Discontinued Policy Markdown Creation (#1089)

* (New) Add Licensing Information to AAD Report (#1011) * Copied Changes form broken branch for new PR * removed trailing whitespace * Removed more trailing white space * updated licensing table to have unique id and added case in smoke test for licensing table * remove white space * added check for licensing information to functional tests * added smoke test for licensing * Add a UTC timestamp to the Provider JSON (#1009) * add a quick timestamp * add milliseconds * timestamp_zulu * add timestampzulu to metadata in mergejson * fix unit tests * fix bug found in previous PR * Add config file for GitHub Pages (#1001) * add YML for theme * add config for pages * lint * put regal yaml back * Create a workflow for bumping the ScubaGear module version (#989) * create workflow for automated version bumping * clean up whitespace * bump checkout version * fix variable substitution and regex match output * remove testing variable * Fix the Handful of AAD unit tests that are broken (#1019) * fixed unit tests :) * Resolved Linter Warnings --------- Co-authored-by: Devesh Agarwal <[email protected]> * Remove default vars from test configs (#996) * minor edits to aad.5.3v1 and aad5.4v1 instructions (#1028) * uncenter the text (#1031) * Add option to generate a config file template (#984) * config file generation * Adding defender * Final generate config file * Ready for pull request * moved to support module * added to manifest file * pascal case and whitespace * linter hacks * linter test * "unused" variables * linter hacks part II * linter hacks part III * Unit Test added * added default value for unit testing various syntax fixes as well * fixed unit test, mock converting to yaml * fixed unit tests? * fixed? * more debugging * debugging * Update README.md for generating config * Update ScubaGear version to 1.2.0 (#1029) Co-authored-by: GitHub Action <[email protected]> * Fix bug with msaad52v1 only admins consent to apps (#1043) * uploading for Cassey debugging session * modified Rego policy 5.2 and unit tests to account for Microsoft updates to tenant output data * modified 5.2 functional tests based on Microsoft changes to JSON output * Update sample reports to latest version output examples (#1058) * Fix publish package errors (#1042) * inject write-error * comment out publish * show manifest error * remove fail silently * debug path version * fix id typo * fixed list * fix needs * fix release prep again * write prereleasetag * get types * fix typo * fix typos * set tags as array * reset tags * debug w string * remove array * gc manifest * get childitem * write module path * Debug manifest * debug more * typecast to string * debug string concat * display hashtable * more debug details * tweak debugging * update install w prerelease * commenting * install required version * add debug * add debug * add version * use 1 if * hard code * install only * force it * remove install * add debug statements * see params * fix parameter set * fix comment typo * use binding * add comments * fix @ * remove cmdlet * uncomm param set * remove param sets * split into 2 * fix push paths * add env back * clean debug statement * fix pipeline issues * add output test * use write-output * clean up minor * back to previous version * use output * more output * use debug * more output * fix ps lint * test returning false * return to old error * hardcode params * fix step name * improve debug statements * back to write host * debug prerelease * changed info to host * switch tag version * write manifest out * update version * fix temp print * bump to 8 * add import back * require version * bump to 10 * bump vers * without tag * bump tag * use find mod * fix unit test * bump tag * trivial change to trigger tests * hide error * v 03 * fix pipeline * return false * add write error * remove details * be silent * be false * cleanup * unhardcode * Exclude Write-Host locally * commented out push trigger * comment out push trigger * update description * Add a Workflow to check for OPA version updates (#1004) * add parseable language * add OPA Update workflow * remove white space * grammar * Update Pull Request Description Co-authored-by: Addam Schroll <[email protected]> --------- Co-authored-by: Addam Schroll <[email protected]> * Defender functional test plan fixes (#1057) * Remove IsNotChecked flag from G3 3.1 Non-compliant - No defender license test * Move impersonation protection tests from standard to g5 variant * Fix Markdown in readme (#1068) * fix table * fix links * minor changes * Add Policy Group Names to ScubaResults.json (#1041) * package Report Results by control group * finish comment * upgrade the ScubaGear ScubaResults metadata with even more context * make comment clearer * make another comment clearer * Bump OPA version from v0.61.0 to v0.63.0 (#1070) * Bump OPA version from v0.61.0 to v0.63.0 * also add support for 0.62.1 * add omit comments * add back in the space * add back in the link --------- Co-authored-by: GitHub Action <[email protected]> Co-authored-by: buidav <[email protected]> * Add GitLeaks to CI/CD Pipeline (#1066) * add if * update pipeline * remove push * set permissions * Enhance AAD Provider and Rego Code to automate checks for policy MS.AAD.3.3v1 (#1014) * Update provider json for auth method config * Added new json for MS auth feature settings * Combined authentication method calls into one json object * Updates to JSON for aad 3.4 and 3.5 * updates to aad 3.3 rego * Include all auth method configs in json export * Updates to aad 3.3 to check msauth settings * Updates to unit tests for aad 3.4 * Update AADConfig.rego 3.3v1 status check * fix N/A criticality for 3.5 and adjust unit and functional tests for new JSON structure * changed JSON structure for 3.4, 3.5 because it had redundant objects and updated all tests * fix run unit test * revised 3.3 unit tests * update 3.3 code & added unit tests * refactored names and added comments to 3.3 policy * refactored 3.4 to reduce redundant code and bad variable naming * streamlined code for 3.5 to reduce redundancy and returned ActualValue which was missing * renamed MFAPolicies to PhishingResistantMFAPolicies for accuracy * initial version 3.3 functional test wip * added functional test cases * removed NotCheckedDetails import since linter complained * made AuthenticationPolicyMigrationIsComplete shorter due to linter complaints * changed AuthenticationPolicyMigrationIsComplete from boolean assignment to if due to linter * removed redundant call to Get-MgBetaPolicyAuthenticationMethodPolicy which was left by mistake --------- Co-authored-by: Ted Kolovos <[email protected]> Co-authored-by: Sloane4 <[email protected]> * Bump OPA version from v0.63.0 to v0.64.1 (#1079) Co-authored-by: GitHub Action <[email protected]> * fixed functional test for 5.3 so that it only produces a single EnableAdminConsentRequests field (#1081) --------- Co-authored-by: Devesh Agarwal <[email protected]> Co-authored-by: David Bui <[email protected]> Co-authored-by: James Garriss <[email protected]> Co-authored-by: Ted Kolovos <[email protected]> Co-authored-by: Devesh Agarwal <[email protected]> Co-authored-by: Addam Schroll <[email protected]> Co-authored-by: amart241 <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: GitHub Action <[email protected]> Co-authored-by: Shanti Satyapal <[email protected]> Co-authored-by: Sloane4 <[email protected]>
cisagov · May 6, 2024 · 0f353ee · 0f353ee
1 parent 575fcae
commit 0f353ee
Show file tree

Hide file tree

Showing 66 changed files with 9,709 additions and 12,692 deletions.
diff --git a/.github/workflows/publish_package.yaml b/.github/workflows/publish_package.yaml
diff --git a/.github/workflows/publish_private_package.yaml b/.github/workflows/publish_private_package.yaml
@@ -0,0 +1,99 @@
+# Purpose: Publish nightly to a a private gallery just to make
+# sure that the code can be published.  This is like a
+# smoke test.
+
+name: Publish Private Package
+
+on:
+  schedule:
+    - cron: "23 0 * * *" # Execute each day at 00:23 UTC
+  workflow_dispatch:
+  # for testing
+  # push:
+  #   paths:
+  #     - ".github/workflows/publish_private_package.yaml"
+  #     - "utils/DeployUtils.ps1"
+
+env:
+  GalleryName: PrivateScubaGearGallery
+
+jobs:
+  publish:
+    name: Publish to Private Gallery
+    runs-on: windows-latest
+    environment: Development
+    permissions:
+      id-token: write
+      contents: write
+    defaults:
+      run:
+        shell: powershell
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: repo
+      - name: Install Azure Signing Tool
+        run: |
+          dotnet --version
+          dotnet tool install --global AzureSignTool --version 4.0.1
+      # OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
+      - name: Login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+      - name: Create Private Gallery
+        run: |
+          cd repo
+          . utils/DeployUtils.ps1
+          New-PrivateGallery -GalleryName $env:GalleryName -Trusted
+      - name: Get Key Vault Info
+        id: key-vault-info
+        env:
+          KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}}
+        run: |
+          $KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json
+          echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT
+          echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT
+      - name: Sign and Publish Module
+        uses: azure/powershell@v1
+        with:
+          inlineScript: |
+            # Source the deploy utilities so the functions in it can be called.
+            . repo/utils/DeployUtils.ps1
+            # Remove non-release files
+            Remove-Item -Recurse -Force repo -Include .git*
+            # Setup the parameters
+            $Parameters = @{
+              AzureKeyVaultUrl = '${{ steps.key-vault-info.outputs.KeyVaultUrl }}'
+              CertificateName = '${{ steps.key-vault-info.outputs.KeyVaultCertificateName }}'
+              ModulePath = 'repo/PowerShell/ScubaGear'
+              GalleryName = $env:GalleryName
+            }
+            # This publishes to a private gallery.
+            Publish-ScubaGearModule @Parameters
+          azPSVersion: "latest"
+      - name: Test Module Publish
+        run: |
+          Get-Location
+          $TestContainers = @()
+          $TestContainers += New-PesterContainer -Path "repo/Testing/Functional/BuildTest" -Data @{ }
+          $PesterConfig = @{
+            Run = @{
+              Container = $TestContainers
+            }
+            Output = @{
+              Verbosity = 'Detailed'
+            }
+          }
+          $Config = New-PesterConfiguration -Hashtable $PesterConfig
+          Invoke-Pester -Configuration $Config
+      # This is a manual test that writes the version to the console.
+      - name: Print Scuba Version
+        run: |
+          Install-Module -Name ScubaGear -SkipPublisherCheck
+          # Import-Module -Name ScubaGear
+          Invoke-SCuBA -Version
diff --git a/.github/workflows/publish_public_package.yaml b/.github/workflows/publish_public_package.yaml
@@ -0,0 +1,106 @@
+# Purpose: Publish on demand to the real gallery (PSGallery).
+
+name: Publish Public Package
+
+on:
+  workflow_dispatch:
+    inputs:
+      OverrideModuleVersion:
+        description: "Override the version of the release. Restricted to SemVer 1.0 - 3 segments"
+        required: false
+        type: string
+      IsPrerelease:
+        description: "Is this a prerelease"
+        required: false
+        type: boolean
+        default: false
+      PrereleaseTag:
+        description: "The prerelease tag: (-)?[0-9A-Za-z]+ (e.g. -alpha1, -rc2, b1234)"
+        required: false
+        type: string
+  # for testing
+  # push:
+  #   paths:
+  #     - ".github/workflows/publish_public_package.yaml"
+  #     - "utils/DeployUtils.ps1"
+
+jobs:
+  publish:
+    name: Publish to PSGallery
+    runs-on: windows-latest
+    environment: Development
+    permissions:
+      id-token: write
+      contents: write
+    defaults:
+      run:
+        shell: powershell
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: repo
+      - name: Install Azure Signing Tool
+        run: |
+          dotnet --version
+          dotnet tool install --global AzureSignTool --version 4.0.1
+      # OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
+      - name: Login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+      - name: Get Key Vault info
+        id: key-vault-info
+        env:
+          KEY_VAULT_INFO: ${{ secrets.SCUBA_KEY_VAULT_PROD}}
+        run: |
+          $KeyVaultInfo = ${env:KEY_VAULT_INFO} | ConvertFrom-Json
+          echo "KeyVaultUrl=$($KeyVaultInfo.KeyVault.URL)" >> $env:GITHUB_OUTPUT
+          echo "KeyVaultCertificateName=$($KeyVaultInfo.KeyVault.CertificateName)" >> $env:GITHUB_OUTPUT
+      - name: Sign and Publish Module
+        run: |
+          # Source the deploy utilities so the functions in it can be called.
+          . repo/utils/DeployUtils.ps1
+          # Remove non-release files
+          Remove-Item -Recurse -Force repo -Include .git*
+          # Extract the API key used to publish to PSGallery
+          $ApiKey = az keyvault secret show --id '${{ steps.key-vault-info.outputs.KeyVaultUrl }}/secrets/ScubaGear-PSGAllery-API-Key' --query value -o tsv
+          if (-Not $ApiKey)
+          {
+            Write-Error "Failed to retrieve API key"
+          }
+          # Setup the parameters
+          $Parameters = @{
+            AzureKeyVaultUrl = '${{ steps.key-vault-info.outputs.KeyVaultUrl }}'
+            CertificateName = '${{ steps.key-vault-info.outputs.KeyVaultCertificateName }}'
+            ModulePath = 'repo/PowerShell/ScubaGear'
+            GalleryName = 'PSGallery'
+            NuGetApiKey = $ApiKey
+          }
+          # if ('true' -eq '${{ inputs.IsPrerelease }}')
+          # {
+          #   $Parameters.Add('PrereleaseTag', '${{ inputs.PrereleaseTag }}')
+          # }
+          # if (-Not [string]::IsNullOrEmpty('${{ inputs.OverrideModuleVersion }}'))
+          # {
+          #   $Parameters.Add('OverrideModuleVersion', '${{ inputs.OverrideModuleVersion }}')
+          # }
+          # This publishes to PSGallery.
+          Publish-ScubaGearModule @Parameters
+      # This is a manual test that simply writes the version to the console
+      - name: Print Scuba Version
+        run: |
+          if ('true' -eq '${{ inputs.IsPrerelease }}')
+          {
+            $Version = '${{ inputs.OverrideModuleVersion }}' + '${{ inputs.PrereleaseTag }}'
+            Write-Host "Checking for prerelease with required version: " + $Version
+            Find-Module -Name ScubaGear -RequiredVersion $Version -AllowPrerelease
+          }
+          else
+          {
+            Write-Host "Installing latest version"
+            Find-Module -Name ScubaGear
+          }
diff --git a/.github/workflows/run_module_version_bump.yml b/.github/workflows/run_module_version_bump.yml
@@ -0,0 +1,111 @@
+name: Module Version Bump
+
+on:
+  workflow_dispatch:
+    inputs:
+      newVersionNumber:
+        description: "New Version number (e.g., 1.2.4)"
+        required: true
+        type: string
+
+jobs:
+  module-version-bump:
+    runs-on: windows-latest
+    env:
+      NEW_VERSION_NUMBER: ${{ inputs.newVersionNumber }}
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Bump ScubaGear Version Number
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          #
+          # Replace ScubaGear module version in the manifest.
+          #
+          $ManifestPath = '.\PowerShell\ScubaGear\ScubaGear.psd1'
+          $VersionRegex = "\'\d+\.\d+\.\d+\'"
+          $PreviousVersion = ''
+          (Get-Content -Path $ManifestPath) | ForEach-Object {
+            $ModuleVersionRegex = $_ -match "ModuleVersion = $($VersionRegex)"
+            if ($ModuleVersionRegex) {
+                $_ -match $VersionRegex | Out-Null
+                $PreviousVersion = $matches[0] -replace "'", ""
+                $_ -replace $VersionRegex, "'${env:NEW_VERSION_NUMBER}'"
+            }
+            else {
+              $_
+            }
+          } | Set-Content -Path $ManifestPath
+
+          #
+          # Replace ScubaGear module version in the README
+          #
+          $READMEPath = '.\README.md'
+          $BadgeRegex = "ScubaGear-v\d+\.\d+\.\d+"
+          $ZipRegex = "ScubaGear-v\d+\-\d+\-\d+.zip"
+          $ZipVerReplace = "ScubaGear-v${env:NEW_VERSION_NUMBER}" -replace '\.', '-'
+          $ZipVerReplace = $ZipVerReplace + '.zip'
+          (Get-Content -Path $READMEPath) | ForEach-Object {
+            $BadgeVerMatch = $_ -match $BadgeRegex
+            $ZipVerMatch = $_ -match $ZipRegex
+            if ($BadgeVerMatch) {
+              $_ -replace $BadgeRegex, "ScubaGear-v${env:NEW_VERSION_NUMBER}"
+            }
+            elseif ($ZipVerMatch) {
+              $_ -replace $ZipRegex, $ZipVerReplace
+            }
+            else {
+              $_
+            }
+          } | Set-Content -Path $READMEPath
+
+          #
+          # Create the PR body
+          #
+          $PRTemplatePath = '.\.github\pull_request_template.md'
+
+          $Description = '<!-- Describe the "what" of your changes in detail. -->'
+          $Motivation = '<!-- Why is this change required\? -->'
+          $Testing = '<!-- see how your change affects other areas of the code, etc. -->'
+          $RemoveHeader = '# <!-- Use the title to describe PR changes in the imperative mood --> #'
+
+          $NewDescription = "- This PR was create by a GitHub Action to bump ScubaGear's module version in the manifest and the README.`n - Please fill out the rest of the template that the Action did not cover. `n"
+          $NewMotivation = "- Bump ScubaGear's module version to v${env:NEW_VERSION_NUMBER} before the next release`n"
+          $NewTesting = "- A human should still check if the version bumping was successful by running ScubaGear.`n"
+
+          $PRTemplateContent = (Get-Content -Path $PRTemplatePath) | ForEach-Object {
+            $DescriptionRegex = $_ -match $Description
+            $MotivationRegex = $_ -match $Motivation
+            $TestingRegex = $_ -match $Testing
+            $RemoveHeaderRegex = $_ -match $RemoveHeader # removes unneeded new line
+            if ($DescriptionRegex) {
+                  $_ -replace $Description, $NewDescription
+            }
+            elseif ($MotivationRegex) {
+                  $_ -replace $Motivation, $NewMotivation
+            }
+            elseif ($TestingRegex) {
+                $_ -replace $Testing, $NewTesting
+            }
+            elseif ($RemoveHeaderRegex) {
+              $_ -replace $RemoveHeader, ""
+            }
+            else {
+              $_ + "`n"
+            }
+          }
+
+          # Create the PR
+          $ScubaGearVersionBumpBranch = "scubagear-version-bump-${env:NEW_VERSION_NUMBER}"
+          git config --global user.email "[email protected]"
+          git config --global user.name "GitHub Action"
+          git checkout -b $ScubaGearVersionBumpBranch
+          git add .
+          git commit -m "Update ScubaGear version to ${env:NEW_VERSION_NUMBER}"
+          git push origin $ScubaGearVersionBumpBranch
+          gh pr create -B main -H $ScubaGearVersionBumpBranch --title "Bump ScubaGear module version from v$($PreviousVersion) to v${env:NEW_VERSION_NUMBER}" --body "${PRTemplateContent}" --label "version bump"
diff --git a/.github/workflows/run_pipeline.yaml b/.github/workflows/run_pipeline.yaml
@@ -7,77 +7,23 @@ on:
   push:
   pull_request:
   workflow_dispatch:
-    inputs:
-      # When set to true, it will run every step in the pipeline, regardless of
-      # what files have changed.
-      doEverything:
-        description: "Run every workflow in the pipeline."
-        required: false
-        type: boolean
-        default: true
 
 jobs:
-  test-files:
-    name: Test for Changes
-    runs-on: ubuntu-latest
-    # This condition prevents duplicate runs.
-    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
-    steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-      - name: Check for Changes
-        uses: dorny/paths-filter@v3
-        id: file-changes
-        with:
-          base: ${{ github.ref }}
-          filters: |
-            yaml-files:
-              - added|modified: "**.yml"
-              - added|modified: "**.yaml"
-            powershell-files:
-              - added|modified: "**.ps1"
-              - added|modified: "**.psm1"
-              - added|modified: "**.psd1"
-              - added|modified: "**.pssc"
-              - added|modified: "**.psrc"
-              - added|modified: "**.ps1xml"
-              - added|modified: "**.cdxml"
-            markdown-files:
-              - added|modified: "PowerShell/ScubaGear/baselines/*.md"
-            rego-files:
-              - added|modified: "**.rego"
-    outputs:
-      yaml-changes: ${{ steps.file-changes.outputs.yaml-files || inputs.doEverything }}
-      powershell-changes: ${{ steps.file-changes.outputs.powershell-files || inputs.doEverything }}
-      markdown-changes: ${{ steps.file-changes.outputs.markdown-files || inputs.doEverything }}
-      rego-changes: ${{ steps.file-changes.outputs.rego-files || inputs.doEverything }}
   lint-yaml:
     name: Lint
-    needs:
-      - test-files
-    if: needs.test-files.outputs.yaml-changes == 'true'
     uses: ./.github/workflows/lint_yaml.yaml
   lint-powershell:
     name: Lint
-    needs:
-      - test-files
-    if: needs.test-files.outputs.powershell-changes == 'true'
     uses: ./.github/workflows/lint_powershell.yaml
+  scan-secret:
+    name: Security
+    uses: ./.github/workflows/run_secret_scan.yaml
   syntax:
     name: Syntax
-    needs:
-      - test-files
-    if: needs.test-files.outputs.markdown-changes == 'true'
     uses: ./.github/workflows/syntax_check_markdown.yaml
   unit-powershell:
     name: Unit
-    needs:
-      - test-files
-    if: needs.test-files.outputs.powershell-changes == 'true'
     uses: ./.github/workflows/unit_test_powershell.yaml
   unit-opa:
     name: Unit
-    needs:
-      - test-files
-    if: needs.test-files.outputs.rego-changes == 'true'
     uses: ./.github/workflows/unit_test_opa.yaml