From 09d71a7046f5f672e3a56190ae5d3cb3cdf6e5e7 Mon Sep 17 00:00:00 2001
From: Francesco Bartoli
Date: Sun, 8 Dec 2024 15:16:12 +0100
Subject: [PATCH] Add ZAP scan github action

---
 .github/workflows/zap-scan.yml | 59 +++++++++++++++++++
 pygeoapi-config.yml | 100 +++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
 create mode 100644 .github/workflows/zap-scan.yml

diff --git a/.github/workflows/zap-scan.yml b/.github/workflows/zap-scan.yml
new file mode 100644
index 0000000..f0a34bb
--- /dev/null
+++ b/.github/workflows/zap-scan.yml
@@ -0,0 +1,59 @@
+name: ZAP Scan
+
+on:
+ - push
+ - pull_request
+
+jobs:
+ contract-tests:
+ name: Scan security vulnerabilities
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out the repository
+ uses: actions/checkout@v4.1.1
+
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v5.3.0
+ with:
+ python-version: "3.10"
+
+ - name: Upgrade pip
+ run: |
+ pip install --constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt pip
+ pip --version
+
+ - name: Upgrade pip in virtual environments
+ shell: python
+ run: |
+ import os
+ import pip
+
+ with open(os.environ["GITHUB_ENV"], mode="a") as io:
+ print(f"VIRTUALENV_PIP={pip.__version__}", file=io)
+
+ - name: Install Poetry
+ run: |
+ pipx install --pip-args=--constraint=$GITHUB_WORKSPACE/.github/workflows/constraints.txt poetry
+ poetry --version
+ - name: Install GDAL
+ run: |
+ sudo apt-add-repository ppa:ubuntugis/ubuntugis-unstable
+ sudo apt-get update
+ sudo apt-get install gdal-bin libgdal-dev
+ - name: Install fastgeoapi and run the server with API-KEY protection
+ env:
+ ENV_STATE: dev
+ OPA_ENABLED: false
+ API_KEY_ENABLED: true
+ JWKS_ENABLED: false
+ run: |
+ poetry install
+ ENV_STATE=$ENV_STATE
+ OPA_ENABLED=$OPA_ENABLED
+ API_KEY_ENABLED=$API_KEY_ENABLED
+ JWKS_ENABLED=$JWKS_ENABLED
+ poetry run uvicorn app.main:app --host 0.0.0.0 --port 5000 --reload --loop asyncio &
+ - name: ZAP Scan
+ uses: zaproxy/action-full-scan@v0.12.0
+ with:
+ target: "http://127.0.0.1:5000/geoapi/"
diff --git a/pygeoapi-config.yml b/pygeoapi-config.yml
index 55d479b..72ef739 100644
--- a/pygeoapi-config.yml
+++ b/pygeoapi-config.yml
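Review bot: The ZAP step begins as soon as uvicorn is backgrounded with `&`, so the scan can start before the server is listening and the first requests (or the whole scan) fail against a closed port; a short readiness loop on the target URL before the scanner step closes that race. In the same `run:` block the four `ENV_STATE=$ENV_STATE`-style lines assign shell variables to themselves and export nothing — the step's `env:` already sets them — so they can be dropped, and `--reload` has no purpose in CI. `--host 0.0.0.0` binds the dev server on every runner interface while the scanner targets `127.0.0.1`; `--host 127.0.0.1` matches the target and keeps the API-key-protected instance off the runner's other interfaces. The workflow also declares no `permissions:` block, so the job token keeps the repository default scope; `permissions: contents: read` at the top level is the least-privilege baseline (widen it only if the action's issue creation is wanted). Actions are pinned by tag (`actions/checkout@v4.1.1`, `zaproxy/action-full-scan@v0.12.0`) rather than by commit SHA, which a workflow that exists to gate security findings would normally tighten.
```yaml
      - name: Install fastgeoapi and run the server with API-KEY protection
        # … unchanged: env block (ENV_STATE / OPA_ENABLED / API_KEY_ENABLED / JWKS_ENABLED) …
        run: |
          poetry install
          poetry run uvicorn app.main:app --host 127.0.0.1 --port 5000 --loop asyncio &
          # give the backgrounded server a bounded window to come up before ZAP starts
          for _ in $(seq 1 30); do
            curl -sS -o /dev/null "http://127.0.0.1:5000/geoapi/" && break
            sleep 2
          done
```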
@@ -175,6 +175,106 @@ resources:
 id_field: id
 title_field: name
 
+ georoma_civici:
+ type: collection
+ title:
+ en: Civici del Comune di Roma
+ description:
+ en: Civici del Comune di Roma
+ keywords:
+ en:
+ - civici
+ - toponomastica
+ links:
+ - type: text/html
+ rel: canonical
+ title: information
+ href: https://geoportale-preprod.comune.roma.it/georoma
+ hreflang: en-US
+ extents:
+ spatial:
+ bbox: [-180, -90, 180, 90]
+ crs: https://www.opengis.net/def/crs/OGC/1.3/CRS84
+ temporal:
+ begin: 2011-11-11T11:11:11Z
+ end: null # or empty (either means open ended)
+ providers:
+ - type: feature
+ name: PostgreSQL
+ data:
+ host: 10.173.29.55
+ port: 5432
+ dbname: GEOROMA
+ user: postgres
+ password: NICcoll2022
+ search_path: [Georoma]
+ properties:
+ - fid
+ - id_adc
+ - cod_ceu
+ - toponimo
+ - dug
+ - denominazione
+ - municipio
+ - ex_municipio
+ - cod_top
+ - id_sud_top
+ - sud_top
+ - id_civico
+ - numero_civ
+ - lettera
+ - esponente
+ - alpha
+ - lotto
+ - palazzina
+ - scala
+ - piano
+ - interno
+ - tipo_ingr
+ - posizione
+ - lat_6706
+ - long_6706
+ - x_7792
+ - y_7792
+ - source
+ - fonte
+ - quality
+ - create_data
+ - update_data
+ - zona_urb
+ - zona_urban
+ - ace
+ - sez_2001
+ - sez_2011
+ - sez_2021
+ options:
+ # Maximum time to wait while connecting, in seconds.
+ connect_timeout: 10
+ # Number of *milliseconds* that transmitted data may remain
+ # unacknowledged before a connection is forcibly closed.
+ tcp_user_timeout: 10000
+ # Whether client-side TCP keepalives are used. 1 = use keepalives,
+ # 0 = don't use keepalives.
+ keepalives: 1
+ # Number of seconds of inactivity after which TCP should send a
+ # keepalive message to the server.
+ keepalives_idle: 600
+ # Number of TCP keepalives that can be lost before the client's
+ # connection to the server is considered dead.
+ keepalives_count: 10
+ # Number of seconds after which a TCP keepalive message that is not
+ # acknowledged by the server should be retransmitted.
+ keepalives_interval: 30
+ crs:
+ - https://www.opengis.net/def/crs/OGC/1.3/CRS84
+ - https://www.opengis.net/def/crs/EPSG/0/3857
+ - https://www.opengis.net/def/crs/EPSG/0/7792
+ - https://www.opengis.net/def/crs/EPSG/0/6708
+ storage_crs: https://www.opengis.net/def/crs/OGC/1.3/CRS84
+ id_field: id_civico
+ table: georoma_civici
+ geom_field: geometry
+
 hello-world:
 type: process
 processor:
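Review bot: The new provider block commits live database credentials in clear text — `host: 10.173.29.55`, `user: postgres`, `password: NICcoll2022` — into a tracked config file, so they are readable by anyone with repository access and by every CI job that checks the tree out. The password should be treated as exposed and rotated, and the values replaced with environment references that pygeoapi's config loader expands at startup, e.g. `password: ${GEOROMA_DB_PASSWORD}` (likewise for `host` and `user`), with the real values supplied from the deployment's secret store. Connecting as the `postgres` superuser for a read-only feature collection is also broader than the provider needs; a dedicated role with SELECT on `georoma_civici` bounds what a leaked credential can do. `begin: 2011-11-11T11:11:11Z` is an unquoted timestamp that YAML parsers load as a datetime rather than a string — worth quoting if the other collections in this file keep it as text, which I cannot see from the hunk.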