From fa87f02f6ae9ea0562796b5c4a43d80ba65db7eb Mon Sep 17 00:00:00 2001 From: Takumi Yanagawa Date: Tue, 5 Dec 2023 15:05:15 +0900 Subject: [PATCH] Align the latest OSCAL Assessment Results and consolidate ocm test data in ocm dedicated directory 
Signed-off-by: Takumi Yanagawa --- cmd/ocm/oscal2policy/c2p-config.yaml | 2 +- cmd/ocm/result2oscal/c2p-config.yaml | 4 +- cmd/ocm/result2oscal/cmd/cmd.go | 17 +- docs/oscal-vs-ocm-status-mapping.csv | 16 ++ go.mod | 2 +- pkg/ocm/oscal2policy_test.go | 5 +- pkg/ocm/reporter/helper_test.go | 2 +- pkg/ocm/reporter/reporter.go | 192 +++++++++-------- pkg/ocm/reporter/reporter_test.go | 52 ++--- pkg/testdata/ocm/assessment-results.json | 204 ++++++++++++++++++ .../{oscal/reporter-test => ocm}/catalog.json | 0 .../component-definition.json | 0 .../MachineConfig.50-worker-chrony.0.yaml | 0 .../policies/add-chrony/kustomization.yaml | 0 .../policies/add-chrony/policy-generator.yaml | 0 .../kustomization.yaml | 0 .../LVMCluster.odf-lvmcluster.0.yaml | 0 .../policy-generator.yaml | 0 .../Namespace.openshift-storage.0.yaml | 0 ...oup.openshift-storage-operatorgroup.0.yaml | 0 .../Subscription.lvm-operator.0.yaml | 0 .../policy-deployment/kustomization.yaml | 0 .../policy-deployment/policy-generator.yaml | 0 .../Deployment.nginx-deployment.0.yaml | 0 .../kustomization.yaml | 0 .../Role.noname.0.yaml | 0 .../policy-generator.yaml | 0 .../ScanSettingBinding.high.0.yaml | 0 .../ComplianceCheckResult.noname.0.yaml | 0 .../ComplianceSuite.high.0.yaml | 0 .../policy-high-scan/kustomization.yaml | 0 .../policy-high-scan/policy-generator.yaml | 0 .../kustomization.yaml | 0 .../policy-generator.yaml | 0 .../Deployment.nginx-deployment.0.yaml | 0 .../policy-results/00.placementdecisions.yaml | 0 .../{ => ocm}/policy-results/00.policies.yaml | 0 .../policy-results/00.policysets.yaml | 0 ...lacement-managed-kubernetes-decision-1.yml | 0 .../Policy.c2p.policy-deployment.yml | 0 .../Policy.c2p.policy-disallowed-roles.yml | 0 .../Policy.c2p.policy-high-scan.yml | 0 .../Policy.cluster1.c2p.policy-deployment.yml | 0 ...y.cluster1.c2p.policy-disallowed-roles.yml | 0 .../Policy.cluster1.c2p.policy-high-scan.yml | 0 .../Policy.cluster2.c2p.policy-deployment.yml | 0 
...y.cluster2.c2p.policy-disallowed-roles.yml | 0 .../Policy.cluster2.c2p.policy-high-scan.yml | 0 .../PolicySet.c2p.managed-kubernetes.yml | 0 .../{oscal/reporter-test => ocm}/profile.json | 0 pkg/testdata/oscal/component-definition.json | 150 ------------- pkg/testdata/reports/compliance-report.md | 108 ---------- 52 files changed, 353 insertions(+), 401 deletions(-) create mode 100644 docs/oscal-vs-ocm-status-mapping.csv create mode 100755 pkg/testdata/ocm/assessment-results.json rename pkg/testdata/{oscal/reporter-test => ocm}/catalog.json (100%) rename pkg/testdata/{oscal/reporter-test => ocm}/component-definition.json (100%) rename pkg/testdata/{ => ocm}/policies/add-chrony/add-chrony-worker/MachineConfig.50-worker-chrony.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/add-chrony/kustomization.yaml (100%) rename pkg/testdata/{ => ocm}/policies/add-chrony/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/kustomization.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/odf-lvmcluster/LVMCluster.odf-lvmcluster.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Namespace.openshift-storage.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/policy-odf-lvm-operator/OperatorGroup.openshift-storage-operatorgroup.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Subscription.lvm-operator.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-deployment/kustomization.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-deployment/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-disallowed-roles/kustomization.yaml (100%) 
rename pkg/testdata/{ => ocm}/policies/policy-disallowed-roles/policy-disallowed-roles-sample-role/Role.noname.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-disallowed-roles/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-high-scan/compliance-high-scan/ScanSettingBinding.high.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-high-scan/compliance-suite-high-results/ComplianceCheckResult.noname.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-high-scan/compliance-suite-high/ComplianceSuite.high.0.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-high-scan/kustomization.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-high-scan/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-nginx-deployment/kustomization.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-nginx-deployment/policy-generator.yaml (100%) rename pkg/testdata/{ => ocm}/policies/policy-nginx-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml (100%) rename pkg/testdata/{ => ocm}/policy-results/00.placementdecisions.yaml (100%) rename pkg/testdata/{ => ocm}/policy-results/00.policies.yaml (100%) rename pkg/testdata/{ => ocm}/policy-results/00.policysets.yaml (100%) rename pkg/testdata/{ => ocm}/policy-results/PlacementDecision.c2p.placement-managed-kubernetes-decision-1.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.c2p.policy-deployment.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.c2p.policy-disallowed-roles.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.c2p.policy-high-scan.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.cluster1.c2p.policy-deployment.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.cluster1.c2p.policy-disallowed-roles.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.cluster1.c2p.policy-high-scan.yml (100%) rename pkg/testdata/{ => 
ocm}/policy-results/Policy.cluster2.c2p.policy-deployment.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.cluster2.c2p.policy-disallowed-roles.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/Policy.cluster2.c2p.policy-high-scan.yml (100%) rename pkg/testdata/{ => ocm}/policy-results/PolicySet.c2p.managed-kubernetes.yml (100%) rename pkg/testdata/{oscal/reporter-test => ocm}/profile.json (100%) delete mode 100644 pkg/testdata/oscal/component-definition.json diff --git a/cmd/ocm/oscal2policy/c2p-config.yaml b/cmd/ocm/oscal2policy/c2p-config.yaml index 2c1bc45..1cd541a 100644 --- a/cmd/ocm/oscal2policy/c2p-config.yaml +++ b/cmd/ocm/oscal2policy/c2p-config.yaml @@ -7,7 +7,7 @@ compliance: componentDefinition: url: ./pkg/composer/testdata/oscal/component-definition.json policyResources: - url: ./pkg/composer/testdata/policies + url: ./pkg/composer/testdata/ocm/policies policyResults: url: a/b/c clusterGroups: diff --git a/cmd/ocm/result2oscal/c2p-config.yaml b/cmd/ocm/result2oscal/c2p-config.yaml index 70e663e..225c511 100644 --- a/cmd/ocm/result2oscal/c2p-config.yaml +++ b/cmd/ocm/result2oscal/c2p-config.yaml @@ -7,9 +7,9 @@ compliance: componentDefinition: url: ./pkg/testdata/oscal/reporter-test/component-definition.json policyResources: - url: ./pkg/testdata/policies + url: ./pkg/testdata/ocm/policies policyResults: - url: ./pkg/testdata/policy-results + url: ./pkg/testdata/ocm/policy-results clusterGroups: - name: test-group # name of clusterGroup matchLabels: diff --git a/cmd/ocm/result2oscal/cmd/cmd.go b/cmd/ocm/result2oscal/cmd/cmd.go index e53f233..1328a79 100644 --- a/cmd/ocm/result2oscal/cmd/cmd.go +++ b/cmd/ocm/result2oscal/cmd/cmd.go 
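Review bot: In the cmd/ocm/result2oscal/c2p-config.yaml hunk the `componentDefinition` entry on the context line above the changed `policyResources` still reads `url: ./pkg/testdata/oscal/reporter-test/component-definition.json`, but this same patch renames that file to pkg/testdata/ocm/component-definition.json, so the sample config now points at a path that no longer exists. Change it to `url: ./pkg/testdata/ocm/component-definition.json` so all three testdata references in that file move together. The oscal2policy config in the preceding hunk references a `./pkg/composer/testdata/...` tree that this patch does not touch, so I cannot tell from the diff whether its componentDefinition path is still valid.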
@@ -33,7 +33,7 @@ func New() *cobra.Command {
 command := &cobra.Command{
 Use: "result2oscal",
- Short: "Generate OSCAL Assessment Results from Kyverno policies and the policy reports",
+ Short: "Generate OSCAL Assessment Results from OCM Policy statuses",
 RunE: func(cmd *cobra.Command, args []string) error {
 if err := opts.Complete(); err != nil {
 return err
@@ -71,26 +71,15 @@ func Run(options *options.Options) error {
 r := reporter.NewReporter(c2pcrParsed)
 r.SetGenerationType(reporter.GenerationTypePolicyReport)
- report, err := r.Generate()
+ arRoot, err := r.Generate()
 if err != nil {
 panic(err)
 }
- err = pkg.WriteObjToYamlFile(outputDir+"/compliance-report.yaml", report)
+ err = pkg.WriteObjToJsonFile(outputDir+"/assessment-results.json", arRoot)
 if err != nil {
 panic(err)
 }
- for _, pr := range r.GetPolicyReports() {
- nspath, err := pkg.MakeDir(outputDir + "/" + pr.Namespace)
- if err != nil {
- panic(err)
- }
- err = pkg.WriteObjToYamlFile(nspath+"/"+pr.Name+".yaml", pr)
- if err != nil {
- panic(err)
- }
- }
-
 return nil
 }
diff --git a/docs/oscal-vs-ocm-status-mapping.csv b/docs/oscal-vs-ocm-status-mapping.csv
new file mode 100644
index 0000000..61fca5e
--- /dev/null
+++ b/docs/oscal-vs-ocm-status-mapping.csv
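Review bot: `arRoot, err := r.Generate()` and the following `err = pkg.WriteObjToJsonFile(...)` in the `@@ -71,26 +71,15 @@` hunk still funnel their failures into `panic(err)` even though `Run` is declared to return `error`; returning them, e.g. `return fmt.Errorf("generating assessment results: %w", err)` and `return fmt.Errorf("writing assessment results: %w", err)`, lets the cobra `RunE` wrapper above report them normally instead of crashing the CLI with a stack trace. While touching the line, `filepath.Join(outputDir, "assessment-results.json")` is preferable to `outputDir+"/assessment-results.json"`. Whether `fmt` and `path/filepath` are already imported in cmd.go is not visible in this hunk.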
@@ -0,0 +1,16 @@ +Field of OSCAL Assessment Result,How is OCM Policy status mapped,Field of OCM Policy status +local-definitions.inventory-items[],Per cluster,status_status = policies[].find(x -> x.namespace == hub ns).flatmap(x1 -> status.status[].map(x2 -> x2)) +local-definitions.inventory-items[].props[].(cluster-name),Cluster name,status_status.clustername +observations[],Per rule (= per policy),OSCAL CDef Rule Ids +observations[].props[].(assessment-rule-id),Rule Id,OSCAL CDef Rule Id +observations[].props[].(policy-id),Policy Id,OSCAL CDef Policy Id +observations[].props[].(control-id),Control Id,OSCAL CDef Control Id +observations[].props[].(result),Aggregated status of compliance over clusters (=subjects),policies[].find(x -> x.namespace == hub ns && x -> x.metadata.name == policy-id).status.compliant == “Compliant” ? “pass” : “fail” +observations[].subjects[],Per policy status of cluster,status[i] := policies[].find(x -> x.metadata.name == policy-id).status.status[] +observations[].subjects[].subject-uuid,Inventory item id of the check,inventory-items[].find(x -> x.props[].(cluster-name) == status[i].clustername).id +observations[].subjects[].props[].(result),Status of compliance (pass/fail),status[i].compliant == “Compliant” ? “pass” : “fail” +observations[].subjects[].props[].(reason),Reason of the status,details := policies[].find(x -> x.namespace == clustername && x.metadata.name == policy-id).status.details +observations[].subjects[].props[].(evaluate-on),Evaluation timestamp,details.map(x -> x.history[0].lastTimestamp).sort_by_descend()[0] +observations[].relevant_references[].description,Evidence description,TBD +observations[].relevant_references[].href,Evidence urls,TBD +observations[].links[].href,Report urls,TBD \ No newline at end of file diff --git a/go.mod b/go.mod index f81e71f..eb74e73 100644 --- a/go.mod +++ b/go.mod 
@@ -4,6 +4,7 @@ go 1.19 require ( github.com/go-logr/logr v1.2.4 + github.com/google/go-cmp v0.5.9 github.com/google/uuid v1.3.0 github.com/kcp-dev/kcp/pkg/apis v0.11.0 github.com/kyverno/kyverno v1.10.3 @@ -128,7 +129,6 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/certificate-transparency-go v1.1.4 // indirect github.com/google/gnostic v0.6.9 // indirect - github.com/google/go-cmp v0.5.9 // indirect github.com/google/go-containerregistry v0.14.0 // indirect github.com/google/go-github/v45 v45.2.0 // indirect github.com/google/go-querystring v1.1.0 // indirect diff --git a/pkg/ocm/oscal2policy_test.go b/pkg/ocm/oscal2policy_test.go index 0af10c3..8b09b08 100644 --- a/pkg/ocm/oscal2policy_test.go +++ b/pkg/ocm/oscal2policy_test.go @@ -27,11 +27,10 @@ import ( ) func TestOscal2Policy(t *testing.T) { - policyDir := pkg.PathFromPkgDirectory("./testdata/policies") + policyDir := pkg.PathFromPkgDirectory("./testdata/ocm/policies") catalogPath := pkg.PathFromPkgDirectory("./testdata/oscal/catalog.json") profilePath := pkg.PathFromPkgDirectory("./testdata/oscal/profile.json") - cdPath := pkg.PathFromPkgDirectory("./testdata/oscal/component-definition.json") - // expectedDir := pkg.PathFromPkgDirectory("./composer/testdata/expected/c2pcr-parser-composed-policies") + cdPath := pkg.PathFromPkgDirectory("./testdata/ocm/component-definition.json") tempDirPath := pkg.PathFromPkgDirectory("./testdata/_test") err := os.MkdirAll(tempDirPath, os.ModePerm) diff --git a/pkg/ocm/reporter/helper_test.go b/pkg/ocm/reporter/helper_test.go index 8cb418f..cc5a4c0 100644 --- a/pkg/ocm/reporter/helper_test.go +++ b/pkg/ocm/reporter/helper_test.go 
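Review bot: `cdPath` in TestOscal2Policy now loads `./testdata/ocm/component-definition.json` (the file that was the reporter-test component definition before this rename) while `catalogPath` and `profilePath` on the untouched lines above still load `./testdata/oscal/catalog.json` and `./testdata/oscal/profile.json`, so the test now combines a component definition and a catalog/profile that were authored as separate fixtures. Since this patch also deletes pkg/testdata/oscal/component-definition.json outright rather than merging it, please confirm the control and rule ids in the moved file resolve against the testdata/oscal profile; if they do not, the composed policy set silently shrinks and the assertions further down (outside this hunk) may no longer exercise anything. A one-line comment such as `// component definition shared with the reporter fixtures under testdata/ocm` would make the mixed-source setup read as intentional.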
@@ -36,7 +36,7 @@ func TestConvertToPolicyReport(t *testing.T) { func(policySet typepolicy.PolicySet) {}, func(placementDecision typeplacementdecision.PlacementDecision) {}, ) - err := filepath.Walk(pkg.PathFromPkgDirectory("./testdata/policy-results"), traverseFunc) + err := filepath.Walk(pkg.PathFromPkgDirectory("./testdata/ocm/policy-results"), traverseFunc) assert.NoError(t, err, "Should not happen") tempDirPath := pkg.PathFromPkgDirectory("./testdata/_test") diff --git a/pkg/ocm/reporter/reporter.go b/pkg/ocm/reporter/reporter.go index 6a2a514..a656dea 100644 --- a/pkg/ocm/reporter/reporter.go +++ b/pkg/ocm/reporter/reporter.go @@ -32,6 +32,8 @@ import ( "github.com/IBM/compliance-to-policy/pkg/oscal" typec2pcr "github.com/IBM/compliance-to-policy/pkg/types/c2pcr" + typear "github.com/IBM/compliance-to-policy/pkg/types/oscal/assessmentresults" + typeoscalcommon "github.com/IBM/compliance-to-policy/pkg/types/oscal/common" typeplacementdecision "github.com/IBM/compliance-to-policy/pkg/types/placementdecision" typepolicy "github.com/IBM/compliance-to-policy/pkg/types/policy" typereport "github.com/IBM/compliance-to-policy/pkg/types/report" @@ -79,11 +81,7 @@ func (r *Reporter) SetGenerationType(generationType GenerationType) { r.generationType = generationType } -func (r *Reporter) GetPolicyReports() []*typepolr.PolicyReport { - return r.policyReports -} - -func (r *Reporter) Generate() (typereport.ComplianceReport, error) { +func (r *Reporter) Generate() (*typear.AssessmentResultsRoot, error) { traverseFunc := genTraverseFunc( func(policy typepolicy.Policy) { r.policies = append(r.policies, &policy) }, func(policySet typepolicy.PolicySet) { r.policySets = append(r.policySets, &policySet) }, 
@@ -94,11 +92,30 @@ func (r *Reporter) Generate() (typereport.ComplianceReport, error) {
 if err := filepath.Walk(r.c2pParsed.PolicyResultsDir, traverseFunc); err != nil {
 logger.Error(err.Error())
 }
+
+ inventories := []typear.InventoryItem{}
+ clusternameIndex := map[string]bool{}
 for _, policy := range r.policies {
 polr := ConvertToPolicyReport(*policy)
 r.policyReports = append(r.policyReports, &polr)
+ if policy.Namespace == r.c2pParsed.Namespace {
+ for _, s := range policy.Status.Status {
+ _, exist := clusternameIndex[s.ClusterName]
+ if !exist {
+ clusternameIndex[s.ClusterName] = true
+ item := typear.InventoryItem{
+ UUID: oscal.GenerateUUID(),
+ Props: []typeoscalcommon.Prop{{
+ Name: "cluster-name",
+ Value: s.ClusterName,
+ }},
+ }
+ inventories = append(inventories, item)
+ }
+ }
+ }
 }
- reportComponents := []typereport.Component{}
+ observations := []typear.Observation{}
 for _, cdobj := range r.c2pParsed.ComponentObjects {
 policySets := typeutils.FilterByAnnotation(r.policySets, pkg.ANNOTATION_COMPONENT_TITLE, cdobj.ComponentTitle)
 clusterNameSets := sets.NewString()
@@ -119,7 +136,6 @@ func (r *Reporter) Generate() (typereport.ComplianceReport, error) {
 }
 }
 for _, controlImpleObj := range cdobj.ControlImpleObjects {
- controlResults := []typereport.ControlResult{}
 requiredControls := sets.NewString()
 checkedControls := sets.NewString()
 for _, controlObj := range controlImpleObj.ControlObjects {
@@ -140,8 +156,8 @@ func (r *Reporter) Generate() (typereport.ComplianceReport, error) {
 if policySet != nil {
 policy = typeutils.FindByNamespaceName(r.policies, policySet.Namespace, policyId)
 }
- var reason string
 var ruleStatus typereport.RuleStatus
+ subjects := []typear.Subject{}
 if policy != nil {
 var reasons []Reason
 if r.generationType == GenerationTypePolicyReport {
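Review bot: `inventories`, built in the `@@ -94,11 +92,30 @@` hunk, is only read later to look up subject UUIDs; it is never attached to the generated `typear.Result`, so the emitted document's local-definitions carry no inventory items — the committed fixture pkg/testdata/ocm/assessment-results.json shows `"inventory-items": null` while every `subject-uuid` references one of these unexported UUIDs, leaving dangling references in the OSCAL output. Populate the result's local-definitions inventory-items field (the Go field name on `typear.Result` is not visible in this diff) with `inventories` where `result` is constructed in the `@@ -149,62 +165,98 @@` hunk. Separately, `clusternameIndex := map[string]bool{}` with `_, exist := ...; if !exist {` reads more simply as `if !clusternameIndex[s.ClusterName] { clusternameIndex[s.ClusterName] = true; ... }`, or as a `map[string]struct{}` set. Generate starts before and ends after this hunk.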
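Review bot: `requiredControls` and `checkedControls` on the context lines of the `@@ -119,7 +136,6 @@` hunk are still allocated and filled (`checkedControls.Insert(controlId)` survives in the following hunk), but their only visible consumer, the removed `reportComponent` literal that called `.List()` on both, is gone, so as far as the visible hunks show they are now dead state. Either delete them together with `controlResults`, or carry the required/checked control ids into the observation (for example as additional props) if that coverage information is still wanted in the assessment results. Parts of Generate between the hunks are not visible, so confirm nothing else reads the two sets before removing them.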
@@ -149,62 +165,98 @@ func (r *Reporter) Generate() (typereport.ComplianceReport, error) {
 } else {
 reasons = r.GenerateReasonsFromRawPolicies(*policy)
 }
- if statusByte, err := sigyaml.Marshal(reasons); err == nil {
- reason = string(statusByte)
- } else {
- reason = err.Error()
- }
 ruleStatus = mapToRuleStatus(policy.Status.ComplianceState)
+ for _, reason := range reasons {
+ var clusterName string
+ var inventoryUuid string
+ for _, inventory := range inventories {
+ prop, ok := oscal.FindProp("cluster-name", inventory.Props)
+ if ok {
+ clusterName = prop.Value
+ inventoryUuid = inventory.UUID
+ } else {
+ clusterName = "N/A"
+ inventoryUuid = ""
+ }
+ }
+ if inventoryUuid != "" {
+ var message string
+ if messageByte, err := sigyaml.Marshal(reason.Messages); err == nil {
+ message = string(messageByte)
+ } else {
+ message = err.Error()
+ }
+ subject := typear.Subject{
+ SubjectUUID: inventoryUuid,
+ Type: "resource",
+ Title: "Cluster Name: " + clusterName,
+ Props: []typeoscalcommon.Prop{{
+ Name: "result",
+ Value: string(mapToRuleStatus(reason.ComplianceState)),
+ }, {
+ Name: "reason",
+ Value: message,
+ }},
+ }
+ subjects = append(subjects, subject)
+ }
+ }
 } else {
- reason = fmt.Sprintf("Unable to find policy status for policy %s", policyId)
 ruleStatus = typereport.RuleStatusError
 }
- ruleResult := typereport.RuleResult{
- RuleId: ruleId,
- PolicyId: policyId,
- Status: ruleStatus,
- Reason: reason,
+ observation := typear.Observation{
+ UUID: oscal.GenerateUUID(),
+ Description: fmt.Sprintf("Observation of policy %s", policyId),
+ Methods: []string{"TEST-AUTOMATED"},
+ Props: []typeoscalcommon.Prop{{
+ Name: "assessment-rule-id",
+ Value: ruleId,
+ }, {
+ Name: "policy-id",
+ Value: policyId,
+ }, {
+ Name: "control-id",
+ Value: controlId,
+ }, {
+ Name: "result",
+ Value: string(ruleStatus),
+ }},
+ Subjects: subjects,
 }
- ruleResults = append(ruleResults, ruleResult)
+ observations = append(observations, observation)
checkedControls.Insert(controlId)
 }
 }
- controlResult := typereport.ControlResult{
- ControlId: controlId,
- RuleResults: ruleResults,
- ComplianceStatus: aggregateRuleResults(ruleResults),
- }
- controlResults = append(controlResults, controlResult)
- }
- parameters := map[string]string{}
- for _, setParam := range controlImpleObj.SetParameters {
- parameters[setParam.ParamID] = setParam.Values[0]
- }
- reportComponent := typereport.Component{
- ComponentTitle: cdobj.ComponentTitle,
- RequiredControls: requiredControls.List(),
- CheckedControls: checkedControls.List(),
- Parameters: parameters,
- ControlResults: controlResults,
- ComplianceStatus: aggregateControlResults(controlResults),
 }
- reportComponents = append(reportComponents, reportComponent)
 }
 }
- spec := typereport.Spec{
- Catalog: r.c2pParsed.Catalog.Metadata.Title,
- Profile: r.c2pParsed.Profile.Metadata.Title,
- Components: reportComponents,
+
+ metadata := typear.Metadata{
+ Title: "OSCAL Assessment Results",
+ LastModified: time.Now(),
+ Version: "0.0.1",
+ OscalVersion: "1.0.4",
 }
- complianceReport := typereport.ComplianceReport{
- ObjectMeta: v1.ObjectMeta{
- Name: "compliance-report",
- CreationTimestamp: v1.Now(),
- },
- Spec: spec,
+ importAp := typear.ImportAp{
+ Href: "http://...",
+ }
+ ar := typear.AssessmentResults{
+ UUID: oscal.GenerateUUID(),
+ Metadata: metadata,
+ ImportAp: importAp,
+ Results: []typear.Result{},
+ }
+ result := typear.Result{
+ UUID: oscal.GenerateUUID(),
+ Title: "Assessment Results by OCM",
+ Description: "Assessment Results by OCM...",
+ Start: time.Now(),
+ Observations: observations,
 }
+ ar.Results = append(ar.Results, result)
+ arRoot := typear.AssessmentResultsRoot{AssessmentResults: ar}
- return complianceReport, nil
+ return &arRoot, nil
 }
 func (r *Reporter) GenerateReasonsFromRawPolicies(policy typepolicy.Policy) []Reason {
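Review bot: The inner `for _, inventory := range inventories` loop in the `@@ -149,62 +165,98 @@` hunk never compares the inventory's `cluster-name` prop with the cluster the reason came from, so `clusterName` and `inventoryUuid` always end up holding the last inventory item (and the `"N/A"` branch is overwritten on the next iteration); the committed fixture pkg/testdata/ocm/assessment-results.json shows the effect — every subject is titled `Cluster Name: cluster2` with the identical subject-uuid, including the ones whose messages mention `namespace cluster1`, so per-cluster evidence is attributed to the wrong cluster. Match on the cluster name carried by each `Reason` (its field is not visible in this diff) and stop at the first hit, as sketched below. Two smaller points in the same hunk: `LastModified: time.Now()` and `Start: time.Now()` are separate calls and so differ by microseconds — take `now := time.Now()` once and use it for both; and `ImportAp{Href: "http://..."}` writes a placeholder into a compliance artifact, which deserves at least a `// TODO` stating what assessment plan it should reference. Generate starts before this hunk.
```go
for _, reason := range reasons {
    // PLACEHOLDER: replace with the field of Reason that names the cluster the status came from.
    reasonCluster := ""
    var clusterName string
    var inventoryUuid string
    for _, inventory := range inventories {
        prop, ok := oscal.FindProp("cluster-name", inventory.Props)
        if ok && prop.Value == reasonCluster {
            clusterName = prop.Value
            inventoryUuid = inventory.UUID
            break
        }
    }
    if inventoryUuid == "" {
        // No inventory item for this cluster: skip rather than attach the subject to an arbitrary cluster.
        continue
    }
    // … unchanged: message marshalling and Subject construction …
}
```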
@@ -275,46 +327,6 @@ func aggregatePolicyReportSummaryToComplianceState(summary typepolr.PolicyReport } } -func aggregateRuleResults(ruleResults []typereport.RuleResult) typereport.ComplianceStatus { - countPass := 0 - countFail := 0 - countError := 0 - countUnimple := 0 - for _, ruleResult := range ruleResults { - switch ruleResult.Status { - case typereport.RuleStatusPass: - countPass++ - case typereport.RuleStatusFail: - countFail++ - case typereport.RuleStatusError: - countError++ - case typereport.RuleStatusUnImplemented: - countUnimple++ - } - } - if countPass != 0 && countPass == len(ruleResults) { - return typereport.ComplianceStatusCompliant - } - return typereport.ComplianceStatusNonCompliant -} - -func aggregateControlResults(controlResults []typereport.ControlResult) typereport.ComplianceStatus { - countCompiant := 0 - countNonCompiant := 0 - for _, controlResult := range controlResults { - switch controlResult.ComplianceStatus { - case typereport.ComplianceStatusCompliant: - countCompiant++ - case typereport.ComplianceStatusNonCompliant: - countNonCompiant++ - } - } - if countCompiant != 0 && countCompiant == len(controlResults) { - return typereport.ComplianceStatusCompliant - } - return typereport.ComplianceStatusNonCompliant -} - func genTraverseFunc(onPolicy func(typepolicy.Policy), onPolicySet func(typepolicy.PolicySet), onPlacementDesicion func(typeplacementdecision.PlacementDecision)) func(path string, info os.FileInfo, err error) error { return func(path string, info os.FileInfo, err error) error { if err != nil { diff --git a/pkg/ocm/reporter/reporter_test.go b/pkg/ocm/reporter/reporter_test.go index 8344487..5d258ef 100644 --- a/pkg/ocm/reporter/reporter_test.go +++ b/pkg/ocm/reporter/reporter_test.go 
@@ -17,24 +17,25 @@ limitations under the License. package reporter import ( - "fmt" "os" "testing" "github.com/IBM/compliance-to-policy/pkg" "github.com/IBM/compliance-to-policy/pkg/c2pcr" typec2pcr "github.com/IBM/compliance-to-policy/pkg/types/c2pcr" - typereport "github.com/IBM/compliance-to-policy/pkg/types/report" + typear "github.com/IBM/compliance-to-policy/pkg/types/oscal/assessmentresults" + "github.com/google/go-cmp/cmp" + "github.com/google/go-cmp/cmp/cmpopts" "github.com/stretchr/testify/assert" ) func TestReporter(t *testing.T) { - policyDir := pkg.PathFromPkgDirectory("./testdata/policies") - policyResultsDir := pkg.PathFromPkgDirectory("./testdata/policy-results") - catalogPath := pkg.PathFromPkgDirectory("./testdata/oscal/reporter-test/catalog.json") - profilePath := pkg.PathFromPkgDirectory("./testdata/oscal/reporter-test/profile.json") - cdPath := pkg.PathFromPkgDirectory("./testdata/oscal/reporter-test/component-definition.json") + policyDir := pkg.PathFromPkgDirectory("./testdata/ocm/policies") + policyResultsDir := pkg.PathFromPkgDirectory("./testdata/ocm/policy-results") + catalogPath := pkg.PathFromPkgDirectory("./testdata/ocm/catalog.json") + profilePath := pkg.PathFromPkgDirectory("./testdata/ocm/profile.json") + cdPath := pkg.PathFromPkgDirectory("./testdata/ocm/component-definition.json") tempDirPath := pkg.PathFromPkgDirectory("./testdata/_test") err := os.MkdirAll(tempDirPath, os.ModePerm) 
@@ -79,34 +80,23 @@ func TestReporter(t *testing.T) { assert.NoError(t, err, "Should not happen") reporter := NewReporter(c2pcrParsed) - report, err := reporter.Generate() + arRoot, err := reporter.Generate() assert.NoError(t, err, "Should not happen") - err = pkg.WriteObjToYamlFile(tempDir.GetTempDir()+"/compliance-report.yaml", report) + err = pkg.WriteObjToJsonFile(tempDir.GetTempDir()+"/assessment-results.json", arRoot) assert.NoError(t, err, "Should not happen") - var expected typereport.ComplianceReport - err = pkg.LoadYamlFileToK8sTypedObject(pkg.PathFromPkgDirectory("./testdata/reports/compliance-report.yaml"), &expected) + var expected typear.AssessmentResultsRoot + err = pkg.LoadYamlFileToK8sTypedObject(pkg.PathFromPkgDirectory("./testdata/ocm/assessment-results.json"), &expected) - // Timestamp is currently set by Now(). Since the timestamp should be always different from expected one, reset creationTimestamp of expected one to actual one. - expected.CreationTimestamp = report.CreationTimestamp - - assert.NoError(t, err, "Should not happen") - assert.Equal(t, expected, report) - - reporter.SetGenerationType("policy-report") - reportFromPolicyReports, err := reporter.Generate() assert.NoError(t, err, "Should not happen") - - // Timestamp is currently set by Now(). Since the timestamp should be always different from expected one, reset creationTimestamp of expected one to actual one. 
- reportFromPolicyReports.CreationTimestamp = report.CreationTimestamp - - assert.Equal(t, report, reportFromPolicyReports) - - for _, policyReport := range reporter.policyReports { - fname := fmt.Sprintf("policy-report.%s.%s.yaml", policyReport.Namespace, policyReport.Name) - err := pkg.WriteObjToYamlFile(tempDir.GetTempDir()+"/"+fname, policyReport) - assert.NoError(t, err, "Should not happen") - } - + diff := cmp.Diff(expected, *arRoot, + cmpopts.IgnoreFields(typear.AssessmentResults{}, "UUID"), + cmpopts.IgnoreFields(typear.Metadata{}, "LastModified"), + cmpopts.IgnoreFields(typear.Result{}, "UUID", "Start"), + cmpopts.IgnoreFields(typear.InventoryItem{}, "UUID"), + cmpopts.IgnoreFields(typear.Subject{}, "SubjectUUID"), + cmpopts.IgnoreFields(typear.Observation{}, "UUID"), + ) + assert.Equal(t, diff, "", "assessment-result matched") } diff --git a/pkg/testdata/ocm/assessment-results.json b/pkg/testdata/ocm/assessment-results.json new file mode 100755 index 0000000..7ba4d8f --- /dev/null +++ b/pkg/testdata/ocm/assessment-results.json 
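Review bot: `assert.Equal(t, diff, "", "assessment-result matched")` puts the actual value in the expected slot and, on failure, prints the go-cmp diff as a quoted string; `if diff != "" { t.Errorf("assessment results mismatch (-want +got):\n%s", diff) }` (or `assert.Empty(t, diff)`) is the usual form. Dropping the second `Generate()` under `SetGenerationType("policy-report")` removed the only check that the raw-policy and policy-report generation paths agree, so that path is no longer covered by this test. Note also that the fixture this compares against pins both subjects of every observation to `Cluster Name: cluster2` with one shared subject-uuid, so the test will keep passing as long as the reporter keeps producing that shape; the fixture should be regenerated once the cluster lookup in reporter.go is revisited. TestReporter's body starts before this hunk.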
@@ -0,0 +1,204 @@ +{ + "assessment-results": { + "uuid": "9913b24e-931f-11ee-82cf-62f79297f1b7", + "metadata": { + "title": "OSCAL Assessment Results", + "last-modified": "2023-12-05T12:37:21.653819+09:00", + "version": "0.0.1", + "oscal-version": "1.0.4" + }, + "import-ap": { + "href": "http://..." + }, + "results": [ + { + "uuid": "9913b258-931f-11ee-82cf-62f79297f1b7", + "title": "Assessment Results by OCM", + "description": "Assessment Results by OCM...", + "start": "2023-12-05T12:37:21.65382+09:00", + "local-definitions": { + "inventory-items": null + }, + "observations": [ + { + "uuid": "9913a92a-931f-11ee-82cf-62f79297f1b7", + "description": "Observation of policy policy-high-scan", + "props": [ + { + "name": "assessment-rule-id", + "value": "test_configuration_check" + }, + { + "name": "policy-id", + "value": "policy-high-scan" + }, + { + "name": "control-id", + "value": "cm-6" + }, + { + "name": "result", + "value": "fail" + } + ], + "methods": [ + "TEST-AUTOMATED" + ], + "subjects": [ + { + "subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", + "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "fail" + }, + { + "name": "reason", + "value": "- eventName: c2p.policy-high-scan.176f1dcdc2b51b01\n lastTimestamp: \"2023-07-05T23:52:34Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding,\n please check if you have CRD deployed\n- eventName: c2p.policy-high-scan.176f1ddc44adf035\n lastTimestamp: \"2023-07-05T23:53:37Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite,\n please check if you have CRD deployed\n- eventName: c2p.policy-high-scan.176f1ddc441457e5\n lastTimestamp: \"2023-07-05T23:53:37Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult,\n please check if you have CRD deployed\n" + } + ] + }, + { + "subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", 
+ "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "fail" + }, + { + "name": "reason", + "value": "- eventName: c2p.policy-high-scan.176f1dc3684f9eb6\n lastTimestamp: \"2023-07-05T23:51:50Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding,\n please check if you have CRD deployed\n- eventName: c2p.policy-high-scan.176f1dc426d20948\n lastTimestamp: \"2023-07-05T23:51:53Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite,\n please check if you have CRD deployed\n- eventName: c2p.policy-high-scan.176f1dc4e29e1221\n lastTimestamp: \"2023-07-05T23:51:56Z\"\n message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult,\n please check if you have CRD deployed\n" + } + ] + } + ], + "collected": "0001-01-01T00:00:00Z", + "expires": "0001-01-01T00:00:00Z" + }, + { + "uuid": "9913adf8-931f-11ee-82cf-62f79297f1b7", + "description": "Observation of policy policy-deployment", + "props": [ + { + "name": "assessment-rule-id", + "value": "test_proxy_check" + }, + { + "name": "policy-id", + "value": "policy-deployment" + }, + { + "name": "control-id", + "value": "cm-2" + }, + { + "name": "result", + "value": "fail" + } + ], + "methods": [ + "TEST-AUTOMATED" + ], + "subjects": [ + { + "subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", + "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "fail" + }, + { + "name": "reason", + "value": "- eventName: c2p.policy-deployment.176f1ddc5591cb1c\n lastTimestamp: \"2023-07-05T23:53:37Z\"\n message: 'NonCompliant; violation - deployments not found: [nginx-deployment] in\n namespace cluster1 missing; [nginx-deployment] in namespace kube-node-lease missing;\n [nginx-deployment] in namespace kube-public missing; [nginx-deployment] in namespace\n local-path-storage missing'\n" + } + ] + }, + { + 
"subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", + "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "fail" + }, + { + "name": "reason", + "value": "- eventName: c2p.policy-deployment.176f1dc4e7de17cb\n lastTimestamp: \"2023-07-05T23:51:56Z\"\n message: 'NonCompliant; violation - deployments not found: [nginx-deployment] in\n namespace cluster2 missing; [nginx-deployment] in namespace default missing; [nginx-deployment]\n in namespace kube-node-lease missing; [nginx-deployment] in namespace kube-public\n missing; [nginx-deployment] in namespace local-path-storage missing'\n" + } + ] + } + ], + "collected": "0001-01-01T00:00:00Z", + "expires": "0001-01-01T00:00:00Z" + }, + { + "uuid": "9913b244-931f-11ee-82cf-62f79297f1b7", + "description": "Observation of policy policy-disallowed-roles", + "props": [ + { + "name": "assessment-rule-id", + "value": "test_rbac_check" + }, + { + "name": "policy-id", + "value": "policy-disallowed-roles" + }, + { + "name": "control-id", + "value": "ac-6" + }, + { + "name": "result", + "value": "pass" + } + ], + "methods": [ + "TEST-AUTOMATED" + ], + "subjects": [ + { + "subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", + "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "pass" + }, + { + "name": "reason", + "value": "- eventName: c2p.policy-disallowed-roles.176f1dcdc4c8d17e\n lastTimestamp: \"2023-07-05T23:52:34Z\"\n message: Compliant; notification - roles in namespace cluster1; in namespace default;\n in namespace kube-node-lease; in namespace kube-public; in namespace local-path-storage\n missing as expected, therefore this Object template is compliant\n" + } + ] + }, + { + "subject-uuid": "99133e9a-931f-11ee-82cf-62f79297f1b7", + "type": "resource", + "title": "Cluster Name: cluster2", + "props": [ + { + "name": "result", + "value": "pass" + }, + { + "name": "reason", + "value": "- eventName: 
c2p.policy-disallowed-roles.176f1dc36e36b7b2\n lastTimestamp: \"2023-07-05T23:51:50Z\"\n message: Compliant; notification - roles in namespace cluster2; in namespace default;\n in namespace kube-node-lease; in namespace kube-public; in namespace local-path-storage\n missing as expected, therefore this Object template is compliant\n" + } + ] + } + ], + "collected": "0001-01-01T00:00:00Z", + "expires": "0001-01-01T00:00:00Z" + } + ] + } + ] + } +} \ No newline at end of file diff --git a/pkg/testdata/oscal/reporter-test/catalog.json b/pkg/testdata/ocm/catalog.json similarity index 100% rename from pkg/testdata/oscal/reporter-test/catalog.json rename to pkg/testdata/ocm/catalog.json diff --git a/pkg/testdata/oscal/reporter-test/component-definition.json b/pkg/testdata/ocm/component-definition.json similarity index 100% rename from pkg/testdata/oscal/reporter-test/component-definition.json rename to pkg/testdata/ocm/component-definition.json diff --git a/pkg/testdata/policies/add-chrony/add-chrony-worker/MachineConfig.50-worker-chrony.0.yaml b/pkg/testdata/ocm/policies/add-chrony/add-chrony-worker/MachineConfig.50-worker-chrony.0.yaml similarity index 100% rename from pkg/testdata/policies/add-chrony/add-chrony-worker/MachineConfig.50-worker-chrony.0.yaml rename to pkg/testdata/ocm/policies/add-chrony/add-chrony-worker/MachineConfig.50-worker-chrony.0.yaml diff --git a/pkg/testdata/policies/add-chrony/kustomization.yaml b/pkg/testdata/ocm/policies/add-chrony/kustomization.yaml similarity index 100% rename from pkg/testdata/policies/add-chrony/kustomization.yaml rename to pkg/testdata/ocm/policies/add-chrony/kustomization.yaml diff --git a/pkg/testdata/policies/add-chrony/policy-generator.yaml b/pkg/testdata/ocm/policies/add-chrony/policy-generator.yaml similarity index 100% rename from pkg/testdata/policies/add-chrony/policy-generator.yaml rename to pkg/testdata/ocm/policies/add-chrony/policy-generator.yaml 
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/kustomization.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/kustomization.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/kustomization.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/kustomization.yaml
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/odf-lvmcluster/LVMCluster.odf-lvmcluster.0.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/odf-lvmcluster/LVMCluster.odf-lvmcluster.0.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/odf-lvmcluster/LVMCluster.odf-lvmcluster.0.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/odf-lvmcluster/LVMCluster.odf-lvmcluster.0.yaml
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/policy-generator.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-generator.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/policy-generator.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-generator.yaml
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Namespace.openshift-storage.0.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Namespace.openshift-storage.0.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Namespace.openshift-storage.0.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Namespace.openshift-storage.0.yaml
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/OperatorGroup.openshift-storage-operatorgroup.0.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/OperatorGroup.openshift-storage-operatorgroup.0.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/OperatorGroup.openshift-storage-operatorgroup.0.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/OperatorGroup.openshift-storage-operatorgroup.0.yaml
diff --git a/pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Subscription.lvm-operator.0.yaml b/pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Subscription.lvm-operator.0.yaml
similarity index 100%
rename from pkg/testdata/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Subscription.lvm-operator.0.yaml
rename to pkg/testdata/ocm/policies/install-odf-lvm-operator/policy-odf-lvm-operator/Subscription.lvm-operator.0.yaml
diff --git a/pkg/testdata/policies/policy-deployment/kustomization.yaml b/pkg/testdata/ocm/policies/policy-deployment/kustomization.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-deployment/kustomization.yaml
rename to pkg/testdata/ocm/policies/policy-deployment/kustomization.yaml
diff --git a/pkg/testdata/policies/policy-deployment/policy-generator.yaml b/pkg/testdata/ocm/policies/policy-deployment/policy-generator.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-deployment/policy-generator.yaml
rename to pkg/testdata/ocm/policies/policy-deployment/policy-generator.yaml
diff --git a/pkg/testdata/policies/policy-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml b/pkg/testdata/ocm/policies/policy-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
rename to pkg/testdata/ocm/policies/policy-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
diff --git a/pkg/testdata/policies/policy-disallowed-roles/kustomization.yaml b/pkg/testdata/ocm/policies/policy-disallowed-roles/kustomization.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-disallowed-roles/kustomization.yaml
rename to pkg/testdata/ocm/policies/policy-disallowed-roles/kustomization.yaml
diff --git a/pkg/testdata/policies/policy-disallowed-roles/policy-disallowed-roles-sample-role/Role.noname.0.yaml b/pkg/testdata/ocm/policies/policy-disallowed-roles/policy-disallowed-roles-sample-role/Role.noname.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-disallowed-roles/policy-disallowed-roles-sample-role/Role.noname.0.yaml
rename to pkg/testdata/ocm/policies/policy-disallowed-roles/policy-disallowed-roles-sample-role/Role.noname.0.yaml
diff --git a/pkg/testdata/policies/policy-disallowed-roles/policy-generator.yaml b/pkg/testdata/ocm/policies/policy-disallowed-roles/policy-generator.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-disallowed-roles/policy-generator.yaml
rename to pkg/testdata/ocm/policies/policy-disallowed-roles/policy-generator.yaml
diff --git a/pkg/testdata/policies/policy-high-scan/compliance-high-scan/ScanSettingBinding.high.0.yaml b/pkg/testdata/ocm/policies/policy-high-scan/compliance-high-scan/ScanSettingBinding.high.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-high-scan/compliance-high-scan/ScanSettingBinding.high.0.yaml
rename to pkg/testdata/ocm/policies/policy-high-scan/compliance-high-scan/ScanSettingBinding.high.0.yaml
diff --git a/pkg/testdata/policies/policy-high-scan/compliance-suite-high-results/ComplianceCheckResult.noname.0.yaml b/pkg/testdata/ocm/policies/policy-high-scan/compliance-suite-high-results/ComplianceCheckResult.noname.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-high-scan/compliance-suite-high-results/ComplianceCheckResult.noname.0.yaml
rename to pkg/testdata/ocm/policies/policy-high-scan/compliance-suite-high-results/ComplianceCheckResult.noname.0.yaml
diff --git a/pkg/testdata/policies/policy-high-scan/compliance-suite-high/ComplianceSuite.high.0.yaml b/pkg/testdata/ocm/policies/policy-high-scan/compliance-suite-high/ComplianceSuite.high.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-high-scan/compliance-suite-high/ComplianceSuite.high.0.yaml
rename to pkg/testdata/ocm/policies/policy-high-scan/compliance-suite-high/ComplianceSuite.high.0.yaml
diff --git a/pkg/testdata/policies/policy-high-scan/kustomization.yaml b/pkg/testdata/ocm/policies/policy-high-scan/kustomization.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-high-scan/kustomization.yaml
rename to pkg/testdata/ocm/policies/policy-high-scan/kustomization.yaml
diff --git a/pkg/testdata/policies/policy-high-scan/policy-generator.yaml b/pkg/testdata/ocm/policies/policy-high-scan/policy-generator.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-high-scan/policy-generator.yaml
rename to pkg/testdata/ocm/policies/policy-high-scan/policy-generator.yaml
diff --git a/pkg/testdata/policies/policy-nginx-deployment/kustomization.yaml b/pkg/testdata/ocm/policies/policy-nginx-deployment/kustomization.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-nginx-deployment/kustomization.yaml
rename to pkg/testdata/ocm/policies/policy-nginx-deployment/kustomization.yaml
diff --git a/pkg/testdata/policies/policy-nginx-deployment/policy-generator.yaml b/pkg/testdata/ocm/policies/policy-nginx-deployment/policy-generator.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-nginx-deployment/policy-generator.yaml
rename to pkg/testdata/ocm/policies/policy-nginx-deployment/policy-generator.yaml
diff --git a/pkg/testdata/policies/policy-nginx-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml b/pkg/testdata/ocm/policies/policy-nginx-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
similarity index 100%
rename from pkg/testdata/policies/policy-nginx-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
rename to pkg/testdata/ocm/policies/policy-nginx-deployment/policy-nginx-deployment/Deployment.nginx-deployment.0.yaml
diff --git a/pkg/testdata/policy-results/00.placementdecisions.yaml b/pkg/testdata/ocm/policy-results/00.placementdecisions.yaml
similarity index 100%
rename from pkg/testdata/policy-results/00.placementdecisions.yaml
rename to pkg/testdata/ocm/policy-results/00.placementdecisions.yaml
diff --git a/pkg/testdata/policy-results/00.policies.yaml b/pkg/testdata/ocm/policy-results/00.policies.yaml
similarity index 100%
rename from pkg/testdata/policy-results/00.policies.yaml
rename to pkg/testdata/ocm/policy-results/00.policies.yaml
diff --git a/pkg/testdata/policy-results/00.policysets.yaml b/pkg/testdata/ocm/policy-results/00.policysets.yaml
similarity index 100%
rename from pkg/testdata/policy-results/00.policysets.yaml
rename to pkg/testdata/ocm/policy-results/00.policysets.yaml
diff --git a/pkg/testdata/policy-results/PlacementDecision.c2p.placement-managed-kubernetes-decision-1.yml b/pkg/testdata/ocm/policy-results/PlacementDecision.c2p.placement-managed-kubernetes-decision-1.yml
similarity index 100%
rename from pkg/testdata/policy-results/PlacementDecision.c2p.placement-managed-kubernetes-decision-1.yml
rename to pkg/testdata/ocm/policy-results/PlacementDecision.c2p.placement-managed-kubernetes-decision-1.yml
diff --git a/pkg/testdata/policy-results/Policy.c2p.policy-deployment.yml b/pkg/testdata/ocm/policy-results/Policy.c2p.policy-deployment.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.c2p.policy-deployment.yml
rename to pkg/testdata/ocm/policy-results/Policy.c2p.policy-deployment.yml
diff --git a/pkg/testdata/policy-results/Policy.c2p.policy-disallowed-roles.yml b/pkg/testdata/ocm/policy-results/Policy.c2p.policy-disallowed-roles.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.c2p.policy-disallowed-roles.yml
rename to pkg/testdata/ocm/policy-results/Policy.c2p.policy-disallowed-roles.yml
diff --git a/pkg/testdata/policy-results/Policy.c2p.policy-high-scan.yml b/pkg/testdata/ocm/policy-results/Policy.c2p.policy-high-scan.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.c2p.policy-high-scan.yml
rename to pkg/testdata/ocm/policy-results/Policy.c2p.policy-high-scan.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster1.c2p.policy-deployment.yml b/pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-deployment.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster1.c2p.policy-deployment.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-deployment.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster1.c2p.policy-disallowed-roles.yml b/pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-disallowed-roles.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster1.c2p.policy-disallowed-roles.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-disallowed-roles.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster1.c2p.policy-high-scan.yml b/pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-high-scan.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster1.c2p.policy-high-scan.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster1.c2p.policy-high-scan.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster2.c2p.policy-deployment.yml b/pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-deployment.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster2.c2p.policy-deployment.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-deployment.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster2.c2p.policy-disallowed-roles.yml b/pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-disallowed-roles.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster2.c2p.policy-disallowed-roles.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-disallowed-roles.yml
diff --git a/pkg/testdata/policy-results/Policy.cluster2.c2p.policy-high-scan.yml b/pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-high-scan.yml
similarity index 100%
rename from pkg/testdata/policy-results/Policy.cluster2.c2p.policy-high-scan.yml
rename to pkg/testdata/ocm/policy-results/Policy.cluster2.c2p.policy-high-scan.yml
diff --git a/pkg/testdata/policy-results/PolicySet.c2p.managed-kubernetes.yml b/pkg/testdata/ocm/policy-results/PolicySet.c2p.managed-kubernetes.yml
similarity index 100%
rename from pkg/testdata/policy-results/PolicySet.c2p.managed-kubernetes.yml
rename to pkg/testdata/ocm/policy-results/PolicySet.c2p.managed-kubernetes.yml
diff --git a/pkg/testdata/oscal/reporter-test/profile.json b/pkg/testdata/ocm/profile.json
similarity index 100%
rename from pkg/testdata/oscal/reporter-test/profile.json
rename to pkg/testdata/ocm/profile.json
diff --git a/pkg/testdata/oscal/component-definition.json b/pkg/testdata/oscal/component-definition.json
deleted file mode 100644
index 49a22b4..0000000
--- a/pkg/testdata/oscal/component-definition.json
+++ /dev/null
@@ -1,150 +0,0 @@
-{
- "component-definition": {
- "uuid": "e3f74636-b63c-4406-bbc7-cf9dee495816",
- "metadata": {
- "title": "Test Component Definition",
- "last-modified": "2023-05-22T04:20:26+00:00",
- "version": "20210826",
- "oscal-version": "1.0.4"
- },
- "components": [
- {
- "uuid": "5ccc0047-6b10-4f9d-90d4-5f2bc4141fa8",
- "type": "Service",
- "title": "My Test Service",
- "description": "My Test Service...",
- "props": [
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule1",
- "class": "scc_class",
- "remarks": "rule_set_01"
- },
- {
- "name": "Rule_Description",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule1...",
- "class": "scc_class",
- "remarks": "rule_set_01"
- },
- {
- "name": "Policy_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "add-chrony",
- "remarks": "rule_set_01"
- },
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule2",
- "class": "scc_class",
- "remarks": "rule_set_02"
- },
- {
- "name": "Rule_Description",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule2...",
- "class": "scc_class",
- "remarks": "rule_set_02"
- },
- {
- "name": "Policy_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "install-odf-lvm-operator",
- "remarks": "rule_set_02"
- },
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule3",
- "class": "scc_class",
- "remarks": "rule_set_03"
- },
- {
- "name": "Rule_Description",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule3...",
- "class": "scc_class",
- "remarks": "rule_set_03"
- },
- {
- "name": "Policy_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": 
"policy-nginx-deployment",
- "remarks": "rule_set_03"
- },
- {
- "name": "Parameter_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "minimum_nginx_deployment_replicas",
- "class": "scc_class",
- "remarks": "rule_set_03"
- },
- {
- "name": "Parameter_Description",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "Minimum # of NGINX pod",
- "class": "scc_class",
- "remarks": "rule_set_02"
- }
- ],
- "control-implementations": [
- {
- "uuid": "18c98b61-9561-4fc6-b65a-7715bf61e17f",
- "source": "https://github.com/usnistgov/oscal-content/blob/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_HIGH-baseline_profile.json",
- "description": "NIST Special Publication 800-53 Revision 5 HIGH IMPACT BASELINE",
- "set-parameters": [
- {
- "param-id": "minimum_nginx_deployment_replicas",
- "values": [
- "3"
- ]
- }
- ],
- "implemented-requirements": [
- {
- "uuid": "bdc3a56a-d12e-46d7-bd39-db909a3daabd",
- "control-id": "ac-1",
- "description": "",
- "props": [
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule1",
- "class": "scc_class"
- },
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule2",
- "class": "scc_class"
- }
- ]
- },
- {
- "uuid": "8a2cb5a3-f3d1-480f-8463-dd4ecf45a8cd",
- "control-id": "ac-2.1",
- "description": "",
- "props": [
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule2",
- "class": "scc_class"
- },
- {
- "name": "Rule_Id",
- "ns": "http://ibm.github.io/compliance-trestle/schemas/oscal/cd/ibmcloud",
- "value": "rule3",
- "class": "scc_class"
- }
- ]
- }
- ]
- }
- ]
- }
-}
\ No newline at end of file
diff --git a/pkg/testdata/reports/compliance-report.md b/pkg/testdata/reports/compliance-report.md
index 9fa7bb9..e69de29 100755
--- a/pkg/testdata/reports/compliance-report.md
+++ b/pkg/testdata/reports/compliance-report.md
@@ -1,108 +0,0 @@ -## Catalog -Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures -## Component: Managed Kubernetes - -Compliance status: NonCompliant - -Checked controls: [ac-6,cm-2,cm-6,] -#### Result of control: cm-6 -**Compliance status: NonCompliant** - -Rules: -- Rule ID: test_configuration_check -- Policy ID: policy-high-scan -- Status: fail -- Reason: -``` -- clusterName: cluster1 - complianceState: NonCompliant - messages: - - eventName: c2p.policy-high-scan.176f1dcdc2b51b01 - lastTimestamp: "2023-07-05T23:52:34Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding, - please check if you have CRD deployed - - eventName: c2p.policy-high-scan.176f1ddc44adf035 - lastTimestamp: "2023-07-05T23:53:37Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite, - please check if you have CRD deployed - - eventName: c2p.policy-high-scan.176f1ddc441457e5 - lastTimestamp: "2023-07-05T23:53:37Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult, - please check if you have CRD deployed -- clusterName: cluster2 - complianceState: NonCompliant - messages: - - eventName: c2p.policy-high-scan.176f1dc3684f9eb6 - lastTimestamp: "2023-07-05T23:51:50Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ScanSettingBinding, - please check if you have CRD deployed - - eventName: c2p.policy-high-scan.176f1dc426d20948 - lastTimestamp: "2023-07-05T23:51:53Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceSuite, - please check if you have CRD deployed - - eventName: c2p.policy-high-scan.176f1dc4e29e1221 - lastTimestamp: "2023-07-05T23:51:56Z" - message: NonCompliant; violation - couldn't find mapping resource with kind ComplianceCheckResult, - please check if you have CRD deployed - -``` ---- -#### Result of control: cm-2 -**Compliance status: 
NonCompliant** - -Rules: -- Rule ID: test_proxy_check -- Policy ID: policy-deployment -- Status: fail -- Reason: -``` -- clusterName: cluster1 - complianceState: NonCompliant - messages: - - eventName: c2p.policy-deployment.176f1ddc5591cb1c - lastTimestamp: "2023-07-05T23:53:37Z" - message: 'NonCompliant; violation - deployments not found: [nginx-deployment] - in namespace cluster1 missing; [nginx-deployment] in namespace kube-node-lease - missing; [nginx-deployment] in namespace kube-public missing; [nginx-deployment] - in namespace local-path-storage missing' -- clusterName: cluster2 - complianceState: NonCompliant - messages: - - eventName: c2p.policy-deployment.176f1dc4e7de17cb - lastTimestamp: "2023-07-05T23:51:56Z" - message: 'NonCompliant; violation - deployments not found: [nginx-deployment] - in namespace cluster2 missing; [nginx-deployment] in namespace default missing; - [nginx-deployment] in namespace kube-node-lease missing; [nginx-deployment] - in namespace kube-public missing; [nginx-deployment] in namespace local-path-storage - missing' - -``` ---- -#### Result of control: ac-6 -**Compliance status: Compliant** - -Rules: -- Rule ID: test_rbac_check -- Policy ID: policy-disallowed-roles -- Status: pass -- Reason: -``` -- clusterName: cluster1 - complianceState: Compliant - messages: - - eventName: c2p.policy-disallowed-roles.176f1dcdc4c8d17e - lastTimestamp: "2023-07-05T23:52:34Z" - message: Compliant; notification - roles in namespace cluster1; in namespace default; - in namespace kube-node-lease; in namespace kube-public; in namespace local-path-storage - missing as expected, therefore this Object template is compliant -- clusterName: cluster2 - complianceState: Compliant - messages: - - eventName: c2p.policy-disallowed-roles.176f1dc36e36b7b2 - lastTimestamp: "2023-07-05T23:51:50Z" - message: Compliant; notification - roles in namespace cluster2; in namespace default; - in namespace kube-node-lease; in namespace kube-public; in namespace 
local-path-storage - missing as expected, therefore this Object template is compliant - -``` ----