initial commit

.github/workflows/clean.yml

@@ -0,0 +1,16 @@
+---
+name: Clean Deployment
+
+on: delete
+
+jobs:
+  clean:
+    uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/clean_workflow.yml@main
+    with:
+      branch: ${{ github.event.ref }}
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+      DEV_KUBE_CONFIG_BRB: ${{ secrets.DEV_KUBE_CONFIG_BRB }}
+      DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }}
+      DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }}
+      DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }}

.github/workflows/push.yml

@@ -0,0 +1,109 @@
+---
+name: Build and push Docker Image
+
+on:
+  push:
+    branches-ignore:
+      - dependabot/**
+
+permissions:
+  contents: read
+
+jobs:
+  build_and_push:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker meta Service Name
+        id: docker_meta_img
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch,enable=false,priority=600
+            type=sha,enable=true,priority=600,prefix=
+      - name: Log into registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: test image exists
+        run: |
+         echo "IMAGE_EXISTS=$(docker manifest inspect ghcr.io/${{ github.repository }}:${{ github.sha }} > /dev/null && echo 1 || echo 0)" >> $GITHUB_ENV
+
+      - name: Build and push ${{ github.repository }}
+        if: ${{ env.IMAGE_EXISTS == 0 }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: true
+          pull: true
+          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
+          labels: ${{ steps.docker_meta_img.outputs.labels }}
+
+  branch_name:
+    runs-on: ubuntu-latest
+    outputs:
+      branch: ${{ steps.extract_branch.outputs.branch }}
+    steps:
+      - name: Extract branch name
+        shell: bash
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+        id: extract_branch
+
+  deploy:
+    needs:
+      - build_and_push
+      - branch_name
+    uses: hpi-schul-cloud/dof_app_deploy/.github/workflows/deploy.yml@main
+    with:
+      branch: ${{ needs.branch_name.outputs.branch }}
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+      DEV_VAULT_BRB: ${{ secrets.DEV_VAULT_BRB }}
+      DEV_VAULT_NBC: ${{ secrets.DEV_VAULT_NBC }}
+      DEV_VAULT_THR: ${{ secrets.DEV_VAULT_THR }}
+      DEV_VAULT_DBC: ${{ secrets.DEV_VAULT_DBC }}
+      DEV_KUBE_CONFIG_BRB: ${{ secrets.DEV_KUBE_CONFIG_BRB }}
+      DEV_KUBE_CONFIG_NBC: ${{ secrets.DEV_KUBE_CONFIG_NBC }}
+      DEV_KUBE_CONFIG_THR: ${{ secrets.DEV_KUBE_CONFIG_THR }}
+      DEV_KUBE_CONFIG_DBC: ${{ secrets.DEV_KUBE_CONFIG_DBC }}
+
+  deploy-successful:
+    needs:
+      - deploy
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "deploy was successful"
+
+  trivy-vulnerability-scanning:
+    needs:
+      - build_and_push
+      - branch_name
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: run trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        with:
+          image-ref: 'ghcr.io/${{ github.repository }}:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: 1
+          ignore-unfixed: true
+      - name: upload trivy results
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/tag.yml

@@ -0,0 +1,49 @@
+---
+name: Build and push Docker Image on Tag
+
+on:
+  push:
+    tags:
+      - '[0-9]*'
+
+jobs:
+  build_and_push_docker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Docker meta Service Name for docker hub
+        id: docker_meta_img_hub
+        uses: docker/metadata-action@v3
+        with:
+          images: docker.io/schulcloud/schulcloud-avcheck, quay.io/schulcloudverbund/schulcloud-avcheck
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}            
+
+      - name: Log into docker registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Log into quay registry
+        uses: docker/login-action@v2
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and push ${{ github.repository }}
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          push: true
+          pull: true
+          tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
+          labels: ${{ steps.docker_meta_img_hub.outputs.labels }}

.gitignore

@@ -0,0 +1,16 @@
+.vagrant
+.vscode
+.project
+.pydevproject
+.settings
+.idea
+*.DS_Store
+nbproject
+*__pycache__
+*.pyc
+*egg-info
+*.log
+tests
+secrets
+*.swp
+venv

Dockerfile

@@ -0,0 +1,8 @@
+FROM docker.io/python:3.12-alpine
+
+WORKDIR /usr/src/app
+COPY requirements.txt requirements.txt
+RUN pip3 install -r requirements.txt
+COPY app.py app.py
+
+ENTRYPOINT ["python3", "app.py"]

app.py

@@ -0,0 +1,37 @@
+import logging
+import os
+
+from pymongo import MongoClient
+
+logging.basicConfig(level=logging.DEBUG)
+
+if __name__ == '__main__':
+    mongo_url = os.environ.get('MONGO_URL', 'mongodb://localhost:27017/scapp')
+    client = MongoClient(mongo_url)
+    db = client.get_default_database()
+
+    configurable_collections = ['ikwhbd']
+
+    pipeline = [
+        {
+            '$match': {
+                'operationType': 'delete',
+                'ns.coll': {'$nin': configurable_collections}
+            }
+        }
+    ]
+
+    with db.watch(pipeline) as stream:
+        print("Watching for delete events...")
+
+        for change in stream:
+            # Extract relevant information
+            collection_name = change['ns']['coll']
+            document_id = change['documentKey']['_id']
+
+            print(f"Deletion event in collection '{collection_name}' for document with ID: {document_id}")
+            db.ikwhbd.insert_one({
+                "source": "iknowwhathasbeendeleted",
+                "document_id": document_id,
+                "collection": collection_name
+            })

requirements.txt

@@ -0,0 +1 @@
+pymongo==4.6.1