Merge pull request #180 from 18F/build-fix
fix schema violations
jcscottiii authored Aug 31, 2016
2 parents 238c8f9 + 821f5b7 commit d4415d8
Showing 26 changed files with 71 additions and 44 deletions.
5 changes: 1 addition & 4 deletions .travis.yml
@@ -7,11 +7,8 @@ python:

cache: pip

install:
before_install:
- git clone https://github.com/opencontrol/schemas
- travis_retry pip install pytest
- travis_retry pip install pykwalify
- travis_retry pip install pyyaml

script:
- py.test
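Review bot: with the three `travis_retry pip install` lines deleted and `install:` renamed to `before_install:`, the job no longer has an explicit install step and relies on Travis's default behaviour for Python projects of running `pip install -r requirements.txt`; that only works because `requirements.txt` is introduced in this same commit, so either keep the step explicit (`install: pip install -r requirements.txt`) or mention the dependency in the commit message. Separately, `git clone https://github.com/opencontrol/schemas` checks out whatever `master` happens to be at build time, so an upstream schema change can break or silently relax this validation; pin the clone to a tag or commit (for example `git clone --branch <tag> ...`, or a `git checkout <sha>` after the clone) so results are reproducible.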
4 changes: 2 additions & 2 deletions AC_Policy/component.yaml
@@ -239,7 +239,7 @@ satisfies:
narrative:
- key: a
text: |
18F implements Identity and Access Management (IAM)
18F implements Identity and Access Management (IAM)
roles and individual user accounts for separation of duties at the AWS layer.
For Cloud Foundry access, cloud.gov uses UAA role based access controls (RBAC) to
maintain separation of duties.
@@ -481,7 +481,7 @@ satisfies:
be handled at the application level and is the responsibility of the application
system owner.
standard_key: NIST-800-53
schema_version: "3.0.0"
schema_version: "3.1.0"
verifications:
- key: POLICY_DOC
name: Policy Document
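Review bot: `schema_version: "3.1.0"` is quoted here while every other component file in this commit writes it bare (`schema_version: 3.1.0`). Both parse to the string `3.1.0`, so this is style only, but pick one form across the repository so a later reader does not wonder whether the quoting is significant.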
2 changes: 1 addition & 1 deletion AT_Policy/component.yaml
@@ -53,7 +53,7 @@ satisfies:
security awareness training for 18F staff. currently reviewing the SEI training
programs for Secure DevOps and Online line Learning management system.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
2 changes: 1 addition & 1 deletion AU_Policy/component.yaml
@@ -241,7 +241,7 @@ satisfies:
narrative:
- text: In Progress
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
verifications:
- key: POLICY_DOC
name: Policy Document
2 changes: 1 addition & 1 deletion CA_Policy/component.yaml
@@ -1,5 +1,5 @@
---
schema_version: 3.0.0
schema_version: 3.1.0
documentation_complete: false
name: Security Assessment and Authorization Policy for 18F
satisfies:
2 changes: 1 addition & 1 deletion CICloudGov/component.yaml
@@ -16,7 +16,7 @@ satisfies:
text: |
18F incorporates flaw remediation into the its configuration management process. New versions of cloud.gov can easily recreated and deployed in the event of any system flaws.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
verifications:
- key: CONCOURSE_PIPELINE
name: CI cloud.gov Concourse Pipeline
2 changes: 1 addition & 1 deletion CM_Policy/component.yaml
@@ -290,7 +290,7 @@ satisfies:
of the system or recognized by another system as a component within that systems
inventory.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
verifications:
- key: POLICY_DOC
name: Policy Document
24 changes: 24 additions & 0 deletions CONTRIBUTING.md
@@ -17,3 +17,27 @@ the [CC0 1.0 Universal public domain dedication](https://creativecommons.org/pub
All contributions to this project will be released under the CC0
dedication. By submitting a pull request, you are agreeing to comply
with this waiver of copyright interest.

## Validating the data

To check that the schema is valid, run:

1. Clone (or update) the [schemas](https://github.com/opencontrol/schemas) repository into this one.

```bash
git clone https://github.com/opencontrol/schemas.git
# or
cd schemas && git pull origin master && cd ..
```

1. Install the dependencies.

```bash
pip install -r requirements.txt
```

1. Run the tests.

```bash
py.test
```
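Review bot: the sentence "To check that the schema is valid, run:" describes the wrong thing: `py.test` validates the `*/component.yaml` data files against the OpenControl schema, not the schema itself, so say "To check that the component data is valid against the schema". The clone/pull step also tracks `master` of the schemas repository, so a contributor and CI may validate against different schema revisions; name the schema version (3.1.0, matching the `schema_version` bumps in this commit) or the tag to check out, and note that `pip install -r requirements.txt` is expected to run inside a virtualenv.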
2 changes: 1 addition & 1 deletion CP_Policy/component.yaml
@@ -337,7 +337,7 @@ satisfies:
- text: |
This control is not applicable to the cloud.gov information system. cloud.gov is not transaction based.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- description: "GIVEN the github link - <policy> THEN the policy has been updated\
2 changes: 1 addition & 1 deletion CloudCheckr/component.yaml
@@ -124,4 +124,4 @@ satisfies:
text: |
For changes related to the virtual infrastructure, 18F uses VisualOps and Cloud Checkr for real-time configuration changes which are documented, approved and tracked within GitHub. All Cloud Foundry configuration changes are documented, approved and tracked within 18F's GitHub site.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
2 changes: 1 addition & 1 deletion ELKStack/component.yaml
@@ -74,4 +74,4 @@ satisfies:
- text: |
The cloud.gov platform as a service generates audit logs from its Loggregator component and is passed through the ELK stack to produce audit records which contain sufficient information to establish at a minimum: what type of event occurred, when (date and time the event occurrence) the source of the event the outcome (success or failure) of the event the identity of any user/subject associated with the event
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
2 changes: 1 addition & 1 deletion IA_Policy/component.yaml
@@ -205,7 +205,7 @@ satisfies:
- text: |
NA - cloud.gov delegates authentication to an enterprise single sign on (SSO) system.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
5 changes: 2 additions & 3 deletions IR_Policy/component.yaml
@@ -1,5 +1,5 @@
---
schema_version: 3.0.0
schema_version: 3.1.0
documentation_complete: false
name: Incident Response for cloud.gov
satisfies:
@@ -35,9 +35,8 @@ satisfies:
implementation_status: planned
narrative:
- text: |
cloud.gov will create test plans and exercises in accordance to NIST 800-62, and it will present these to the cloud.gov Authorizing Official for their approval.
cloud.gov will create test plans and exercises in accordance to NIST 800-61 (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf), and it will present these to the cloud.gov Authorizing Official for their approval.
cloud.gov will test its incident response capabilities and related exercises annually.
link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
standard_key: NIST-800-53
- control_key: IR-3 (2)
covered_by: []
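Review bot: two unrelated changes are folded into this hunk: the reference is corrected from NIST 800-62 to NIST 800-61 (a content fix that deserves its own line in the commit message), and the structured `link:` field is removed in favour of a URL pasted into the narrative text. "fix schema violations" does not say why `link:` had to go; if the 3.1.0 schema no longer permits `link` on a narrative entry, state that in the message so the removal is not read as accidental data loss, and say where references are meant to live under the new schema. Grammar nit in the retained sentence: "in accordance with NIST 800-61", not "in accordance to".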
2 changes: 1 addition & 1 deletion JumpBox/component.yaml
@@ -71,4 +71,4 @@ satisfies:
- text: |
Access keys and user accounts can be revoked using IAM. Sessions terminate after 10 minutes.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
2 changes: 1 addition & 1 deletion MA_Policy/component.yaml
@@ -143,7 +143,7 @@ satisfies:
- text: |
This control is inherited from the AWS GovCloud FedRAMP implementation.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
2 changes: 1 addition & 1 deletion MP_Policy/component.yaml
@@ -103,7 +103,7 @@ satisfies:
- text: |
This control is not Applicable to the Cloud.Gov Platform. There are no physical media devices used and Cloud.Gov information system components are virtualized. All network hardware and server components are the responsibility of the underlying Infrastructure as a service provider
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- description: "GIVEN the github link - <policy> THEN the policy has been updated\
2 changes: 1 addition & 1 deletion PE_Policy/component.yaml
@@ -207,7 +207,7 @@ satisfies:
text: |
All physical and Environmental Security Controls for the Cloud.Gov information system are managed and inherited by the AWS Infrastructure as a Service layer.
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
2 changes: 1 addition & 1 deletion PL_Policy/component.yaml
@@ -55,7 +55,7 @@ satisfies:
18F ensures that planned information security architecture changes are reflected in the security plan and organizational procurements/acquisitions.
18F follows the risk management framework (RMF) which includes conducting annual risk assessments for its information systems and infrastructure. Any changes are then updated in systems security plans, plan of actions and milestones POA&Ms, security assessment reports (SAR)
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
2 changes: 1 addition & 1 deletion PS_Policy/component.yaml
@@ -153,7 +153,7 @@ satisfies:
text: |
the amount of time that it takes to verify that a security breach as occurred
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
2 changes: 1 addition & 1 deletion RA_Policy/component.yaml
@@ -29,7 +29,7 @@ satisfies:
text: |
18F shares information obtained from the vulnerability scanning process and security control assessments with designated System Owners, DevOps, GSA SecOps, ISSM and the Authorizing Official (AO) to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
system: 18F
verifications:
- key: POLICY_DOC
14 changes: 6 additions & 8 deletions SA_Policy/component.yaml
@@ -1,4 +1,4 @@
schema_version: 3.0.0
schema_version: 3.1.0
documentation_complete: false
name: System and Services Acquisition Policy for 18F
satisfies:
@@ -324,13 +324,6 @@ satisfies:
- key: b
text: |-
cloud.gov performs unit and integration testing on the sytem on each deployment.
parameters:
- key: SA-11
text: |
unit and integration
- key: SA-11
text: |
cloud.gov
- key: c
text: |-
Testing is done automatically and tracked using tools like Nessus, OWASP and Concourse.
@@ -340,6 +333,11 @@ satisfies:
- key: e
text: |-
Flaws are identified by automated tools and false positives are marked as such.
parameters:
- key: SA-11
text: unit and integration
- key: SA-11
text: cloud.gov
standard_key: NIST-800-53
- control_key: SA-11 (1)
covered_by:
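Review bot: moving `parameters:` out from between narrative items `b` and `c` to after item `e` fixes the nesting (it was sitting inside `narrative`), but the block that is re-added still contains two entries with the same `key: SA-11`, one with text `unit and integration` and one with `cloud.gov`. A consumer that builds a map keyed on `key` will keep only one of them; these likely need distinct keys naming the two SA-11 parameter placeholders, or a single entry. The switch from `text: |` block scalars to plain scalars is fine, but note it drops the trailing newline from the values, which matters only if something compares the rendered text byte for byte.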
7 changes: 4 additions & 3 deletions SC_Policy/component.yaml
@@ -1,5 +1,5 @@
---
schema_version: 3.0.0
schema_version: 3.1.0
documentation_complete: false
name: System and Communications Protection Policy for cloud.gov
satisfies:
@@ -20,7 +20,8 @@ satisfies:
This 18F policy contains a protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
18F's "Before You Ship" guide facilitates the implementation of the system and communications protection policy and associated system and communications protection controls.
link: https://github.com/18F/before-you-ship/
See https://github.com/18F/before-you-ship/ for more information.
- key: b
text: |
Reviews and updates the current System and Communications Protection Policy every three years.
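Review bot: same pattern as in IR_Policy: the `link:` field is dropped and its URL is appended to the narrative as "See https://github.com/18F/before-you-ship/ for more information." The two files now embed references in different styles (a parenthesised URL in IR_Policy, a trailing "See ..." sentence here); settle on one, and explain in the commit message why `link:` had to be removed (presumably a constraint of the 3.1.0 schema), since nothing else in the diff accounts for it.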
@@ -54,7 +55,7 @@ satisfies:
cloud.gov limits the effects of Volume Based and Protocol DoS type attacks by utilizing the following groups of technical measures:
18F administrative staff maintains hardened Amazon Managed Images (AMI) and Cloud Foundry custom buildpacks with the latest patches and updates.
Buildpacks provide framework and runtime support for applications that are deployed on cloud.gov. The AMI and custom buildpacks are maintained and secured within 18F's software repository, GitHub.
cloud.gov also uses AWS's IaaS services with well-formed Virtual Private Cloud (VPC) firewall rules to reduce the attack surface, while service resiliency is maintained by utilizing AWS Availability Zones, Elastic Load Balancing, and Auto Scaling services.
2 changes: 1 addition & 1 deletion SI_Policy/component.yaml
@@ -1,5 +1,5 @@
---
schema_version: 3.0.0
schema_version: 3.1.0
documentation_complete: false
name: System and Information Integrity Policy for 18F
satisfies:
2 changes: 1 addition & 1 deletion SecureProxy/component.yaml
@@ -28,4 +28,4 @@ satisfies:
Application developers push their code using the Cloud Foundry API. Cloud Foundry
secures each call to the CF API using the UAA and SSL
standard_key: NIST-800-53
schema_version: 3.0.0
schema_version: 3.1.0
3 changes: 3 additions & 0 deletions requirements.txt
@@ -0,0 +1,3 @@
pykwalify~=1.5.1
pytest~=3.0.0
PyYAML~=3.11
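Review bot: `~=` is a compatible-release specifier, so `pytest~=3.0.0` accepts any 3.0.x and `PyYAML~=3.11` accepts any 3.x from 3.11 up to but not including 4.0; two CI runs can therefore resolve different versions. For a validation job whose result should be reproducible, pin exact versions with `==` and bump deliberately. Note too that keeping PyYAML on the 3.x line means `yaml.load` without an explicit `Loader` is the full loader, which can construct arbitrary Python objects from tagged YAML, so the test code that consumes these files should use `yaml.safe_load`.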
17 changes: 11 additions & 6 deletions test_data_valid.py
@@ -1,20 +1,25 @@
from glob import iglob
from pykwalify.core import Core

import yaml

def get_schema(version):
path = 'schemas/kwalify/component/v{}.yaml'.format(version)
contents = open(path)
return yaml.load(contents)

def get_schema():
return yaml.load(open('schemas/opencontrol-component-kwalify-schema.yaml'))

def create_validator(source_data):
version = source_data.get('schema_version', '1.0.0')
schema = get_schema(version)
validator = Core(source_data={}, schema_data=schema)
validator.source = source_data
return validator

def test_component_data_valid():
""" Check that the content of data fits with masonry schema v2 """
validator = Core(source_data={}, schema_data=get_schema())
for component_file in iglob('*/component.yaml'):
print(component_file)
source_data = yaml.load(open(component_file))
validator.source = source_data
validator = create_validator(source_data)
try:
validator.validate(raise_exception=True)
except:
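Review bot: `yaml.load(open(...))` is used for the schema and for every `component.yaml` without a `Loader=` argument; with the PyYAML 3.x range pinned in `requirements.txt` that is the full loader, which instantiates arbitrary Python objects from `!!python/...` tags, so a mistaken or hostile component file could run code in CI. Use `yaml.safe_load` in both `get_schema` and the test loop. Three smaller points: `create_validator` falls back to `'1.0.0'` when `schema_version` is absent, so a file that forgot the field is quietly validated against the oldest schema instead of failing, which defeats the purpose of this commit; the file objects from `open(path)` are never closed (use `with open(path) as f:`); and the bare `except:` also swallows `KeyboardInterrupt` and `SystemExit`, so catch the validation exception pykwalify raises (or at least `Exception`).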