gitlabcis 1.3.2__py3-none-any.whl

gitlabcis/benchmarks/source_code_1/contribution_access_1_3.py

@@ -0,0 +1,334 @@
+# -------------------------------------------------------------------------
+
+def review_and_remove_inactive_users(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.1
+    title: Ensure inactive users are reviewed and removed periodically
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+    from gitlab.exceptions import GitlabListError
+
+    from dateutil.relativedelta import relativedelta
+    from datetime import datetime, timezone
+
+    try:
+        ninetyDaysAgo = datetime.now(timezone.utc) - relativedelta(days=90)
+
+        users = glObject.users.list(per_page=100, iterator=True)
+
+        for user in users:
+
+            # a regular PAT is not going to return this value:
+            try:
+                if user.last_activity_on is None:
+                    continue
+            except AttributeError:
+                return {None: 'Insufficient permissions'}
+
+            if datetime.strptime(
+                user.last_activity_on,
+                '%Y-%m-%d'
+                    ).replace(tzinfo=timezone.utc) > ninetyDaysAgo:
+                return {
+                    False: 'User found with last activity longer than 90 days'}
+
+        return {True: 'No users found with activity longer than 90 days'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_top_level_group_creation(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.2
+    title: Ensure top-level group creation is limited to specific members
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        if glObject.settings.get().can_create_group is False:
+            return {True: 'Top-level group creation is limited'}
+
+        return {False: 'Top-level group creation is not limited'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403, 404]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def minimum_number_of_admins(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.3
+    title: Ensure minimum number of administrators are set for the
+           organization
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        members = glEntity.members_all.list(get_all=True)
+
+        totalMembers = len(members)
+
+        if totalMembers == 1:
+            return {None: 'Only 1 member found'}
+
+        # Access levels:
+        #   No access      0
+        #   Minimal access 5
+        #   Guest          10
+        #   Reporter       20
+        #   Developer      30
+        #   Maintainer     40
+        #   Owner          50
+
+        ownersOrMaintainers = []
+        for member in members:
+            if member.access_level >= 40:
+                ownersOrMaintainers.append(member)
+
+        if len(ownersOrMaintainers) < totalMembers:
+            return {True: 'Less owners/maintainers than members set'}
+
+        return {False: 'Access levels not restrictive for members'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403, 404]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def require_mfa_for_contributors(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.4
+    title: Ensure Multi-Factor Authentication (MFA) is required for
+           contributors of new code
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        _settings = glObject.settings.get()
+
+        if _settings.require_two_factor_authentication is True:
+            return {True: 'Two Factor Authentication is required'}
+
+        return {False: 'Two Factor Authentication is not required'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403, 404]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def require_mfa_at_org_level(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.5
+    title: Ensure the organization is requiring members to use
+           Multi-Factor Authentication (MFA)
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        _settings = glObject.settings.get()
+
+        if _settings.require_two_factor_authentication is True:
+            return {True: 'Two Factor Authentication is required'}
+
+        if _settings.two_factor_grace_period != 0:
+            return {True: 'Grace period is set for Two Factor Authentication'}
+
+        return {False: 'Two Factor Authentication is not required'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403, 404]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_user_registration_domain(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.6
+    title: Ensure new members are required to be invited using
+           company-approved email
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def ensure_2_admins_per_repo(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.7
+    title: Ensure two administrators are set for each repository
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        owners = 0
+        members = glEntity.members_all.list(get_all=True)
+
+        for member in members:
+
+            if member.access_level == 50:
+                owners += 1
+
+                if owners == 2:
+                    return {True: 'Two repository owners found'}
+
+        return {
+            True: 'No repository owners found'
+                  if owners == 0
+                  else f'Only found: {owners} owners'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    # this throws an attr error if accessed anonymously (pytest no auth)
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def strict_permissions_for_repo(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.8
+    title: Ensure strict base permissions are set for repositories
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+    from gitlab.exceptions import GitlabListError
+
+    try:
+        members = glEntity.members_all.list(get_all=True)
+
+        totalMembers = len(members)
+
+        if totalMembers == 1:
+            return {None: 'Only 1 member found'}
+
+        # Access levels:
+        #   No access      0
+        #   Minimal access 5
+        #   Guest          10
+        #   Reporter       20
+        #   Developer      30
+        #   Maintainer     40
+        #   Owner          50
+
+        ownersOrMaintainers = []
+        for member in members:
+            if member.access_level >= 40:
+                ownersOrMaintainers.append(member)
+
+        if len(ownersOrMaintainers) < totalMembers:
+            return {True: 'Less owners/maintainers than members set'}
+
+        return {False: 'Access levels not restrictive for members'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def domain_verification(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.9
+    title: Ensure an organization's identity is confirmed with a “Verified”
+           badge
+    """
+
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def scm_notification_restriction(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.10
+    title: Ensure Source Code Management (SCM) email notifications are
+           restricted to verified domains
+    """
+
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def org_provided_ssh_certs(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.11
+    title: Ensure an organization provides SSH certificates
+    """
+
+    from gitlab.exceptions import GitlabGetError, GitlabHttpError
+    from gitlab.exceptions import GitlabAuthenticationError
+
+    try:
+        keyRestrictions = [
+            'ed25519_key_restriction', 'ecdsa_key_restriction',
+            'dsa_key_restriction', 'rsa_key_restriction',
+            'ecdsa_sk_key_restriction', 'ed25519_sk_key_restriction'
+        ]
+
+        settings = glObject.settings.get()
+
+        for restriction in keyRestrictions:
+
+            if getattr(settings, restriction) != 0:
+                return {True: f'{restriction} is enforced'}
+
+        return {False: 'No key restrictions set'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def restrict_ip_addresses(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.12
+    title: Ensure Git access is limited based on IP addresses
+    """
+
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def track_code_anomalies(glEntity, glObject, **kwargs):
+    """
+    id: 1.3.13
+    title: Ensure anomalous code behavior is tracked
+    """
+
+    return {None: 'This check requires validation'}

gitlabcis/benchmarks/source_code_1/repository_management_1_2.py

@@ -0,0 +1,168 @@
+# -------------------------------------------------------------------------
+
+
+def public_repos_have_security_file(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.1
+    title: Ensure all public repositories contain a SECURITY.md file
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    try:
+        # SKIP private repos:
+        try:
+            if glEntity.visibility == 'private':
+                return {None: 'Project is private'}
+        except AttributeError:
+            return {None: 'Insufficient permissions'}
+
+        # PASS if the SECURITY.md file exists in the root dir of default
+        # branch
+        _rootFiles = glEntity.repository_tree(path='')
+
+        for _file in _rootFiles:
+            if _file.get('name').upper() == 'SECURITY.MD':
+                return {True: 'SECURITY.md file found'}
+
+        return {False: 'No SECURITY.md file found'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_repo_creations(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.2
+    title: Ensure repository creation is limited to specific members
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    try:
+        settings = glObject.settings.get()
+
+        if settings.signup_enabled is False:
+            return {True: 'Public signup is disabled'}
+
+        if settings.signup_enabled is True and \
+            settings.require_admin_approval_after_user_signup is True and \
+                settings.email_confirmation_setting == 'hard':
+            return {True: 'Requires approval after signup and email '
+                          'confirmation setting is "hard"'}
+
+        return {False: 'Either public signup enabled, admin approval after '
+                       'signup not set or email confirmation is set to '
+                       '"hard"'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_repo_deletions(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.3
+    title: Ensure repository deletion is limited to specific users
+    """
+
+    # attempting to paginate over 1,000 users in a project which
+    # recived their membership due to nested-group permissions...
+    # results in a large wait-time for this function to run.
+    # roughly it take 1.5 minutes for it to complete all of /gitlab-com.
+
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def limit_issue_deletions(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.4
+    title: Ensure issue deletion is limited to specific users
+    """
+
+    # attempting to paginate over 1,000 users in a project which
+    # recived their membership due to nested-group permissions...
+    # results in a large wait-time for this function to run.
+    # roughly it take 1.5 minutes for it to complete all of /gitlab-com.
+
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def track_forks(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.5
+    title: Ensure all copies (forks) of code are tracked and accounted for
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+
+    try:
+        _forksFound = glEntity.forks.list(get_all=False)
+
+        if not _forksFound:
+            return {True: 'No forks found'}
+
+        # we can't track and account for forks, so SKIP if forks found
+        return {None: 'Cannot track and account for forks'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [403, 404]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def track_project_visibility_status(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.6
+    title: Ensure all code projects are tracked for changes in visibility
+           status
+    """
+
+    # We cannot automatically answer this check, therefore we SKIP:
+    return {None: 'This check requires validation'}
+
+# -------------------------------------------------------------------------
+
+
+def review_and_archive_stale_repos(glEntity, glObject, **kwargs):
+    """
+    id: 1.2.7
+    title: Ensure inactive repositories are reviewed and archived
+           periodically
+    """
+
+    from datetime import datetime, timezone
+
+    from dateutil.relativedelta import relativedelta
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+
+    try:
+        lastActivity = datetime.strptime(
+            glEntity.last_activity_at, '%Y-%m-%dT%H:%M:%S.%fZ'
+        ).replace(tzinfo=timezone.utc)
+
+        sixMonthsAgo = datetime.now(timezone.utc) - relativedelta(months=6)
+
+        if lastActivity > sixMonthsAgo:
+            return {True: 'Repository is active'}
+
+        return {False: 'Repository is inactive'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}

gitlabcis/benchmarks/source_code_1/third_party_1_4.py

@@ -0,0 +1,139 @@
+# -------------------------------------------------------------------------
+
+
+def admin_approval_for_app_installs(glEntity, glObject, **kwargs):
+    """
+    id: 1.4.1
+    title: Ensure administrator approval is required for every installed
+           application
+    """
+
+    return {True: 'You are compliant by default. Only maintainers and '
+                  'owners can integrate with external applications'}
+
+# -------------------------------------------------------------------------
+
+
+def stale_app_reviews(glEntity, glObject, **kwargs):
+    """
+    id: 1.4.2
+    title: Ensure stale applications are reviewed and inactive ones are
+           removed
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError)
+    from gql import Client, gql
+    from gql.transport.exceptions import (TransportAlreadyConnected,
+                                          TransportServerError)
+    from gql.transport.requests import RequestsHTTPTransport
+    from graphql import GraphQLError
+
+    try:
+
+        variables = {
+            'fullPath': glEntity.path_with_namespace
+        }
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+    client = Client(
+        transport=RequestsHTTPTransport(
+            url=kwargs.get('graphQLEndpoint'),
+            headers=kwargs.get('graphQLHeaders'),
+            use_json=True
+        ),
+        fetch_schema_from_transport=True
+    )
+
+    query = gql('''
+    query GetSecurityScanners($fullPath: ID!) {
+        project(fullPath: $fullPath) {
+            securityScanners {
+                enabled
+            }
+        }
+    }
+    ''')
+
+    try:
+
+        results = client.execute(query, variable_values=variables)
+
+    except (GraphQLError, TransportServerError, TransportAlreadyConnected):
+        return {None: 'Error: Issue with GraphQL Query'}
+
+    # pytest no auth:
+    except AttributeError:
+        return {None: 'Insufficient permissions'}
+
+    try:
+        # dependency scanning alerts when there are stale applications present:
+        if 'DEPENDENCY_SCANNING' in \
+                results['project']['securityScanners']['enabled']:
+            return {True: 'Dependency Scanning is enabled'}
+
+        else:
+            return {False: 'Dependency Scanning is not enabled'}
+
+    except KeyError:
+        return {False: 'Dependency Scanning is not enabled'}
+
+# -------------------------------------------------------------------------
+
+
+def least_privilge_app_permissions(glEntity, glObject, **kwargs):
+    """
+    id: 1.4.3
+    title: Ensure the access granted to each installed application is
+           limited to the least privilege needed
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+
+    try:
+        integrations = glEntity.integrations.list(get_all=False)
+
+        if len(integrations) == 0:
+            return {True: 'No integrations found'}
+
+        return {None: 'This check requires validation'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}
+
+# -------------------------------------------------------------------------
+
+
+def secure_webhooks(glEntity, glObject, **kwargs):
+    """
+    id: 1.4.4
+    title: Ensure only secured webhooks are used
+    """
+
+    from gitlab.exceptions import (GitlabAuthenticationError, GitlabGetError,
+                                   GitlabHttpError, GitlabListError)
+
+    try:
+        webhooks = glEntity.hooks.list(get_all=True)
+
+        if len(webhooks) == 0:
+            return {None: 'No webhooks found'}
+
+        for hook in webhooks:
+
+            if hook.enable_ssl_verification is False or \
+                    hook.url.startswith('http://'):
+                return {False: 'Insecure webhook found'}
+
+        return {True: 'All webhooks using HTTPS'}
+
+    except (GitlabHttpError, GitlabGetError, GitlabAuthenticationError,
+            GitlabListError) as e:
+        if e.response_code in [401, 403]:
+            return {None: 'Insufficient permissions'}

gitlabcis/cli/log.py

@@ -0,0 +1,30 @@
+# -----------------------------------------------------------------------------
+
+import logging
+
+# -----------------------------------------------------------------------------
+
+
+class CustomLogFilter(logging.Filter):
+
+    # -------------------------------------------------------------------------
+
+    def __init__(self, token):
+
+        super().__init__()
+        self.token = token
+
+    # -------------------------------------------------------------------------
+
+    def filter(self, record):
+
+        # The connection is being discarded after the request is completed
+        # we want to suppress this as it affects the cosmetics of the progress
+        if ('Connection pool is full, discarding connection'
+                in record.getMessage()):
+            return False
+
+        # Suppress any logs containing the token
+        record.msg = record.getMessage().replace(self.token, '[REDACTED]')
+
+        return True