Actualize demo

.acraconfigs/acra-server/acra-censor.norules.yaml

@@ -1,2 +1,2 @@
 ignore_parse_error: true
-version: 0.85.0
+version: 0.95.0

.acraconfigs/acra-server/acra-censor.ruleset01.yaml

@@ -1,5 +1,5 @@
 ignore_parse_error: true
-version: 0.85.0
+version: 0.95.0
 handlers:
   - handler: query_ignore
     queries:

.acraconfigs/acra-server/acra-censor.ruleset02.yaml

@@ -1,5 +1,5 @@
 ignore_parse_error: true
-version: 0.85.0
+version: 0.95.0
 handlers:
   - handler: deny
     queries:

.acraconfigs/acra-server/acra-censor.ruleset03.yaml

@@ -1,4 +1,4 @@
 ignore_parse_error: true
-version: 0.85.0
+version: 0.95.0
 handlers:
   - handler: denyall

.acraconfigs/acra-server/acra-censor.yaml

@@ -1,2 +1,2 @@
 ignore_parse_error: true
-version: 0.85.0
+version: 0.95.0

README.md

@@ -1,6 +1,6 @@
 # What is this?
 
-This project illustrates how to use [AcraCensor](https://docs.cossacklabs.com/pages/documentation-acra/#acracensor-acra-s-firewall) as SQL firewall to prevent SQL injections. Target application is a well-known vulnerable web application [OWASP Mutillidae 2](https://github.com/webpwnized/mutillidae). 
+This project illustrates how to use [AcraCensor](https://docs.cossacklabs.com/pages/documentation-acra/#acracensor-acra-s-firewall) as SQL firewall to prevent SQL injections. Target application is a well-known vulnerable web application [OWASP Mutillidae 2](https://github.com/webpwnized/mutillidae).
 
 AcraCensor – is a built-in SQL firewall of [Acra data protection suite](https://cossacklabs.com/acra/). This project is one of numerous Acra's example applications. If you are curious about other Acra features, like transparent encryption, intrusion detection, load balancing support – [Acra Example Applications](https://github.com/cossacklabs/acra-engineering-demo/).
 
@@ -21,21 +21,21 @@ This is a slide from [a talk by Cossack Labs' security software engineer Artem S
 
 ## Screencast
 
-<a href="https://youtu.be/ABjIfx2_hJk" target="_blank"><img src="images/youtube-video.png" alt="Watch the video" width="700"></a> 
+<a href="https://youtu.be/ABjIfx2_hJk" target="_blank"><img src="images/youtube-video.png" alt="Watch the video" width="700"></a>
 
 
 ## How to run the demo
 
-1. Use docker-compose command to set up and run the whole infrastructure: 
+1. Use docker-compose command to set up and run the whole infrastructure:
 
 ```
-docker-compose -f docker-compose.acra-censor-demo.yml up
+docker-compose -f docker-compose.acra-censor-demo.yml up --build
 ```
 
 <img src="images/image_1.png" width="700">
 
 
-2. Check that the containers are up and running: 
+2. Check that the containers are up and running:
 
 ```
 docker ps -a
@@ -47,7 +47,7 @@ docker ps -a
 
 <img src="images/image_3.png" width="700">
 
-4. The database is still empty so we need to fill it first by clicking on `setup/reset the DB`. 
+4. The database is still empty so we need to fill it first by clicking on `Click here to attempt to setup the database` and then `Opt out of database warnings`.
 
 In the Docker console you should see SQL queries in Acra logs. After resetting the database, the main page of Mutillidae application looks like this:
 
@@ -60,16 +60,16 @@ In the Docker console you should see SQL queries in Acra logs. After resetting t
 <img src="images/image_5.png" width="700">
 <img src="images/image_5a.png" width="700">
 
-2. Now, let's run an SQL injection. Try to login any name and password `' or 1='1`. 
+2. Now, let's run an SQL injection. Try to login any name and password `' or 1='1`.
 
-This will construct an SQL query `SELECT * FROM accounts WHERE username='' AND password='' or 1='1'` — containing a typical SQL injection — to the database. 
+This will construct an SQL query `SELECT * FROM accounts WHERE username='' AND password='' or 1='1'` — containing a typical SQL injection — to the database.
 
 <img src="images/image_6.png" width="700">
 
 
 ## How AcraCensor prevents SQL injections
 
-1. Now, let's fine-tune AcraCensor for preventing this injection. 
+1. Now, let's fine-tune AcraCensor for preventing this injection.
 
 There are configuration files in `./.acraconfigs/acra-server/` folder:
 - `acra-censor.norules.yaml` (minimal configuration that simply creates valueless AcraCensor);
@@ -83,7 +83,7 @@ Replace the active config with `acra-censor.ruleset01.yaml` (or `acra-censor.rul
 
 ```bash
 cp ./.acraconfigs/acra-server/acra-censor.ruleset01.yaml ./.acraconfigs/acra-server/acra-censor.yaml
-docker restart <name or ID of acra-censor-demo_acra-server container>
+docker restart acra-censor-demo_acra-server_1
 ```
 
 In the docker log, you will see that AcraServer has restarted with an updated configuration file:
@@ -96,9 +96,9 @@ acra-censor-demo-master_acra-server_1_979c50cd7b3e exited with code 0
 
 2. Test if the new AcraCensor configuration prevents injections.
 
-On the same web page, try to login again using the password `' or 1='1`. 
+On the same web page, try to login again using the password `' or 1='1`.
 
-You should see that the response from MySQL server is blocked. In Acra's console, you can see that the malicious query is forbidden: 
+You should see that the response from MySQL server is blocked. In Acra's console, you can see that the malicious query is forbidden:
 
 <img src="images/image_7.png" width="700">
 
@@ -122,7 +122,7 @@ and try to use `admin` as a username and `' or 1='1` as a password.
 2. Read out blog post [how we built AcraCensor](https://www.cossacklabs.com/blog/how-to-build-sql-firewall-acracensor.html).
 3. Watch the slides about the developers' perspective on [building SQL firewall](https://speakerdeck.com/storojs72/building-sql-firewall-insights-from-developers).
 4. Check [Mutillidae repository](https://github.com/webpwnized/mutillidae).
-5. Check [Mutillidae docker image by @edoz90](https://github.com/edoz90/docker-mutillidae).
+5. Check [Mutillidae docker](https://github.com/webpwnized/mutillidae-docker).
 
 # Further steps
 

docker-compose.acra-censor-demo.yml

@@ -1,138 +1,77 @@
 version: "3"
 
 services:
-    # Create keys:
-    # - ./.acrakeys/acra-server/${ACRA_CLIENT_ID}_server
-    # - ./.acrakeys/acra-connector/${ACRA_CLIENT_ID}_server.pub
-    acra-keymaker_server:
-        # You can specify docker image tag in the environment
-        # variable ACRA_DOCKER_IMAGE_TAG or run by default with 'latest' images
-        image: "cossacklabs/acra-keymaker:${ACRA_DOCKER_IMAGE_TAG:-latest}"
-        environment:
-            # INSECURE!!! You MUST define your own ACRA_MASTER_KEY
-            # The default is only for testing purposes
-            ACRA_MASTER_KEY: ${ACRA_MASTER_KEY:-UHZ3VUNNeTJ0SEFhbWVjNkt4eDdVYkc2WnNpUTlYa0E=}
-        volumes:
-            # Mount the whole ./.acrakeys directory to be able generate keys and
-            # place them in services' subdirectories
-            - ./.acrakeys:/keys
-        # Please specify ACRA_CLIENT_ID environment variable, otherwise run with
-        # default 'testclientid' client id
-        command: >-
-            --client_id=${ACRA_CLIENT_ID:-testclientid}
-            --generate_acraserver_keys
-            --keys_output_dir=/keys/acra-server
-            --keys_public_output_dir=/keys/acra-connector
-    # Create keys:
-    # - ./.acrakeys/acra-connector/${ACRA_CLIENT_ID}
-    # - ./.acrakeys/acra-server/${ACRA_CLIENT_ID}.pub
-    acra-keymaker_connector:
-        image: "cossacklabs/acra-keymaker:${ACRA_DOCKER_IMAGE_TAG:-latest}"
-        environment:
-            ACRA_MASTER_KEY: ${ACRA_MASTER_KEY:-UHZ3VUNNeTJ0SEFhbWVjNkt4eDdVYkc2WnNpUTlYa0E=}
-        volumes:
-            - ./.acrakeys:/keys
-        command: >-
-            --client_id=${ACRA_CLIENT_ID:-testclientid}
-            --generate_acraconnector_keys
-            --keys_output_dir=/keys/acra-connector
-            --keys_public_output_dir=/keys/acra-server
-
-
     #===== Acra ================================================================
-
     acra-server:
-        image: "cossacklabs/acra-server:${ACRA_DOCKER_IMAGE_TAG:-latest}"
+        image: "cossacklabs/acra-server:${ACRA_DOCKER_IMAGE_TAG:-0.95.0}"
         # Restart server after correct termination, for example after the config
         # was changed through the API
         restart: always
-        depends_on:
-            - acra-keymaker_server
-            - acra-keymaker_connector
         networks:
-            - acraconnector-acraserver
+            - mutillidae-acraserver
             - acraserver-db
         environment:
             ACRA_MASTER_KEY: ${ACRA_MASTER_KEY:-UHZ3VUNNeTJ0SEFhbWVjNkt4eDdVYkc2WnNpUTlYa0E=}
         volumes:
             # Mount the directory with only the keys for this service. Must be
             # rewriteable in case of using API, otherwise should be read-only.
-            - ./.acrakeys/acra-server:/keys
             # Directory with configuration, rewriteable
             - ./.acraconfigs/acra-server:/config
         command: >-
             --mysql_enable
-            --db_host=mutillidae
+            --db_host=database
             --db_port=3306
-            --keys_dir=/keys
-            --auth_keys=/keys/httpauth.accounts
-            --http_api_enable
-            --incoming_connection_api_string=tcp://0.0.0.0:9090
+            --keystore_cache_on_start_enable=false
             --acracensor_config_file=/config/acra-censor.yaml
-            -v
+            --v
+            --d
 
+    #===== OWASP Mutillidae II =================================================
 
-    acra-connector:
-        image: "cossacklabs/acra-connector:${ACRA_DOCKER_IMAGE_TAG:-latest}"
-        restart: always
+    mutillidae:
+        container_name: mutillidae
         depends_on:
-            - acra-keymaker_server
-            - acra-keymaker_connector
+            - database
             - acra-server
-        # Open the port outside for client application
+        image: mutillidae
+        build:
+            context: https://github.com/webpwnized/mutillidae-docker.git#1.0.39:www
+            args:
+                DATABASE_HOST: acra-server
+                DATABASE_PORT: 9393
         ports:
-            - "3306:3306"
+            - 127.0.0.1:8080:80
         networks:
-            - acraconnector-acraserver
-            - mutillidae-acraconnector
-        environment:
-            ACRA_MASTER_KEY: ${ACRA_MASTER_KEY:-UHZ3VUNNeTJ0SEFhbWVjNkt4eDdVYkc2WnNpUTlYa0E=}
-        volumes:
-            # Mount the directory with only the keys for this service
-            - ./.acrakeys/acra-connector:/keys:ro
-        command: >-
-            --acraserver_connection_host=acra-server
-            --keys_dir=/keys
-            --client_id=${ACRA_CLIENT_ID:-testclientid}
-            --incoming_connection_string=tcp://0.0.0.0:3306
-            --http_api_enable
-            --incoming_connection_api_string=tcp://0.0.0.0:9191
-            -v
-
-
-    #===== OWASP Mutillidae II =================================================
-
-    edoz90_mutillidae:
-        # Build base image
-        build:
-            context: https://github.com/storojs72/docker-mutillidae.git
-        image: storojs72/edoz90_mutillidae:latest
-        # We don't need to run the container based on the original image
-        entrypoint: /bin/true
-        restart: 'no'
+            - world
+            - mutillidae-acraserver
 
+    #===== OWASP Mutillidae DB =================================================
 
-    mutillidae:
-        depends_on:
-            - acra-connector
-            - edoz90_mutillidae
+    database:
+        container_name: database
+        image: webpwnized/mutillidae:database
+        healthcheck:
+            test: "/usr/bin/mysql --user=root --password=mutillidae --execute \"SHOW DATABASES;\""
+            interval: 5s
+            timeout: 30s
+            retries: 10
         build:
-            context: ./mutillidae
-        image: mutillidae:latest
-        ports:
-            - "8080:80"
-            - "3306:3306"
+            context: https://github.com/webpwnized/mutillidae-docker.git#1.0.39:database
         networks:
-            - world
-            - mutillidae-acraconnector
             - acraserver-db
 
+    healthcheck-wait:
+        image: busybox
+        container_name: healthcheck-wait
+        depends_on:
+            database:
+                condition: service_healthy
 
 networks:
     world:
     acraserver-db:
         internal: true
-    acraconnector-acraserver:
+    mutillidae-acraserver:
         internal: true
-    mutillidae-acraconnector:
+    mutillidae-db:
         internal: true