rails_template_18f 1.1.0 → 1.3.0

data/lib/generators/rails_template18f/auditree/templates/bin/auditree.tt

@@ -1,13 +1,30 @@
 #! /usr/bin/env bash
+
+image="ghcr.io/gsa-tts/auditree"
+tag="<%= docker_auditree_tag %>"
+cwd=`pwd`
+cdef="doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json"
+config="config/auditree.template.json"
+email="<%= git_email %>"
+
 usage="
-$0: Run auditree docker image.
+$0: Run auditree docker image: $image.
 
 Usage:
   $0 -h
-  $0
-  $0 init > path/to/auditree.template.json
-  $0 fetch
-  $0 check > path/to/assessment-results/auditree/assessment-results.json
+  $0 [-a AUDITREE_CONFIG_TEMPLATE] [-c CDEF] [-v EXTRA_VOLUME] [-e GIT_EMAIL] [-t TAG] CMD
+  $0 [-a AUDITREE_CONFIG_TEMPLATE] init
+  $0 [-o] check
+
+Options:
+-h: show help and exit
+-a: Auditree config. Given relative to \"$cwd\" Defaults to \"$config\". Location to write for init CMD
+-c: component definition. Given relative to \"$cwd\" Defaults to \"$cdef\"
+-v: volume to mount. Given as a docker -v argument except that the first part is relative to \"$cwd\"
+-e: Git email. Defaults to \"$email\"
+-t: Auditree docker tag. Defaults to \"$tag\"
+-o: Write assessment results to \"$cwd/tmp/auditree/auditree.json\". Only applicable for \"check\"
+CMD: The command to run. Defaults to \"bash\"
 
 Notes:
 The following environment variables will be passed through to the docker image:
@@ -16,14 +33,71 @@ The following environment variables will be passed through to the docker image:
 * CF_PASSWORD - the cloud.gov password to fetch evidence from cloud.gov, only needed when running fetch script
 "
 
-if [ "$1" = "-h" ]; then
-    echo "$usage"
-    exit 0
-fi
+ar_output=""
+args_to_shift=0
+declare -a volume_args
+
+while getopts "ha:c:v:e:t:o" opt; do
+  case "$opt" in
+    a)
+      config=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    c)
+      cdef=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    v)
+      volume_args+=("-v" "$cwd/${OPTARG}")
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    e)
+      email=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    t)
+      tag=${OPTARG}
+      args_to_shift=$((args_to_shift + 2))
+      ;;
+    o)
+      ar_output="$cwd/tmp/auditree"
+      args_to_shift=$((args_to_shift + 1))
+      ;;
+    h)
+      echo "$usage"
+      exit 0
+      ;;
+  esac
+done
+
+shift $args_to_shift
 
 command="bash"
 if [ "$1" != "" ]; then
-    command=$1
+    command="$1"
+    shift 1
 fi
 
-docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="<%= git_email %>" -it --rm ghcr.io/gsa-tts/auditree:<%= docker_auditree_tag %> $command
+if [ "$command" = "init" ]; then
+  docker run --rm $image:$tag init > "$config"
+  exit 0
+fi
+
+volume_args+=("-v" "$cwd/$config":/app/auditree.template.json:ro)
+volume_args+=("-v" "$cwd/$cdef":/app/cdef.json:ro)
+if [ "$ar_output" != "" ]; then
+  mkdir -p "$ar_output"
+  chmod a+w "$ar_output"
+  volume_args+=("-v" "$ar_output":/tmp/auditree:rw)
+  if [ "$command" = "check" ]; then
+    command="check /tmp/auditree"
+  fi
+fi
+
+if [ "$command" = "bash" ]; then
+  docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="$email" \
+    "${volume_args[@]}" -it --rm $image:$tag $command "$@"
+else
+  docker run -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="$email" \
+    "${volume_args[@]}" --rm $image:$tag $command "$@"
+fi

data/lib/generators/rails_template18f/auditree/templates/github/actions/auditree-cmd/action.yml.tt

@@ -2,7 +2,7 @@ name: "Run an auditree-devtools command"
 description: "Sets up workspace for running a single command in auditree-devtools"
 inputs:
   tag:
-    description: auditree-devtools tag to use. Defaults to <%= docker_auditree_tag %>
+    description: auditree-devtools tag to use.
     required: false
     default: <%= docker_auditree_tag %>
   cmd:
@@ -10,7 +10,8 @@ inputs:
     required: true
   email:
     description: Git user email to attribute to evidence updates
-    required: true
+    required: false
+    default: "<%= git_email %>"
   config_template:
     description: Auditree config file template
     required: false
@@ -19,13 +20,23 @@ inputs:
     description: OSCAL Component Definition being used as baseline for assessment results
     required: false
     default: doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json
+  volume:
+    description: Freeform volume string to mount another file in the auditree image
+    required: false
+    default: ""
 runs:
   using: "composite"
   steps:
     - name: Run cmd
       shell: bash
+      if: ${{ inputs.volume == '' }}
+      run:
+        bin/auditree -t ${{ inputs.tag }} -a ${{ inputs.config_template }} -c ${{ inputs.cdef }}
+          -e "${{ inputs.email }}" ${{ inputs.cmd }}
+
+    - name: Run cmd with volume
+      shell: bash
+      if: ${{ inputs.volume != '' }}
       run:
-        docker run -v $GITHUB_WORKSPACE/${{inputs.config_template}}:/app/auditree.template.json:ro
-          -v $GITHUB_WORKSPACE/${{inputs.cdef}}:/app/cdef.json:ro
-          -e GITHUB_TOKEN -e CF_USERNAME -e CF_PASSWORD -e GIT_EMAIL="${{inputs.email}}"
-          ghcr.io/gsa-tts/auditree:${{ inputs.tag }} ${{ inputs.cmd }}
+        bin/auditree -t ${{ inputs.tag }} -a ${{ inputs.config_template }} -c ${{ inputs.cdef }}
+          -e "${{ inputs.email }}" -v ${{ inputs.volume }} ${{ inputs.cmd }}

data/lib/generators/rails_template18f/auditree/templates/github/workflows/auditree-validation.yml.tt

@@ -23,20 +23,16 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
         with:
           cmd: fetch
-          email: "<%= git_email %>"
 
       - name: Check evidence
         uses: ./.github/actions/auditree-cmd
         env:
-          CF_USERNAME: ${{ secrets.CF_USERNAME }}
-          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
         with:
-          cmd: check > doc/compliance/oscal/assessment-results/auditree/assessment-results.json
-          email: "<%= git_email %>"
+          cmd: -o check
 
       - name: Save results
         uses: actions/upload-artifact@v4
         with:
           name: auditree_assessment_results
-          path: doc/compliance/oscal/assessment-results/auditree
+          path: tmp/auditree/auditree.json

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -20,19 +20,16 @@ commands:
     description: Set up environment for running docker-trestle commands
     parameters:
       tag:
-        description: docker-trestle tag to use. Defaults to latest
+        description: docker-trestle tag to use.
         type: string
         default: latest
       cmd:
         description: Command to run within docker-trestle
         type: string
     steps:
-      - run:
-          name: Fix directory permissions
-          command: chmod -R a+w doc/compliance/oscal || true
       - run:
           name: Run trestle command
-          command: docker run -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
+          command: docker run -u "$(id -u):$(id -g)" -v $(pwd)/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:<< parameters.tag >> << parameters.cmd >><% end %>
   cg-deploy:
     description: "Login to cloud foundry space with service account credentials
       and push application using deployment configuration file."
@@ -74,6 +71,11 @@ commands:
               -p ${<< parameters.cloudgov_password >>} \
               -o << parameters.cloudgov_org >> \
               -s << parameters.cloudgov_space >>
+      - run:
+          name: Set restricted egress
+          command: |
+            cf bind-security-group trusted_local_networks_egress << parameters.cloudgov_org >> \
+              --space << parameters.cloudgov_space >>
       - run:
           name: Push application with deployment vars
           command: |
@@ -141,7 +143,7 @@ jobs:
     steps:
       - checkout
       - trestle-cmd:
-          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+          cmd: validate-ssp-json
       - trestle-cmd:
           cmd: assemble-ssp-json 2> /dev/null | grep "^No changes to assembled ssp"
   assemble_ssp:
@@ -151,8 +153,12 @@ jobs:
       - checkout
       - trestle-cmd:
           cmd: trestle assemble -n <%= app_name %> system-security-plan
+      - trestle-cmd:
+          cmd: render-ssp
       - store_artifacts:
           path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+      - store_artifacts:
+          path: doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
 <% end %>
   static_security_scans:
     docker:
@@ -161,7 +167,7 @@ jobs:
       - setup-project
       - run:
           name: Run Brakeman scan
-          command: bundle exec brakeman
+          command: bin/brakeman --no-pager --ensure-ignore-notes
       - run:
           name: Bundle audit
           command: bundle exec rake bundler:audit

data/lib/generators/rails_template18f/cloud_gov_config/cloud_gov_config_generator.rb

@@ -15,7 +15,7 @@ module RailsTemplate18f
       def install_climate_control
         return if gem_installed?("climate_control")
         gem_group :test do
-          gem "climate_control", "~> 1.0"
+          gem "climate_control", "~> 1.2"
         end
         bundle_install
       end

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -24,7 +24,6 @@ module RailsTemplate18f
         if !oscal_dir_exists?
           remove_file ".github/workflows/validate-ssp.yml"
           remove_file ".github/workflows/assemble-ssp.yml"
-          remove_dir ".github/actions/trestle-cmd"
         end
       end
 

data/lib/generators/rails_template18f/github_actions/templates/github/dependabot.yml.tt

@@ -0,0 +1,25 @@
+version: 2
+updates:
+- package-ecosystem: bundler
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: npm
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10
+- package-ecosystem: github-actions
+  directory: "/"
+  schedule:
+    interval: daily
+  open-pull-requests-limit: 10<% if terraform? %>
+- package-ecosystem: terraform
+  directories:
+    - "/terraform/production"
+    - "/terraform/staging"
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+<% end %>

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/assemble-ssp.yml.tt

@@ -4,8 +4,6 @@ on:
   workflow_dispatch:
   push:
     branches: [ main ]
-    paths:
-      - "doc/compliance/oscal/**"
 
 jobs:
   assemble_ssp:
@@ -19,8 +17,19 @@ jobs:
         with:
           cmd: trestle assemble -n <%= app_name %> system-security-plan
 
+      - name: Render final SSPP
+        uses: ./.github/actions/trestle-cmd
+        with:
+          cmd: render-ssp
+
+      - name: Transform SSPP to PDF
+        run: docker run --rm -u "$(id -u):$(id -g)" -v "$GITHUB_WORKSPACE/doc/compliance/oscal/ssp-render:/data" pandoc/latex <%= app_name %>_ssp.md -o <%= app_name %>_ssp.pdf
+
       - name: Save artifact
         uses: actions/upload-artifact@v4
         with:
           name: <%= app_name %>_SSPP
-          path: doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+          path: |
+            doc/compliance/oscal/dist/system-security-plans/<%= app_name %>.json
+            doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.md
+            doc/compliance/oscal/ssp-render/<%= app_name %>_ssp.pdf

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/brakeman-analysis.yml

@@ -39,7 +39,7 @@ jobs:
     - name: Scan
       continue-on-error: true
       run: |
-        bundle exec brakeman -f sarif -o output.sarif.json .
+        bin/brakeman --no-pager --ensure-ignore-notes -f sarif -o output.sarif.json
 
     # Upload the SARIF file generated in the previous step
     - name: Upload SARIF

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml.tt

@@ -32,6 +32,14 @@ jobs:
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
+      - name: Set restricted egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_production_space %>
+          cf_command: bind-security-group trusted_local_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
         with:

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml.tt

@@ -32,6 +32,14 @@ jobs:
             access_key=${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
             secret_key=${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
       <% end %>
+      - name: Set restricted egress
+        uses: cloud-gov/cg-cli-tools@main
+        with:
+          cf_username: ${{ secrets.CF_USERNAME }}
+          cf_password: ${{ secrets.CF_PASSWORD }}
+          cf_org: <%= cloud_gov_organization %>
+          cf_space: <%= cloud_gov_staging_space %>
+          cf_command: bind-security-group trusted_local_networks_egress $INPUT_CF_ORG --space $INPUT_CF_SPACE
       - name: Deploy app
         uses: cloud-gov/cg-cli-tools@main
         with:

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/rspec.yml.tt

@@ -30,5 +30,13 @@ jobs:
 
       - name: Run rspec
         env:
-          DATABASE_URL: ${{ steps.setup.outputs.database_url }}
+          DATABASE_URL: ${{ steps.setup.outputs.database_url }}<% if oscal_dir_exists? %>
+          rspec_oscal_output: tmp<% end %>
         run: bundle exec rspec
+<% if oscal_dir_exists? %>
+      - name: Save assessment results
+        uses: actions/upload-artifact@v4
+        with:
+          name: <%= app_name %>_assessment
+          path: tmp/oscal
+<% end %>

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/{validate-ssp.yml.tt → validate-ssp.yml}

@@ -16,7 +16,7 @@ jobs:
       - name: Validate SSP
         uses: ./.github/actions/trestle-cmd
         with:
-          cmd: trestle validate -f system-security-plans/<%= app_name %>/system-security-plan.json
+          cmd: validate-ssp-json
 
   check_ssp:
     name: Check assembly is current

data/lib/generators/rails_template18f/i18n_js/i18n_js_generator.rb

@@ -12,37 +12,29 @@ module RailsTemplate18f
           Install and configure i18n-js gem to provide translations to JS code.
 
           By default, will only export translations with keys that match `*.js.*`
+
+          To use, add the following to your js code:
+
+          1. `import { i18n } from './i18n';`
+          2. `i18n.t('path.to.translation.key')`
       DESC
 
-      def install_gem_and_tasks
-        return if gem_installed?("i18n-js")
-        gem "i18n-js", "~> 3.9"
+      def install_gems
+        gem "i18n-js", "~> 4.2" unless gem_installed?("i18n-js")
+        gem "listen", "~> 3.9", group: :development unless gem_installed?("listen")
         bundle_install do
           run "yarn add i18n-js"
-          generate "i18n:js:config"
         end
       end
 
       def configure_translation_yaml
-        append_to_file "config/i18n-js.yml", <<~EOYAML
-          # remove `only` to include all translations
-          translations:
-            - file: "app/assets/builds/translations.js"
-              only: "*.js.*"
-        EOYAML
+        copy_file "config/i18n-js.yml"
       end
 
       def configure_asset_pipeline
         copy_file "lib/tasks/i18n.rake"
-        environment "config.middleware.use I18n::JS::Middleware", env: :development
-        insert_into_file "app/views/layouts/application.html.erb", indent(<<~EOHTML, 4), after: /<%= stylesheet_link_tag "application".*$\n/
-          <%= javascript_include_tag "i18n", "data-turbo-track": "reload" %>
-          <%= javascript_include_tag "translations", "data-turbo-track": "reload" %>
-        EOHTML
-        append_to_file "app/assets/config/manifest.js", <<~EOJS
-          //= link i18n.js
-          //= link translations.js
-        EOJS
+        copy_file "config/initializers/i18n_js.rb"
+        copy_file "app/javascript/i18n.js"
       end
 
       def ignore_generated_file
@@ -50,7 +42,7 @@ module RailsTemplate18f
           append_to_file ".gitignore", <<~EOM
 
             # Generated by i18n-js
-            /public/javascripts/i18n.js
+            /app/javascript/generated
           EOM
         end
       end

data/lib/generators/rails_template18f/i18n_js/templates/app/javascript/i18n.js

@@ -0,0 +1,11 @@
+import { I18n } from 'i18n-js';
+import translations from './generated/translations.json';
+
+const userLocale = document.documentElement.lang;
+
+export const i18n = new I18n();
+
+i18n.store(translations);
+i18n.defaultLocale = "en";
+i18n.enableFallback = true;
+i18n.locale = userLocale;

data/lib/generators/rails_template18f/i18n_js/templates/config/i18n-js.yml

@@ -0,0 +1,4 @@
+translations:
+  - file: "app/javascript/generated/translations.json"
+    patterns:
+      - "*.js.*"

data/lib/generators/rails_template18f/i18n_js/templates/config/initializers/i18n_js.rb

@@ -0,0 +1,5 @@
+Rails.application.config.after_initialize do
+  require "i18n-js/listen"
+  # This will only run in development
+  I18nJS.listen config_file: Rails.root.join("config/i18n-js.yml")
+end

data/lib/generators/rails_template18f/i18n_js/templates/lib/tasks/i18n.rake

@@ -1,9 +1,10 @@
 # export translations as part of asset precompile
-
-Rake::Task["assets:precompile"].enhance(["i18n:js:export"])
-
-if Rake::Task.task_defined?("test:prepare")
-  Rake::Task["test:prepare"].enhance(["i18n:js:export"])
-elsif Rake::Task.task_defined?("db:test:prepare")
-  Rake::Task["db:test:prepare"].enhance(["i18n:js:export"])
+namespace "i18n:js" do
+  desc "Call the i18n-js export method"
+  task :export do
+    require "i18n-js"
+    I18nJS.call(config_file: "config/i18n-js.yml")
+  end
 end
+
+Rake::Task["javascript:build"].enhance(["i18n:js:export"])

data/lib/generators/rails_template18f/newrelic/newrelic_generator.rb

@@ -24,7 +24,7 @@ module RailsTemplate18f
 
       def install_gem
         return if gem_installed?("newrelic_rpm")
-        gem "newrelic_rpm", "~> 9.10"
+        gem "newrelic_rpm", "~> 9.12"
         bundle_install
       end
 

data/lib/generators/rails_template18f/oscal/oscal_generator.rb

@@ -10,6 +10,7 @@ module RailsTemplate18f
       class_option :oscal_repo, desc: "GitHub Repo to store compliance documents within. Leave blank to check docs into the app repo"
       class_option :tag, desc: "Which docker-trestle tag to use. Defaults to `latest`"
       class_option :branch, desc: "Name of the branch to switch to when using a submodule. Defaults to `main`"
+      class_option :ci, desc: "Name of CI to generate files for. Defaults to system already in use"
 
       desc <<~DESC
         Description:
@@ -42,6 +43,12 @@ module RailsTemplate18f
         template "doc/compliance/oscal/trestle-config.yaml"
       end
 
+      def copy_github_actions
+        if use_github_actions?
+          directory "github", ".github"
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -66,6 +73,8 @@ module RailsTemplate18f
             # Trestle working files
             doc/compliance/oscal/.trestle/_trash
             doc/compliance/oscal/.trestle/cache
+            # Trestle renders
+            doc/compliance/oscal/ssp-render/#{app_name}_ssp.*
           EOM
         end
       end
@@ -76,7 +85,11 @@ module RailsTemplate18f
         end
 
         def docker_trestle_tag
-          options[:tag].present? ? options[:tag] : "latest"
+          options[:tag].present? ? options[:tag] : "20240912"
+        end
+
+        def use_github_actions?
+          options[:ci] == "github" || file_exists?(".github/workflows")
         end
 
         def readme_contents

data/lib/generators/rails_template18f/oscal/templates/bin/trestle.tt

@@ -1,10 +1,13 @@
 #! /usr/bin/env bash
 
+trestle_tag="<%= docker_trestle_tag %>"
+
 command="bash"
 if [ "$1" != "" ]; then
     command=$1
+    shift 1
 fi
 
 oscal_location="$(dirname "$(realpath "$0")")/../doc/compliance/oscal"
 
-docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:<%= docker_trestle_tag %> $command
+docker run -it --rm -v $oscal_location:/app/docs:rw ghcr.io/gsa-tts/trestle:$trestle_tag $command "$@"

data/lib/generators/rails_template18f/oscal/templates/github/actions/trestle-cmd/action.yml.tt

@@ -0,0 +1,16 @@
+name: "Run a docker-trestle command"
+description: "Sets up workspace for running a single command in docker-trestle"
+inputs:
+  tag:
+    description: docker-trestle tag to use.
+    required: false
+    default: <%= docker_trestle_tag %>
+  cmd:
+    description: Command to run within docker-trestle
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Run cmd
+      shell: bash
+      run: docker run -u "$(id -u):$(id -g)" -v $GITHUB_WORKSPACE/doc/compliance/oscal:/app/docs:rw ghcr.io/gsa-tts/trestle:${{ inputs.tag }} ${{ inputs.cmd }}