rails_template_18f 1.0.0 → 1.2.0

data/lib/generators/rails_template18f/auditree/templates/bin/auditree.tt

@@ -0,0 +1,103 @@
+#! /usr/bin/env bash
+
+image="ghcr.io/gsa-tts/auditree"
+tag="<%= docker_auditree_tag %>"
+cwd=`pwd`
+cdef="doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json"
+config="config/auditree.template.json"
+email="<%= git_email %>"
+
+usage="
+$0: Run auditree docker image: $image.
+
+Usage:
+  $0 -h
+  $0 [-a AUDITREE_CONFIG_TEMPLATE] [-c CDEF] [-v EXTRA_VOLUME] [-e GIT_EMAIL] [-t TAG] CMD
+  $0 [-a AUDITREE_CONFIG_TEMPLATE] init
+  $0 [-o] check
+
+Options:
+-h: show help and exit
+-a: Auditree config. Given relative to \"$cwd\" Defaults to \"$config\". Location to write for init CMD
+-c: component definition. Given relative to \"$cwd\" Defaults to \"$cdef\"
+-v: volume to mount. Given as a docker -v argument except that the first part is relative to \"$cwd\"
+-e: Git email. Defaults to \"$email\"
+-t: Auditree docker tag. Defaults to \"$tag\"
+-o: Write assessment results to \"$cwd/tmp/auditree/auditree.json\". Only applicable for \"check\"
+CMD: The command to run. Defaults to \"bash\"
+
+Notes:
+The following environment variables will be passed through to the docker image:
+* GITHUB_TOKEN - a token that has permissions to read and write to the evidence locker and code repository. Required for all but 'init'
+* CF_USERNAME - the cloud.gov username to fetch evidence from cloud.gov, only needed when running fetch script
+* CF_PASSWORD - the cloud.gov password to fetch evidence from cloud.gov, only needed when running fetch script
+"
+
+ar_output=""
+args_to_shift=0
+declare -a volume_args
+
+while getopts "ha:c:v:e:t:o" opt; do
+  case "$opt" in
+    a)
+      config=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    c)
+      cdef=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    v)
+      volume_args+=("-v" "$cwd/${OPTARG}")
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    e)
+      email=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    t)
+      tag=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    o)
+      ar_output="$cwd/tmp/auditree"
+      args_to_shift=$((args_to_shift + 1))
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+shift $args_to_shift
+
+command="bash"
+if [ "$1" != "" ]; then
+    command="$1"
+    shift 1
+fi
+
+if [ "$command" = "init" ]; then
+  docker run --rm $image:$tag init > "$config"
+  exit 0
+fi
+
+volume_args+=("-v" "$cwd/$config":/app/auditree.template.json:ro)
+volume_args+=("-v" "$cwd/$cdef":/app/cdef.json:ro)
+if [ "$ar_output" != "" ]; then
+  mkdir -p "$ar_output"
+  chmod a+w "$ar_output"
+  volume_args+=("-v" "$ar_output":/tmp/auditree:rw)
+  if [ "$command" = "check" ]; then
+    command="check /tmp/auditree"
+  fi
+fi
+
+if [ "$command" = "bash" ]; then
+  docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="$email" \
+    "${volume_args[@]}" -it --rm $image:$tag $command "$@"
+else
+  docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="$email" \
+    "${volume_args[@]}" --rm $image:$tag $command "$@"
+fi

data/lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt

@@ -0,0 +1,42 @@
+name: "Run an auditree-devtools command"
+description: "Sets up workspace for running a single command in auditree-devtools"
+inputs:
+  tag:
+    description: auditree-devtools tag to use.
+    required: false
+    default: <%= docker_auditree_tag %>
+  cmd:
+    description: Command to run within auditree-devtools
+    required: true
+  email:
+    description: Git user email to attribute to evidence updates
+    required: false
+    default: "<%= git_email %>"
+  config_template:
+    description: Auditree config file template
+    required: false
+    default: config/auditree.template.json
+  cdef:
+    description: OSCAL Component Definition being used as baseline for assessment results
+    required: false
+    default: doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json
+  volume:
+    description: Freeform volume string to mount another file in the auditree image
+    required: false
+    default: ""
+runs:
+  using: "composite"
+  steps:
+    - name: Run cmd
+      shell: bash
+      if: ${{ inputs.volume == '' }}
+      run:
+        bin/auditree -t ${{ inputs.tag }} -a ${{ inputs.config_template }} -c ${{ inputs.cdef }}
+          -e "${{ inputs.email }}" ${{ inputs.cmd }}
+
+    - name: Run cmd with volume
+      shell: bash
+      if: ${{ inputs.volume != '' }}
+      run:
+        bin/auditree -t ${{ inputs.tag }} -a ${{ inputs.config_template }} -c ${{ inputs.cdef }}
+          -e "${{ inputs.email }}" -v ${{ inputs.volume }} ${{ inputs.cmd }}

data/lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt

@@ -0,0 +1,38 @@
+name: Run Auditree Checks
+
+on:
+  workflow_dispatch:
+  schedule:
+    # cron format: 'minute hour dayofmonth month dayofweek'
+    # this will run at 11am UTC every day (6am EST / 7am EDT)
+    - cron: '0 11 * * *'
+
+jobs:
+  run_auditree:
+    name: Fetch and check auditree evidence
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Fetch evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          CF_USERNAME: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: fetch
+
+      - name: Check evidence
+        uses: ./.github/actions/auditree-cmd
+        env:
+          GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
+        with:
+          cmd: -o check
+
+      - name: Save results
+        uses: actions/upload-artifact@v4
+        with:
+          name: auditree_assessment_results
+          path: tmp/auditree/auditree.json

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -20,19 +20,16 @@ commands:
     description: Set up environment for running docker-trestle commands
     parameters:
       tag:
-        description: docker-trestle tag to use. Defaults to latest
+        description: docker-trestle tag to use.
         type: string
         default: latest
       cmd:
         description: Command to run within docker-trestle
         type: string
     steps:
-      - run:
-          name: Fix directory permissions
-          command: chmod -R a+w doc/compliance/oscal || true
       - run:
           name: Run trestle command
-          command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
+          command: docker run -u "$(id -u):$(id -g)" -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
   cg-deploy:
     description: "Login to cloud foundry space with service account credentials
       and push application using deployment configuration file."
@@ -141,7 +138,7 @@ jobs:
     steps:
       - checkout
       - trestle-cmd:
-          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+          cmd: validate-ssp-json
       - trestle-cmd:
           cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
   assemble_ssp:
@@ -151,8 +148,12 @@ jobs:
       - checkout
       - trestle-cmd:
           cmd: trestle assemble -n <%= app_name %> system-security-plan
+      - trestle-cmd:
+          cmd: render-ssp
       - store_artifacts:
           path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+      - store_artifacts:
+          path: doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
 <% end %>
   static_security_scans:
     docker:
@@ -161,7 +162,7 @@ jobs:
       - setup-project
       - run:
           name: Run Brakeman scan
-          command: bundle exec brakeman
+          command: bin/brakeman --no-pager --ensure-ignore-notes
       - run:
           name: Bundle audit
           command: bundle exec rake bundler:audit

data/lib/generators/rails_template18f/cloud_gov_config/cloud_gov_config_generator.rb

@@ -15,7 +15,7 @@ module RailsTemplate18f
       def install_climate_control
         return if gem_installed?("climate_control")
         gem_group :test do
-          gem "climate_control", "~> 1.0"
+          gem "climate_control", "~> 1.2"
         end
         bundle_install
       end

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -24,7 +24,6 @@ module RailsTemplate18f
         if !oscal_dir_exists?
           remove_file ".github/workflows/validate-ssp.yml"
           remove_file ".github/workflows/assemble-ssp.yml"
-          remove_dir ".github/actions/trestle-cmd"
         end
       end
 

data/lib/generators/rails_template18f/github_actions/templates/github/dependabot.yml.tt

@@ -0,0 +1,25 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: npm
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10<% if terraform? %>
+- package-ecosystem: terraform
+  directories:
+    - "/terraform/production"
+    - "/terraform/staging"
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+<% end %>

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt

@@ -4,8 +4,6 @@ on:
   workflow_dispatch:
   push:
     branches: [ main ]
-    paths:
-      - "doc/compliance/oscal/**"
 
 jobs:
   assemble_ssp:
@@ -19,8 +17,19 @@ jobs:
         with:
           cmd: trestle assemble -n <%= app_name %> system-security-plan
 
+      - name: Render final SSPP
+        uses: ./.github/actions/trestle-cmd
+        with:
+          cmd: render-ssp
+
+      - name: Transform SSPP to PDF
+        run: docker run --rm -u "$(id -u):$(id -g)" -v "$GITHUB_WORKSPACE/doc/compliance/oscal/ssp-render:/data" pandoc/latex <%= app_name %>_ssp.md -o <%= app_name %>_ssp.pdf
+
       - name: Save artifact
         uses: actions/upload-artifact@v4
         with:
           name: <%= app_name %>_SSPP
-          path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+          path: |
+            doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+            doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
+            doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.pdf

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml

@@ -39,7 +39,7 @@ jobs:
     - name: Scan
       continue-on-error: true
       run: |
-        bundle exec brakeman -f sarif -o output.sarif.json .
+        bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
 
     # Upload the SARIF file generated in the previous step
     - name: Upload SARIF

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt

@@ -30,5 +30,13 @@ jobs:
 
       - name: Run rspec
         env:
-          DATABASE_URL: ${{ steps.setup.outputs.database_url }}
+          DATABASE_URL: ${{ steps.setup.outputs.database_url }}<% if oscal_dir_exists? %>
+          rspec_oscal_output: tmp<% end %>
         run: bundle exec rspec
+<% if oscal_dir_exists? %>
+      - name: Save assessment results
+        uses: actions/upload-artifact@v4
+        with:
+          name: <%= app_name %>_assessment
+          path: tmp/oscal
+<% end %>

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/{validate-ssp.yml.tt → validate-ssp.yml}

@@ -16,7 +16,7 @@ jobs:
       - name: Validate SSP
         uses: ./.github/actions/trestle-cmd
         with:
-          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+          cmd: validate-ssp-json
 
   check_ssp:
     name: Check assembly is current

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb

@@ -24,7 +24,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 9.10"
+        gem "newrelic_rpm", "~> 9.12"
         bundle_install
       end
 

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -10,6 +10,7 @@ module RailsTemplate18f
       class_option :oscal_repo, desc: "GitHub Repo to store compliance documents within. Leave blank to check docs into the app repo"
       class_option :tag, desc: "Which docker-trestle tag to use. Defaults to `latest`"
       class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `main`"
+      class_option :ci, desc: "Name of CI to generate files for. Defaults to system already in use"
 
       desc <<~DESC
         Description:
@@ -42,6 +43,12 @@ module RailsTemplate18f
         template "doc/compliance/oscal/trestle-config.yaml"
       end
 
+      def copy_github_actions
+        if use_github_actions?
+          directory "github", ".github"
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -66,6 +73,8 @@ module RailsTemplate18f
             # Trestle working files
             doc/compliance/oscal/.trestle/_trash
             doc/compliance/oscal/.trestle/cache
+            # Trestle renders
+            doc/compliance/oscal/ssp-render/#{app_name}_ssp.*
           EOM
         end
       end
@@ -76,7 +85,11 @@ module RailsTemplate18f
         end
 
         def docker_trestle_tag
-          options[:tag].present? ? options[:tag] : "latest"
+          options[:tag].present? ? options[:tag] : "20240912"
+        end
+
+        def use_github_actions?
+          options[:ci] == "github" || file_exists?(".github/workflows")
         end
 
         def readme_contents

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -1,10 +1,13 @@
 #! /usr/bin/env bash
 
+trestle_tag="<%= docker_trestle_tag %>"
+
 command="bash"
 if [ "$1" != "" ]; then
     command=$1
+    shift 1
 fi
 
 oscal_location="$(dirname "$(realpath "$0")")/../doc/compliance/oscal"
 
-docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:<%= docker_trestle_tag %> $command
+docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:$trestle_tag $command "$@"

data/lib/generators/rails_template18f/oscal/templates/github/actions/trestle-cmd/action.yml.tt

@@ -0,0 +1,16 @@
+name: "Run a docker-trestle command"
+description: "Sets up workspace for running a single command in docker-trestle"
+inputs:
+  tag:
+    description: docker-trestle tag to use.
+    required: false
+    default: <%= docker_trestle_tag %>
+  cmd:
+    description: Command to run within docker-trestle
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Run cmd
+      shell: bash
+      run: docker run -u "$(id -u):$(id -g)" -v $GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:${{ inputs.tag }} ${{ inputs.cmd }}

data/lib/generators/rails_template18f/sidekiq/sidekiq_generator.rb

@@ -14,7 +14,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("sidekiq")
-        gem "sidekiq", "~> 7.2"
+        gem "sidekiq", "~> 7.3"
         bundle_install
       end
 

data/lib/rails_template18f/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RailsTemplate18f
-  VERSION = "1.0.0"
+  VERSION = "1.2.0"
 end

data/rails-template-18f.gemspec

@@ -31,12 +31,12 @@ Gem::Specification.new do |spec|
 
   # For more information and examples about making a new gem, checkout our
   # guide at: https://bundler.io/guides/creating_gem.html
-  spec.add_dependency "railties", "~> 7.1.0"
-  spec.add_dependency "activesupport", "~> 7.1.0"
+  spec.add_dependency "railties", "~> 7.2.0"
+  spec.add_dependency "activesupport", "~> 7.2.0"
   spec.add_dependency "thor", "~> 1.3"
   spec.add_dependency "colorize", "~> 1.1"
 
   spec.add_development_dependency "rspec", "~> 3.13"
   spec.add_development_dependency "ammeter", "~> 1.1"
-  spec.add_development_dependency "standard", "~> 1.36"
+  spec.add_development_dependency "standard", "~> 1.40"
 end

data/railsrc

@@ -9,3 +9,5 @@
 --css=postcss
 --template=template.rb
 --database=postgresql
+--skip-rubocop
+--skip-ci

data/railsrc-hotwire

@@ -7,3 +7,5 @@
 --css=postcss
 --template=template.rb
 --database=postgresql
+--skip-rubocop
+--skip-ci

data/template.rb

@@ -39,14 +39,16 @@ def print_announcements
   end
 end
 
-unless Gem::Dependency.new("rails", "~> 7.1.0").match?("rails", Rails.gem_version)
-  warn "This template requires Rails 7.1.x"
+unless Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
+  warn "This template requires Rails 7.2.x"
   if Gem::Dependency.new("rails", "~> 6.1.0").match?("rails", Rails.gem_version)
     warn "See the rails-6 branch https://github.com/gsa-tts/rails-template/tree/rails-6"
   elsif Gem::Dependency.new("rails", "~> 7.0.0").match?("rails", Rails.gem_version)
     warn "See the rails-7.0 branch https://github.com/gsa-tts/rails-template/tree/rails-7.0"
-  elsif Gem::Dependency.new("rails", "~> 7.2.0").match?("rails", Rails.gem_version)
-    warn "We haven't updated the template for Rails 7.2 yet! Please file an issue so we can get the template updated"
+  elsif Gem::Dependency.new("rails", "~> 7.1.0").match?("rails", Rails.gem_version)
+    warn "See the rails-7.1 branch https://github.com/gsa-tts/rails-template/tree/rails-7.1"
+  elsif Gem::Dependency.new("rails", ">= 7.3.0").match?("rails", Rails.gem_version)
+    warn "We haven't updated the template for Rails >= 7.3 yet! Please file an issue so we can get the template updated"
   else
     warn "We didn't recognize the version of Rails you are using: #{Rails.version}"
   end
@@ -69,6 +71,11 @@ if compliance_trestle_submodule && compliance_trestle_repo.blank?
   compliance_trestle = false
   compliance_trestle_submodule = false
 end
+# only ask about auditree if we're also using docker-trestle
+auditree = compliance_trestle ? yes?("Run compliance checks with auditree? (y/n)") : false
+if auditree
+  auditree_evidence_repo = ask("What is the https address of your auditree evidence repo? (Leave blank to fill in later)")
+end
 
 terraform = yes?("Create terraform files for cloud.gov services? (y/n)")
 @cloud_gov_organization = ask("What is your cloud.gov organization name? (Leave blank to fill in later)")
@@ -109,9 +116,8 @@ EOM
 if compliance_trestle
   after_bundle do
     generator_arguments = []
-    if compliance_trestle_submodule
-      generator_arguments << "--oscal_repo=#{compliance_trestle_repo}"
-    end
+    generator_arguments << "--oscal_repo=#{compliance_trestle_repo}" if compliance_trestle_submodule
+    generator_arguments << "--ci=github" if @github_actions
     generate "rails_template18f:oscal", *generator_arguments
   end
   register_announcement("OSCAL Documentation", <<~EOM)
@@ -181,7 +187,7 @@ after_bundle do
 end
 
 # updates for OWASP scan to pass
-gem "secure_headers", "~> 6.3"
+gem "secure_headers", "~> 6.7"
 initializer "secure_headers.rb", <<~EOM
   SecureHeaders::Configuration.default do |config|
     # CSP settings are handled by Rails
@@ -222,9 +228,8 @@ uncomment_lines csp_initializer, "content_security_policy_nonce"
 gem_group :development, :test do
   gem "rspec-rails", "~> 6.1"
   gem "dotenv-rails", "~> 3.1"
-  gem "brakeman", "~> 6.1"
   gem "bundler-audit", "~> 0.9"
-  gem "standard", "~> 1.36"
+  gem "standard", "~> 1.40"
 end
 if ENV["RT_DEV"] == "true"
   gem "rails_template_18f", group: :development, path: ENV["PWD"]
@@ -458,6 +463,15 @@ if @circleci_pipeline
   EOM
 end
 
+if auditree
+  after_bundle do
+    generate "rails_template18f:auditree", "--evidence_locker=#{auditree_evidence_repo}"
+  end
+  register_announcement "Auditree", <<~EOM
+    * Don't forget to follow the initial setup instructions for Auditree in the main README
+  EOM
+end
+
 # setup production credentials file
 require "rails/generators"
 require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"
@@ -487,7 +501,8 @@ EOM
 # ensure this is the very last step
 after_bundle do
   if run_db_setup
-    rails_command "db:setup"
+    rails_command "db:create"
+    rails_command "db:migrate"
   end
 
   # x86_64-linux is required to install gems on any linux system such as cloud.gov or CI pipelines

data/templates/lib/tasks/scanning.rake

@@ -2,7 +2,7 @@ desc "Run brakeman with potential non-0 return code"
 task :brakeman do
   # -z flag makes it return non-0 if there are any warnings
   # -q quiets output
-  unless system("brakeman -z -q") # system is true if return is 0, false otherwise
+  unless system("bin/brakeman -z -q") # system is true if return is 0, false otherwise
     abort("Brakeman detected one or more code problems, please run it manually and inspect the output.")
   end
 end

data/templates/manifest.yml.tt

@@ -2,7 +2,6 @@
 applications:
 - name: <%= app_name %>-((env))
   buildpacks:
-    - nodejs_buildpack
     - ruby_buildpack
   env:
     RAILS_MASTER_KEY: ((rails_master_key))