-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add compliance config fetcher and check (#3)
- Loading branch information
Showing
8 changed files
with
231 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
85 changes: 85 additions & 0 deletions
85
arboretum/technology/auditree/checks/test_compliance_config.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| # -*- mode:python; coding:utf-8 -*- | ||
| # Copyright (c) 2020 IBM Corp. All rights reserved. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| """Compliance execution configuration check.""" | ||
|
|
||
| import json | ||
|
|
||
| from compliance.check import ComplianceCheck | ||
| from compliance.evidence import DAY, ReportEvidence, with_raw_evidences | ||
|
|
||
|
|
||
| class ComplianceConfigCheck(ComplianceCheck): | ||
| """ | ||
| Compare running & historical configuration. | ||
| This check compares configuration captured by the fetcher as evidence with | ||
| the current configuration being used by the checks. | ||
| """ | ||
|
|
||
| @property | ||
| def title(self): | ||
| """ | ||
| Provide the title of the checks. | ||
| :returns: the title of the checks | ||
| """ | ||
| return 'Compliance Configuration' | ||
|
|
||
| @classmethod | ||
| def setUpClass(cls): | ||
| """Initialize the check object with configuration settings.""" | ||
| cls.config.add_evidences( | ||
| [ | ||
| ReportEvidence( | ||
| 'compliance_config.md', | ||
| 'auditree', | ||
| DAY, | ||
| 'Compliance repository configuration settings report.' | ||
| ) | ||
| ] | ||
| ) | ||
|
|
||
| return cls | ||
|
|
||
| @with_raw_evidences('auditree/compliance_config.json') | ||
| def test_compliance_configuration(self, evidence): | ||
| """Check that current config matches with config evidence.""" | ||
| evidence_config = json.loads(evidence.content) | ||
| if evidence_config != self.config.raw_config: | ||
| evidence = json.dumps(evidence_config, indent=2).split('\n') | ||
| config = json.dumps(self.config.raw_config, indent=2).split('\n') | ||
| self.add_failures( | ||
| 'Differences found', | ||
| { | ||
| 'Fetcher Configuration': evidence, | ||
| 'Check Configuration': config | ||
| } | ||
| ) | ||
|
|
||
| def get_reports(self): | ||
| """ | ||
| Provide the check report name. | ||
| :returns: the report(s) generated for this check | ||
| """ | ||
| return ['auditree/compliance_config.md'] | ||
|
|
||
| def get_notification_message(self): | ||
| """ | ||
| Compliance configuration check notifier. | ||
| :returns: notification dictionary. | ||
| """ | ||
| return {'body': None} |
39 changes: 39 additions & 0 deletions
39
arboretum/technology/auditree/fetchers/fetch_compliance_config.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # -*- mode:python; coding:utf-8 -*- | ||
| # Copyright (c) 2020 IBM Corp. All rights reserved. | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
| # You may obtain a copy of the License at | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
| """Compliance execution configuration fetcher.""" | ||
|
|
||
| import json | ||
|
|
||
| from compliance.evidence import HOUR, RawEvidence | ||
| from compliance.fetch import ComplianceFetcher | ||
|
|
||
|
|
||
| class ComplianceConfigFetcher(ComplianceFetcher): | ||
| """Fetch the current current compliance tooling configuration.""" | ||
|
|
||
| def fetch_compliance_configuration(self): | ||
| """Fetch the compliance tooling configuration. | ||
| - Evidence is refreshed to the locker regardless of TTL | ||
| - Evidence is valid for the next two hours (for the check) | ||
| """ | ||
| evidence = RawEvidence( | ||
| 'compliance_config.json', | ||
| 'auditree', | ||
| 2 * HOUR, | ||
| 'Compliance Configuration' | ||
| ) | ||
| evidence.set_content(json.dumps(self.config.raw_config)) | ||
| self.locker.add_evidence(evidence) |
57 changes: 57 additions & 0 deletions
57
arboretum/technology/auditree/templates/reports/auditree/compliance_config.md.tmpl
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| {#- -*- mode:jinja2; coding: utf-8 -*- -#} | ||
| {# | ||
| Copyright (c) 2020 IBM Corp. All rights reserved. | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| #} | ||
|
|
||
| # {{ test.title }} Report {{ now.strftime('%Y-%m-%d') }} | ||
|
|
||
| This report displays differences between the configuration used by the fetcher | ||
| execution and the configuration used by the check execution. Fetchers and checks | ||
| are executed as separate processes but the expectation is that both processes | ||
| are executed using the same configuration settings as defined by a project's | ||
| configuration JSON file. If discrepancies are found and reported here then a | ||
| serious problem occurred during execution. | ||
|
|
||
| ## Remediation | ||
|
|
||
| All discrepancies reported here need to be fully investigated and accounted for. | ||
| Since the official execution of fetchers and checks is handled by a CI/CD tool | ||
| like Travis, the execution environment should be a closed "eco-system" and there | ||
| should be no reason for a difference in execution configuration between the | ||
| fetchers and the checks. In the event of a problem reported here, check your | ||
| CI/CD build logs for more details. | ||
|
|
||
| {% if test.total_issues_count(results) == 0 %} | ||
| **No execution configuration discrepancies to report** | ||
| {% else %} | ||
|
|
||
| {% if test.failures_for_check_count(results) > 0 %} | ||
| {% for k in all_failures.keys() -%} | ||
| ## {{ k }} | ||
|
|
||
| {% for config_name, config_content in all_failures[k][0].items() %} | ||
| ### {{ config_name }} | ||
|
|
||
| ``` | ||
| {% for line in config_content %} | ||
| {{ line|safe }} | ||
| {%- endfor %} | ||
| ``` | ||
|
|
||
| {% endfor %} | ||
|
|
||
| {%- endfor -%} | ||
| {% endif -%} | ||
| {% endif %} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters