Merge pull request #44 from secure-dashboards/feat/add-githubOrgMFA

Author: UlisesGascon

.github/ISSUE_TEMPLATE/add-a-new-compliance-check.md

@@ -36,4 +36,4 @@ _Provide a clear definition_
   - [ ] Run the command `check run --name {check_code_name}` and verify the changes in the database. Update the seed script if needed (`npm run db:seed`)
 - [ ] **5. Update the website**
   - [ ] Review the current content it in `https://openjs-security-program-standards.netlify.app/details/{check_code_name}`
-  - [ ] Create a PR in https://github.com/secure-dashboards/openjs-security-program-standards to include how we calculate this check and include additional information on the mitigation if needed.
+  - [ ] Create a PR in https://github.com/secure-dashboards/openjs-security-program-standards to include how we calculate this check and include additional information on the mitigation if needed.

__tests__/checks/githubOrgMFA.test.js

@@ -0,0 +1,105 @@
+const knexInit = require('knex')
+const { getConfig } = require('../../src/config')
+const githubOrgMFA = require('../../src/checks/complianceChecks/githubOrgMFA')
+const {
+  resetDatabase, addProject, addGithubOrg, getAllResults, getAllTasks, getAllAlerts,
+  addAlert, addTask, addResult, getCheckByCodeName
+} = require('../../__utils__')
+const { sampleGithubOrg } = require('../../__fixtures__')
+
+const { dbSettings } = getConfig('test')
+
+let knex
+let project
+let check
+
+beforeAll(async () => {
+  knex = knexInit(dbSettings)
+  check = await getCheckByCodeName(knex, 'githubOrgMFA')
+})
+
+beforeEach(async () => {
+  await resetDatabase(knex)
+  project = await addProject(knex, { name: sampleGithubOrg.login, category: 'impact' })
+})
+
+afterAll(async () => {
+  await knex.destroy()
+})
+
+describe('Integration: githubOrgMFA', () => {
+  test('Should add results without alerts or tasks', async () => {
+    // Add a passed check scenario
+    await addGithubOrg(knex, { login: sampleGithubOrg.login, html_url: sampleGithubOrg.html_url, project_id: project.id, two_factor_requirement_enabled: true })
+    // Check that the database is empty
+    let results = await getAllResults(knex)
+    expect(results.length).toBe(0)
+    let alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(0)
+    let tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(0)
+    // Run the check
+    await expect(githubOrgMFA(knex)).resolves.toBeUndefined()
+    // Check that the database has the expected results
+    results = await getAllResults(knex)
+    expect(results.length).toBe(1)
+    expect(results[0].status).toBe('passed')
+    expect(results[0].compliance_check_id).toBe(check.id)
+    alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(0)
+    tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(0)
+  })
+
+  test('Should delete (previous alerts and tasks) and add results', async () => {
+    // Prepare the Scenario
+    await addGithubOrg(knex, { login: sampleGithubOrg.login, html_url: sampleGithubOrg.html_url, project_id: project.id, two_factor_requirement_enabled: true })
+    await addAlert(knex, { compliance_check_id: check.id, project_id: project.id, title: 'existing', description: 'existing', severity: 'critical' })
+    await addTask(knex, { compliance_check_id: check.id, project_id: project.id, title: 'existing', description: 'existing', severity: 'critical' })
+    // Check that the database has the expected results
+    let results = await getAllResults(knex)
+    expect(results.length).toBe(0)
+    let alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(1)
+    expect(alerts[0].compliance_check_id).toBe(check.id)
+    let tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(1)
+    expect(tasks[0].compliance_check_id).toBe(check.id)
+    // Run the check
+    await githubOrgMFA(knex)
+    // Check that the database has the expected results
+    results = await getAllResults(knex)
+    expect(results.length).toBe(1)
+    expect(results[0].status).toBe('passed')
+    alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(0)
+    tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(0)
+  })
+  test('Should add (alerts and tasks) and update results', async () => {
+    // Prepare the Scenario
+    await addGithubOrg(knex, { login: sampleGithubOrg.login, html_url: sampleGithubOrg.html_url, project_id: project.id, two_factor_requirement_enabled: false })
+    await addResult(knex, { compliance_check_id: check.id, project_id: project.id, status: 'passed', rationale: 'failed previously', severity: 'critical' })
+    // Check that the database has the expected results
+    let results = await getAllResults(knex)
+    expect(results.length).toBe(1)
+    expect(results[0].compliance_check_id).toBe(check.id)
+    let alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(0)
+    let tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(0)
+    // Run the check
+    await githubOrgMFA(knex)
+    // Check that the database has the expected results
+    results = await getAllResults(knex)
+    expect(results.length).toBe(1)
+    expect(results[0].status).toBe('failed')
+    expect(results[0].rationale).not.toBe('failed previously')
+    alerts = await getAllAlerts(knex)
+    expect(alerts.length).toBe(1)
+    expect(alerts[0].compliance_check_id).toBe(check.id)
+    tasks = await getAllTasks(knex)
+    expect(tasks.length).toBe(1)
+    expect(tasks[0].compliance_check_id).toBe(check.id)
+  })
+})

__tests__/checks/validators.test.js

@@ -0,0 +1,148 @@
+const { githubOrgMFA } = require('../../src/checks/validators')
+// @see: https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43
+describe('githubOrgMFA', () => {
+  let organizations, check, projects
+  beforeEach(() => {
+    organizations = [
+      {
+        project_id: 1,
+        login: 'org1',
+        two_factor_requirement_enabled: true
+      },
+      {
+        project_id: 1,
+        login: 'org2',
+        two_factor_requirement_enabled: true
+      },
+      {
+        project_id: 2,
+        login: 'org3',
+        two_factor_requirement_enabled: true
+      }
+    ]
+
+    check = {
+      id: 1,
+      priority_group: 'P1',
+      details_url: 'https://example.com',
+      level_incubating_status: 'expected',
+      level_active_status: 'expected',
+      level_retiring_status: 'expected'
+    }
+
+    projects = [
+      {
+        id: 1,
+        category: 'impact'
+      },
+      {
+        id: 2,
+        category: 'at-large'
+      }
+    ]
+  })
+  it('Should generate a passed result if all organizations have 2FA enabled', () => {
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        },
+        {
+          compliance_check_id: 1,
+          project_id: 2,
+          rationale: 'The organization(s) have 2FA enabled',
+          severity: 'critical',
+          status: 'passed'
+        }
+      ],
+      tasks: []
+    })
+  })
+
+  it('should generate a failed result if some organizations do not have 2FA enabled', () => {
+    organizations[0].two_factor_requirement_enabled = false
+    // IMPORTANT: If one organization fails, the whole project fails no matter how other organizations are in the project
+    organizations[1].two_factor_requirement_enabled = null
+
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          title: 'The organization(s) (org1) do not have 2FA enabled',
+          description: 'Check the details on https://example.com'
+        }
+      ],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'failed',
+          rationale: 'The organization(s) (org1) do not have 2FA enabled'
+        },
+        {
+          project_id: 2,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        }
+      ],
+      tasks: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          title: 'Enable 2FA for the organization(s) (org1)',
+          description: 'Check the details on https://example.com'
+        }
+      ]
+    })
+  })
+
+  it('should generate an unknown result if some organizations have unknown 2FA status', () => {
+    organizations[1].two_factor_requirement_enabled = null
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'unknown',
+          rationale: 'The organization(s) (org2) have 2FA status unknown'
+        },
+        {
+          project_id: 2,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        }
+      ],
+      tasks: []
+    })
+  })
+
+  it('Should skip the check if it is not in scope for the project category', () => {
+    check.level_active_status = 'n/a'
+    check.level_incubating_status = 'n/a'
+    check.level_retiring_status = 'n/a'
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [],
+      tasks: []
+    })
+  })
+})

__tests__/utils.test.js

@@ -1,4 +1,4 @@
-const { validateGithubUrl, ensureGithubToken } = require('../src/utils/index')
+const { validateGithubUrl, ensureGithubToken, groupArrayItemsByCriteria, isCheckApplicableToProjectCategory, getSeverityFromPriorityGroup } = require('../src/utils/index')
 
 describe('ensureGithubToken', () => {
   let originalGithubToken
@@ -43,3 +43,68 @@ describe('validateGithubUrl', () => {
     expect(validateGithubUrl(url)).toBe(false)
   })
 })
+
+describe('groupArrayItemsByCriteria', () => {
+  const groupByProject = groupArrayItemsByCriteria('project_id')
+
+  it('should group array items by criteria', () => {
+    const items = [
+      { project_id: 1, name: 'item1' },
+      { project_id: 1, name: 'item2' },
+      { project_id: 2, name: 'item3' }
+    ]
+    const expected = [
+      [
+        { project_id: 1, name: 'item1' },
+        { project_id: 1, name: 'item2' }
+      ],
+      [
+        { project_id: 2, name: 'item3' }
+      ]
+    ]
+    expect(groupByProject(items)).toEqual(expected)
+  })
+})
+
+describe('isCheckApplicableToProjectCategory', () => {
+  const disabledCheck = {
+    level_active_status: 'n/a',
+    level_incubating_status: 'n/a',
+    level_retiring_status: 'n/a'
+  }
+
+  it('should return false if the check is not applicable to the project category', () => {
+    let project = { category: 'impact' }
+    expect(isCheckApplicableToProjectCategory(disabledCheck, project)).toBe(false)
+    project = { category: 'incubation' }
+    expect(isCheckApplicableToProjectCategory(disabledCheck, project)).toBe(false)
+    project = { category: 'emeritus' }
+    expect(isCheckApplicableToProjectCategory(disabledCheck, project)).toBe(false)
+    project = { category: 'at-large' }
+    expect(isCheckApplicableToProjectCategory(disabledCheck, project)).toBe(false)
+  })
+
+  it('should return true if the check is applicable to the project category', () => {
+    const project = { category: 'impact' }
+    const check = { ...disabledCheck, level_active_status: 'recommended' }
+    expect(isCheckApplicableToProjectCategory(check, project)).toBe(true)
+  })
+})
+
+describe('getSeverityFromPriorityGroup', () => {
+  it('should return the correct severity based on the priority group', () => {
+    expect(getSeverityFromPriorityGroup('P0')).toBe('critical')
+    expect(getSeverityFromPriorityGroup('P1')).toBe('critical')
+    expect(getSeverityFromPriorityGroup('P2')).toBe('critical')
+    expect(getSeverityFromPriorityGroup('P3')).toBe('high')
+    expect(getSeverityFromPriorityGroup('P4')).toBe('high')
+    expect(getSeverityFromPriorityGroup('P5')).toBe('medium')
+    expect(getSeverityFromPriorityGroup('P6')).toBe('medium')
+    expect(getSeverityFromPriorityGroup('P7')).toBe('medium')
+    expect(getSeverityFromPriorityGroup('P8')).toBe('low')
+    expect(getSeverityFromPriorityGroup('P20')).toBe('low')
+    // Recommendations always have 'info' severity
+    expect(getSeverityFromPriorityGroup('R1')).toBe('info')
+    expect(getSeverityFromPriorityGroup('R11')).toBe('info')
+  })
+})

__utils__/index.js

@@ -1,4 +1,7 @@
 const resetDatabase = async (knex) => {
+  await knex.raw('TRUNCATE TABLE compliance_checks_results RESTART IDENTITY CASCADE')
+  await knex.raw('TRUNCATE TABLE compliance_checks_tasks RESTART IDENTITY CASCADE')
+  await knex.raw('TRUNCATE TABLE compliance_checks_alerts RESTART IDENTITY CASCADE')
   await knex.raw('TRUNCATE TABLE github_repositories RESTART IDENTITY CASCADE')
   await knex.raw('TRUNCATE TABLE github_organizations RESTART IDENTITY CASCADE')
   await knex.raw('TRUNCATE TABLE projects RESTART IDENTITY CASCADE')
@@ -23,7 +26,29 @@ const addGithubRepo = async (knex, data) => {
   return githubRepo
 }
 
+const getAllResults = (knex) => knex('compliance_checks_results').select('*')
+const getAllTasks = (knex) => knex('compliance_checks_tasks').select('*')
+const getAllAlerts = (knex) => knex('compliance_checks_alerts').select('*')
+const addAlert = async (knex, alert) => {
+  const [newAlert] = await knex('compliance_checks_alerts').insert(alert).returning('*')
+  return newAlert
+}
+
+const addTask = async (knex, task) => {
+  const [newTask] = await knex('compliance_checks_tasks').insert(task).returning('*')
+  return newTask
+}
+
+const addResult = async (knex, result) => {
+  const [newResult] = await knex('compliance_checks_results').insert(result).returning('*')
+  return newResult
+}
+
 const getAllComplianceChecks = (knex) => knex('compliance_checks').select('*')
+const getCheckByCodeName = async (knex, codeName) => {
+  const check = await knex('compliance_checks').where({ code_name: codeName }).first()
+  return check
+}
 
 module.exports = {
   getAllComplianceChecks,
@@ -33,5 +58,12 @@ module.exports = {
   addProject,
   addGithubOrg,
   getAllGithubRepos,
-  addGithubRepo
+  addGithubRepo,
+  getAllResults,
+  getAllTasks,
+  getAllAlerts,
+  addAlert,
+  addTask,
+  addResult,
+  getCheckByCodeName
 }