feat: Added configuration and basic logging to hyperproof sync. (#9)

Author: jamesiarmes

.github/workflows/ruby.yaml

@@ -60,7 +60,7 @@ jobs:
           working-directory: ${{ matrix.dir }}
       - name: RuboCop Linter
         working-directory: ${{ matrix.dir }}
-        run: bundle exec rubocop
+        run: bundle exec rubocop --format github
 
   spec:
     name: Run ruby tests
@@ -81,4 +81,4 @@ jobs:
           working-directory: ${{ matrix.dir }}
       - name: Run tests
         working-directory: ${{ matrix.dir }}
-        run: bundle exec rspec
+        run: bundle exec rake spec

hyperproof/Gemfile.lock

@@ -6,6 +6,7 @@ PATH
       aws-sdk-configservice (~> 1.128)
       aws-sdk-rds (~> 1.276)
       aws-sdk-resourceexplorer2 (~> 1.36)
+      configsl (~> 1.0)
       csv (~> 3.3)
       faraday (~> 2.13)
       faraday-multipart (~> 1.1)
@@ -72,11 +73,14 @@ GEM
     benchmark (0.4.0)
     bigdecimal (3.1.9)
     concurrent-ruby (1.3.4)
+    configsl (1.0.2)
+      facets (~> 3.1)
     connection_pool (2.5.3)
     csv (3.3.4)
     diff-lcs (1.6.2)
     docile (1.4.1)
     drb (2.2.1)
+    facets (3.1.0)
     faraday (2.13.1)
       faraday-net_http (>= 2.0, < 3.5)
       json

hyperproof/cfa-security-controls-hyperproof.gemspec

@@ -27,6 +27,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'aws-sdk-configservice', '~> 1.128'
   s.add_dependency 'aws-sdk-rds', '~> 1.276'
   s.add_dependency 'aws-sdk-resourceexplorer2', '~> 1.36'
+  s.add_dependency 'configsl', '~> 1.0'
   s.add_dependency 'csv', '~> 3.3'
   s.add_dependency 'faraday', '~> 2.13'
   s.add_dependency 'faraday-multipart', '~> 1.1'

hyperproof/lib/cfa_security_controls/hyperproof.rb

@@ -1,25 +1,63 @@
 # frozen_string_literal: true
 
+require_relative 'hyperproof/config'
 require_relative 'hyperproof/entities/label'
 require_relative 'hyperproof/entities/proof'
 require_relative 'hyperproof/proofs'
 
 module CfaSecurityControls
   # Top level module for our gem.
   module Hyperproof
+    @mutex = Mutex.new
+
+    # Set or load the system configuration.
+    #
+    # If no configuration is explicitly set, it will be loaded from the
+    # environment.
+    #
+    # @param config [Config] Configuration to set for the system.
+    def self.config(config = nil)
+      @mutex.synchronize do
+        if config
+          @config = config
+        else
+          @config ||= Config.from_environment
+        end
+      end
+    end
+
     # Collect and upload all proofs to Hyperproof.
     def self.run
       Dir.mktmpdir do |dir|
+        config.logger.info("Writing proofs to #{dir}")
         writer = Writer.new(dir)
         Proofs.proofs.map do |klass|
           proof = klass.new
-          filename = proof.write(writer)
-
-          label = Entities::Label.new(proof.label)
-          label.create unless label.exists?
-          Entities::Proof.new(File.basename(filename), label:).create(filename)
+          filename = collect_proof(proof, writer)
+          Entities::Proof.new(File.basename(filename), label: proof_label(proof))
+                         .create(filename)
         end
       end
     end
+
+    # Collect evidence for a specific proof.
+    #
+    # @param proof [Proofs::Proof] The proof to collect evidence for.
+    # @param writer [Writer] The writer to use for formatting the proof.
+    # @return [String] The filename where the proof was written.
+    private_class_method def self.collect_proof(proof, writer)
+      config.logger.debug("Collecting proof for #{proof.name} (#{proof.label})")
+      proof.write(writer)
+    end
+
+    # Get the label for a proof.
+    #
+    # @param proof [Proofs::Proof] The proof to get the label for.
+    # @return [Entities::Label] The label entity for the proof.
+    private_class_method def self.proof_label(proof)
+      label = Entities::Label.new(proof.label)
+      label.create unless label.exists?
+      label
+    end
   end
 end

hyperproof/lib/cfa_security_controls/hyperproof/clients/aptible.rb

@@ -21,6 +21,13 @@ def databases
 
         private
 
+        # Configuration for the system.
+        #
+        # @return [Config]
+        def config
+          @config ||= CfaSecurityControls::Hyperproof.config
+        end
+
         # Retrieve a token to authenticate with Aptible.
         #
         # This method uses a chain to find the first valid set of credentials:
@@ -62,11 +69,10 @@ def sso_token
         # @return [Aptible::Auth::Token, Boolean] The token for the Aptible API,
         #   or false if the credentials aren't present.
         def basic_auth_token
-          email = ENV.fetch('APTIBLE_USERNAME', nil)
-          password = ENV.fetch('APTIBLE_PASSWORD', nil)
-          return false unless email && password
+          return false unless config.aptible_username && config.aptible_password
 
-          ::Aptible::Auth::Token.create(email:, password:,
+          ::Aptible::Auth::Token.create(email: config.aptible_username,
+                                        password: config.aptible_password,
                                         headers: { 'Authorization' => nil })
         rescue OAuth2::Error
           false

hyperproof/lib/cfa_security_controls/hyperproof/clients/hyperproof.rb

@@ -98,6 +98,13 @@ def proofs(params = {})
 
         private
 
+        # Configuration for the system.
+        #
+        # @return [Config]
+        def config
+          @config ||= CfaSecurityControls::Hyperproof.config
+        end
+
         # Establish a connection to the Hyperproof API.
         #
         # @return [Faraday::Connection] The Faraday connection object.
@@ -117,15 +124,11 @@ def conn
         #
         # @return [String] The authentication token.
         def auth_token
-          unless ENV.key?('HYPERPROOF_CLIENT_ID') && ENV.key?('HYPERPROOF_CLIENT_SECRET')
-            raise Unauthorized, 'Missing Hyperproof credentials'
-          end
-
           response = Faraday.post(
             'https://accounts.hyperproof.app/oauth/token',
             {
-              client_id: ENV.fetch('HYPERPROOF_CLIENT_ID'),
-              client_secret: ENV.fetch('HYPERPROOF_CLIENT_SECRET'),
+              client_id: config.hyperproof_client_id,
+              client_secret: config.hyperproof_client_secret,
               grant_type: 'client_credentials'
             }.to_json,
             {

hyperproof/lib/cfa_security_controls/hyperproof/config.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'configsl'
+
+module CfaSecurityControls
+  module Hyperproof
+    # Configuration for the Hyperproof integration.
+    class Config < ConfigSL::Config
+      option :log_level, type: Symbol, default: :info,
+                         values: %i[debug info warn error]
+
+      option :aptible_username, type: String
+      option :aptible_password, type: String
+      option :hyperproof_client_id, type: String, required: true
+      option :hyperproof_client_secret, type: String, required: true
+
+      def initialize(params = {})
+        super
+        validate!
+      end
+
+      def logger
+        @logger ||= Logger.new($stdout, level: log_level)
+      end
+    end
+  end
+end

hyperproof/spec/spec_helper.rb

@@ -13,8 +13,37 @@
   end
 end
 
-# Include the gem.
+# Include the gem and test helpers.
 require_relative '../lib/cfa-security-controls-hyperproof'
+require_relative 'support/helpers'
+
+RSpec.configure do |config|
+  # Keep the original $stderr and $stdout so that we can suppress output during
+  # tests.
+  original_stderr = $stderr
+  original_stdout = $stdout
+
+  config.include Helpers::Config
+
+  config.before do
+    # Clear the configuration before each test.
+    stub_const('ENV', default_config_env)
+    clear_config
+    allow(File).to receive(:exist?).and_call_original
+  end
+
+  config.before(:all) do
+    # Suppress logger output.
+    $stderr = File.new(File::NULL, 'w')
+    $stdout = File.new(File::NULL, 'w')
+  end
+
+  config.after(:all) do
+    # Restore the original $stderr and $stdout after all tests.
+    $stderr = original_stderr
+    $stdout = original_stdout
+  end
+end
 
 # Include supporting resources.
 require_relative 'support/examples'

hyperproof/spec/support/helpers.rb

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+require_relative 'helpers/config'

hyperproof/spec/support/helpers/config.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Helpers
+  # Test helpers for system configuration.
+  module Config
+    # Clear the current configuration.
+    def clear_config
+      CfaSecurityControls::Hyperproof.instance_variable_set(:@config, nil)
+    end
+
+    # Default configuration environment variables.
+    #
+    # This is useful for tests that need to override the environment, but need
+    # the configuration to be valid.
+    #
+    # @return [Hash] A hash of environment variables.
+    def default_config_env
+      {
+        'APTIBLE_PASSWORD' => 'aptible_password',
+        'APTIBLE_USERNAME' => 'aptible_username',
+        'HYPERPROOF_CLIENT_ID' => 'hyperproof_client_id',
+        'HYPERPROOF_CLIENT_SECRET' => 'hyperproof_client_secret'
+      }
+    end
+
+    # Force the configuration to be valid without actually validating it.
+    #
+    # This is useful for tests that need to run without a valid configuration
+    # but still want to avoid validation errors.
+    #
+    # rubocop:disable RSpec/AnyInstance
+    def force_valid_config
+      allow_any_instance_of(CfaSecurityControls::Hyperproof::Config).to \
+        receive(:validate!).and_return(true)
+    end
+    # rubocop:enable RSpec/AnyInstance
+
+    # Set the configuration for the system.
+    #
+    # @param options [Hash] Options to set in the configuration.
+    # @return [CfaSecurityControls::Hyperproof::Config] The configuration object.
+    def set_config(options = {})
+      config = CfaSecurityControls::Hyperproof::Config.new(options)
+      CfaSecurityControls::Hyperproof.config(config)
+      config
+    end
+  end
+end