Adding CI to support leveraged content.

.github/workflows/generate_leveraged.yaml

@@ -0,0 +1,67 @@
+name: Leveraged Content Handler
+on:
+  push:
+    branches:
+      - feature-*
+      - Feature-*
+      - develop
+      - main
+  pull_request: {}
+jobs:
+  partial_ssp:
+    runs-on: ubuntu-20.04
+    defaults:
+      run:
+        working-directory: .
+    steps:
+      - name: Check out repository code.
+        uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10' 
+      - name: Check environment.
+        run: |
+          ls -ltra
+          python --version
+          pip --version
+      - name: Install dependencies.
+        run: |
+          pip install -r requirements.txt
+      # - name: Run tests.
+      #   run: |
+      #     pytest
+      - name: Execute script.
+        run: |
+          python oscal_leveraged.py
+      - name: Save SSP.
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-leveraged-ssp
+          path: SSP.LEVERAGED.output.yaml
+  validate_oscal:
+    runs-on: ubuntu-20.04
+    if: ${{ github.ref_name == 'main' || github.ref_name == 'develop' || github.ref_name == 'feature-doc-templates' }}
+    needs:
+      - partial_ssp
+    steps:
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+        id: checkout
+      - name: Setup Java
+        uses: actions/setup-java@c3ac5dd0ed8db40fedb61c32fbe677e6b355e94c
+        with:
+          distribution: adopt
+          java-version: 11
+      - name: Download SSP.
+        uses: actions/download-artifact@v3
+        with:
+          name: artifact-leveraged-ssp
+      - name: Run oscal-cli Validation.
+        uses: oscal-club/[email protected]
+        id: validation
+        with:
+          args: ssp validate SSP.LEVERAGED.output.yaml
+      - name: Validation Result
+        shell: bash
+        run: |
+          exit $oscalcli_exit_code

oscal_leveraged.py

@@ -0,0 +1,107 @@
+#%% Install Libraries (You can uncomment below and execute to install.)
+# import sys
+# !{sys.executable} -m pip install chevron
+# !{sys.executable} -m pip install pydantic
+# !{sys.executable} -m pip install PyYAML
+# !{sys.executable} -m pip install diagrams
+
+# Note: You may need to install this: https://www.graphviz.org/
+
+#%% Import Libraries
+import os, sys
+import chevron
+import json
+import datetime
+from pathlib import Path
+from yaml import safe_load,YAMLError,dump
+
+from oscalic.system_security_plan import SystemSecurityPlan as SSP
+from oscalic.control import ControlAssembly as Control
+from oscalic import Template, Helper, Validation
+
+error_condition = None
+
+#%% Setup
+today = datetime.datetime.now()
+today_format = '%Y-%m-%dT00:00:00.0000-04:00'
+today = today.strftime(today_format)
+control_list = list()
+
+#%% Paths
+partial_path = 'system-security-plan/partials_CSP'
+
+#%% Read Partials
+partials = os.listdir(partial_path)
+this_system_component_uuid = Helper.get_uuid()
+ssp_controls=list()
+print(len(partials))
+
+#%% Start SSP
+ssp_template = os.path.join(os.getcwd(), partial_path, 'template.ssp.yaml')
+ssp_data = {
+    'uuid:document':        Helper.get_uuid(),
+    'uuid:statement':       Helper.get_uuid(),
+    'uuid:component':       this_system_component_uuid, 
+    'uuid:user':            Helper.get_uuid(),
+    'uuid:party':           Helper.get_uuid(), 
+    'uuid:by-component':    Helper.get_uuid(), 
+    'uuid:information-type':Helper.get_uuid(), 
+    'version':              '0.0.1',
+    'modified_date':        f"{today}",
+}
+ssp_content = Template.apply(ssp_template, ssp_data)
+ssp = Helper.from_yaml(SSP, ssp_content)
+
+#%% Start Profile
+profile_template = os.path.join(os.getcwd(), partial_path, 'template.profile.yaml')
+profile_data = {
+    'uuid:document':        Helper.get_uuid(),
+    'uuid:statement':       Helper.get_uuid(),
+    'uuid:component-uuid':  this_system_component_uuid, 
+    'uuid:by-component':    Helper.get_uuid(),
+    'version':              '0.0.1',
+    'modified_date':        f"{today}"
+}
+
+
+#%% Interpret Partials
+for partial in partials:
+    if partial.startswith('template.'):
+        continue
+
+    partial_file = os.path.join(os.getcwd(), partial_path, partial)
+
+    uuid_content = {
+        'uuid:control':         Helper.get_uuid(),
+        'uuid:statement':       Helper.get_uuid(),
+        'uuid:component-uuid':  this_system_component_uuid, 
+        'uuid:by-component':    Helper.get_uuid(), 
+    }
+
+    partial_content = Template.apply(partial_file, uuid_content)
+
+    try:
+        control = Helper.from_yaml(Control, partial_content)
+        ssp.system_security_plan.control_implementation.implemented_requirements.append(control)
+        print(f"SUCCESS: {partial_file}")
+    except Validation.OSCALValidationError as e:
+        print(f"{partial_file}:\nVALIDATION ERROR: {e.json()}\n")
+        error_condition = 1
+
+
+#%% Run above here for partial validation.
+###################################################################################################
+## Prepare Document
+
+#%% Save Profile
+profile_content = Template.apply(profile_template, profile_data)
+Path('Profile.LEVERAGED.output.yaml').write_text(profile_content)
+
+#%% Save SSP
+Path('SSP.LEVERAGED.output.yaml').write_text(Helper.to_yaml(ssp))
+
+# %%
+if error_condition:
+    exit(error_condition)
+
+#%%

system-security-plan/partials_CSP/template.profile.yaml

@@ -0,0 +1,41 @@
+profile:
+  uuid: 51a969c1-af30-4eb7-99a2-0d3ddbd8cacb
+  metadata:
+    title: Leveraged Bloss@m Minimal Baseline for Demonstration
+    last-modified: 2022-11-22T00:00:00.000000-04:00
+    version: 0.0.1-alpha
+    oscal-version: 1.0.4
+    roles:
+      - id: creator
+        title: Document Creator
+      - id: contact
+        title: Contact
+    parties:
+      - uuid: {{ uuid:party }}
+        type: organization
+        name: CSD Development
+        email-addresses:
+          - [email protected]
+        addresses:
+          - addr-lines:
+              - National Institute of Standards and Technology
+              - "Attn: Computer Security Division"
+              - Information Technology Laboratory
+              - 100 Bureau Drive (Mail Stop 8930)
+            city: Gaithersburg
+            state: MD
+            postal-code: 20899-8930
+    responsible-parties:
+      - role-id: creator
+        party-uuids:
+          - {{ uuid:party-1 }}
+      - role-id: contact
+        party-uuids:
+          - {{ uuid:party-2 }}
+  imports:
+    - href: https://raw.githubusercontent.com/usnistgov/oscal-content/ba2efa4c90155650b0fd536f3bffd13042ac6dc7/nist.gov/SP800-53/rev5/yaml/NIST_SP-800-53_rev5_LOW-baseline-resolved-profile_catalog.yaml
+      include-controls:
+        - with-ids:
+            {{ content:controls_list }}
+  merge:
+    as-is: true

system-security-plan/partials_CSP/template.ssp.yaml

@@ -0,0 +1,73 @@
+system-security-plan:
+  uuid: {{ uuid:document }}
+
+  metadata:
+    title: Leveraged BloSS@M Experimental System Security Plan
+    last-modified: '2022-12-21T00:00:00.0000-04:00'
+    version: {{ version }}
+    oscal-version: 1.0.4
+    roles:
+      - id: admin
+        title: Administrator
+    parties:
+      - uuid: {{ uuid:party }}
+        type: person
+
+  import-profile:
+    href: ./profile.yaml
+
+  system-characteristics:
+    system-ids:
+      - id: saas_system_iaas_customer
+    system-name: Leveraging SaaS System
+    description: >
+      NO CONTENT HERE FOR NOW
+    security-sensitivity-level: low
+    system-information:
+      information-types:
+        - uuid: {{ uuid:information-type }}
+          title: System Assessment
+          description: This system handles development information pertaining to audit and assessment events to demonstrate the OSCAL workflow.
+          categorizations:
+            - system: https://doi.org/10.6028/NIST.SP.800-60v2r1
+              information-type-ids:
+                - C.3.5.1
+          confidentiality-impact:
+            base: fips-199-low
+          integrity-impact:
+            base: fips-199-low
+          availability-impact:
+            base: fips-199-low
+    security-impact-level:
+      security-objective-confidentiality: fips-199-low
+      security-objective-integrity: fips-199-low
+      security-objective-availability: fips-199-low
+    status:
+      state: operational
+    authorization-boundary:
+      description: This system is for demonstration purposes only.
+
+  system-implementation:
+    users:
+      - uuid: {{ uuid:user }}
+        role-ids:
+          - admin
+        authorized-privileges:
+          - title: Developer
+            functions-performed:
+              - Manages the content and components within the system.
+    components:
+      - uuid: {{ uuid:component }}
+        type: this-system
+        title: OSCAL Testing Workflow Application
+        description: This is an application to demonstrate minimal OSCAL content, and automation to execute tests against the application.
+        props:
+          - name: implementation-point
+            value: internal
+        status:
+          state: under-development
+
+
+  control-implementation:
+    description: "List of Controls"
+    implemented-requirements: []