Merge pull request #81 from selenaxiao-nist/main

Implemented initial handshake to S3
usnistgov · Aug 9, 2024 · d9416cb · d9416cb
2 parents 610398a + 2f5d5c9
commit d9416cb
Show file tree

Hide file tree

Showing 7 changed files with 1,402 additions and 1,245 deletions.
diff --git a/.github/ISSUE_TEMPLATE/account_management_request_form.yaml b/.github/ISSUE_TEMPLATE/account_management_request_form.yaml
@@ -3,19 +3,33 @@ description: Submit an account related request
 labels: ['ACCOUNT_REQUEST_RECORD']
 body:
   - type: input
-    id: first-name
+    id: user-first-name
     attributes:
       label: Account Holder First Name
       placeholder: Type here user's first name as it appears in his/her ID.
     validations:
       required: true
   - type: input
-    id: last-name
+    id: user-last-name
     attributes:
       label: Account Holder Last Name
       placeholder: Type here user's last name as it appears in his/her ID.
     validations:
       required: true
+  - type: input
+    id: user-email
+    attributes:
+      label: Account Holder Email
+      placeholder: Type here user's email
+    validations:
+      required: true
+  - type: input
+    id: user-username
+    attributes:
+      label: Account Holder Username
+      placeholder: Type here user's username
+    validations:
+      required: true
   - type: input
     id: requester-name
     attributes:

diff --git a/.github/workflows/account_request_approve.yaml b/.github/workflows/account_request_approve.yaml
@@ -21,6 +21,82 @@ jobs:
           NUMBER: ${{ github.event.issue.number }}
           BODY: >
             Account management request APPROVED by Blossom Management.
-            @usnistgov/blossom-sysdevs please implement by updating the ACL and the SSP.
+            @usnistgov/blossom-sysdevs please ensure the ACL and/or Cognito are updated and the SSP is in sync with the update.
             When implemented, add the ACCOUNT_IMPLEMENTED label and 
-            link this account request issue to the PR with the implementation.
+            link this account request issue to the PR with the implementation.
+
+  parse-issue:
+    needs: request-approved
+    runs-on: ubuntu-20.04
+    outputs:
+      account-modification: ${{ steps.issue-parser.outputs.issueparser_account-modification }}
+      user-first-name: ${{ steps.issue-parser.outputs.issueparser_user-first-name }}
+      user-last-name: ${{ steps.issue-parser.outputs.issueparser_user-last-name }}
+      user-username: ${{ steps.issue-parser.outputs.issueparser_user-username }}
+      user-email: ${{ steps.issue-parser.outputs.issueparser_user-email }}
+      account-type: ${{ steps.issue-parser.outputs.issueparser_account-type }}
+    steps:        
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            .github/ISSUE_TEMPLATE/account_management_request_form.yaml
+          sparse-checkout-cone-mode: false
+
+      - name: Parse issue body
+        uses: stefanbuck/[email protected]
+        id: issue-parser
+        with:
+          template-path: ".github/ISSUE_TEMPLATE/account_management_request_form.yaml"
+
+  create-user:
+    needs: parse-issue
+    if: ${{ needs.parse-issue.outputs.account-modification == 'Create' }}
+    runs-on: ubuntu-20.04
+    steps: 
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Ensure directory exists for created users
+        run: |
+          mkdir -p ato/oscal-artifacts/created_users/
+      
+      - name: Ensure directory exists for created users references
+        run: |
+          mkdir -p ato/oscal-artifacts/reference_created_users/
+
+      - name: Create yaml file for automated user creation
+        env:
+          USER_NAME: "${{ needs.parse-issue.outputs.user-first-name }} ${{ needs.parse-issue.outputs.user-last-name }}"
+          USER_USERNAME: ${{ needs.parse-issue.outputs.user-username }}
+          USER_EMAIL: ${{ needs.parse-issue.outputs.user-email }}
+          USER_ROLE: ${{ needs.parse-issue.outputs.account-type }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+        run: |
+          python ato/secops/create_user.py --user-name "$USER_NAME" --user-username "$USER_USERNAME" --user-email "$USER_EMAIL" --user-role "$USER_ROLE" --issue-number "$ISSUE_NUMBER"
+
+      - name: Store user yaml in repo
+        run: |
+          git config --global user.name "create-user-action[bot]"
+          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH_NAME"
+          git add "ato/oscal-artifacts/created_users/*"
+          git add "ato/oscal-artifacts/reference_created_users/*"
+          git commit -m "Create user request #$ISSUE_NUMBER"
+          git push origin "$BRANCH_NAME"
+        env:
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          BRANCH_NAME: "account-request-${{ github.event.issue.number }}"
+
+      - name: Configure AWS CLI
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
+
+      - name: Copy reference yaml to bucket
+        run: |
+          aws s3 cp --recursive ato/oscal-artifacts/reference_created_users/ s3://"$AWS_BUCKET"
+        env:
+          AWS_BUCKET: ${{ secrets.AWS_BUCKET }}
diff --git a/.github/workflows/account_request_assessment.yaml b/.github/workflows/account_request_assessment.yaml
@@ -12,10 +12,9 @@ jobs:
   if_merged:
     if: github.event.pull_request.merged == true
     runs-on: ubuntu-20.04
-    permissions:
-      issues: write
+#     permissions:
+#       issues: write
     steps:
     - name: Run automated assessment
       run: echo "assessment"
-      # 1. dump empty file to s3 bucket, to initiate connection
-      # 2. query chaincode, code to execute on chaincode for list of supported roles, API command
+      # query chaincode, code to execute on chaincode for list of supported roles, API command
diff --git a/account_workflow.md → .github/workflows/account_workflow.md b/account_workflow.md → .github/workflows/account_workflow.md
@@ -2,13 +2,20 @@
 
 This document explains the workflow of GitHub actions used to automate Blossom service's accounts management.
 
+## Requirements to run Actions
+- [ ] Repository secrets: AWS_ACCESS_KEY, AWS_SECRET_KEY, AWS_REGION, AWS_BUCKET
+- [ ] Issue labels: ACCOUNT_REQUEST_RECORD, ACCOUNT_APPROVED, ACCOUNT_REJECTED, ACCOUNT_IMPLEMENTED
+
 ## Account Request and Creation
 - [ ] The requester requests an account for the Account Holder by creating a new GitHub issue using the Account Request Form.
 - [ ] The Blossom Management group is automatically notified to review the request through GitHub.
 - [ ] One of the Blossom Management (a member of the Blossom Management group) reviews the request and adds a new label to the issue: ACCOUNT_APPROVED or ACCOUNT_REJECTED
 - [ ] If ACCOUNT_REJECTED, the account request issue is automatically closed.
-- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified to implement the account.
-- [ ] Upon completion of creating the account requested, the Blossom Sysdev links the Account Request issue to the Pull Request that implements the account.
+- [ ] If the account is approved and the label ACCOUNT_APPROVED is added, the Blossom Sysdevs group is automatically notified about implementation.
+- [ ] A YAML file is automatically created from information submitted through the Account Request Form, which is pushed to the GitHub repo as a new branch and a condensed version is sent to S3 bucket.
+- [ ] S3 bucket receives the file about the new user to create and sends a trigger to EC2, which implements the new user in Cognito, SSM, ACL, AMB as necessary.
+- [ ] The new user is inserted into the SSP, which is pushed into the GitHub repo to the new branch.
+- [ ] Upon completion of creating the account requested, a Pull Request is automatically created, to link the branch with the Account Request issue.
 - [ ] Upon merging the Pull Request that implements the account, the relevant updated controls are re-assessed automatically. The Blossom Assessors group is then notified to monitor the automated assessment.
 - [ ] TBD: STEPS FOR AUTOMATED ASSESSMENT
 

diff --git a/.sims/handshake/handshake_empty b/.sims/handshake/handshake_empty
diff --git a/ato/secops/create_user.py b/ato/secops/create_user.py
@@ -0,0 +1,61 @@
+import click
+import yaml
+from datetime import datetime
+
+@click.command()
+@click.option('--user-name', required=True, help='Name of user to create')
+@click.option('--user-username', required=True, help='Name of user to create')
+@click.option('--user-email', required=True, help='Email of user to create')
+@click.option('--user-role', required=True, help='Role of user to create')
+@click.option('--location-uuid', help='UUID of physical location of user')
+@click.option('--org-member', help='UUID of organization that user is member of')
+@click.option('--issue-number', help='Issue number of user account request')
+def create_user(user_name, user_username, user_email, user_role, location_uuid, org_member, issue_number):
+    """
+    Creates a yaml file containing information about a new user
+
+    Args:
+        user_name (string): String containing name of new user
+        user_username (string): String containing username of new user
+        user_email (string): String containing email of new user
+        user_role (string): String containing role of new user
+        location_uuid (string): String containing UUID of physical location of user
+        org_member (string): String containing UUID of organization that user is member of
+        issue_number (string): String containing issue number of user account request
+    """
+
+    # Structure of yaml file
+    cmd = {
+    "command" : "create-acl-user|create-cognito-user",
+    "user" : {
+        "name" : f"{user_name}",
+        "username" : f"{user_username}",
+        "email-address":f"{user_email}",
+        "role":f"{user_role}",
+        "location-uuid":f"{location_uuid}",
+        "member-of-organization":f"{org_member}",
+        },
+    }
+
+    # Include timestamp in filename
+    timestamp = datetime.now().strftime("%Y%m%d-%H%M%S")
+
+    # Write to user yaml file (stored in repo)
+    filename = "ato/oscal-artifacts/created_users/created_user_" + timestamp + ".yaml"
+    with open(filename, 'w') as f:
+        print(f"\n\n{yaml.safe_dump(cmd, default_flow_style=False)}", file=f)
+
+    # Structure of yaml file referencing user yaml file
+    reference = {
+        "file": f"{filename}",
+        "issue_number": f"{issue_number}",
+        "branch_name": f"account-request-{issue_number}"
+    }
+
+    # Write to user reference yaml file (sent to S3)
+    filename_reference = "ato/oscal-artifacts/reference_created_users/reference_created_user_" + timestamp + ".yaml"
+    with open(filename_reference, 'w') as f:
+        print(f"\n\n{yaml.safe_dump(reference, default_flow_style=False)}", file=f)
+
+if __name__ == '__main__':
+    create_user()