rails_template_18f 0.8.2 → 1.1.0

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -7,35 +7,41 @@ module RailsTemplate18f
     class OscalGenerator < ::Rails::Generators::Base
       include Base
 
-      class_option :oscal_repo, required: true, desc: "GitHub Repo containing Compliance-Template fork"
-      class_option :detach, type: :boolean, default: false, desc: "Copy OSCAL files into repo, rather than using a submodule"
-      class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `app_name`"
+      class_option :oscal_repo, desc: "GitHub Repo to store compliance documents within. Leave blank to check docs into the app repo"
+      class_option :tag, desc: "Which docker-trestle tag to use. Defaults to `latest`"
+      class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `main`"
 
       desc <<~DESC
         Description:
-          Add a fork of https://github.com/GSA-TTS/compliance-template.git as a
-          submodule for documenting security controls.
+          Set up doc/compliance/oscal as a working directory for use with https://github.com/GSA-TTS/docker-trestle.
 
           This generator is still experimental.
 
-          Prerequisite:
+          Optional Prerequisite:
 
-          Fork the compliance-template repo for your own use. Updates to the documentation
+          Set up a separate private repository to store the compliance documentation in if access control needs to be
+          tighter than for the code. This generator will set up the directory as a submodule so developers with access
+          can easily update documentation alongside code. Updates to the documentation
           will be pushed to this fork, not the rails app repository.
       DESC
 
-      def copy_template_files
-        if detach?
-          git clone: "#{options[:oscal_repo]} doc/compliance/oscal"
-          remove_dir "doc/compliance/oscal/.git"
-        else
+      def configure_compliance_files
+        if use_submodule?
           git submodule: "add #{options[:oscal_repo]} doc/compliance/oscal"
           inside "doc/compliance/oscal" do
             git switch: "-c #{branch_name}"
           end
+        else
+          create_file "doc/compliance/oscal/.keep"
         end
       end
 
+      def copy_templates
+        template "bin/trestle"
+        chmod "bin/trestle", 0o755
+        template "doc/compliance/oscal/trestle-config.yaml"
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -45,7 +51,7 @@ module RailsTemplate18f
       end
 
       def configure_submodule
-        unless detach?
+        if use_submodule?
           git config: "-f .gitmodules submodule.\"doc/compliance/oscal\".branch #{branch_name}"
           git config: "diff.submodule log"
           git config: "status.submodulesummary 1"
@@ -53,9 +59,24 @@ module RailsTemplate18f
         end
       end
 
+      def configure_gitignore
+        unless skip_git? || use_submodule?
+          append_to_file ".gitignore", <<~EOM
+
+            # Trestle working files
+            doc/compliance/oscal/.trestle/_trash
+            doc/compliance/oscal/.trestle/cache
+          EOM
+        end
+      end
+
       no_tasks do
         def branch_name
-          options[:branch].present? ? options[:branch] : app_name
+          options[:branch].present? ? options[:branch] : "main"
+        end
+
+        def docker_trestle_tag
+          options[:tag].present? ? options[:tag] : "latest"
         end
 
         def readme_contents
@@ -64,8 +85,25 @@ module RailsTemplate18f
             ### Compliance Documentation
 
             Security Controls should be documented within doc/compliance/oscal.
+
+            * Run `bin/trestle` to start the trestle CLI.
+            * Run `bin/trestle SCRIPT_NAME` to run a single trestle script
+
+            #### Initial trestle setup.
+
+            These steps must happen once per project.
+
+            1. Docker desktop must be running
+            1. Start the trestle cli with `bin/trestle`
+            1. Copy the `cloud_gov` component to the local workspace with `copy-component -n cloud_gov`
+            1. Generate the initial markdown with `generate-ssp-markdown`
+
+            #### Ongoing use
+
+            See the [docker-trestle README](https://github.com/gsa-tts/docker-trestle) for help with the workflow
+            for using those scripts for editing the SSP.
           README
-          return content if detach?
+          return content unless use_submodule?
           <<~README
             #{content}
 
@@ -94,8 +132,8 @@ module RailsTemplate18f
           README
         end
 
-        def detach?
-          options[:detach]
+        def use_submodule?
+          options[:oscal_repo].present?
         end
       end
     end

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -0,0 +1,10 @@
+#! /usr/bin/env bash
+
+command="bash"
+if [ "$1" != "" ]; then
+    command=$1
+fi
+
+oscal_location="$(dirname "$(realpath "$0")")/../doc/compliance/oscal"
+
+docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:<%= docker_trestle_tag %> $command

data/lib/generators/rails_template18f/oscal/templates/doc/compliance/oscal/trestle-config.yaml.tt

@@ -0,0 +1,6 @@
+# docker-trestle configuration file
+# for ease of future rails_template18f generator use, keep the components list last in this file
+system-name: "<%= app_name %>"
+profile: lato
+components:
+  - cloud_gov

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb

@@ -14,7 +14,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("sidekiq")
-        gem "sidekiq", "~> 6.4"
+        gem "sidekiq", "~> 7.2"
         bundle_install
       end
 
@@ -24,7 +24,7 @@ module RailsTemplate18f
           # queue for sidekiq jobs
           brew "redis"
         EOB
-        insert_into_file "README.md", indent("* [redis]()\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
+        insert_into_file "README.md", indent("* [redis](https://redis.io/)\n"), after: /\* Install homebrew dependencies: `brew bundle`\n/
       end
 
       def configure_server_runner

data/lib/generators/rails_template18f/terraform/templates/terraform/README.md.tt

@@ -89,7 +89,7 @@ The below steps rely on you first configuring access to the Terraform state in s
 
 1. Run terraform from your new environment directory with
     ```bash
-    terraform init
+    terraform init -backend-config="profile=<%= app_name %>-terraform-backend"
     terraform plan
     ```
 

data/lib/generators/rails_template18f/terraform/templates/terraform/production/main.tf.tt

@@ -1,8 +1,8 @@
 locals {
-  cf_org_name      = "<%= cloud_gov_organization %>"
-  cf_space_name    = "<%= cloud_gov_production_space %>"
-  env              = "production"
-  app_name         = "<%= app_name %>"
+  cf_org_name   = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_production_space %>"
+  env           = "production"
+  app_name      = "<%= app_name %>"
 }
 
 module "database" {

data/lib/generators/rails_template18f/terraform/templates/terraform/production/providers.tf.tt

@@ -12,7 +12,6 @@ terraform {
     key     = "terraform.tfstate.prod"
     encrypt = "true"
     region  = "us-gov-west-1"
-    profile = "<%= app_name %>-terraform-backend"
   }
 }
 

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/main.tf.tt

@@ -1,8 +1,8 @@
 locals {
-  cf_org_name      = "<%= cloud_gov_organization %>"
-  cf_space_name    = "<%= cloud_gov_staging_space %>"
-  env              = "staging"
-  app_name         = "<%= app_name %>"
+  cf_org_name   = "<%= cloud_gov_organization %>"
+  cf_space_name = "<%= cloud_gov_staging_space %>"
+  env           = "staging"
+  app_name      = "<%= app_name %>"
 }
 
 module "database" {

data/lib/generators/rails_template18f/terraform/templates/terraform/staging/providers.tf.tt

@@ -12,7 +12,6 @@ terraform {
     key     = "terraform.tfstate.stage"
     encrypt = "true"
     region  = "us-gov-west-1"
-    profile = "<%= app_name %>-terraform-backend"
   }
 }
 

data/lib/rails_template18f/generators/base.rb

@@ -18,7 +18,6 @@ module RailsTemplate18f
 
       included do
         self.source_path = RailsTemplate18f::Generators.const_source_location(name).first
-        class_option :oscal_profile, desc: "Name of the OSCAL profile to populate. Only needed if multiple folders are present in doc/compliance/oscal/dist/system-security-plans"
       end
 
       private
@@ -60,33 +59,19 @@ module RailsTemplate18f
         Dir.exist? file_path("doc/compliance/oscal")
       end
 
-      def insert_into_oscal(filename, content, after: "## What is the solution and how is it implemented?\n")
-        content = <<~EOS
-
-          ### #{app_name}
-
-          #{content}
-        EOS
-        begin
-          insert_into_file File.join(oscal_path, filename), content, after: after
-        rescue Thor::Error => ex
-          warn ex.message
+      def copy_oscal_component(component_name)
+        template "oscal/component-definitions/#{component_name}/component-definition.json",
+          File.join(oscal_component_path, component_name, "component-definition.json")
+        if oscal_dir_exists?
+          insert_into_file "doc/compliance/oscal/trestle-config.yaml", "  - #{component_name}\n"
         end
       end
 
-      def oscal_path
-        @oscal_path ||= if options[:oscal_profile].present?
-          file_path(File.join("doc/compliance/oscal/dist/system-security-plans", options[:oscal_profile]))
+      def oscal_component_path
+        if oscal_dir_exists?
+          file_path("doc/compliance/oscal/component-definitions")
         else
-          ssp_dir = file_path("doc/compliance/oscal/dist/system-security-plans")
-          profiles = Dir.children(ssp_dir).select { |f| File.directory?(File.join(ssp_dir, f)) }
-          if profiles.empty?
-            fail "No OSCAL profiles found. Please run `make generate` from the `doc/compliance/oscal` folder"
-          elsif profiles.count > 1
-            fail "Multiple OSCAL profiles found. Please specify which one to update by passing the `--oscal-profile` option"
-          else
-            File.join(ssp_dir, profiles.first)
-          end
+          file_path("doc/compliance/oscal-component-definitions")
         end
       end
 

data/lib/rails_template18f/generators/pipeline_options.rb

@@ -13,178 +13,6 @@ module RailsTemplate18f
       def terraform?
         options[:terraform].nil? ? terraform_dir_exists? : options[:terraform]
       end
-
-      def update_cicd_oscal_docs(ci_name)
-        if oscal_dir_exists?
-          update_ca7_oscal_doc
-          update_cm2_oscal_doc(ci_name)
-          update_cm3_oscal_doc(ci_name)
-          update_ra5_oscal_doc
-          update_sa11_oscal_doc(ci_name)
-          update_sa22_oscal_doc
-          update_sc281_oscal_doc(ci_name)
-          update_si2_oscal_doc
-          update_si10_oscal_doc
-          update_sr3_oscal_doc(ci_name)
-        end
-      end
-
-      private
-
-      def update_ca7_oscal_doc
-        insert_into_oscal "ca-7.md", <<~EOS, after: "## Implementation a.\n"
-          * #{app_name} DevOps staff review OWASP and Dependency scans every build, or at least weekly.
-          * #{app_name} DevOps staff and the GSA ISSO review Web Application vulnerability scans on a weekly basis.
-          * #{app_name} Administrators and DevOps staff review changes for potential security impact and engage the #{app_name} ISSO and ISSM who will review or engage assessment staff as needed.
-        EOS
-      end
-
-      def update_cm2_oscal_doc(ci)
-        insert_into_oscal "cm-2.2.md", <<~EOS
-          The #{app_name} team develops, documents, and maintains a current baseline for the #{app_name} application
-          components under configuration control, managed via git and github.com, and orchestrated using #{ci}
-          and the cloud.gov Cloud Foundry CLI.
-
-          Note: All cloud.gov brokered services (including databases) are fully managed by the cloud.gov platform.
-          Due to this, the configuration and security of these services are not included in the #{app_name} configuration baseline.
-        EOS
-      end
-
-      def update_cm3_oscal_doc(ci)
-        insert_into_oscal "cm-3.1.md", <<~EOS, after: "## Implementation (f)\n"
-          #{app_name} employs #{ci} to execute proposed changes to the information system.
-          #{app_name} Administrators and #{app_name} Developers are automatically notified of
-          the success or failure of the change execution via the GitHub notification system.
-        EOS
-      end
-
-      def update_ra5_oscal_doc
-        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation a.\n"
-          Any vulnerabilities in #{app_name} would have to be introduced at time of deployment because #{app_name}
-          is a set of cloud.gov managed applications with SSH disabled in Production. #{app_name} monitors for
-          vulnerabilities by ensuring that scans for vulnerabilities in the information system and hosted applications occur
-          daily and when new code is deployed.
-
-          OWASP ZAP scans are built into the #{app_name} CI/CD pipeline and runs a series of web vulnerability scans before
-          a successful deploy can be made to cloud.gov. Any issues or alerts caused by the scan are documented by #{app_name}
-          Operations and cause the deployment to fail. Issues are tracked in GitHub. The issue posted will provide information
-          on which endpoints are vulnerable and the level of vulnerability, ranging from **False Positive** to **High**.
-          The issue also provides a detailed report formatted in html, json, and markdown.
-
-          #{app_name} Administrators are responsible for reporting any new vulnerabilities reported by the OWASP ZAP scan to the #{app_name} ISSO.
-        EOS
-        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation b.\n"
-          1. Alerts from each ZAP vulnerability scan are automatically reported in GitHub as an issue on the #{app_name} repository.
-          This issue will enumerate each finding and detail the type and severity of the vulnerability. #{app_name} Developers and
-          #{app_name} Administrators receive automated alerts via GitHub of the issues to remediate. Scan results are sent to the
-          #{app_name} System Owner by #{app_name} Administrators. The vulnerabilities are analyzed and prioritized within GitHub
-          based on input from the #{app_name} System Owner and ISSO.
-          1. The ZAP report contains vulnerabilities grouped by type and by risk level. The report also provides a detailed report
-          formatted in html, json, and markdown. The reported issues also include the CVE item associated with the vulnerability.
-          1. Vulnerabilities are classified by ZAP under a level range from **False Positive** to **High**. The impact level is
-          used to drive the priority of the effort to remediate.
-        EOS
-        insert_into_oscal "ra-5.md", <<~EOS, after: "## Implementation c.\n"
-          The ZAP vulnerability report contains information about how the attack was made and suggested solutions for each vulnerability found.
-          Any static code analysis findings identified during automation as part of the GitHub pull request process must be reviewed, analyzed,
-          and resolved by the #{app_name} Developer before the team can merge the pull request.
-        EOS
-      end
-
-      def update_sa11_oscal_doc(ci)
-        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation a.\n"
-          The CI/CD pipeline utilizes multiple tools to perform static code analysis for security and privacy:
-
-          * **Brakeman** is a static code scanner designed to find security issues in Ruby on Rails code. It can flag potential SQL injection,
-          Command Injection, open redirects, and other common vulnerabilities.
-          * **bundle-audit** checks Ruby dependencies against a database of known CVE numbers.
-          * **yarn audit** checks Javascript dependencies against a database of known CVE numbers.
-          * **OWASP ZAP** is a dynamic security scanner that can simulate actual attacks on a running server.
-
-          An additional RAILS_ENV has been created called ci. It inherits from production to ensure that the system being tested is as close as possible to production while allowing for overrides such as bypassing authentication in a secure way.
-        EOS
-        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation b.\n"
-          #{ci} runs rspec tests for unit, integration, and regression testing at every code push to github.com and every Pull Request.
-        EOS
-        insert_into_oscal "sa-11.md", <<~EOS, after: "## Implementation c.\n"
-          Test and scan results can be viewed from within #{ci} for every run of the pipeline.
-
-          When #{ci} is run as a result of a Pull Request, the status of the tests and scans are automatically reported as part of the Pull Request.
-        EOS
-      end
-
-      def update_sa22_oscal_doc
-        insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation a.\n"
-          The #{app_name} application is built and supported by the #{app_name} DevOps staff.
-
-          #{app_name} utilizes public open source Ruby and NodeJS components.
-
-          #{app_name} utilizes dependency scanning tools Bundle Audit and Yarn Audit to find vulnerable or insecure dependencies.
-
-          If a vulnerable or insecure dependency is found it will be upgraded or replaced. Additionally the #{app_name} team code
-          review processes include a review of the health (up to date, supported, many individuals involved) of direct open source dependencies.
-        EOS
-        insert_into_oscal "sa-22.md", <<~EOS, after: "## Implementation b.\n"
-          There are currently no unsupported system components within #{app_name}. In case an unsupported system component is required
-          to maintain #{app_name}, the #{app_name} System Owner will be consulted to make a determination in coordination with the #{app_name} ISSO and ISSM.
-        EOS
-      end
-
-      def update_sc281_oscal_doc(ci)
-        insert_into_oscal "sc-28.1.md", <<~EOS
-          As an additional layer of protection, all PII data is encrypted using [Active Record Encryption — Ruby on Rails Guides](https://guides.rubyonrails.org/active_record_encryption.html).
-          This encryption is implemented in a using non-deterministic AES-256-GCM through Ruby's openssl library with a 256-bit key and a random initialization vector {rails crypto module}.
-
-          The Data Encryption Key is stored in the credentials.yml file in an encrypted format by Ruby's openssl library using the AES-128-GCM cipher,
-          and is built into the application package.
-
-          The credentials.yml decryption key is stored in #{ci} and injected into the running application as an environmental variable. The application then uses this key
-          to decrypt the credentials.yml file and obtain the Data Encryption Key.
-
-          A backup of the key is stored by the Lead Developer and System Owner within a keepass database stored in Google Drive.
-        EOS
-      end
-
-      def update_si2_oscal_doc
-        insert_into_oscal "si-2.md", <<~EOS, after: "Implementation a.\n"
-          Flaw and vulnerability checks are built into the #{app_name} CI/CD pipeline and automated to ensure compliance.
-          Dynamic vulnerability scans are performed against #{app_name} before a successful deployment and reports issues after every scan.
-          Compliance is documented in sections SA-11 and RA-5. The #{app_name} DevOps team uses GitHub as the Product Backlog to
-          track and prioritize issues related to system flaws.
-
-          The responsibility of remediating flaws and vulnerabilities (once a remediation is available) falls on the #{app_name} Developer,
-          who updates the #{app_name} code and deploys fixes as part of the normal development and CI/CD process.
-        EOS
-        insert_into_oscal "si-2.md", <<~EOS, after: "Implementation b.\n"
-          Any flaws or vulnerabilities resolved in #{app_name} result in a GitHub issue for triage via the #{app_name} CM Configuration Control
-          process described in CM-2(2). After resolving a vulnerability or flaw in #{app_name}, unit tests and integration tests are updated to
-          prevent further inclusion of similar flaws.
-
-          * All GitHub tickets have accompanying Acceptance Criteria that are used to create unit tests.
-          * Unit tests are run on the Development environment when new code is pushed.
-          * Integration tests are run on the Test environment when the remediation is deployed via the CI/CD process to ensure that the production
-          environment does not suffer from any side effects of the vulnerability remediation.
-          * Integration tests are run on the Prod environment when the remediation is deployed via the CI/CD process to validate the remediation and application functionality.
-          * All findings that are not remediated immediately are tracked in the #{app_name} Plan of Action and Milestones (POAM) by #{app_name} Operations and the #{app_name} ISSO.
-        EOS
-      end
-
-      def update_si10_oscal_doc
-        insert_into_oscal "si-10.md", <<~EOS
-          All inputs from the end user are parameterized prior to use to avoid potential sql injection.
-
-          #{app_name} utilizes Brakeman scanner as part of the CI/CD pipeline which further identifies coding practices
-          that may lead to application vulnerabilities that are a result of improper input validation.
-        EOS
-      end
-
-      def update_sr3_oscal_doc(ci)
-        insert_into_oscal "sr-3.md", <<~EOS, after: "Implementation b.\n"
-          A complete Software Bill of Materials (SBOM) for all Ruby dependencies is automatically
-          generated by #{ci} on each push to GitHub as well as on a nightly basis. These can be downloaded
-          from the applicable artifact section for each CI job.
-        EOS
-      end
     end
   end
 end

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "0.8.2"
+  VERSION = "1.1.0"
 end

data/rails-template-18f.gemspec

@@ -31,12 +31,12 @@ Gem::Specification.new do |spec|
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html
-  spec.add_dependency "railties", "~> 7.0.0"
-  spec.add_dependency "activesupport", "~> 7.0.0"
-  spec.add_dependency "thor", "~> 1.0"
-  spec.add_dependency "colorize", "~> 0.8"
+  spec.add_dependency "railties", "~> 7.1.0"
+  spec.add_dependency "activesupport", "~> 7.1.0"
+  spec.add_dependency "thor", "~> 1.3"
+  spec.add_dependency "colorize", "~> 1.1"
 
-  spec.add_development_dependency "rspec", "~> 3.11"
+  spec.add_development_dependency "rspec", "~> 3.13"
   spec.add_development_dependency "ammeter", "~> 1.1"
-  spec.add_development_dependency "standard", "~> 1.3"
+  spec.add_development_dependency "standard", "~> 1.36"
 end

data/railsrc

@@ -3,6 +3,7 @@
 --skip-action-cable
 --skip-action-mailbox
 --skip-hotwire
+--skip-docker
 --skip-test
 --javascript=webpack
 --css=postcss

data/railsrc-hotwire

@@ -1,6 +1,7 @@
 --skip-active-storage
 --skip-action-text
 --skip-action-mailbox
+--skip-docker
 --skip-test
 --javascript=webpack
 --css=postcss