feat: add check validator for githubOrgMFA

UlisesGascon · UlisesGascon · commit 44c41d119f0d · 2024-12-07T04:47:53.000+01:00
Related: #43
diff --git a/__tests__/checks/validators.test.js b/__tests__/checks/validators.test.js
@@ -0,0 +1,148 @@
+const { githubOrgMFA } = require('../../src/checks/validators')
+// @see: https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43
+describe('githubOrgMFA', () => {
+  let organizations, check, projects
+  beforeEach(() => {
+    organizations = [
+      {
+        project_id: 1,
+        login: 'org1',
+        two_factor_requirement_enabled: true
+      },
+      {
+        project_id: 1,
+        login: 'org2',
+        two_factor_requirement_enabled: true
+      },
+      {
+        project_id: 2,
+        login: 'org3',
+        two_factor_requirement_enabled: true
+      }
+    ]
+
+    check = {
+      id: 1,
+      priority_group: 'P1',
+      details_url: 'https://example.com',
+      level_incubating_status: 'expected',
+      level_active_status: 'expected',
+      level_retiring_status: 'expected'
+    }
+
+    projects = [
+      {
+        id: 1,
+        category: 'impact'
+      },
+      {
+        id: 2,
+        category: 'at-large'
+      }
+    ]
+  })
+  it('Should generate a passed result if all organizations have 2FA enabled', () => {
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        },
+        {
+          compliance_check_id: 1,
+          project_id: 2,
+          rationale: 'The organization(s) have 2FA enabled',
+          severity: 'critical',
+          status: 'passed'
+        }
+      ],
+      tasks: []
+    })
+  })
+
+  it('should generate a failed result if some organizations do not have 2FA enabled', () => {
+    organizations[0].two_factor_requirement_enabled = false
+    // IMPORTANT: If one organization fails, the whole project fails no matter how other organizations are in the project
+    organizations[1].two_factor_requirement_enabled = null
+
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          title: 'The organization(s) (org1) do not have 2FA enabled',
+          description: 'Check the details on https://example.com'
+        }
+      ],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'failed',
+          rationale: 'The organization(s) (org1) do not have 2FA enabled'
+        },
+        {
+          project_id: 2,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        }
+      ],
+      tasks: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          title: 'Enable 2FA for the organization(s) (org1)',
+          description: 'Check the details on https://example.com'
+        }
+      ]
+    })
+  })
+
+  it('should generate an unknown result if some organizations have unknown 2FA status', () => {
+    organizations[1].two_factor_requirement_enabled = null
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [
+        {
+          project_id: 1,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'unknown',
+          rationale: 'The organization(s) (org2) have 2FA status unknown'
+        },
+        {
+          project_id: 2,
+          compliance_check_id: 1,
+          severity: 'critical',
+          status: 'passed',
+          rationale: 'The organization(s) have 2FA enabled'
+        }
+      ],
+      tasks: []
+    })
+  })
+
+  it('Should skip the check if it is not in scope for the project category', () => {
+    check.level_active_status = 'n/a'
+    check.level_incubating_status = 'n/a'
+    check.level_retiring_status = 'n/a'
+    const analysis = githubOrgMFA({ organizations, check, projects })
+    expect(analysis).toEqual({
+      alerts: [],
+      results: [],
+      tasks: []
+    })
+  })
+})
diff --git a/src/checks/validators/index.js b/src/checks/validators/index.js
@@ -0,0 +1,80 @@
+const debug = require('debug')('checks:validator:githubOrgMFA')
+const { getSeverityFromPriorityGroup, isCheckApplicableToProjectCategory, groupArrayItemsByCriteria } = require('../../utils')
+
+const groupByProject = groupArrayItemsByCriteria('project_id')
+
+// @see: https://github.com/secure-dashboards/openjs-foundation-dashboard/issues/43
+const githubOrgMFA = ({ organizations, check, projects }) => {
+  debug('Validating GitHub organizations MFA...')
+  debug('Grouping organizations by project...')
+  const organizationsGroupedByProject = groupByProject(organizations)
+
+  const alerts = []
+  const results = []
+  const tasks = []
+
+  debug('Processing organizations...')
+  organizationsGroupedByProject.forEach((projectOrgs) => {
+    debug(`Processing project (${projectOrgs[0].project_id})`)
+    const project = projects.find(p => p.id === projectOrgs[0].project_id)
+    const isInScope = isCheckApplicableToProjectCategory(check, project)
+    // If the check is not in scope, skip it.
+    if (!isInScope) {
+      debug(`This check is not in scope for project (${project.id})`)
+      return
+    }
+
+    const baseData = {
+      project_id: projectOrgs[0].project_id,
+      compliance_check_id: check.id,
+      severity: getSeverityFromPriorityGroup(check.priority_group)
+    }
+
+    const result = { ...baseData }
+    const task = { ...baseData }
+    const alert = { ...baseData }
+
+    const failedOrgs = projectOrgs.filter(org => org.two_factor_requirement_enabled === false).map(org => org.login)
+    const unknownOrgs = projectOrgs.filter(org => org.two_factor_requirement_enabled === null).map(org => org.login)
+
+    if (projectOrgs.every(org => org.two_factor_requirement_enabled === true)) {
+      result.status = 'passed'
+      result.rationale = 'The organization(s) have 2FA enabled'
+    } else if (failedOrgs.length) {
+      result.status = 'failed'
+      result.rationale = `The organization(s) (${failedOrgs.join(',')}) do not have 2FA enabled`
+      alert.title = `The organization(s) (${failedOrgs.join(',')}) do not have 2FA enabled`
+      alert.description = `Check the details on ${check.details_url}`
+      task.title = `Enable 2FA for the organization(s) (${failedOrgs.join(',')})`
+      task.description = `Check the details on ${check.details_url}`
+    } else if (unknownOrgs.length) {
+      result.status = 'unknown'
+      result.rationale = `The organization(s) (${unknownOrgs.join(',')}) have 2FA status unknown`
+    }
+    // Include only the task if was populated
+    if (Object.keys(task).length > Object.keys(baseData).length) {
+      debug(`Adding task for project (${project.id})`)
+      tasks.push(task)
+    }
+    // Include only the alert if was populated
+    if (Object.keys(alert).length > Object.keys(baseData).length) {
+      debug(`Adding alert for project (${project.id})`)
+      alerts.push(alert)
+    }
+    // Always include the result
+    results.push(result)
+    debug(`Processed project (${project.id})`)
+  })
+
+  return {
+    alerts,
+    results,
+    tasks
+  }
+}
+
+const validators = {
+  githubOrgMFA
+}
+
+module.exports = validators
