rails_template_18f 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a7f0ec410febea02b2e3cbc4200373ebbe5b2403f2bd643433acd8d493af8729
-  data.tar.gz: 6a58037093cf649f10bd0ae6166372c8d878e0eecf547baf0ab9be4be91b5d59
+  metadata.gz: ea2ec3406d7768825b772437242ea1b106d635ef1e4231b0a3c5b7959c88574f
+  data.tar.gz: edce599ccfdb6455e5dd8a781aecd37c54ec1d94045aba71735d9262885070e1
 SHA512:
-  metadata.gz: 04c73690530b927f6cf0063c512f580725d19fcad7cce351b24e672b3169167747ae5c344ee437ca078bf4077f53bc7678a0fcdb0b5cf59b3743cec7ecfe79a0
-  data.tar.gz: 6aabb2b9fa5191ed1f295605d47153e79c753880eb8038591ceee1ac733185ddd23de64a7f0041f602527c12f4f92f627fe4a6379772b14cebe36fe87bcdf102
+  metadata.gz: 6b1cd11a24976b6eeb067ac5ff3dc050c6e049dc2e5875d55b24b269059233b7503cb9eeeb6f70df78543dd30e6a69bc9cbaf8d15f9b38aba7e568847f830bd4
+  data.tar.gz: 3cbeed2a16a2f6b89d31f193540556b56e12fa575f659feb513ba75cfea06b1bb19f7fcfcae501fc0ec576a8dead1d7bca87d058c67d3db605611bc6f6551eb2

data/CHANGELOG.md

@@ -1,5 +1,11 @@
 ## [Unreleased]
 
+
+## [1.1.0] - 2024-08-20
+
+- add an auditree generator for integration with auditree-devtools and github actions to run it
+- remove the obsolete entry to include nodejs_buildpack in cloud.gov manifest.yml
+
 ## [1.0.0] - 2024-06-27
 
 - new applications are now on Rails 7.1.x

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (1.0.0)
+    rails_template_18f (1.1.0)
       activesupport (~> 7.1.0)
       colorize (~> 1.1)
       railties (~> 7.1.0)

data/lib/generators/rails_template18f/auditree/auditree_generator.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class AuditreeGenerator < ::Rails::Generators::Base
+      include Base
+
+      class_option :tag, desc: "Which auditree docker tag to use. Defaults to `latest`"
+      class_option :git_email, desc: "Email address to associate with commits to the evidence locker"
+
+      desc <<~DESC
+        Description:
+          Set up auditree validation checking with https://github.com/GSA-TTS/devtools-auditree.
+
+          This generator is still experimental.
+      DESC
+
+      def copy_bin
+        template "bin/auditree"
+        chmod "bin/auditree", 0o755
+      end
+
+      def copy_github_actions
+        if file_exists? ".github/workflows"
+          directory "github", ".github"
+        end
+      end
+
+      def update_readme
+        if file_content("README.md").match?("## Documentation")
+          insert_into_file "README.md", readme_contents, after: "## Documentation\n"
+        else
+          append_to_file "README.md", "\n## Documentation\n#{readme_contents}"
+        end
+      end
+
+      def update_component_list
+        if oscal_dir_exists?
+          insert_into_file "doc/compliance/oscal/trestle-config.yaml", "  - devtools_cloud_gov\n"
+        end
+      end
+
+      no_tasks do
+        def docker_auditree_tag
+          options[:tag].present? ? options[:tag] : "latest"
+        end
+
+        def git_email
+          options[:git_email].present? ? options[:git_email] : "TKTK-email@gsa.gov"
+        end
+
+        def readme_contents
+          <<~README
+
+            ### Auditree Control Validation
+
+            Auditree is used within CI/CD to validate that certain controls are in place.
+
+            * Run `bin/auditree` to start the auditree CLI.
+            * Run `bin/auditree SCRIPT_NAME` to run a single auditree script
+
+            #### Initial auditree setup.
+
+            These steps must happen once per project.
+
+            1. Docker desktop must be running
+            1. Initialize the config file with `bin/auditree init > config/auditree.template.json`
+            1. Create an evidence locker repository with a default or blank README
+            1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your production Github environment secrets.
+            1. Update `config/auditree.template.json` with the repo addresses for your locker and code repos
+            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle
+
+            #### Ongoing use
+
+            See the [auditree-devtools README](https://github.com/gsa-tts/auditree-devtools) for help with updating
+            auditree and using new checks.
+          README
+        end
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/auditree/templates/bin/auditree.tt

@@ -0,0 +1,29 @@
+#! /usr/bin/env bash
+usage="
+$0: Run auditree docker image.
+
+Usage:
+  $0 -h
+  $0
+  $0 init > path/to/auditree.template.json
+  $0 fetch
+  $0 check > path/to/assessment-results/auditree/assessment-results.json
+
+Notes:
+The following environment variables will be passed through to the docker image:
+* GITHUB_TOKEN - a token that has permissions to read and write to the evidence locker and code repository. Required for all but 'init'
+* CF_USERNAME - the cloud.gov username to fetch evidence from cloud.gov, only needed when running fetch script
+* CF_PASSWORD - the cloud.gov password to fetch evidence from cloud.gov, only needed when running fetch script
+"
+
+if [ "$1" = "-h" ]; then
+    echo "$usage"
+    exit 0
+fi
+
+command="bash"
+if [ "$1" != "" ]; then
+    command=$1
+fi
+
+docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="<%= git_email %>" -it --rm ghcr.io/gsa-tts/auditree:<%= docker_auditree_tag %> $command

data/lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt

@@ -0,0 +1,31 @@
+name: "Run an auditree-devtools command"
+description: "Sets up workspace for running a single command in auditree-devtools"
+inputs:
+  tag:
+    description: auditree-devtools tag to use. Defaults to <%= docker_auditree_tag %>
+    required: false
+    default: <%= docker_auditree_tag %>
+  cmd:
+    description: Command to run within auditree-devtools
+    required: true
+  email:
+    description: Git user email to attribute to evidence updates
+    required: true
+  config_template:
+    description: Auditree config file template
+    required: false
+    default: config/auditree.template.json
+  cdef:
+    description: OSCAL Component Definition being used as baseline for assessment results
+    required: false
+    default: doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json
+runs:
+  using: "composite"
+  steps:
+    - name: Run cmd
+      shell: bash
+      run:
+        docker run -v $GITHUB_WORKSPACE/${{inputs.config_template}}:/app/auditree.template.json:ro
+          -v $GITHUB_WORKSPACE/${{inputs.cdef}}:/app/cdef.json:ro
+          -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="${{inputs.email}}"
+          ghcr.io/gsa-tts/auditree:${{ inputs.tag }} ${{ inputs.cmd }}

data/lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt

@@ -0,0 +1,42 @@
+name: Run Auditree Checks
+
+on:
+  workflow_dispatch:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at 11am UTC every day (6am EST / 7am EDT)
+    - cron: '0 11 * * *'
+
+jobs:
+  run_auditree:
+    name: Fetch and check auditree evidence
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Fetch evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          CF_USERNAME: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: fetch
+          email: "<%= git_email %>"
+
+      - name: Check evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          CF_USERNAME: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: check > doc/compliance/oscal/assessment-results/auditree/assessment-results.json
+          email: "<%= git_email %>"
+
+      - name: Save results
+        uses: actions/upload-artifact@v4
+        with:
+          name: auditree_assessment_results
+          path: doc/compliance/oscal/assessment-results/auditree

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/template.rb

@@ -69,6 +69,8 @@ if compliance_trestle_submodule && compliance_trestle_repo.blank?
   compliance_trestle = false
   compliance_trestle_submodule = false
 end
+# only ask about auditree if we're also using docker-trestle
+auditree = compliance_trestle ? yes?("Run compliance checks with auditree? (y/n)") : false
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -458,6 +460,12 @@ if @circleci_pipeline
   EOM
 end
 
+if auditree
+  after_bundle do
+    generate "rails_template18f:auditree"
+  end
+end
+
 # setup production credentials file
 require "rails/generators"
 require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"

data/templates/manifest.yml.tt

@@ -2,7 +2,6 @@
 applications:
 - name: <%= app_name %>-((env))
   buildpacks:
-    - nodejs_buildpack
     - ruby_buildpack
   env:
     RAILS_MASTER_KEY: ((rails_master_key))

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rails_template_18f
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Ryan Ahearn
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-06-27 00:00:00.000000000 Z
+date: 2024-08-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -136,6 +136,10 @@ files:
 - lib/generators/rails_template18f/active_storage/templates/oscal/component-definitions/active_storage/component-definition.json
 - lib/generators/rails_template18f/active_storage/templates/spec/jobs/file_scan_job_spec.rb
 - lib/generators/rails_template18f/active_storage/templates/spec/models/file_upload_spec.rb
+- lib/generators/rails_template18f/auditree/auditree_generator.rb
+- lib/generators/rails_template18f/auditree/templates/bin/auditree.tt
+- lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt
+- lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt
 - lib/generators/rails_template18f/circleci/circleci_generator.rb
 - lib/generators/rails_template18f/circleci/templates/Dockerfile.ci.tt
 - lib/generators/rails_template18f/circleci/templates/bin/ci-server-start