Fixes from demonstrations in January 2023 (#143)

* Pivots the World Clock API demo to use a GitHub API

* Fixes support for binary evidence types

* Add binary evidence signing test

* Updates the demo configuration for remote lockers on main branches

* Version 1.24.0

Author: ksnavely

CHANGES.md

@@ -1,9 +1,11 @@
-# [UNRELEASED](https://github.com/ComplianceAsCode/auditree-framework/releases/tag/UNRELEASED)
+# [1.24.0](https://github.com/ComplianceAsCode/auditree-framework/releases/tag/v1.24.0)
 
 - [FIXED] Update pre-commit dependencies.
 - [CHANGED] Use python 3.8 in GitHub Actions as newer flake8 does not support less than that.
 - [CHANGED] Dot not update pre-commit hooks during "make develop"
 - [ADDED] Add basic pre-commit hooks.
+- [FIXED] Support for agent signing of binary content
+- [FIXED] Demo fetcher/check for World Clock API replaced with GitHub API example
 
 # [1.23.0](https://github.com/ComplianceAsCode/auditree-framework/releases/tag/v1.23.0)
 

compliance/__init__.py

@@ -13,4 +13,4 @@
 # limitations under the License.
 """Compliance automation package."""
 
-__version__ = '1.23.1'
+__version__ = '1.24.0'

compliance/evidence.py

@@ -80,6 +80,8 @@ def __init__(self, name, category, ttl=DAY, description='', **kwargs):
         self._evidence_dt = kwargs.get('evidence_dt')
         self._raw_content = None
         self._signature = None
+        self.binary_content = kwargs.get('binary_content', False)
+        self.filtered_content = kwargs.get('filtered_content', False)
 
     @classmethod
     def from_evidence(cls, evidence):
@@ -223,8 +225,12 @@ def set_content(self, content, sign=True):
         if self.extension == 'json':
             self._content = format_json(json.loads(content))
         if sign:
+            if self.binary_content:
+                data_bytes = self._content
+            else:
+                data_bytes = self._content.encode()
             self._digest, self._signature = self.agent.hash_and_sign(
-                self._content.encode()
+                data_bytes
             )
 
     def set_digest(self, digest):
@@ -291,8 +297,6 @@ def __init__(self, *args, **kwargs):
         )
         self.part_fields = partition.get('fields')
         self.part_root = partition.get('root')
-        self.binary_content = kwargs.get('binary_content', False)
-        self.filtered_content = kwargs.get('filtered_content', False)
 
     @property
     def is_partitioned(self):

demo/auditree_demo.json

@@ -1,6 +1,7 @@
 {
   "locker": {
-      "url": "https://github.com/MY_ORG/MY_EVIDENCE_REPO"
+      "default_branch": "main",
+      "repo_url": "https://github.com/MY_ORG/MY_EVIDENCE_REPO"
   },
   "notify": {
     "slack": {

demo/controls.json

@@ -1,5 +1,5 @@
 {
   "arboretum.auditree.checks.test_python_packages.PythonPackageCheck": ["demo.arboretum.accred"],
-  "demo_examples.checks.test_world_clock.WorldClockCheck": ["demo.custom.accred"],
+  "demo_examples.checks.test_github_api_versions.GitHubAPIVersionsCheck": ["demo.custom.accred"],
   "demo_examples.checks.test_image_content.ImageCheck": ["demo.custom.accred"]
 }

demo/demo_examples/checks/test_github_api_versions.py

@@ -0,0 +1,72 @@
+# -*- mode:python; coding:utf-8 -*-
+# Copyright (c) 2020 IBM Corp. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import json
+
+from compliance.check import ComplianceCheck
+from compliance.evidence import with_raw_evidences
+
+class GitHubAPIVersionsCheck(ComplianceCheck):
+    """Perform analysis on GitHub supported versions API response evidence."""
+
+    @property
+    def title(self):
+        """
+        Return the title of the checks.
+
+        :returns: the title of the checks
+        """
+        return 'GitHub API Versions'
+
+    @with_raw_evidences('github/api_versions.json')
+    def test_supported_versions(self, evidence):
+        """
+        Check whether there are any supported versions.
+
+        Always warn about something, for demo purposes.
+        """
+        version_list = json.loads(evidence.content)
+        versions_str = ', '.join(version_list)
+        if not version_list:
+            self.add_failures(
+                'Supported GitHub API Versions Violation',
+                f'No API versions were indicated as supported by GitHub.'
+            )
+        elif len(version_list) == 1:
+            self.add_warnings(
+                'Supported GitHub API Versions Warning',
+                f'There is only one supported version. Get with the program: {versions_str}'
+            )
+        elif len(version_list) > 1:
+            self.add_warnings(
+                'Supported GitHub API Versions Warning',
+                f'There are more than one supported versions. Check the docs for the latest changes: {versions_str}'
+            )
+
+    def get_reports(self):
+        """
+        Provide the check report name.
+
+        :returns: the report(s) generated for this check
+        """
+        return ['github/api_versions.md']
+
+    def msg_supported_versions(self):
+        """
+        Supported GitHub API versions check notifier.
+
+        :returns: notification dictionary.
+        """
+        return {'subtitle': 'Supported GitHub API Versions Violation', 'body': None}

demo/demo_examples/checks/test_world_clock.py

@@ -18,10 +18,10 @@
 get_config().add_evidences(
     [
         RawEvidence(
-            'world_clock_utc.json',
-            'time',
+            'api_versions.json',
+            'github',
             DAY,
-            'Coordinated Universal Time'
+            'Supported GitHub API versions'
         ),
         RawEvidence(
             'auditree_logo.png',
@@ -31,10 +31,10 @@
             binary_content=True
         ),
         ReportEvidence(
-            'world_clock.md',
-            'time',
+            'api_versions.md',
+            'github',
             DAY,
-            'World Clock Analysis report.'
+            'Supported GitHub versions report.'
         ),
         ReportEvidence(
             'image_check.md',

demo/demo_examples/evidences/__init__.py

@@ -11,17 +11,22 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+import json
 
 from compliance.evidence import store_raw_evidence
 from compliance.fetch import ComplianceFetcher
 
-class WorldClockFetcher(ComplianceFetcher):
-    """Fetch the current coordinated universal time."""
+class GitHubAPIVersionsFetcher(ComplianceFetcher):
+    """Fetch the current supported GitHub API versions."""
 
-    @store_raw_evidence('time/world_clock_utc.json')
-    def fetch_world_clock_utc(self):
-        """Fetch the universal time."""
-        session = self.session('http://worldclockapi.com/api/json')
-        clock = session.get('utc/now')
-        clock.raise_for_status()
-        return clock.text
+    @store_raw_evidence('github/api_versions.json')
+    def fetch_api_versions(self):
+        """Fetch the current supported GitHub API versions."""
+        # This is where you might e.g. fetch your evidence
+        # from a remote API
+        session = self.session('https://api.github.com/')
+        versions = session.get(
+            'versions',
+            headers={"Accept": "application/json"})
+        versions.raise_for_status()
+        return versions.text

…o_examples/fetchers/fetch_world_clock.py …es/fetchers/fetch_github_api_versions.pydemo/demo_examples/fetchers/fetch_world_clock.py renamed to demo/demo_examples/fetchers/fetch_github_api_versions.py demo/demo_examples/fetchers/fetch_world_clock.py renamed to demo/demo_examples/fetchers/fetch_github_api_versions.py

@@ -15,7 +15,7 @@ limitations under the License.
 #}
 # {{ test.title }} Report: {{ now.strftime('%Y-%m-%d') }}
 
-This report contains all world clock check violations.
+This report contains all GitHub API versions violations
 
 {% if test.total_issues_count(results) == 0 %}
 **No violations found!**