From 82beb156c1be288b4ad8d5c9493fb3803ba09adf Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Wed, 11 Sep 2024 15:09:46 -0400
Subject: [PATCH 1/3] Update check script to not swallow check output, plant AR file in evidence
---
 Dockerfile | 4 +-
 bin/check | 15 ++++++++---
 bin/plant-helper | 67 ++++++++++++++++++++++++++++++++++++++++++++++++
 bin/prune-helper | 27 ++++++++++---------
 requirements.txt | 5 ++--
 5 files changed, 96 insertions(+), 22 deletions(-)
 create mode 100755 bin/plant-helper
diff --git a/Dockerfile b/Dockerfile
index c1bc2ef..721ff7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ RUN adduser \
 --uid "${UID}" \
 appuser
-RUN apt-get -y update && apt-get -y install git curl
+RUN apt-get -y update && apt-get -y install git curl jq && apt-get clean
 RUN curl -L "https://packages.cloudfoundry.org/stable?release=linux64-binary&version=v8&source=github" | tar -zx && mv cf* /usr/local/bin/
 WORKDIR /app
@@ -40,7 +40,7 @@ RUN chown appuser /app
 # into this layer.
 RUN --mount=type=cache,target=/root/.cache/pip \
 --mount=type=bind,source=requirements.txt,target=requirements.txt \
- python -m pip install -r requirements.txt
+ python -m pip install -r requirements.txt --upgrade
 # Switch to the non-privileged user to run the application.
 USER appuser
diff --git a/bin/check b/bin/check
index 3658ac7..9f8fe54 100755
--- a/bin/check
+++ b/bin/check
@@ -4,8 +4,15 @@ set -e
 python c2p/compliance_to_policy.py -c cdef.json -o auditree/auditree.json
-cd auditree
-compliance --check devtools.arboretum.accred,devtools.cloudgov.accred -C auditree.json --evidence full-remote &> /dev/null
+(cd auditree && compliance --check devtools.arboretum.accred,devtools.cloudgov.accred -C auditree.json --evidence full-remote)
-cd ..
-python c2p/result_to_compliance.py -c cdef.json -i /tmp/compliance/check_results.json
+if [ "$1" = "" ]; then
+ ar="$(mktemp -d)/auditree.json"
+else
+ ar="$1"
+fi
+
+python c2p/result_to_compliance.py -c cdef.json -i /tmp/compliance/check_results.json > $ar
+
+locker_repo=`jq -r ".locker.repo_url" auditree/auditree.json`
+plant-helper -f "$ar" -c assessment-results -d "Auditree check assessment-results" -l "$locker_repo" -n
diff --git a/bin/plant-helper b/bin/plant-helper
new file mode 100755
index 0000000..6e1a958
--- /dev/null
+++ b/bin/plant-helper
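Review bot: The redirect `> $ar` on the new result_to_compliance line is unquoted, so a caller-supplied `$1` containing whitespace or glob characters is split or expanded before the output file is opened; it should be `> "$ar"`. The locker lookup on the next line should also fail closed: `jq -r` prints the literal string `null` when `.locker.repo_url` is absent, and the backtick form then passes that value straight to `plant-helper -l`, whereas `locker_repo=$(jq -er '.locker.repo_url' auditree/auditree.json)` makes a missing key abort under `set -e`. The `mktemp -d` directory created for the default `$ar` is never removed, which is presumably fine for a one-shot container run but deserves a comment saying so. The script's preamble, including the `set -e` shown as hunk context, is outside the hunk.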
@@ -0,0 +1,67 @@
+#! /usr/bin/env bash
+
+usage="
+$0: Plant external evidence in the evidence locker
+
+Usage:
+ $0 -h
+ $0 -f FILE_PATH -c CATEGORY -d DESCRIPTION [-t TTL] -l LOCKER_URL [-b LOCKER_BRANCH] [-n]
+
+Options:
+-h: show help and exit
+-f: file to plant. ex: '/abs/path/to/filename.json'
+-c: Evidence Category
+-d: Evidence Description
+-t: Evidence TTL. Default: 86400
+-l: https version of locker repository
+-b: main branch used in locker repository. Default: 'main'
+-n: Dry run mode
+"
+
+set -e
+
+mode="push-remote"
+branch="main"
+ttl=86400
+file=""
+category=""
+description=""
+locker=""
+
+while getopts "hf:c:d:t:l:b:n" opt; do
+ case "$opt" in
+ f)
+ file=${OPTARG}
+ ;;
+ c)
+ category=${OPTARG}
+ ;;
+ d)
+ description=${OPTARG}
+ ;;
+ t)
+ ttl=${OPTARG}
+ ;;
+ l)
+ locker=${OPTARG}
+ ;;
+ b)
+ branch=${OPTARG}
+ ;;
+ n)
+ mode="dry-run"
+ ;;
+ h)
+ echo "$usage"
+ exit 0
+ ;;
+ esac
+done
+
+if [ "$file" = "" ] || [ "$category" = "" ] || [ "$description" = "" ] || [ "$locker" = "" ]; then
+ echo "$usage"
+ exit 1
+fi
+
+config="{\"$file\":{\"category\":\"$category\",\"ttl\":$ttl,\"description\":\"$description\"}}"
+plant "$mode" "$locker" --branch "$branch" --config "$config"
diff --git a/bin/prune-helper b/bin/prune-helper
index eb621eb..92c15d9 100755
--- a/bin/prune-helper
+++ b/bin/prune-helper
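Review bot: The `config=` line near the end of the new file builds JSON by string concatenation, so a `-d` description or `-f` path containing a double quote or backslash yields malformed JSON handed to `plant`, and `-t` is interpolated unquoted without any check that it is an integer. `jq` is installed by the Dockerfile hunk of this same patch and `bin/check` already depends on it, so the object can be built with `jq -n --arg`/`--argjson`, which escapes every value; the prune-helper hunk's `config="{\"$file\":\"$reason\"}"` line has the same problem and should use the same approach. The getopts loop also has no `\?` or `:` arm, so an unknown option or a missing option argument is reported by getopts but the script carries on with partially-set variables; an arm such as `*) echo "$usage"; exit 1 ;;` closes that.
```shell
# … unchanged: usage text, defaults, option parsing and required-argument check …
[[ "$ttl" =~ ^[0-9]+$ ]] || { echo "$usage"; exit 1; }
config=$(jq -cn \
  --arg file "$file" --arg category "$category" \
  --argjson ttl "$ttl" --arg description "$description" \
  '{($file): {category: $category, ttl: $ttl, description: $description}}')
plant "$mode" "$locker" --branch "$branch" --config "$config"
```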
@@ -5,34 +5,32 @@ $0: Prune obsolete evidence from the evidence locker
 Usage:
 $0 -h
- $0 -c PRUNE_CONFIG -l LOCKER_URL [-b LOCKER_BRANCH] [-e EMAIL_ADDRESS] [-d]
+ $0 -f FILE_PATH -r REASON -l LOCKER_URL [-b LOCKER_BRANCH] [-d]
 Options:
 -h: show help and exit
--c: prune config. ex: '{\"path/to/filename.json\":\"Reason it is being pruned\"}'
+-f: file to prune. Should be given as a relative path from the root of the evidence repo
+-r: Reason the evidence is being pruned
 -l: https version of locker repository
 -b: main branch used in locker repository. Default: 'main'
--e: your email address. Defaults to '$GIT_EMAIL'
 -d: Dry run mode
 "
-echo "Calling prune-helper script"
-
 set -e
 mode="push-remote"
 branch="main"
-config=""
-email="$GIT_EMAIL"
+file=""
+reason=""
 locker=""
-while getopts "hc:e:l:b:d" opt; do
+while getopts "hf:r:l:b:d" opt; do
 case "$opt" in
- c)
- config=${OPTARG}
+ f)
+ file=${OPTARG}
 ;;
- e)
- email=${OPTARG}
+ r)
+ reason=${OPTARG}
 ;;
 l)
 locker=${OPTARG}
@@ -50,9 +48,10 @@ while getopts "hc:e:l:b:d" opt; do
 esac
 done
-if [ "$config" = "" ] || [ "$locker" = "" ] || [ "$email" = "" ]; then
+if [ "$file" = "" ] || [ "$reason" = "" ] || [ "$locker" = "" ]; then
 echo "$usage"
 exit 1
 fi
-prune "$mode" --config "$config" --git-config "{\"user\":{\"email\":\"$email\"}}" --branch "$branch" "$locker"
+config="{\"$file\":\"$reason\"}"
+prune "$mode" --config "$config" --branch "$branch" "$locker"
diff --git a/requirements.txt b/requirements.txt
index 0927059..d52ae92 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 auditree-framework @ git+https://github.com/ComplianceAsCode/auditree-framework.git
 auditree-arboretum ~= 0.17
-auditree-prune @ git+https://github.com/rahearn/auditree-prune.git
-compliance-to-policy @ git+https://github.com/rahearn/compliance-to-policy.git
+auditree-prune @ git+https://github.com/ComplianceAsCode/auditree-prune.git
+auditree-plant @ git+https://github.com/rahearn/auditree-plant.git
+compliance-to-policy ~= 0.4
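Review bot: The new `auditree-plant @ git+https://github.com/rahearn/auditree-plant.git` line in the requirements.txt hunk, like the other git-sourced requirements around it, carries no commit ref, so every image build resolves whatever the branch head is at that moment; combined with the `--upgrade` added to the pip install in the Dockerfile hunk of this patch, the code that writes evidence into the locker can change with no change in this repository. Pinning each VCS requirement to a commit, e.g. `auditree-plant @ git+https://github.com/rahearn/auditree-plant.git@<COMMIT_SHA>` (placeholder), keeps the toolchain reproducible and reviewable. `compliance-to-policy ~= 0.4` is at least bounded, though an exact pin or a hash-checked lockfile would be stronger for an evidence pipeline.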
From 7531f5c99ca9afd4996379d778cdb505724e1f8a Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Wed, 11 Sep 2024 16:18:07 -0400
Subject: [PATCH 2/3] Make dry-run -n in prune-helper to match plant-helper
---
 bin/prune-helper | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/bin/prune-helper b/bin/prune-helper
index 92c15d9..0ac939a 100755
--- a/bin/prune-helper
+++ b/bin/prune-helper
@@ -13,7 +13,7 @@ Options:
 -r: Reason the evidence is being pruned
 -l: https version of locker repository
 -b: main branch used in locker repository. Default: 'main'
--d: Dry run mode
+-n: Dry run mode
 "
 set -e
@@ -24,7 +24,7 @@ file=""
 reason=""
 locker=""
-while getopts "hf:r:l:b:d" opt; do
+while getopts "hf:r:l:b:n" opt; do
 case "$opt" in
 f)
 file=${OPTARG}
@@ -38,7 +38,7 @@ while getopts "hf:r:l:b:d" opt; do
 b)
 branch=${OPTARG}
 ;;
- d)
+ n)
 mode="dry-run"
 ;;
 h)
From 8b5ba63d75064a6e9bea04c697aa81607cf119b8 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Wed, 11 Sep 2024 16:18:16 -0400
Subject: [PATCH 3/3] Remove accidental dry-run mode in check script
---
 bin/check | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/check b/bin/check
index 9f8fe54..a1c8afa 100755
--- a/bin/check
+++ b/bin/check
@@ -15,4 +15,4 @@ fi
 python c2p/result_to_compliance.py -c cdef.json -i /tmp/compliance/check_results.json > $ar
 locker_repo=`jq -r ".locker.repo_url" auditree/auditree.json`
-plant-helper -f "$ar" -c assessment-results -d "Auditree check assessment-results" -l "$locker_repo" -n
+plant-helper -f "$ar" -c assessment-results -d "Auditree check assessment-results" -l "$locker_repo"