hint in $2 unless the command named in $1 is on PATH;
# otherwise report where it was found.
check_cmd() {
  local cmd_name="$1" install_hint="$2" cmd_path
  if cmd_path=$(command -v "$cmd_name"); then
    ok "$cmd_name found ($cmd_path)"
  else
    die "'$cmd_name' not found. $install_hint"
  fi
}
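check_cmd docker  "Install Docker: https://docs.docker.com/get-docker/"
check_cmd python3 "Install Python 3.11+: https://python.org"
check_cmd curl    "Install curl via your package manager"

# Docker daemon running? (`docker info` fails when the daemon socket is unreachable)
if ! docker info &>/dev/null; then
  die "Docker daemon is not running. Start it and retry."
fi
ok "Docker daemon is running"

# Docker Compose: prefer the v2 plugin, fall back to the standalone binary.
# COMPOSE stays a plain string and is expanded unquoted at its call sites so
# "docker compose" splits into two words.
if docker compose version &>/dev/null; then
  COMPOSE="docker compose"
elif docker-compose version &>/dev/null; then
  COMPOSE="docker-compose"
else
  die "Docker Compose not found. Install it: https://docs.docker.com/compose/install/"
fi
# shellcheck disable=SC2086 — word-splitting of COMPOSE is intended
ok "Docker Compose found ($($COMPOSE version --short 2>/dev/null || echo 'ok'))"

# Return 0 when version string $1 ("major.minor" or "major.minor.patch") is at
# least 3.11; return 1 for older or unparsable versions.
python_version_ok() {
  local version="$1" major minor rest
  [[ "$version" == *.* ]] || version="$version.0"   # bare "3" means 3.0
  major="${version%%.*}"
  rest="${version#*.}"
  minor="${rest%%.*}"
  [[ "$major" =~ ^[0-9]+$ && "$minor" =~ ^[0-9]+$ ]] || return 1
  (( major > 3 || (major == 3 && minor >= 11) ))
}

# Python version >= 3.11 (the interpreter is asked for major.minor only)
PY_VER=$(python3 -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')")
if ! python_version_ok "$PY_VER"; then
  die "Python 3.11+ required, found $PY_VER"
fi
ok "Python $PY_VER"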
# =============================================================================
# SECTION 2 — .env file
# =============================================================================
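section "Environment configuration"

if [[ ! -f "$ENV_FILE" ]]; then
  if [[ ! -f "$ROOT/.env.example" ]]; then
    die ".env.example not found. Is this the right directory?"
  fi
  cp "$ROOT/.env.example" "$ENV_FILE"
  warn ".env created from .env.example"
  ok ".env file created — configure AWS credentials via the dashboard ⚙ Account Setup panel after startup"
fi
ok ".env file exists"

# Export every KEY=VALUE line of the env file ($1) into the current shell.
# Lines are parsed, never evaluated: the file holds credentials that originate
# elsewhere (API tokens, passwords), so a value containing `$(...)`, backticks
# or `;` must stay an opaque string instead of becoming shell code. Comment and
# blank lines are skipped, surrounding whitespace and a leading "export " are
# dropped, and one layer of matching quotes around the value is removed.
# Values are taken literally — no $VAR interpolation — which matches the
# `export $(grep -v '^#' .env | xargs)` recipe printed at the end of the script.
load_env_file() {
  local file="$1" line key value lineno=0
  while IFS= read -r line || [[ -n "$line" ]]; do
    lineno=$((lineno + 1))
    line="${line#"${line%%[![:space:]]*}"}"   # strip leading whitespace
    line="${line%"${line##*[![:space:]]}"}"   # strip trailing whitespace
    if [[ -z "$line" || "$line" == \#* ]]; then
      continue
    fi
    line="${line#export }"
    key="${line%%=*}"
    value="${line#*=}"
    if [[ "$line" != *=* || ! "$key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      # Report by line number only; the offending line may contain a secret.
      warn "Skipping malformed line $lineno in $file (expected KEY=VALUE)"
      continue
    fi
    if [[ "$value" == \"*\" || "$value" == \'*\' ]]; then
      value="${value:1:${#value}-2}"
    fi
    export "$key=$value"
  done < "$file"
}
load_env_file "$ENV_FILE"

# Validate GitHub token if set. The header is handed to curl through a file
# descriptor (process substitution) rather than on the command line, where
# `ps` would show the token to every local user. A transport failure yields
# status 000 and the warning below instead of aborting the script.
if [[ -n "${GITHUB_TOKEN:-}" ]]; then
  info "Validating GitHub token..."
  GH_STATUS=$(curl -s --max-time 15 -o /dev/null -w "%{http_code}" \
    -H @<(printf 'Authorization: token %s\n' "$GITHUB_TOKEN") \
    https://api.github.com/user || true)
  if [[ "$GH_STATUS" == "200" ]]; then
    ok "GitHub token valid"
  else
    warn "GitHub token returned HTTP $GH_STATUS — GitHub pipeline may fail"
  fi
else
  warn "GITHUB_TOKEN not set — GitHub pipeline will be unavailable (set it via ⚙ Account Setup)"
fi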
# =============================================================================
# SECTION 3 — Python virtualenv + dependencies
# =============================================================================
section "Python virtualenv"

# The venv is created once; later runs reuse it.
if [[ -d "$VENV" ]]; then
  ok "Virtualenv already exists"
else
  info "Creating virtualenv at $VENV ..."
  python3 -m venv "$VENV"
  ok "Virtualenv created"
fi

info "Installing/updating Python dependencies..."
"$VENV/bin/pip" install --quiet --upgrade pip
"$VENV/bin/pip" install --quiet -r "$ROOT/engine/requirements.txt"
ok "Dependencies installed"

# Verify key tools are present in venv (and show the version each reports,
# or "ok" when the tool does not answer --version).
for tool in prowler cartography; do
  [[ -f "$VENV/bin/$tool" ]] || die "$tool not found in venv after pip install. Check engine/requirements.txt"
  ok "$tool installed ($("$VENV/bin/$tool" --version 2>/dev/null | head -1 || echo 'ok'))"
done
# =============================================================================
# SECTION 4 — Docker services
# =============================================================================
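section "Docker services"
cd "$ROOT"

if [[ "$MODE" == "restart" ]]; then
  info "Tearing down existing containers..."
  $COMPOSE down --remove-orphans
  ok "Containers stopped"
fi

info "Starting Docker services (this may take a minute on first run)..."
$COMPOSE up -d --build

# Poll URL $1 up to $2 times, sleeping $3 seconds between attempts. With no $4,
# any completed HTTP exchange counts as ready (curl exit 0, whatever the
# status); with $4 the response status must equal it (e.g. 200, so a 5xx from
# a half-booted app is not "ready"). Each request is capped at 5s so a stalled
# container cannot hang the script. Returns 0 when ready, 1 on timeout.
wait_for_http() {
  local url="$1" attempts="$2" delay="$3" expected="${4:-}" i status
  for (( i = 1; i <= attempts; i++ )); do
    if [[ -z "$expected" ]]; then
      curl -s --max-time 5 "$url" &>/dev/null && return 0
    else
      status=$(curl -s --max-time 5 -o /dev/null -w "%{http_code}" "$url" 2>/dev/null || true)
      [[ "$status" == "$expected" ]] && return 0
    fi
    (( i < attempts )) && sleep "$delay"
  done
  return 1
}

# Wait for Neo4j (30 × 3s)
info "Waiting for Neo4j to be ready..."
if ! wait_for_http http://localhost:7474 30 3; then
  die "Neo4j did not become ready in 90s. Check: docker logs risk-platform-neo4j-1"
fi
ok "Neo4j is ready (http://localhost:7474)"

# Wait for DefectDojo — it runs DB migrations on first boot, takes ~60s;
# only a 200 on /login means it is usable (40 × 5s).
info "Waiting for DefectDojo to be ready (DB migrations may take ~60s)..."
if ! wait_for_http http://localhost:8080/login 40 5 200; then
  die "DefectDojo did not become ready in 200s. Check: docker logs risk-platform-defectdojo-1"
fi
ok "DefectDojo is ready (http://localhost:8080)"

# Wait for dashboard (15 × 3s); not fatal, it is re-checked in the verification step.
info "Waiting for dashboard to be ready..."
if wait_for_http http://localhost:8888 15 3; then
  ok "Dashboard is ready (http://localhost:8888)"
else
  warn "Dashboard not responding yet — it may still be starting"
fi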
# =============================================================================
# SECTION 5 — DefectDojo API token
# =============================================================================
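section "DefectDojo API token"
# Admin password from .env, falling back to DefectDojo's stock default.
if [[ -z "${DOJO_ADMIN_PASSWORD:-}" ]]; then
  warn "DOJO_ADMIN_PASSWORD not set in .env — using DefectDojo's default admin password"
fi
DOJO_ADMIN_PASSWORD="${DOJO_ADMIN_PASSWORD:-admin}"

# Write KEY=VALUE ($1=$2) into $ENV_FILE, replacing every existing "KEY=" line
# in place or appending one when absent. awk reads the value from the
# environment rather than a sed replacement string, so a value containing
# '|', '&' or '\' is written verbatim. The file is rewritten via a temp file
# in the same directory and copied back, which keeps its mode and ownership.
set_env_value() {
  local key="$1" value="$2" tmp
  tmp=$(mktemp "${ENV_FILE}.XXXXXX") || die "Could not create a temp file next to $ENV_FILE"
  ENV_KEY="$key" ENV_VALUE="$value" awk '
    BEGIN { k = ENVIRON["ENV_KEY"]; v = ENVIRON["ENV_VALUE"]; done = 0 }
    index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$ENV_FILE" > "$tmp" || { rm -f -- "$tmp"; die "Could not update $key in $ENV_FILE"; }
  cat "$tmp" > "$ENV_FILE"
  rm -f -- "$tmp"
}

# Try to fetch a fresh token regardless — always use the live one.
# The password goes to the JSON encoder on stdin and the request body to curl
# on stdin (-d @-), so neither shows up in the process list; json.dumps also
# escapes quotes and backslashes that a hand-built JSON string would break on.
info "Fetching DefectDojo API token..."
DOJO_AUTH_BODY=$(printf '%s' "$DOJO_ADMIN_PASSWORD" | python3 -c \
  'import json, sys; print(json.dumps({"username": "admin", "password": sys.stdin.read()}))')
DOJO_TOKEN_RESPONSE=$(printf '%s' "$DOJO_AUTH_BODY" | curl -s --max-time 15 -X POST \
  http://localhost:8080/api/v2/api-token-auth/ \
  -H "Content-Type: application/json" \
  -d @- 2>/dev/null || true)
FRESH_TOKEN=$(printf '%s' "$DOJO_TOKEN_RESPONSE" | python3 -c \
  "import sys,json; d=json.load(sys.stdin); print(d.get('token',''))" 2>/dev/null || true)

if [[ -z "$FRESH_TOKEN" ]]; then
  if [[ -n "${DOJO_API_TOKEN:-}" ]]; then
    warn "Could not fetch fresh token — using existing DOJO_API_TOKEN from .env"
    FRESH_TOKEN="$DOJO_API_TOKEN"
  else
    die "Could not fetch DefectDojo API token. DefectDojo may still be initialising — wait 30s and retry."
  fi
else
  ok "DefectDojo API token obtained"
  # Persist the token in .env and the current environment when it changed.
  if [[ "${DOJO_API_TOKEN:-}" != "$FRESH_TOKEN" ]]; then
    set_env_value DOJO_API_TOKEN "$FRESH_TOKEN"
    export DOJO_API_TOKEN="$FRESH_TOKEN"
    ok "DOJO_API_TOKEN updated in .env"
  fi
fi

# Verify token works (header passed through a file descriptor, not argv)
TOKEN_CHECK=$(curl -s --max-time 15 -o /dev/null -w "%{http_code}" \
  -H @<(printf 'Authorization: Token %s\n' "$FRESH_TOKEN") \
  http://localhost:8080/api/v2/users/ 2>/dev/null || true)
if [[ "$TOKEN_CHECK" != "200" ]]; then
  die "DefectDojo token verification failed (HTTP $TOKEN_CHECK). Check admin password in .env."
fi
ok "DefectDojo token verified"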
# =============================================================================
# SECTION 6 — Host runner (port 9999)
# =============================================================================
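section "Pipeline runner (port 9999)"

# Stop any previous runner and start engine/runner.py detached in the
# background, recording its PID in RUNNER_PID_FILE and appending its output
# to RUNNER_LOG. Globals read: ROOT, PYTHON, RUNNER_LOG, RUNNER_PID_FILE.
# Dies when the runner does not answer on port 9999 within ~15s.
start_runner() {
  local old_pid runner_pid i runner_ready
  # Kill any existing runner — but only a process that really is our runner.
  # The PID file lives by default under /tmp, which other local users can write
  # to, so a forged or stale PID must not make us signal an unrelated process.
  if [[ -f "$RUNNER_PID_FILE" ]]; then
    old_pid=$(cat "$RUNNER_PID_FILE")
    if [[ "$old_pid" =~ ^[0-9]+$ ]] && kill -0 "$old_pid" 2>/dev/null; then
      if ps -o args= -p "$old_pid" 2>/dev/null | grep -q 'engine/runner.py'; then
        info "Stopping existing runner (PID $old_pid)..."
        kill "$old_pid" 2>/dev/null || true
        sleep 1
      else
        warn "PID $old_pid in $RUNNER_PID_FILE is not the runner — leaving it alone"
      fi
    fi
    rm -f "$RUNNER_PID_FILE"
  fi
  # Also free port 9999. NB: this kills whatever holds the port, runner or not.
  fuser -k 9999/tcp 2>/dev/null || true
  sleep 1

  info "Starting runner..."
  cd "$ROOT"
  # .env is not re-read here: it was exported (allexport) at startup in every
  # mode, and the only value written since, DOJO_API_TOKEN, is exported when it
  # changes, so the runner already inherits the complete environment.
  nohup "$PYTHON" engine/runner.py >> "$RUNNER_LOG" 2>&1 &
  runner_pid=$!
  echo "$runner_pid" > "$RUNNER_PID_FILE"
  disown "$runner_pid"

  # Wait for it to bind (15 × 1s)
  runner_ready=false
  for (( i = 1; i <= 15; i++ )); do
    if curl -s --max-time 5 http://localhost:9999/preflight/aws &>/dev/null; then
      runner_ready=true
      break
    fi
    sleep 1
  done
  if [[ "$runner_ready" != "true" ]]; then
    die "Runner did not start. Check $RUNNER_LOG"
  fi
  ok "Runner started (PID $runner_pid, log: $RUNNER_LOG)"
}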
# The runner is (re)started in every mode; --runner mode stops here, the
# other modes continue to the verification below.
start_runner
if [[ "$MODE" == "runner" ]]; then
  echo ""
  ok "Runner restarted. Done."
  exit 0
fi
# =============================================================================
# SECTION 7 — Final verification
# =============================================================================
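section "System verification"
ALL_OK=true

# Probe URL $2 and report it under label $1; set ALL_OK=false unless the HTTP
# status equals $3. An unreachable endpoint yields an empty/000 status, which
# is reported as a mismatch rather than aborting the script. The status is
# kept in a local so the probe leaves no stray global behind.
check_endpoint() {
  local label="$1" url="$2" expected="$3" http
  http=$(curl -s --max-time 10 -o /dev/null -w "%{http_code}" "$url" 2>/dev/null || true)
  if [[ "$http" == "$expected" ]]; then
    ok "$label ($url)"
  else
    error "$label — expected HTTP $expected, got $http ($url)"
    ALL_OK=false
  fi
}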
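check_endpoint "Dashboard"  "http://localhost:8888" "200"
check_endpoint "Neo4j"      "http://localhost:7474" "200"
check_endpoint "DefectDojo" "http://localhost:8080/login" "200"
check_endpoint "Runner"     "http://localhost:9999/preflight/aws" "200"

# Print one preflight report: a blank line, the title ($1), then one line per
# check in the JSON payload ($2) with a ✓/✗ icon and the check's label.
# Expects a JSON array of objects with "ok" and "label" keys (what the two
# /preflight/* calls below return); anything else prints "(could not parse)".
print_preflight() {
  local title="$1" payload="$2"
  echo ""
  echo " $title:"
  python3 -c '
import sys, json
for c in json.loads(sys.argv[1]):
    icon = " ✓" if c["ok"] else " ✗"
    print(" " + icon + " " + str(c["label"]))
' "$payload" 2>/dev/null || echo " (could not parse)"
}

# Verify runner preflight details
info "Checking runner preflight status..."
AWS_PREFLIGHT=$(curl -s --max-time 10 http://localhost:9999/preflight/aws 2>/dev/null || true)
CART_PREFLIGHT=$(curl -s --max-time 10 http://localhost:9999/preflight/cartography 2>/dev/null || true)
print_preflight "AWS Pipeline preflight" "$AWS_PREFLIGHT"
print_preflight "Cartography preflight" "$CART_PREFLIGHT"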
# =============================================================================
# SECTION 8 — Summary
# =============================================================================
section "Setup complete"
echo ""
printf ' %b%bAll services are running.%b\n' "$GREEN" "$BOLD" "$RESET"
echo ""
# Service table and next steps. The heredoc expands $ENV_FILE, $CARTOGRAPHY
# and $RUNNER_LOG; the escaped \$ and \\ are printed literally for the user
# to paste into their shell.
cat <<EOF
 ┌─────────────────────────────────────────────────────┐
 │ Dashboard → http://localhost:8888 │
 │ DefectDojo → http://localhost:8080 │
 │ Neo4j Browser → http://localhost:7474 │
 │ Runner API → http://localhost:9999 │
 └─────────────────────────────────────────────────────┘

 Next steps:
 1. Open http://localhost:8888 → ⚙ Account Setup — enter AWS credentials
 2. Open http://localhost:8888 → ▶ Run Pipeline
 3. Run Cartography for AWS graph discovery (after credentials are set):

 export \$(grep -v '^#' $ENV_FILE | xargs)
 $CARTOGRAPHY \\
 --neo4j-uri bolt://localhost:7687 \\
 --neo4j-user neo4j \\
 --neo4j-password-env-var NEO4J_PASSWORD \\
 --neo4j-database neo4j \\
 --aws-best-effort-mode \\
 --aws-regions "\$AWS_DEFAULT_REGION" \\
 --aws-requested-syncs "s3,ec2:instance,ec2:security_group,rds,lambda_function"

 Runner log: $RUNNER_LOG
 Env file: $ENV_FILE

EOF
# Non-zero exit when any verification probe above failed.
if [[ "$ALL_OK" != "true" ]]; then
  warn "Some checks failed — review errors above before running pipelines."
  exit 1
fi