✨ Added independent probe for required MFA

Signed-off-by: Eddie Knight <[email protected]>
ossf · Oct 29, 2024 · 1b9a198 · 1b9a198
1 parent 1703089
commit 1b9a198
Show file tree

Hide file tree

Showing 11 changed files with 233 additions and 1 deletion.
diff --git a/clients/git/client.go b/clients/git/client.go
@@ -333,6 +333,10 @@ func (c *Client) GetDefaultBranch() (*clients.BranchRef, error) {
 	return nil, clients.ErrUnsupportedFeature
 }
 
+func (c *Client) GetMFARequired() (required bool, err error) {
+	return required, clients.ErrUnsupportedFeature
+}
+
 func (c *Client) GetOrgRepoClient(ctx context.Context) (clients.RepoClient, error) {
 	return nil, clients.ErrUnsupportedFeature
 }

diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go
@@ -204,6 +204,17 @@ func (client *Client) GetCreatedAt() (time.Time, error) {
 	return client.repo.CreatedAt.Time, nil
 }
 
+func (client *Client) GetMFARequired() (required bool, err error) {
+	org, _, err := client.repoClient.Organizations.Get(context.Background(), client.repourl.owner)
+	if err != nil {
+		return
+	}
+	if org.TwoFactorRequirementEnabled != nil {
+		return *org.TwoFactorRequirementEnabled, nil
+	}
+	return false, nil
+}
+
 func (client *Client) GetOrgRepoClient(ctx context.Context) (clients.RepoClient, error) {
 	dotGithubRepo, err := MakeGithubRepo(fmt.Sprintf("%s/.github", client.repourl.owner))
 	if err != nil {

diff --git a/clients/gitlabrepo/client.go b/clients/gitlabrepo/client.go
@@ -236,6 +236,11 @@ func (client *Client) GetCreatedAt() (time.Time, error) {
 	return client.project.getCreatedAt()
 }
 
+func (c *Client) GetMFARequired() (required bool, err error) {
+	err = fmt.Errorf("GetMFARequired: %w", clients.ErrUnsupportedFeature)
+	return
+}
+
 func (client *Client) GetOrgRepoClient(ctx context.Context) (clients.RepoClient, error) {
 	return nil, fmt.Errorf("GetOrgRepoClient (GitLab): %w", clients.ErrUnsupportedFeature)
 }

diff --git a/clients/localdir/client.go b/clients/localdir/client.go
@@ -194,6 +194,11 @@ func (client *localDirClient) GetDefaultBranchName() (string, error) {
 	return "", fmt.Errorf("GetDefaultBranchName: %w", clients.ErrUnsupportedFeature)
 }
 
+func (c *localDirClient) GetMFARequired() (required bool, err error) {
+	err = fmt.Errorf("GetMFARequired: %w", clients.ErrUnsupportedFeature)
+	return
+}
+
 // ListCommits implements RepoClient.ListCommits.
 func (client *localDirClient) ListCommits() ([]clients.Commit, error) {
 	return nil, fmt.Errorf("ListCommits: %w", clients.ErrUnsupportedFeature)

diff --git a/clients/mockclients/repo_client.go b/clients/mockclients/repo_client.go
diff --git a/clients/ossfuzz/client.go b/clients/ossfuzz/client.go
@@ -197,6 +197,11 @@ func (c *client) GetDefaultBranch() (*clients.BranchRef, error) {
 	return nil, fmt.Errorf("GetDefaultBranch: %w", clients.ErrUnsupportedFeature)
 }
 
+func (c *client) GetMFARequired() (required bool, err error) {
+	err = fmt.Errorf("GetMFARequired: %w", clients.ErrUnsupportedFeature)
+	return
+}
+
 // GetOrgRepoClient implements RepoClient.GetOrgRepoClient.
 func (c *client) GetOrgRepoClient(ctx context.Context) (clients.RepoClient, error) {
 	return nil, fmt.Errorf("GetOrgRepoClient: %w", clients.ErrUnsupportedFeature)

diff --git a/clients/repo_client.go b/clients/repo_client.go
@@ -44,6 +44,7 @@ type RepoClient interface {
 	GetCreatedAt() (time.Time, error)
 	GetDefaultBranchName() (string, error)
 	GetDefaultBranch() (*BranchRef, error)
+	GetMFARequired() (bool, error)
 	GetOrgRepoClient(context.Context) (RepoClient, error)
 	ListCommits() ([]Commit, error)
 	ListIssues() ([]Issue, error)

diff --git a/probes/entries.go b/probes/entries.go
@@ -44,6 +44,7 @@ import (
 	"github.com/ossf/scorecard/v5/probes/hasUnverifiedBinaryArtifacts"
 	"github.com/ossf/scorecard/v5/probes/issueActivityByProjectMember"
 	"github.com/ossf/scorecard/v5/probes/jobLevelPermissions"
+	"github.com/ossf/scorecard/v5/probes/orgRequiresMFA"
 	"github.com/ossf/scorecard/v5/probes/packagedWithAutomatedWorkflow"
 	"github.com/ossf/scorecard/v5/probes/pinsDependencies"
 	"github.com/ossf/scorecard/v5/probes/releasesAreSigned"
@@ -173,7 +174,9 @@ var (
 	}
 
 	// Probes which don't use pre-computed raw data but rather collect it themselves.
-	Independent = []IndependentProbeImpl{}
+	Independent = []IndependentProbeImpl{
+		orgRequiresMFA.Run,
+	}
 )
 
 //nolint:gochecknoinits

diff --git a/probes/orgRequiresMFA/def.yml b/probes/orgRequiresMFA/def.yml
@@ -0,0 +1,30 @@
+# Copyright 2024 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+id: orgRequiresMFA # required
+lifecycle: experimental # required
+short: A short description of this probe
+motivation: >
+ What is the motivation for this probe?
+implementation: >
+ How does this probe work under-the-hood?
+outcome:
+ - If MFA is found to be required, the probe returns OutcomeTrue
+ - IF MFA is not found to be required, the probe returns OutcomeFalse
+ - If the runtime environment does not have authentication for the target project, the probe returns OutcomeNotAvailable
+remediation:
+ onOutcome: False # required
+ effort: Low # required
+ text:
+ - In your project settings, require MFA for all collaborators.
diff --git a/probes/orgRequiresMFA/impl.go b/probes/orgRequiresMFA/impl.go
@@ -0,0 +1,76 @@
+// Copyright 2024 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//nolint:stylecheck
+package orgRequiresMFA
+
+import (
+	"embed"
+	"fmt"
+
+	"github.com/ossf/scorecard/v5/checker"
+	"github.com/ossf/scorecard/v5/finding"
+	"github.com/ossf/scorecard/v5/internal/probes"
+	"github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
+)
+
+//go:embed *.yml
+var fs embed.FS
+
+const (
+	Probe = "orgRequiresMFA"
+)
+
+func init() {
+	// Register independently of any checks
+	probes.MustRegisterIndependent(Probe, Run)
+}
+
+func Run(raw *checker.CheckRequest) (found []finding.Finding, probeName string, err error) {
+	probeName = Probe
+	if raw == nil {
+		err = fmt.Errorf("raw results is nil: %w", uerror.ErrNil)
+		return
+	}
+
+	mfaRequired, err := raw.RepoClient.GetMFARequired()
+	if err != nil {
+		err = fmt.Errorf("getting MFA required: %w", err)
+		return
+	}
+
+	var outcome finding.Outcome
+	if mfaRequired {
+		outcome = finding.OutcomeTrue
+	} else {
+		outcome = finding.OutcomeFalse
+	}
+
+	result, err := finding.NewWith(
+		fs,
+		Probe,
+		"Collaborators require MFA",
+		nil,
+		outcome,
+	)
+
+	if err != nil {
+		err = fmt.Errorf("creating finding: %w", err)
+		return
+	}
+
+	found = append(found, *result)
+
+	return
+}
diff --git a/probes/orgRequiresMFA/impl_test.go b/probes/orgRequiresMFA/impl_test.go
@@ -0,0 +1,84 @@
+package orgRequiresMFA
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/ossf/scorecard/v5/checker"
+	mockrepo "github.com/ossf/scorecard/v5/clients/mockclients"
+	"github.com/ossf/scorecard/v5/finding"
+	"github.com/ossf/scorecard/v5/probes/internal/utils/uerror"
+)
+
+// ConfigurableMockRepoClient mocks RepoClient with configurable return values.
+type ConfigurableMockRepoClient struct {
+	mockrepo.MockRepoClient
+	MFARequired bool
+	ReturnError error
+}
+
+// GetMFARequired returns the pre-set value for MFA requirement.
+func (m *ConfigurableMockRepoClient) GetMFARequired() (bool, error) {
+	return m.MFARequired, m.ReturnError
+}
+
+func (m *ConfigurableMockRepoClient) Close() error { return nil }
+
+func TestProbeCodeApproved(t *testing.T) {
+	t.Parallel()
+	probeTests := []struct {
+		name            string
+		rawResults      *checker.CheckRequest
+		expectedError   error
+		expectedCount   int
+		expectedOutcome finding.Outcome
+	}{
+		{
+			name: "mfa check succeeded",
+			rawResults: &checker.CheckRequest{
+				RepoClient: &ConfigurableMockRepoClient{MFARequired: true, ReturnError: nil},
+			},
+			expectedError:   nil,
+			expectedCount:   1,
+			expectedOutcome: finding.OutcomeTrue,
+		},
+		{
+			name: "error retrieving MFA status",
+			rawResults: &checker.CheckRequest{
+				RepoClient: &ConfigurableMockRepoClient{ReturnError: uerror.ErrNil},
+			},
+			expectedError:   uerror.ErrNil,
+			expectedCount:   0,
+			expectedOutcome: finding.OutcomeFalse,
+		},
+		{
+			name:            "nil raw results",
+			rawResults:      nil,
+			expectedError:   uerror.ErrNil,
+			expectedCount:   0,
+			expectedOutcome: finding.OutcomeFalse,
+		},
+	}
+
+	for _, tt := range probeTests {
+		t.Run(tt.name, func(t *testing.T) {
+			found, probeName, err := Run(tt.rawResults)
+
+			if probeName != Probe {
+				t.Errorf("unexpected probe name: got %v, want %v", probeName, Probe)
+			}
+
+			if !errors.Is(err, tt.expectedError) {
+				t.Errorf("unexpected error: got %v, want %v", err, tt.expectedError)
+			}
+
+			if len(found) != tt.expectedCount {
+				t.Errorf("unexpected number of findings: got %d, want %d", len(found), tt.expectedCount)
+			}
+
+			if len(found) > 0 && found[0].Outcome != tt.expectedOutcome {
+				t.Errorf("unexpected outcome: got %v, want %v", found[0].Outcome, tt.expectedOutcome)
+			}
+		})
+	}
+}