Dakotu1

.github/workflows/policy-validator-tf.yml

@@ -0,0 +1,101 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+
+name: Validate AWS IAM policies in Terraform templates using Policy Validator
+on:
+  push:
+    branches: ["master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["master"]
+env:
+  AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+  REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+  TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
+  ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+  RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+  REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+  REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+
+jobs:
+  policy-validator:
+    runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+    #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+    #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+    # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+    name: Policy Validator checks for AWS IAM policies
+    steps:
+      # checkout the repo for workflow to access the contents
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          role-to-assume: ${{ env.AWS_ROLE }}
+          aws-region: ${{ env.REGION }}
+      # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+      - name: Run AWS AccessAnalyzer ValidatePolicy check
+        id: run-aws-validate-policy
+        uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+        with:
+          policy-check-type: "VALIDATE_POLICY"
+          template-path: ${{ env.TEMPLATE_PATH }}
+          region: ${{ env.REGION }}
+      # Print result from VALIDATE_POLICY check
+      - name: Print the result for ValidatePolicy check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+      # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+      - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+        id: run-aws-check-access-not-granted
+        uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+        with:
+          policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+          template-path: ${{ env.TEMPLATE_PATH }}
+          actions: ${{ env.ACTIONS }}
+          resources: ${{ env.RESOURCES }}
+          region: ${{ env.REGION }}
+      # Print result from CHECK_ACCESS_NOT_GRANTED check
+      - name: Print the result for CheckAccessNotGranted check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+      # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+      # reference-policy is stored in GitHub secrets
+      - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+        id: run-aws-check-no-new-access
+        uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+        with:
+          policy-check-type: "CHECK_NO_NEW_ACCESS"
+          template-path: ${{ env.TEMPLATE_PATH }}
+          reference-policy: ${{ env.REFERENCE_POLICY }}
+          reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+          region: ${{ env.REGION }}
+      # Print result from CHECK_NO_NEW_ACCESS check
+      - name: Print the result CheckNoNewAccess check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+      # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+      - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+        id: run-aws-check-no-public-access
+        uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+        with:
+          policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+          template-path: ${{ env.TEMPLATE_PATH }}
+          region: ${{ env.REGION }}
+      # Print result from CHECK_NO_PUBLIC_ACCESS check
+      - name: Print the result for CheckNoPublicAccess check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"

.gitignore

@@ -0,0 +1 @@
+.idea

Installer/Ubuntu/ubuntu-xfce.sh

@@ -1,54 +1,117 @@
 #!/data/data/com.termux/files/usr/bin/bash
-pkg install wget -y 
-folder=ubuntu-fs
-dlink="https://raw.githubusercontent.com/AndronixApp/AndronixOrigin/master/APT"
-if [ -d "$folder" ]; then
-	first=1
-	echo "skipping downloading"
-fi
-tarball="ubuntu-rootfs.tar.xz"
-if [ "$first" != 1 ];then
-	if [ ! -f $tarball ]; then
-		echo "Download Rootfs, this may take a while base on your internet speed."
-		case `dpkg --print-architecture` in
-		aarch64)
-			archurl="arm64" ;;
-		arm)
-			archurl="armhf" ;;
-		amd64)
-			archurl="amd64" ;;
-		x86_64)
-			archurl="amd64" ;;	
-		i*86)
-			archurl="i386" ;;
-		x86)
-			archurl="i386" ;;
-		*)
-			echo "unknown architecture"; exit 1 ;;
-		esac
-		wget "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/Ubuntu/${archurl}/ubuntu-rootfs-${archurl}.tar.xz?raw=true" -O $tarball
+
+# Variables
+BLUE="\e[34m"                                                                   # Blue Color
+GREEN="\e[32m"                                                                  # Red Color
+NO_COLOR="\e[39m"                                                               # No Color
+isFsPresent=0                                                                   # Handles if the tarball is downloaded or skipped (overridden by -f)
+distroName="Ubuntu"                                                             # Name of the concerned distro
+name="ubuntu"                                                                   # Name of the concerned distro
+rootfsFolder=$name-fs                                                           # RootFS folder name
+bindsFolder=$name-fs                                                            # Bind folder name
+dlink="https://raw.githubusercontent.com/AndronixApp/AndronixOrigin/master/APT" # Download Link
+tarball="${name}-rootfs.tar.xz"
+folderSize=$(stat -c%s $rootfsFolder)
+
+# Function used for sending updates to Andronix App
+function sendUpdates() {
+  message=$(echo "$1" | sed 's/ /\\ /g')
+  am broadcast --user 0 -a app.andronix.PROGRESS --es app.andronix.PROGRESS_STATUS "$message" >/dev/null
+}
+
+#Welcome
+echo "
+    ___                __                           _
+   /   |   ____   ____/ /   _____  ____    ____    (_)   _  __
+  / /| |  / __ \ / __  /   / ___/ / __ \  / __ \  / /   | |/_/
+ / ___ | / / / // /_/ /   / /    / /_/ / / / / / / /   _>  <
+/_/  |_|/_/ /_/ \__,_/   /_/     \____/ /_/ /_/ /_/   /_/|_|
+                                                              "
+
+echo -e "\n${BLUE}Welcome to the Andronix ${distroName} installer.${NO_COLOR}"
+echo -e "Join Andronix ${BLUE}Discord${NO_COLOR} @ https://chat.andronix.app (giveaways too ;)"
+echo -e "Read our ${BLUE}Documentation${NO_COLOR} @ https://docs.andronix.app \n\n"
+
+sendUpdates "Script Detected"
+
+sleep 1
+
+# Getting the -f (force download flag)
+while getopts "f" OPTION; do
+  # shellcheck disable=SC2220
+  case $OPTION in
+  f)
+    echo -e "\nForcing the download..."
+    rm -rf $rootfsFolder
+    rm -rf $bindsFolder
+    isFsPresent=0
+    ;;
+  esac
+done
+
+# Installing basic termux packages
+pkg install wget -y
+
+# Checking if the rootfsFolder is present
+if [ -d "$rootfsFolder" ] && [ "$folderSize" -gt 6000 ]; then
+  isFsPresent=1
+  echo -e "\nRoot Files System already present. Skipping download..."
 fi
-	cur=`pwd`
-	mkdir -p "$folder"
-	cd "$folder"
-	echo "Decompressing Rootfs, please be patient."
-	proot --link2symlink tar -xJf ${cur}/${tarball}||:
-	cd "$cur"
+
+if [ "$isFsPresent" != 1 ]; then
+  if [ ! -f "$tarball" ]; then
+    echo -e "\nDownloading Rootfs for ${distroName}. Please be patient...\n\n"
+    case $(dpkg --print-architecture) in
+    aarch64)
+      arch="arm64"
+      ;;
+    arm)
+      arch="armhf"
+      ;;
+    amd64)
+      arch="amd64"
+      ;;
+    x86_64)
+      arch="amd64"
+      ;;
+    i*86)
+      arch="i386"
+      ;;
+    x86)
+      arch="i386"
+      ;;
+    *)
+      echo "There was an issue identifying the architecture of your device!"
+      sendUpdates "Oops! Architecture error."
+      exit 1
+      ;;
+    esac
+    sendUpdates "Downloading the files..."
+    wget -q --show-progress --progress=bar "https://github.com/Techriz/AndronixOrigin/blob/master/Rootfs/${distroName}/${arch}/ubuntu-rootfs-${arch}.tar.xz?raw=true" -O $tarball
+  fi
+  currentDirectory=$(pwd)
+  mkdir -p "$rootfsFolder"
+  cd "$rootfsFolder"
+  sendUpdates "Decompressing the files..."
+  echo -e "\nDecompressing Rootfs. This can take a while. Please be patient."
+  proot --link2symlink tar -xJf "${currentDirectory}"/${tarball} || :
+  cd "$currentDirectory"
 fi
-mkdir -p ubuntu-binds
+
+mkdir -p $bindsFolder
 bin=start-ubuntu.sh
-echo "writing launch script"
-cat > $bin <<- EOM
+echo -e "\nWriting the launch script now! Just a few more steps!"
+cat >$bin <<-EOM
 #!/bin/bash
 cd \$(dirname \$0)
 ## unset LD_PRELOAD in case termux-exec is installed
 unset LD_PRELOAD
 command="proot"
 command+=" --link2symlink"
 command+=" -0"
-command+=" -r $folder"
-if [ -n "\$(ls -A ubuntu-binds)" ]; then
-    for f in ubuntu-binds/* ;do
+command+=" -r $rootfsFolder"
+if [ -n "\$(ls -A $bindsFolder)" ]; then
+    for f in $bindsFolder/* ;do
       . \$f
     done
 fi
@@ -57,7 +120,7 @@ command+=" -b /proc"
 command+=" -b ubuntu-fs/root:/dev/shm"
 ## uncomment the following line to have access to the home directory of termux
 #command+=" -b /data/data/com.termux/files/home:/root"
-## uncomment the following line to mount /sdcard directly to / 
+## uncomment the following line to mount /sdcard directly to /
 #command+=" -b /sdcard"
 command+=" -w /root"
 command+=" /usr/bin/env -i"
@@ -74,20 +137,22 @@ else
 fi
 EOM
 
-echo "fixing shebang of $bin"
 termux-fix-shebang $bin
-echo "making $bin executable"
 chmod +x $bin
-echo "removing image for some space"
+echo "Saving some space..."
 rm $tarball
 
+sendUpdates "Downloading Desktop Environment!"
+
+wget -q --show-progress --progress=bar $dlink/XFCE4/xfce4_de.sh -O $rootfsFolder/root/xfce4_de.sh
+
 #DE installation addition
 
-wget $dlink/XFCE4/xfce4_de.sh -O $folder/root/xfce4_de.sh
+wget $dlink/XFCE4/xfce4_de.sh -O $rootfsFolder/root/xfce4_de.sh
 clear
 echo "Setting up the installation of XFCE VNC"
 
-echo "APT::Acquire::Retries \"3\";" > $folder/etc/apt/apt.conf.d/80-retries #Setting APT retry count
+echo "APT::Acquire::Retries \"3\";" >$rootfsFolder/etc/apt/apt.conf.d/80-retries #Setting APT retry count
 echo "#!/bin/bash
 apt update -y && apt install sudo wget -y
 clear
@@ -107,6 +172,14 @@ fi
 if [ ! -f /usr/bin/vncserver ]; then
     apt install tigervnc-standalone-server -y
 fi
-rm -rf ~/.bash_profile" >> ubuntu-fs/root/.bash_profile 
+rm -rf ~/.bash_profile" >>$rootfsFolder/root/.bash_profile
+
+echo -e "\n\nYay! All done."
+echo -e "\n${GREEN}This is the confirmation only regarding the actual distro. Tracking the installation of the Desktop Environment is beyond the present scope. Please contact us on ${BLUE}Discord${GREEN} if you face any issues.${NO_COLOR}\n"
+echo "You will then asked to configure some distro specific things."
+echo -e "\nProceeding to install the Desktop Environment...\n"
+
+sendUpdates "Installation Success!"
+sleep 4
 
 bash $bin