Initial commit

Author: ssherar

.github/workflows/build-and-upload.yml

@@ -0,0 +1,34 @@
+name: Build and Upload Artifacts
+
+on:
+  workflow_call:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: latest
+      - name: Run OPA Build
+        run: |
+          mkdir -p dist/
+          opa build -b policies -o dist/bundle.tar.gz
+      - name: Bundle
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/bundle.tar.gz
+      - name: Install gooci cli
+        run: go install github.com/compliance-framework/gooci@latest
+      - name: Authenticate gooci cli
+        run: gooci login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+      - name: gooci Upload Version
+        run: gooci upload-single dist/bundle.tar.gz ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}}
+      - name: gooci Upload Latest
+        if: "!github.event.release.prerelease"
+        run: gooci upload-single dist/bundle.tar.gz ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+        

.github/workflows/push.yaml

@@ -0,0 +1,13 @@
+name: Push
+
+on:
+  pull_request:
+  push:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test.yml

.github/workflows/release.yml

@@ -0,0 +1,13 @@
+name: New Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  release:
+    permissions:
+      packages: write
+      contents: write
+    uses: ./.github/workflows/build-and-upload.yml

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: OPA Test
+
+on:
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: latest
+
+      - name: Run OPA Tests
+        run: opa test policies
+
+      - name: Run OPA Check
+        run: opa check policies

.gitignore

@@ -0,0 +1,3 @@
+.idea/
+data/
+dist/

Makefile

@@ -0,0 +1,65 @@
+# Makefile for building and pushing OPA policies to a registry
+
+# Variables
+REGISTRY_URL := ghcr.io
+NAMESPACE := chris-cmsoft
+POLICY_NAME := local-ssh-policies
+VERSION := latest
+POLICY_DIR := ./ssh # Directory containing your .rego files
+
+# Build and Push Commands
+.PHONY: all build bundle push clean
+
+# Default action
+all: test check build push clean
+
+# Check if OPA CLI is installed
+OPA := $(shell command -v opa 2> /dev/null)
+ifeq ($(OPA),)
+$(error "opa CLI not found. Please install it: https://www.openpolicyagent.org/docs/latest/cli/")
+endif
+
+# Check if Docker CLI is installed
+
+CONTAINER_CLI := ""
+DOCKER := $(shell command -v docker 2> /dev/null)
+PODMAN := $(shell command -v podman 2> /dev/null)
+ifeq ($(DOCKER),)
+	PODMAN := := $(shell command -v podman 2> /dev/null)
+	ifeq ($(PODMAN),)
+		$(error "either docker or podman CLI is required.")
+	else
+		CONTAINER_CLI = PODMAN
+	endif
+else
+	CONTAINER_CLI = DOCKER
+endif
+
+test:
+	@echo "Testing policies..."
+	@OPA test policies
+
+# Build the policies
+check:
+	@echo "Checking policies..."
+	@opa check policies
+
+# Bundle the policies into a tarball for OCI registry
+build: clean
+	@echo "Bundling policies..."
+	@mkdir -p dist/
+	@opa build -b policies -o dist/bundle.tar.gz
+
+# Push the bundled policies to an OCI-compliant registry
+push: build
+	@echo "Pushing bundle to registry..."
+	@# Log in to the registry if necessary
+	@$(CONTAINER_CLI) login $(REGISTRY_URL)
+	@# Push the bundle as an OCI artifact
+	@$(CONTAINER_CLI) cp dist/bundle.tar.gz $(REGISTRY_URL)/$(NAMESPACE)/$(POLICY_NAME):$(VERSION)
+	@echo "Bundle pushed successfully to $(REGISTRY_URL)/$(NAMESPACE)/$(POLICY_NAME):$(VERSION)"
+
+# Clean up build artifacts
+clean:
+	@echo "Cleaning up..."
+	@rm -f dist/bundle.tar.gz

README.md

@@ -0,0 +1,74 @@
+# Template for policies for use in Compliance Framework plugins
+
+## Testing
+
+
+```shell
+opa test policies
+```
+
+## Bundling
+
+Policies are built into bundle to make distribution easier. 
+
+You can easily build the policies by running 
+```shell
+make build
+```
+
+## Running policies locally
+
+```shell
+opa eval -I -b policies -f pretty data.compliance_framework.local_ssh <<EOF 
+{
+  "passwordauthentication": [
+    "yes"
+  ],
+  "permitrootlogin": [
+    "with-password"
+  ],
+  "pubkeyauthentication": [
+    "no"
+  ]
+}
+EOF
+```
+
+## Writing policies.
+
+Policies are written in the [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) language.
+
+```rego
+package ssh.deny_password_auth
+
+import future.keywords.in
+
+violation[{
+    "title": "Host SSH is using password authentication.",
+    "description": "Host SSH should not use password, as this is insecure to brute force attacks from external sources.",
+    "remarks": "Migrate to using SSH Public Keys, and switch off password authentication."
+}] {
+	"yes" in input.passwordauthentication
+}
+```
+
+## Metadata
+
+Plugins expect policies to contain a metadata section as comments, with a `# METADATA` line to indicate it. This metadata should be in a YAML format, and contain a title and description of the policy. Other configuration can be set also, like the schedule that a policy should run on, or the control that it is linked to.
+
+Any other comments can be added as normal (before and after) with a line separator between them and the metadata.
+
+Here is an example metadata:
+```opa
+# your custom comment
+
+# METADATA
+# title: <your-title>
+# description: <your-description>
+# custom:
+#   controls:
+#     - <control-id>
+#   schedule: "<cron-string>"
+
+# your custom comment
+```

policies/example.rego

@@ -0,0 +1,17 @@
+# METADATA
+# title: <your-title>
+# description: <your-description>
+# custom:
+#   controls:
+#     - <control-id>
+#   schedule: "<cron-string>"
+
+package example
+
+import rego.v1
+
+# Your policy code here
+# e.g.
+allow if {
+    input.example
+}

policies/example_test.rego

@@ -0,0 +1,11 @@
+package example
+
+import rego.v1
+
+import data.example
+
+# Your code here
+# e.g. 
+test_something if {
+    example.allow with input as {"example": true}
+}