Add /.well-known/security.txt handling

Gemfile.lock

@@ -935,4 +935,4 @@ RUBY VERSION
    ruby 2.7.2p137
 
 BUNDLED WITH
-   2.3.22
+   2.3.23

app/controllers/wellknown_controller.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+#  Copyright (c) 2006-2023, Puzzle ITC GmbH. This file is part of
+#  PuzzleTime and licensed under the Affero General Public License version 3
+#  or later. See the COPYING file at the top-level directory or at
+#  https://github.com/puzzle/puzzletime.
+
+# Handles actions on the /.well-known path
+class WellknownController < ApplicationController
+  def security
+    file = file_for(tenant) || not_found
+    render plain: file.read
+  end
+
+  private
+
+  def organization
+    Decidim::Organization.find_by(host: request.domain)
+  end
+
+  def tenant
+    tenant = organization.tenant_type || 'other'
+    tenant.to_sym
+  end
+
+  def file_for(tenant)
+    path = Rails.root.join("lib/tenant_files/#{tenant}/security.txt")
+    return unless path.exist?
+
+    path
+  end
+
+  def not_found
+    raise ActionController::RoutingError, 'Not Found'
+  end
+end

config/routes.rb

@@ -6,6 +6,8 @@
   mount Decidim::Core::Engine => '/'
   # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
 
+  get '.well-known/security.txt', to: 'wellknown#security'
+
   get 'status/health', to: 'status#health'
   get 'status/readiness', to: 'status#readiness'
 end

lib/tenant_files/dialogluzern/security.txt

@@ -0,0 +1,8 @@
+# In the event that you have discovered a technical vulnerability in an IT system of the city of Lucerne (Stadt Luzern), 
+# we encourage you to report it to the Competence Center for Digital Security and Privacy using the Coordinated Vulnerability Disclosure program.
+
+Contact: https://www.stadtluzern.ch/politikverwaltung/stadtverwaltung/dienstabteilungenbereiche/33551
+Contact: mailto:[email protected]
+Expires: 2023-12-31T23:59:59.000Z
+Preferred-Languages: en, de
+Canonical: https://www.stadtluzern.ch/.well-known/security.txt