oscal 0.1.0 → 0.2.0

data/lib/oscal/assembly.rb

@@ -0,0 +1,119 @@
+require_relative "parsing_functions"
+require_relative "logger"
+require_relative "metadata_block"
+
+module Oscal
+  class MetadataBlockWrapper < Oscal::MetadataBlock
+    include ParsingFunctions
+    def initialize(metadata_hash)
+      # MetadataBlock likes to get strings, but may sometimes get symbols
+      # this little function makes sure it gets strings everytime
+      super(metadata_hash.transform_keys { |key| sym2str(key) })
+    end
+  end
+
+  class Assembly
+    include Oscal::ParsingFunctions
+    include Oscal::ParsingLogger
+
+    def mandatory_attributes
+      if self.class.constants.include?(:MANDATORY)
+        self.class::MANDATORY
+      else
+        []
+      end
+    end
+
+    def allowed_attributes
+      if self.class.constants.include?(:OPTIONAL)
+        mandatory_attributes + self.class::OPTIONAL
+      else
+        mandatory_attributes
+      end
+    end
+
+    def to_json
+      to_h.to_json
+    end
+
+    def to_h
+      allowed_attributes.each_with_object({}) do |var, hash|
+        attr_value = method(var).call
+        hash[sym2str(var)] = if attr_value == nil
+                               next
+                             elsif attr_value.class <= OscalArray
+                               attr_value.each(&:to_h)
+                             elsif attr_value.class <= OscalDatatype
+                               attr_value
+                             else
+                               attr_value.to_h
+                             end
+      end
+    end
+
+    def check_and_normalize_input(input)
+      @logger.debug("Checking to see if input is a Hash")
+      unless input.is_a? Hash
+        raise Oscal::InvalidTypeError,
+              "Assemblies can only be created from Hash types"
+      end
+      @logger.debug("Assembly is hash with keys #{input.keys}")
+
+      @logger.debug("Attempting to transform strings to symbols.")
+      # Transform the keys from Strings to Symbols
+      input.transform_keys { |key| str2sym(key) }
+    end
+
+    def validate_input(input)
+      @logger.debug("Checking mandatory and optional values.")
+      missing_values?(mandatory_attributes, input)
+      extra_values?(allowed_attributes, input)
+    end
+
+    def missing_values?(mandatory, provided)
+      @logger.debug("Checking mandatory values: #{mandatory}")
+      missing_values = mandatory - provided.keys.intersection(mandatory)
+      if missing_values.length.positive?
+        raise Oscal::InvalidTypeError,
+              "Missing mandatory values: #{missing_values}"
+      end
+    end
+
+    def extra_values?(allowed, provided)
+      @logger.debug("Checking allowed values: #{allowed}")
+      extra_values = provided.keys - provided.keys.intersection(allowed)
+      if extra_values.length.positive?
+        raise Oscal::InvalidTypeError,
+              "Extra attributes provided #{extra_values}"
+      end
+    end
+
+    def validate_content(key, value)
+      @logger.info("Validating #{value}")
+      expected_class = Oscal::get_type_of_attribute(key)
+      @logger.debug("Attempting to instiate #{key} as #{expected_class}")
+      instantiated = expected_class.new(value)
+    rescue Oscal::InvalidTypeError
+      raise Oscal::InvalidTypeError,
+            "Value #{value.to_s[0, 25]} not a valid #{key}"
+    else
+      instantiated # Return the valid class
+    end
+
+    def initialize(input)
+      @logger = get_logger
+      @logger.debug("#{self.class}.new called with #{input.to_s[0, 25]}")
+
+      # covert String:String to Symbol:String
+      sym_hash = check_and_normalize_input(input)
+
+      # Make sure all required and no extra keys are provided
+      validate_input(sym_hash)
+
+      # Attempt to convert each value to it's registered type
+      sym_hash.each do |key, value|
+        method("#{key}=".to_sym).call(validate_content(key, value))
+      end
+    end
+  end
+end

data/lib/oscal/assessment_plan.rb

@@ -0,0 +1,28 @@
+require_relative "assembly"
+require_relative "metadata_block"
+require_relative "datatypes"
+
+module Oscal
+  module AssessmentPlan
+    class ImportSSP < Assembly
+      attr_accessor(*(MANDATORY = %i(href).freeze),
+                    *(OPTIONAL = %i(remarks).freeze))
+    end
+
+    class ReviewedControls < Assembly
+      attr_accessor(*(MANDATORY = %i(control_selections).freeze),
+                    *(OPTIONAL = %i(description props links
+                                    control_objective_selections
+                                    remarks).freeze))
+    end
+
+    class AssessmentPlan < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid metadata import_ssp
+                                     reviewed_controls).freeze),
+                    *(OPTIONAL = %i(local_definitions terms_and_conditions
+                                    reviewed_controls assessment_subjects
+                                    assessment_assets tasks
+                                    back_matter).freeze))
+    end
+  end
+end

data/lib/oscal/assessment_result.rb

@@ -0,0 +1,230 @@
+require_relative "assembly"
+require_relative "metadata_block"
+require_relative "datatypes"
+
+module Oscal
+  module AssessmentResult
+    class Activity < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid).freeze),
+                    *(OPTIONAL = %i(title description props links steps
+                                    related_controls responsible_roles
+                                    remarks).freeze))
+    end
+
+    class Attestations < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class AssessmentAssets < Assembly
+      attr_accessor(*(MANDATORY = %i(assessment_platforms).freeze),
+                    *(OPTIONAL = %i(components).freeze))
+    end
+
+    class AssessmentLog
+      attr_accessor(*(MANDATORY = %i(entries).freeze))
+    end
+
+    class AssessmentPlatform < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class AssessmentTask < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid type title).freeze),
+                    *(OPTIONAL = %i(description props links timing dependencies
+                                    tasks associated_activities subjects
+                                    responsible_roles remarks).freeze))
+    end
+
+    class AssociatedActivity < Assembly
+      attr_accessor(*(MANDATORY = %i(activity_uuid subjects).freeze),
+                    *(OPTIONAL = %i(props links responsible_roles
+                                    remarks).freeze))
+    end
+
+    class AssociatedRisk < Assembly
+      attr_accessor(*(MANDATORY = %i(risk_uuid).freeze))
+    end
+
+    class Attestation < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class Component < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class ControlObjectiveSelection < Assembly
+      attr_accessor(*(OPTIONAL = %i(description props links include_all
+                                    include_objectives exclude_objectives
+                                    remarks).freeze))
+    end
+
+    class ControlSelection < Assembly
+      attr_accessor(*(OPTIONAL = %i(description props links include_all
+                                    include_controls exclude_controls
+                                    remarks).freeze))
+    end
+
+    class Entry < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class ExcludeControl
+      # TODO: Define this. Punting for the time being
+      # NOTE: This has the same name as profile/exclude-control, but a different
+      # definition!
+    end
+
+    class ExcludeObjective < Assembly
+      attr_accessor(*(MANDATORY = %i(objective_id).freeze))
+    end
+
+    class Finding < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid title description target).freeze),
+                    *(OPTIONAL = %i(implementation_statement_uuid
+                                    related_observations related_risks
+                                    remarks).freeze))
+    end
+
+    class ImportAP < Assembly
+      attr_accessor(*(MANDATORY = %i(href).freeze),
+                    *(OPTIONAL = %i(remarks).freeze))
+    end
+
+    class IncludeAll < Assembly
+      # This is an Assembly that acts like a flag - it has no no contents
+    end
+
+    class IncludeControl < Assembly
+      attr_accessor(*(MANDATORY = %i(control_id).freeze),
+                    *(OPTIONAL = %i(statement_ids).freeze))
+    end
+
+    class IncludeObjective < Assembly
+      attr_accessor(*(MANDATORY = %i(objective_id).freeze))
+    end
+
+    class InventoryItem < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class LocalDefinitions < Assembly
+      # NOTE we deviate fromt the spec here! local-definitions is defined twice
+      # with different attributes. All attributes are optional, so we merge it
+      # into one big back of optional attributes
+      attr_accessor(*(OPTIONAL = %i(objectives_and_methods activities
+                                    remarks components inventory_items users
+                                    assesssment_assets tasks).freeze))
+    end
+
+    class ObjectivesAndMethods < Assembly
+      attr_accessor(*(MANDATORY = %i(control_id parts).freeze),
+                    *(OPTIONAL = %i(description props links remarks).freeze))
+    end
+
+    class Observation < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid description methods collected).freeze),
+                    *(OPTIONAL = %i(title props links methods types origins
+                                    subjects relevent_evidence expires
+                                    remarks).freeze))
+    end
+
+    class RelatedControls < Assembly
+      attr_accessor(*(MANDATORY = %i(control_selections).freeze),
+                    *(OPTIONAL = %i(description props links
+                                    control_objective_selections
+                                    remarks).freeze))
+    end
+
+    class RelatedObservation < Assembly
+      attr_accessor(*(MANDATORY = %i(observation_uuid).freeze),
+                    *(OPTIONAL = %i().freeze))
+    end
+
+    class ResponsibleRole < Assembly
+      attr_accessor(*(MANDATORY = %i(role_id).freeze),
+                    *(OPTIONAL = %i(props links party_uuids remarks).freeze))
+    end
+
+    class Result < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid title description start).freeze),
+                    *(OPTIONAL = %i(end props links local_definitions
+                                    reviewed_controls attestations
+                                    assessment_log observations risks findings
+                                    remarks).freeze))
+    end
+
+    class ReviewedControls < Assembly
+      attr_accessor(*(MANDATORY = %i(control_selections).freeze),
+                    *(OPTIONAL = %i(description props links
+                                    control_objective_selections
+                                    remarks).freeze))
+    end
+
+    class Risk < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid title description statement
+                                     status).freeze),
+                    *(OPTIONAL = %i(propse links origins threat_ids
+                                    characterizations mitigating_factors
+                                    deadline remediations risk_log
+                                    related_observations).freeze))
+    end
+
+    class Status
+      # Status is defined twice, once as a datatype, once as an assembly
+      # this class figures out which is which
+      def initialize(input)
+        if input.instance_of? String
+          StatusString.new(input)
+        elsif input.instance_of? Hash
+          StatusAssembly.new(input)
+        else
+          raise Oscal::InvalidTypeError, "status must be a string or assembly"
+        end
+      end
+    end
+
+    class StatusString < TokenDataType
+    end
+
+    class StatusAssembly < Assembly
+      attr_accessor(*(MANDATORY = %i(state).freeze),
+                    *(OPTIONAL = %i(reason remarks).freeze))
+    end
+
+    class Step < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid).freeze),
+                    *(OPTIONAL = %i(title description props links
+                                    reviewed_controls responsible_roles
+                                    remarks).freeze))
+    end
+
+    class Subject < Assembly
+      attr_accessor(*(OPTIONAL = %i(subject_uuid type
+                                    description props links include_all
+                                    include_subjects exclude_subjects
+                                    remarks).freeze))
+    end
+
+    class Target < Assembly
+      attr_accessor(*(MANDATORY = %i(type target_id status).freeze),
+                    *(OPTIONAL = %i(title description props links
+                                    implementation_status remarks).freeze))
+    end
+
+    class Task < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    class User < Assembly
+      # TODO: Define this. Punting for the time being
+    end
+
+    ##########################################
+
+    class AssessmentResult < Assembly
+      attr_accessor(*(MANDATORY = %i(uuid metadata import_ap results).freeze),
+                    *(OPTIONAL = %i(local_definitions back_matter).freeze))
+    end
+  end
+end

data/lib/oscal/attribute_type_hash.rb

@@ -0,0 +1,80 @@
+require_relative("datatypes")
+require_relative("list")
+
+module Oscal
+  ATTRIBUTE_TYPE_HASH = {
+    activities: AssessmentResult::ActivityArray,
+    activity_uuid: Uuid,
+    assessment_plan: AssessmentPlan::AssessmentPlan,
+    assessment_platforms: AssessmentResult::AssessmentPlatformArray,
+    assessment_results: AssessmentResult::AssessmentResult,
+    assessment_log: AssessmentResult::AssessmentLog,
+    associated_activities: AssessmentResult::AssociatedActivityArray,
+    attestations: AssessmentResult::AttestationArray,
+    collected: DateTimeWithTimezoneDataType,
+    components: AssessmentResult::ComponentArray,
+    control_id: TokenDataType,
+    control_objective_selections: AssessmentResult::ControlObjectiveSelectionArray,
+    control_selections: AssessmentResult::ControlSelectionArray,
+    description: MarkupMultilineDataType,
+    end: DateTimeWithTimezoneDataType,
+    entries: AssessmentResult::EntryArray,
+    exclude_controls: AssessmentResult::ExcludeControlArray,
+    exclude_objectives: AssessmentResult::ExcludeObjectiveArray,
+    expires: DateTimeWithTimezoneDataType,
+    findings: AssessmentResult::FindingArray,
+    href: UriReference,
+    implementation_statement_uuid: Uuid,
+    import_ap: AssessmentResult::ImportAP,
+    import_ssp: AssessmentPlan::ImportSSP,
+    include_all: AssessmentResult::IncludeAll,
+    include_controls: AssessmentResult::IncludeControlArray,
+    inventory_items: AssessmentResult::InventoryItemArray,
+    links: AssessmentResult::LinkArray,
+    local_definitions: AssessmentResult::LocalDefinitions,
+    metadata: MetadataBlockWrapper,
+    methods: AssessmentResult::MethodArray,
+    objective_id: TokenDataType,
+    objectives_and_methods: AssessmentResult::ObjectivesAndMethodsArray,
+    observations: AssessmentResult::ObservationArray,
+    observation_uuid: Uuid,
+    parts: AssessmentResult::PartArray,
+    party_uuids: AssessmentResult::PartyUuidArray,
+    props: AssessmentResult::PropArray,
+    related_controls: AssessmentResult::RelatedControls,
+    related_observations: AssessmentResult::RelatedObservationArray,
+    related_risks: AssessmentResult::RelatedRiskArray,
+    remarks: MarkupMultilineDataType,
+    responsible_roles: AssessmentResult::ResponsibleRoleArray,
+    results: AssessmentResult::ResultArray,
+    reviewed_controls: AssessmentResult::ReviewedControls,
+    risks: AssessmentResult::RiskArray,
+    risk_uuid: Uuid,
+    role_id: TokenDataType,
+    start: DateTimeWithTimezoneDataType,
+    state: TokenDataType,
+    status: AssessmentResult::Status,
+    statement: MarkupMultilineDataType,
+    statement_ids: AssessmentResult::StatementIdArray,
+    steps: AssessmentResult::StepArray,
+    subjects: AssessmentResult::SubjectArray,
+    subject_uuid: Uuid,
+    target: AssessmentResult::Target,
+    target_id: TokenDataType,
+    tasks: AssessmentResult::AssessmentTaskArray,
+    title: MarkupMultilineDataType,
+    type: TokenDataType,
+    types: AssessmentResult::TypeArray,
+    uuid: Uuid,
+    users: AssessmentResult::UserArray,
+  }.freeze
+
+  def self.get_type_of_attribute(attribute_name)
+    klass = Oscal::ATTRIBUTE_TYPE_HASH[attribute_name.to_sym]
+    if klass == nil
+      raise InvalidTypeError, "No type found for #{attribute_name}"
+    else
+      klass
+    end
+  end
+end

data/lib/oscal/back_matter.rb

@@ -0,0 +1,20 @@
+require_relative "base_class"
+
+module Oscal
+  class BackMatter < Oscal::BaseClass
+    KEY = %i(resources)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+
+    def set_value(key_name, val)
+      case key_name
+      when "resources"
+        Resource.wrap(val)
+      else
+        val
+      end
+    end
+  end
+end

data/lib/oscal/base64_object.rb

@@ -0,0 +1,11 @@
+require_relative "base_class"
+
+module Oscal
+  class Base64Object < Oscal::BaseClass
+    KEY = %i(filename media_type value)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+  end
+end

data/lib/oscal/base_class.rb

@@ -0,0 +1,50 @@
+require_relative "serializer"
+
+module Oscal
+  class BaseClass
+    include Serializer
+
+    KEY = %i(val)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+
+    def self.wrap(obj)
+      klass = self
+      return obj if obj.is_a? klass
+      return klass.new(obj) unless obj.is_a? Array
+
+      obj.map do |x|
+        klass.wrap(x)
+      end
+    end
+
+    def initialize(options = {})
+      klass = self.class
+
+      unless options.is_a? Hash
+        options = { klass::KEY.first.to_s => options }
+      end
+
+      options.each_pair.each do |key, val|
+        key_name = key.gsub("-", "_")
+        key_name = "klass" if key == "class"
+
+        unless klass::KEY.include?(key_name.to_sym)
+          raise UnknownAttributeError.new(
+            "Unknown key `#{key}` in #{klass.name}",
+          )
+        end
+
+        val = set_value(key_name, val)
+
+        send("#{key_name}=", val)
+      end
+    end
+
+    def set_value(_key_name, val)
+      val
+    end
+  end
+end

data/lib/oscal/catalog.rb

@@ -1,22 +1,63 @@
+require "date"
+require_relative "serializer"
+require_relative "common_utils"
+
 module Oscal
   class Catalog
-    attr_accessor :uuid, :metadata, :groups
+    include Serializer
+    include CommonUtils
+
+    KEY = %i(uuid metadata params controls groups back_matter)
+    attr_accessor *KEY
+
+    attr_serializable *KEY
 
-    def initialize(metadata, groups)
-      @metadata = MetadataBlock.new(metadata)
-      @groups = Group.wrap(groups)
+    def initialize(uuid, metadata, params, controls, groups, back_matter)
+      @uuid        = uuid
+      @metadata    = MetadataBlock.new(metadata)
+      @params      = Parameter.wrap(params) if params
+      @controls    = Control.wrap(controls) if controls
+      @groups      = Group.wrap(groups) if groups
+      @back_matter = BackMatter.wrap(back_matter) if back_matter
+
+      @all_controls = []
     end
 
     def self.load_from_yaml(path)
-      yaml_data = YAML.load_file(path, permitted_classes: [Time, Date, DateTime])
+      yaml_data     = safe_load_yaml(path)
+      yaml_catalog  = yaml_data["catalog"]
+
+      uuid          = yaml_catalog["uuid"]
+      metadata      = yaml_catalog["metadata"]
+      params        = yaml_catalog["params"]
+      controls      = yaml_catalog["controls"]
+      groups        = yaml_catalog["groups"]
+      back_matter   = yaml_catalog["back-matter"]
 
-      yaml_catalog = yaml_data['catalog']
+      Catalog.new(uuid, metadata, params, controls, groups, back_matter)
+    end
+
+    def get_all_controls
+      append_all_control_group(self)
+      @all_controls.uniq
+    end
 
-      metadata = yaml_catalog['metadata']
-      group_data = yaml_catalog['groups']
+    def append_all_control_group(obj)
+      if /Oscal::Control/.match?(obj.to_s)
+        @all_controls << obj
+      end
 
-      Catalog.new(metadata, group_data)
+      if obj.respond_to?(:controls) && !obj.controls.nil?
+        obj.controls.each do |c|
+          append_all_control_group(c)
+        end
+      end
+
+      if obj.respond_to?(:groups) && !obj.groups.nil?
+        obj.groups.each do |g|
+          append_all_control_group(g)
+        end
+      end
     end
   end
-
 end

data/lib/oscal/choice.rb

@@ -0,0 +1,11 @@
+require_relative "base_class"
+
+module Oscal
+  class Choice < Oscal::BaseClass
+    KEY = %i(val)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+  end
+end

data/lib/oscal/citation.rb

@@ -0,0 +1,22 @@
+require_relative "base_class"
+
+module Oscal
+  class Citation < Oscal::BaseClass
+    KEY = %i(text props links)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+
+    def set_value(key_name, val)
+      case key_name
+      when "props"
+        Property.wrap(val)
+      when "links"
+        Link.wrap(val)
+      else
+        val
+      end
+    end
+  end
+end

data/lib/oscal/combine.rb

@@ -0,0 +1,11 @@
+require_relative "base_class"
+
+module Oscal
+  class Combine < Oscal::BaseClass
+    KEY = %i(method)
+
+    attr_accessor *KEY
+
+    attr_serializable *KEY
+  end
+end