Sentinel/Makefile at main · sidxz/Sentinel · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
SHELL := /bin/bash
.PHONY: help setup start admin seed create-admin status clean nuke docs docs-serve lint fmt release docker pentest pentest-setup pentest-kali

help: ## Show available commands
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2}'

setup: ## One-time setup: keys, TLS certs, env files, deps, dev containers
	@mkdir -p keys/tls
	@# ── JWT signing keys ──────────────────────────────────────────────
	@if [ ! -f keys/private.pem ]; then \
		openssl genrsa -out keys/private.pem 2048 2>/dev/null && \
		openssl rsa -in keys/private.pem -pubout -out keys/public.pem 2>/dev/null && \
		echo "✓ Generated JWT keys (keys/)"; \
	else \
		echo "· JWT keys already exist"; \
	fi
	@# ── TLS certs for Postgres + Redis (internal CA + server cert) ──
	@if [ ! -f keys/tls/ca.crt ]; then \
		openssl req -x509 -newkey rsa:2048 \
			-keyout keys/tls/ca.key -out keys/tls/ca.crt \
			-days 3650 -nodes -subj "/CN=Sentinel Internal CA" 2>/dev/null && \
		openssl req -newkey rsa:2048 \
			-keyout keys/tls/server.key -out /tmp/sentinel-server.csr \
			-nodes -subj "/CN=sentinel-internal" 2>/dev/null && \
		openssl x509 -req -in /tmp/sentinel-server.csr \
			-CA keys/tls/ca.crt -CAkey keys/tls/ca.key -CAcreateserial \
			-out keys/tls/server.crt -days 3650 \
			-extfile <(printf "subjectAltName=DNS:localhost,DNS:postgres,DNS:redis,IP:127.0.0.1") 2>/dev/null && \
		rm -f /tmp/sentinel-server.csr keys/tls/ca.srl && \
		chmod 600 keys/tls/server.key keys/tls/ca.key && \
		echo "✓ Generated TLS certs (keys/tls/)"; \
	else \
		echo "· TLS certs already exist"; \
	fi
	@# ── Dev env (service/.env) ──────────────────────────────────────
	@if [ ! -f service/.env ]; then \
		SESSION_KEY=$$(python3 -c "import secrets; print(secrets.token_urlsafe(32))"); \
		sed "s|^JWT_PRIVATE_KEY_PATH=.*|JWT_PRIVATE_KEY_PATH=../keys/private.pem|; \
		     s|^JWT_PUBLIC_KEY_PATH=.*|JWT_PUBLIC_KEY_PATH=../keys/public.pem|; \
		     s|^SESSION_SECRET_KEY=.*|SESSION_SECRET_KEY=$$SESSION_KEY|; \
		     s|^REDIS_TLS_CA_CERT=.*|REDIS_TLS_CA_CERT=../keys/tls/ca.crt|" \
		  .env.dev.example > service/.env && \
		echo "✓ Created service/.env"; \
	else \
		echo "· service/.env already exists"; \
	fi
	@# ── Prod env (.env.prod) ────────────────────────────────────────
	@if [ ! -f .env.prod ]; then \
		PG_PASS=$$(openssl rand -base64 24); \
		REDIS_PASS=$$(openssl rand -base64 24); \
		SESSION_KEY=$$(python3 -c "import secrets; print(secrets.token_urlsafe(32))"); \
		sed "s|^POSTGRES_PASSWORD=.*|POSTGRES_PASSWORD=$$PG_PASS|; \
		     s|^REDIS_PASSWORD=.*|REDIS_PASSWORD=$$REDIS_PASS|; \
		     s|^SESSION_SECRET_KEY=.*|SESSION_SECRET_KEY=$$SESSION_KEY|" \
		  .env.prod.example > .env.prod && \
		echo "✓ Created .env.prod (random passwords + session secret)"; \
	else \
		echo "· .env.prod already exists"; \
	fi
	@# ── Dev dependencies + containers ───────────────────────────────
	uv sync && cd service && uv sync
	cd admin && npm install
	docker compose up -d identity-postgres identity-redis
	@until [ "$$(docker compose ps identity-postgres --format '{{.Health}}')" = "healthy" ]; do sleep 1; done
	@echo ""
	@echo "Setup complete!"
	@echo ""
	@echo "  Next:"
	@echo "    1. vim service/.env   — add OAuth creds (GOOGLE_*, GITHUB_*, etc.) + ADMIN_EMAILS"
	@echo "    2. make start         — start identity service (:9003)"
	@echo "    3. make admin         — start admin UI (:9004)"
	@echo "    make seed             — populate with test data (optional)"
	@echo ""
	@echo "  Prod:"
	@echo "    vim .env.prod   — set BASE_URL, ADMIN_URL, OAuth creds, ADMIN_EMAILS"
	@echo "    docker stack deploy -c docker-compose.prod.yml sentinel"

start: ## Start identity service (:9003) — auto-migrates on boot
	cd service && uv run uvicorn src.main:app --port 9003 --reload --no-server-header

admin: ## Start admin UI dev server (:9004)
	cd admin && npm run dev

seed: ## Seed database with test data
	uv run python scripts/seed.py

create-admin: ## Create or promote a user to admin
	uv run python scripts/create_admin.py

status: ## Check what's running
	@docker compose ps 2>/dev/null || echo "No containers"
	@printf "Service: " && curl -sf http://localhost:9003/health 2>/dev/null || echo "not running"
	@curl -sf -o /dev/null http://localhost:9004 && echo "Admin:   running on :9004" || echo "Admin:   not running"

lint: ## Run ruff linter and format check
	uv run ruff check service/src/ sdk/src/
	uv run ruff format --check service/src/ sdk/src/

fmt: ## Auto-fix lint and formatting issues
	uv run ruff check --fix service/src/ sdk/src/
	uv run ruff format service/src/ sdk/src/

docs: ## Build documentation site
	uv run --extra docs mkdocs build

docs-serve: ## Serve documentation site with live reload
	uv run --extra docs mkdocs serve

docker: ## Start full stack in Docker (service + postgres + redis)
	docker compose up -d --build
	@until [ "$$(docker compose ps identity-postgres --format '{{.Health}}')" = "healthy" ]; do sleep 1; done
	@echo ""
	@echo "  Service: http://localhost:9003"
	@echo "  Stop:    docker compose down"

clean: ## Stop containers and wipe database
	docker compose down -v

nuke: clean ## Full reset: wipe everything including deps, keys, and env files
	rm -rf keys/ .venv service/.venv sdk/.venv admin/node_modules sdks/*/node_modules
	rm -f service/.env .env.prod
	@echo "Run 'make setup' to start fresh."

release: ## Release all packages (usage: make release VERSION=0.6.0)
ifndef VERSION
	$(error VERSION is required — usage: make release VERSION=0.6.0)
endif
	@./scripts/release.sh $(VERSION)

pentest: ## Run pentest suite (usage: make pentest [ARGS="--sast|--custom|--zap|..."])
	@cd pentest && python run_all.py $(or $(ARGS),--all)

pentest-fast: ## Run pentest suite with relaxed rate limits (RATE_LIMIT_RPM=1000, 5s cooldown)
	@cd pentest && PENTEST_FAST=1 python run_all.py $(or $(ARGS),--all)

pentest-setup: ## Install pentest tools
	cd pentest && bash setup_tools.sh

pentest-kali: ## Launch Kali container (stop: make pentest-kali ARGS=stop)
ifeq ($(ARGS),stop)
	docker compose -f docker-compose.yml -f docker-compose.pentest.yml down kali
else
	docker compose -f docker-compose.yml -f docker-compose.pentest.yml up -d kali
	@echo ""
	@echo "  Kali ready: docker exec -it sentinel-kali bash"
	@echo "  Stop:       make pentest-kali ARGS=stop"
endif