Skip to content

Data exfiltration via DNS tunneling #7639

Data exfiltration via DNS tunneling

Data exfiltration via DNS tunneling #7639

---
name: pr_comment_bot
on: # yamllint disable-line rule:truthy
issue_comment:
types: [created] # only run on new comments
# https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#issue_comment
# https://docs.github.com/en/developers/webhooks-and-events/webhooks/webhook-events-and-payloads#issue_comment
jobs:
pr_comment:
name: PR comment
# https://docs.github.com/en/graphql/reference/enums#commentauthorassociation
# (and https://docs.github.com/en/rest/reference/issues#comments)
# only allow commands where:
# - the comment is on a PR
# - the commenting user has write permissions (i.e. is OWNER or COLLABORATOR)
if: ${{ github.event.issue.pull_request }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
checks: write
contents: read
outputs:
command: ${{ steps.check_command.outputs.command }}
prRef: ${{ steps.check_command.outputs.prRef }}
prHeadSha: ${{ steps.check_command.outputs.prHeadSha }}
prRefId: ${{ steps.check_command.outputs.prRefId }}
branchRefId: ${{ steps.check_command.outputs.branchRefid }}
ciGitRef: ${{ steps.check_command.outputs.ciGitRef }}
steps:
# Ensure we have the script file for the github-script action to use
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Determine whether the comment is a command
- id: check_command
name: Check for a command using GitHub script
uses: actions/github-script@v7
with:
script: |
const script = require('./.github/scripts/build.js')
await script.getCommandFromComment({core, context, github});
- name: Output PR details
run: |
echo "PR Details"
echo "=========="
echo "prRef : ${{ steps.check_command.outputs.prRef }}"
echo "prHeadSha : ${{ steps.check_command.outputs.prHeadSha }}"
echo "prRefId : ${{ steps.check_command.outputs.prRefId }}"
echo "ciGitRef : ${{ steps.check_command.outputs.ciGitRef }}"
echo "branchRefId : ${{ steps.check_command.outputs.prRefId }}"
# If we don't run the actual deploy (see the run_test job below) we won't receive a check-run status,
# and will have to send it "manually"
- name: Bypass E2E check-runs status
if: ${{ steps.check_command.outputs.command == 'test-force-approve' }}
uses: LouisBrunner/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
# the name must be identical to the one received by the real job
sha: ${{ steps.check_command.outputs.prHeadSha }}
name: "Deploy PR / Run E2E Tests (Smoke)"
status: "completed"
conclusion: "success"
destroy_pr_env:
needs: [pr_comment]
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
environment: CICD
name: Destroy PR env
steps:
# Ensure we have the script files
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Perform az login for destroy env script to be able to run
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }}
- name: Run deployment cleanup
env:
PR_NUMBER: ${{ github.event.issue.number }}
REPO: ${{ github.event.repository.full_name }}
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.prRefId) }}
RUN_ID: ${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
run: |
set -e
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying PR test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "PR test environment destroy complete (RG: ${RG_NAME})"
destroy_branch_env:
needs: [pr_comment]
if: ${{ needs.pr_comment.outputs.command == 'test-destroy-env' && needs.pr_comment.outputs.branchRefId != '' }}
runs-on: ubuntu-latest
permissions:
pull-requests: write
environment: CICD
name: Destroy branch env
steps:
# Ensure we have the script files
- name: Checkout
uses: actions/checkout@v4
with:
persist-credentials: false
# Perform az login for destroy env script to be able to run
- name: Azure Login
uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: ${{ (vars.AZURE_ENVIRONMENT != '' && vars.AZURE_ENVIRONMENT) || 'AzureCloud' }}
- name: Run deployment cleanup
env:
PR_NUMBER: ${{ github.event.issue.number }}
REPO: ${{ github.event.repository.full_name }}
RG_NAME: ${{ format('rg-tre{0}', needs.pr_comment.outputs.branchRefId) }}
RUN_ID: ${{ github.run_id }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHOW_KEYVAULT_DEBUG_ON_DESTROY: ${{ secrets.SHOW_KEYVAULT_DEBUG_ON_DESTROY }}
run: |
set -e
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Destroying branch test environment (RG: ${RG_NAME})... (run: https://github.com/${REPO}/actions/runs/${RUN_ID})"
devops/scripts/destroy_env_no_terraform.sh --core-tre-rg "${RG_NAME}"
gh pr comment "${PR_NUMBER}" --repo "$REPO" --body "Branch test environment destroy complete (RG: ${RG_NAME})"
run_test:
# Run the tests with the re-usable workflow
needs: [pr_comment]
if: |
needs.pr_comment.outputs.command == 'run-tests' ||
needs.pr_comment.outputs.command == 'run-tests-extended' ||
needs.pr_comment.outputs.command == 'run-tests-extended-aad' ||
needs.pr_comment.outputs.command == 'run-tests-shared-services'
name: Deploy PR
uses: ./.github/workflows/deploy_tre_reusable.yml
permissions:
checks: write
contents: read
pull-requests: write
with:
prRef: ${{ needs.pr_comment.outputs.prRef }}
prHeadSha: ${{ needs.pr_comment.outputs.prHeadSha }}
ciGitRef: ${{ needs.pr_comment.outputs.ciGitRef }}
e2eTestsCustomSelector: >-
${{ (needs.pr_comment.outputs.command == 'run-tests-extended' && 'extended') ||
(needs.pr_comment.outputs.command == 'run-tests-extended-aad' && 'extended_aad') ||
(needs.pr_comment.outputs.command == 'run-tests-shared-services' && 'shared_services') ||
(needs.pr_comment.outputs.command == 'run-tests' && '') }}
environmentName: CICD
E2E_TESTS_NUMBER_PROCESSES: 1
DEVCONTAINER_TAG: ${{ needs.pr_comment.outputs.prRefId }}
secrets:
AAD_TENANT_ID: ${{ secrets.AAD_TENANT_ID }}
ACR_NAME: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS}}
API_CLIENT_ID: ${{ secrets.API_CLIENT_ID }}
API_CLIENT_SECRET: ${{ secrets.API_CLIENT_SECRET }}
APPLICATION_ADMIN_CLIENT_ID: ${{ secrets.APPLICATION_ADMIN_CLIENT_ID }}
APPLICATION_ADMIN_CLIENT_SECRET: ${{ secrets.APPLICATION_ADMIN_CLIENT_SECRET }}
MGMT_RESOURCE_GROUP_NAME: ${{ format('rg-tre{0}-mgmt', needs.pr_comment.outputs.prRefId) }}
MS_TEAMS_WEBHOOK_URI: ${{ secrets.MS_TEAMS_WEBHOOK_URI }}
MGMT_STORAGE_ACCOUNT_NAME: ${{ format('tre{0}mgmt', needs.pr_comment.outputs.prRefId) }}
SWAGGER_UI_CLIENT_ID: ${{ secrets.SWAGGER_UI_CLIENT_ID }}
TEST_APP_ID: ${{ secrets.TEST_APP_ID }}
TEST_WORKSPACE_APP_ID: ${{ secrets.TEST_WORKSPACE_APP_ID }}
TEST_WORKSPACE_APP_SECRET: "${{ secrets.TEST_WORKSPACE_APP_SECRET }}"
TEST_ACCOUNT_CLIENT_ID: "${{ secrets.TEST_ACCOUNT_CLIENT_ID }}"
TEST_ACCOUNT_CLIENT_SECRET: "${{ secrets.TEST_ACCOUNT_CLIENT_SECRET }}"
TRE_ID: ${{ format('tre{0}', needs.pr_comment.outputs.prRefId) }}
CI_CACHE_ACR_NAME: ${{ secrets.ACR_NAME }}