PCI DSS pre-release testing (#107)

* fix: try using Buffer for base64
* feat: added authz to control page visibility
* feat: UI for account management
* chore: prepare PCI DSS report release

---------

Co-authored-by: Christopher Langton <chris@vulnetix.com>

.repo/sql/staging.sql

@@ -10,10 +10,24 @@ VALUES (
     );
 INSERT INTO `Session` (kid, orgId, memberUuid, expiry, issued, `secret`)
 VALUES (
-        "18f55ff2-cd8e-4c31-8d62-43bc60d3117e",
+        lower(
+            hex(randomblob(4)) || '-' || hex(randomblob(2)) || '-' || '4' ||
+            substr(hex( randomblob(2)), 2) || '-' ||
+            substr('AB89', 1 + (abs(random()) % 4) , 1)  ||
+            substr(hex(randomblob(2)), 2) || '-' ||
+            hex(randomblob(6))
+        ),
         "8cb6de92-71f8-4a09-81bc-b9181d127db6",
         "d6585822-0a2d-4199-827f-e77563518829",
         1824893666954,
         1735401968528,
         "REPLACEME"
     );
+INSERT INTO `Group` (uuid, `name`)
+VALUES ("8ac52122-b9ae-40fb-b4c6-7c83238ae8d4", "Owner"),
+       ("8ac52122-b9ae-40fb-b4c6-7c83238ae8d5", "Internal Support"),
+       ("8ac52122-b9ae-40fb-b4c6-7c83238ae8d6", "Internal Admin"),
+       ("8ac52122-b9ae-40fb-b4c6-7c83238ae8d7", "Audit"),
+       ("8ac52122-b9ae-40fb-b4c6-7c83238ae8d8", "Triage");
+INSERT INTO MemberGroups (memberUuid, groupUuid)
+VALUES ("d6585822-0a2d-4199-827f-e77563518829", "8ac52122-b9ae-40fb-b4c6-7c83238ae8d4");

Makefile

@@ -79,6 +79,9 @@ git-staging:
 _helpers: ## FOR DOCO ONLY
 	npx wrangler d1 execute vulnetix --local --file ./migrations/0001_init.sql
 	npx wrangler d1 execute vulnetix --remote --command "SELECT * FROM Member;"
+	npx wrangler d1 execute vulnetix --local --command 'PRAGMA table_list;'
+	npx wrangler d1 execute vulnetix --local --command 'PRAGMA table_info("Member");'
+	npx wrangler d1 execute vulnetix --remote --command 'INSERT INTO MemberGroups (memberUuid, groupUuid) VALUES ("a5c8611d-81e9-4cd0-8b16-f3e278064c3e", "8ac52122-b9ae-40fb-b4c6-7c83238ae8d6");'
 	npx prisma migrate diff \
 	--from-empty \
 	--to-schema-datamodel ./prisma/schema.prisma \

migrations/0030_pci_reports.sql

@@ -0,0 +1,95 @@
+-- CreateTable
+CREATE TABLE "Report" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "lastGenerated" INTEGER NOT NULL,
+    "initialDate" INTEGER NOT NULL,
+    "assessmentDueDate" INTEGER NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'draft',
+    "orgId" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "ReportType" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "version" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "ReportingInstructions" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "text" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "Requirement" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "reportTypeId" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "currentlyBestPractice" INTEGER NOT NULL DEFAULT 0,
+    "serviceProvidersOnly" INTEGER NOT NULL DEFAULT 0
+);
+
+-- CreateTable
+CREATE TABLE "TestingProcedure" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "reportTypeId" TEXT NOT NULL,
+    "requirementId" TEXT NOT NULL,
+    "description" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "RequirementResult" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "requirementId" TEXT NOT NULL,
+    "reportId" TEXT NOT NULL,
+    "orgId" TEXT NOT NULL,
+    "detail" TEXT NOT NULL,
+    "assessmentFinding" TEXT NOT NULL DEFAULT 'Not Tested',
+    "method" TEXT,
+    "step1" TEXT NOT NULL DEFAULT '',
+    "step2" TEXT NOT NULL DEFAULT '',
+    "step3" TEXT NOT NULL DEFAULT '',
+    "step4" TEXT NOT NULL DEFAULT ''
+);
+
+-- CreateTable
+CREATE TABLE "RequirementScope" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "orgId" TEXT NOT NULL,
+    "requirementResultId" TEXT NOT NULL,
+    "repoName" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "TestingProcedureResult" (
+    "uuid" TEXT NOT NULL PRIMARY KEY,
+    "testingProcedureId" TEXT NOT NULL,
+    "requirementResultId" TEXT NOT NULL,
+    "reportingDetails" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "_TestingProcedureEvidence" (
+    "A" TEXT NOT NULL,
+    "B" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "_TestingProcedureInstructions" (
+    "A" TEXT NOT NULL,
+    "B" TEXT NOT NULL
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "_TestingProcedureEvidence_AB_unique" ON "_TestingProcedureEvidence"("A", "B");
+
+-- CreateIndex
+CREATE INDEX "_TestingProcedureEvidence_B_index" ON "_TestingProcedureEvidence"("B");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "_TestingProcedureInstructions_AB_unique" ON "_TestingProcedureInstructions"("A", "B");
+
+-- CreateIndex
+CREATE INDEX "_TestingProcedureInstructions_B_index" ON "_TestingProcedureInstructions"("B");

prisma/schema.prisma

@@ -36,13 +36,15 @@ model Org {
     sarif                 SARIFInfo[]
     cdx                   CycloneDXInfo[]
     spdx                  SPDXInfo[]
-    repos                 ProductRepos[]
+    productRepos          ProductRepos[]
     branches              GitBranch[]
     products              Product[]
     tags                  Tags[]
     gitHubPAT             GitHubPAT[]
     gitHubApps            GitHubApp[]
     gitHubOAuth           GitHubOAuth[]
+    reports               Report[]
+    requirementResults    RequirementResult[]
 }
 
 model IntegrationConfig {
@@ -193,33 +195,34 @@ model ProductRepos {
 }
 
 model GitRepo {
-    fullName      String
-    orgId         String
-    org           Org             @relation(fields: [orgId], references: [uuid])
-    ghAppId       Int?
-    ghApp         GitHubApp?      @relation(fields: [ghAppId], references: [installationId])
-    ghPATId       String?
-    ghPAT         GitHubPAT?      @relation(fields: [ghPATId], references: [uuid])
-    ghid          Int?
-    source        String
-    createdAt     Int
-    updatedAt     Int
-    pushedAt      Int
-    defaultBranch String
-    ownerId       Int
-    licenseSpdxId String?
-    licenseName   String?
-    fork          Int             @default(0)
-    template      Int             @default(0)
-    archived      Int             @default(0)
-    visibility    String
-    avatarUrl     String?
-    products      ProductRepos[]
-    sarif         SARIFInfo[]
-    spdx          SPDXInfo[]
-    cdx           CycloneDXInfo[]
-    findings      Finding[]
-    branches      GitBranch[]
+    fullName         String
+    orgId            String
+    org              Org                @relation(fields: [orgId], references: [uuid])
+    ghAppId          Int?
+    ghApp            GitHubApp?         @relation(fields: [ghAppId], references: [installationId])
+    ghPATId          String?
+    ghPAT            GitHubPAT?         @relation(fields: [ghPATId], references: [uuid])
+    ghid             Int?
+    source           String
+    createdAt        Int
+    updatedAt        Int
+    pushedAt         Int
+    defaultBranch    String
+    ownerId          Int
+    licenseSpdxId    String?
+    licenseName      String?
+    fork             Int                @default(0)
+    template         Int                @default(0)
+    archived         Int                @default(0)
+    visibility       String
+    avatarUrl        String?
+    products         ProductRepos[]
+    sarif            SARIFInfo[]
+    spdx             SPDXInfo[]
+    cdx              CycloneDXInfo[]
+    findings         Finding[]
+    branches         GitBranch[]
+    RequirementScope RequirementScope[]
 
     @@id([fullName, orgId])
 }
@@ -486,26 +489,27 @@ model Link {
 }
 
 model Artifact {
-    uuid          String          @id @default(uuid())
+    uuid                      String                   @id @default(uuid())
     // displayIdentifier String
-    type          String // BOM ATTESTATION VDR VEX OTHER
-    date          Int
-    bomFormat     String
-    downloadLinks Link[]
+    type                      String // BOM ATTESTATION VDR VEX OTHER
+    date                      Int
+    bomFormat                 String
+    downloadLinks             Link[]
     // inventoryTypes    String // SOFTWARE HARDWARE CRYPTOGRAPHY SERVICE VULNERABILITY
     // identities        Identity[]
     // Collection        Collection? @relation(fields: [collectionUuid], references: [uuid])
     // collectionUuid    String?
-    sarif         SARIFInfo[]
-    cdx           CycloneDXInfo[]
-    spdx          SPDXInfo[]
-    vex           Triage[]
+    sarif                     SARIFInfo[]
+    cdx                       CycloneDXInfo[]
+    spdx                      SPDXInfo[]
+    vex                       Triage[]
+    testingProcedureEvidences TestingProcedureResult[] @relation("TestingProcedureEvidence")
 }
 
 // model Lifecycle {
 //   uuid  String   @id @default(uuid())
 //   event String // list enum String
-//   date  DateTime
+//   date  Int
 //   Collection     Collection? @relation(fields: [collectionUuid], references: [uuid])
 //   collectionUuid String?
 //   Leaf           Leaf?       @relation(fields: [leafUuid], references: [uuid])
@@ -542,3 +546,93 @@ model Artifact {
 //   Product     Product?    @relation(fields: [productUuid], references: [uuid])
 //   productUuid String?
 // }
+
+model Report {
+    uuid               String              @id @default(uuid())
+    lastGenerated      Int
+    initialDate        Int
+    assessmentDueDate  Int
+    status             String              @default("draft")
+    orgId              String
+    org                Org                 @relation(fields: [orgId], references: [uuid])
+    requirementResults RequirementResult[]
+}
+
+model ReportType {
+    uuid              String             @id @default(uuid())
+    type              String // e.g. "PCI DSS"
+    version           String // e.g. "4.0.1"
+    requirements      Requirement[]
+    testingProcedures TestingProcedure[]
+}
+
+model ReportingInstructions {
+    uuid              String             @id @default(uuid())
+    text              String
+    // Implicit many-to-many relation with TestingProcedure
+    testingProcedures TestingProcedure[] @relation("TestingProcedureInstructions")
+}
+
+model Requirement {
+    uuid                  String              @id @default(uuid())
+    reportTypeId          String
+    reportType            ReportType          @relation(fields: [reportTypeId], references: [uuid])
+    title                 String
+    description           String
+    currentlyBestPractice Int                 @default(0)
+    serviceProvidersOnly  Int                 @default(0)
+    testingProcedures     TestingProcedure[]
+    results               RequirementResult[]
+}
+
+model TestingProcedure {
+    uuid                    String                   @id @default(uuid())
+    reportTypeId            String
+    reportType              ReportType               @relation(fields: [reportTypeId], references: [uuid])
+    requirementId           String
+    requirement             Requirement              @relation(fields: [requirementId], references: [uuid])
+    description             String
+    // Many-to-many relation with ReportingInstructions
+    instructions            ReportingInstructions[]  @relation("TestingProcedureInstructions")
+    testingProcedureResults TestingProcedureResult[]
+}
+
+model RequirementResult {
+    uuid              String                   @id @default(uuid())
+    requirementId     String
+    requirement       Requirement              @relation(fields: [requirementId], references: [uuid])
+    reportId          String
+    report            Report                   @relation(fields: [reportId], references: [uuid])
+    orgId             String
+    org               Org                      @relation(fields: [orgId], references: [uuid])
+    detail            String
+    assessmentFinding String                   @default("Not Tested")
+    method            String?
+    step1             String                   @default("")
+    step2             String                   @default("")
+    step3             String                   @default("")
+    step4             String                   @default("")
+    // Relation to scope and testing procedures results
+    scope             RequirementScope[]
+    results           TestingProcedureResult[]
+}
+
+model RequirementScope {
+    uuid                String            @id @default(uuid())
+    orgId               String
+    requirementResultId String
+    requirementResult   RequirementResult @relation(fields: [requirementResultId], references: [uuid])
+    repoName            String
+    repo                GitRepo           @relation(fields: [repoName, orgId], references: [fullName, orgId])
+}
+
+model TestingProcedureResult {
+    uuid                String            @id @default(uuid())
+    testingProcedureId  String
+    testingProcedure    TestingProcedure  @relation(fields: [testingProcedureId], references: [uuid])
+    requirementResultId String
+    requirementResult   RequirementResult @relation(fields: [requirementResultId], references: [uuid])
+    reportingDetails    String
+    // Implicit many-to-many relation with Artifacts
+    evidence            Artifact[]        @relation("TestingProcedureEvidence")
+}