From 266ee52bd016b3d9f9a4b49340bf6a6096af4d8d Mon Sep 17 00:00:00 2001
From: Stephen
Date: Mon, 11 Sep 2023 09:53:22 -0400
Subject: [PATCH 1/2] switch to using denylist for blocking orgIDs (#333)

Just cleaning up the language we use in the app

Signed-off-by: Stephen Adams
---
 deploy/clowdapp.yaml           |  6 +++---
 internal/config/config.go      |  6 +++---
 internal/upload/upload.go      | 18 +++++++++---------
 internal/upload/upload_test.go |  2 +-
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml
index c6ea7ee..b7df273 100644
--- a/deploy/clowdapp.yaml
+++ b/deploy/clowdapp.yaml
@@ -62,8 +62,8 @@ objects:
           value: ${CLOWDER_ENABLED}
         - name: INGRESS_MINIOENDPOINT
           value: ${INGRESS_MINIOENDPOINT}
-        - name: INGRESS_BLACK_LISTED_ORGIDS
-          value: ${INGRESS_BLACK_LISTED_ORGIDS}
+        - name: INGRESS_DENY_LISTED_ORGIDS
+          value: ${INGRESS_DENY_LISTED_ORGIDS}
         - name: SSL_CERT_DIR
           value: ${SSL_CERT_DIR}
         resources:
@@ -131,7 +131,7 @@ parameters:
   name: ENV_NAME
   value: "insights-ingress"
   required: true
-- name: INGRESS_BLACK_LISTED_ORGIDS
+- name: INGRESS_DENY_LISTED_ORGIDS
   value: ""
 - name: SSL_CERT_DIR
   value: '/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/cdapp/certs'
diff --git a/internal/config/config.go b/internal/config/config.go
index 275a884..0cce7e0 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -31,7 +31,7 @@ type IngressConfig struct {
 	TlsCAPath         string
 	StorageConfig     StorageCfg
 	LoggingConfig     LoggingCfg
-	BlackListedOrgIDs []string
+	DenyListedOrgIDs  []string
 	Debug             bool
 	DebugUserAgent    *regexp.Regexp
 }
@@ -110,7 +110,7 @@ func Get() *IngressConfig {
 	options.SetDefault("OpenshiftBuildCommit", "notrunninginopenshift")
 	options.SetDefault("Valid_Upload_Types", "unit,announce")
 	options.SetDefault("Profile", false)
-	options.SetDefault("Black_Listed_OrgIDs", []string{})
+	options.SetDefault("Deny_Listed_OrgIDs", []string{})
 	options.SetDefault("Debug", false)
 	options.SetDefault("DebugUserAgent", `unspecified`)
 	options.SetEnvPrefix("INGRESS")
@@ -208,7 +208,7 @@ func Get() *IngressConfig {
 		PayloadTrackerURL: options.GetString("PayloadTrackerURL"),
 		TlsCAPath:         options.GetString("TlsCAPath"),
 		Profile:           options.GetBool("Profile"),
-		BlackListedOrgIDs: options.GetStringSlice("Black_Listed_OrgIDs"),
+		DenyListedOrgIDs:  options.GetStringSlice("Deny_Listed_OrgIDs"),
 		Debug:             options.GetBool("Debug"),
 		DebugUserAgent:    regexp.MustCompile(options.GetString("DebugUserAgent")),
 		KafkaConfig: KafkaCfg{
diff --git a/internal/upload/upload.go b/internal/upload/upload.go
index affcd88..db553a2 100644
--- a/internal/upload/upload.go
+++ b/internal/upload/upload.go
@@ -144,7 +144,7 @@ func NewHandler(
 	tracker announcers.Announcer,
 	cfg config.IngressConfig) http.HandlerFunc {
 
-	isCustomerBlackListed := isRequestFromBlackListedOrgID(cfg)
+	isCustomerDenyListed := isRequestFromDenyListedOrgID(cfg)
 
 	return func(w http.ResponseWriter, r *http.Request) {
 		var id identity.XRHID
@@ -178,10 +178,10 @@ func NewHandler(
 			id.Identity.OrgID = id.Identity.Internal.OrgID
 		}
 
-		if isCustomerBlackListed(id) {
+		if isCustomerDenyListed(id) {
 			w.WriteHeader(http.StatusForbidden)
 			w.Write([]byte("Upload denied. Please contact Red Hat Support."))
-			requestLogger.WithFields(logrus.Fields{"account": id.Identity.AccountNumber, "org_id": id.Identity.OrgID}).Info("Upload rejected due to customer being blacklisted")
+			requestLogger.WithFields(logrus.Fields{"account": id.Identity.AccountNumber, "org_id": id.Identity.OrgID}).Info("Upload rejected due to customer being denylisted")
 			return
 		}
 
@@ -330,15 +330,15 @@ func NewHandler(
 	}
 }
 
-func isRequestFromBlackListedOrgID(cfg config.IngressConfig) func(identity.XRHID) bool {
+func isRequestFromDenyListedOrgID(cfg config.IngressConfig) func(identity.XRHID) bool {
 
-	blackListedOrgIDs := make(map[string]bool)
-	for _, orgID := range cfg.BlackListedOrgIDs {
-		blackListedOrgIDs[orgID] = true
+	denyListedOrgIDs := make(map[string]bool)
+	for _, orgID := range cfg.DenyListedOrgIDs {
+		denyListedOrgIDs[orgID] = true
 	}
 
 	return func(id identity.XRHID) bool {
-		_, blackListed := blackListedOrgIDs[id.Identity.OrgID]
-		return blackListed
+		_, denyListed := denyListedOrgIDs[id.Identity.OrgID]
+		return denyListed
 	}
 }
diff --git a/internal/upload/upload_test.go b/internal/upload/upload_test.go
index a1e626a..4c954e9 100644
--- a/internal/upload/upload_test.go
+++ b/internal/upload/upload_test.go
@@ -439,7 +439,7 @@ var _ = Describe("Upload", func() {
 	Context("with a denied orgID", func() {
 		It("should return 403", func() {
 			cfg := config.Get()
-			cfg.BlackListedOrgIDs = []string{"12345"}
+			cfg.DenyListedOrgIDs = []string{"12345"}
 			handler = NewHandler(stager, validator, tracker, *cfg)
 			boiler(http.StatusForbidden, &FilePart{
 				Name: "file",

From 03271a52b4455d1f49b76705cfc89b4d2c630383 Mon Sep 17 00:00:00 2001
From: Doug Donahue <57504257+ddonahue007@users.noreply.github.com>
Date: Thu, 21 Sep 2023 12:31:34 -0400
Subject: [PATCH 2/2] Update build_deploy script with security-compliance options (#334)

---
 build_deploy.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/build_deploy.sh b/build_deploy.sh
index 76243b1..6a12016 100755
--- a/build_deploy.sh
+++ b/build_deploy.sh
@@ -4,6 +4,7 @@ set -exv
 IMAGE="quay.io/cloudservices/insights-ingress"
 IMAGE_TAG=$(git rev-parse --short=7 HEAD)
+SECURITY_COMPLIANCE_TAG="sc-$(date +%Y%m%d)-$(git rev-parse --short=7 HEAD)"
 if [[ -z "$QUAY_USER" || -z "$QUAY_TOKEN" ]]; then
   echo "QUAY_USER and QUAY_TOKEN must be set"
@@ -21,7 +22,13 @@ docker --config="$DOCKER_CONF" login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io
 docker --config="$DOCKER_CONF" login -u="$RH_REGISTRY_USER" -p="$RH_REGISTRY_TOKEN" registry.redhat.io
 docker --config="$DOCKER_CONF" build -t "${IMAGE}:${IMAGE_TAG}" .
 docker --config="$DOCKER_CONF" push "${IMAGE}:${IMAGE_TAG}"
-docker --config="$DOCKER_CONF" tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:qa"
-docker --config="$DOCKER_CONF" push "${IMAGE}:qa"
-docker --config="$DOCKER_CONF" tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:latest"
-docker --config="$DOCKER_CONF" push "${IMAGE}:latest"
+
+if [[ $GIT_BRANCH == *"security-compliance"* ]]; then
+  docker --config="$DOCKER_CONF" tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:${SECURITY_COMPLIANCE_TAG}"
+  docker --config="$DOCKER_CONF" push "${IMAGE}:${SECURITY_COMPLIANCE_TAG}"
+else
+  docker --config="$DOCKER_CONF" tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:qa"
+  docker --config="$DOCKER_CONF" push "${IMAGE}:qa"
+  docker --config="$DOCKER_CONF" tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:latest"
+  docker --config="$DOCKER_CONF" push "${IMAGE}:latest"
+fi
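Review bot: The new branch test `[[ $GIT_BRANCH == *"security-compliance"* ]]` is an unanchored substring glob, so any branch whose name merely contains that text (a `revert-security-compliance-…` branch, say) skips the `qa`/`latest` promotion, and when `GIT_BRANCH` is unset or empty the script silently takes the `else` path and overwrites `latest` and `qa` with whatever commit CI happened to build — the script runs with `-e` but not `-u`, so nothing catches the missing variable. Consider failing fast with `: "${GIT_BRANCH:?GIT_BRANCH must be set}"` before the `if`, and matching the branch name exactly or by prefix, `[[ $GIT_BRANCH == security-compliance* ]]`, rather than anywhere in the string. Unrelated to this change but visible in the hunk's context: with `set -exv` in force at the top of the script every expanded command is traced, so the `docker login … -p="$QUAY_TOKEN"` and `-p="$RH_REGISTRY_TOKEN"` lines print the registry secrets into the CI log; feeding the token through `--password-stdin` (e.g. `echo "$QUAY_TOKEN" | docker … login -u="$QUAY_USER" --password-stdin quay.io`) would keep them out of the trace.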