From 68630054c689837d20598eecc04c1109d3ac9886 Mon Sep 17 00:00:00 2001
From: MattyA
Date: Tue, 17 Dec 2024 21:08:36 +0000
Subject: [PATCH] #687 WIP to help with the Issue discussion

---
 .../pattern/instantiation.json | 4 ++
 .../policies/encryption-in-transit.json | 8 ++++
 .../policy-encryption-in-transit.json | 47 +++++++++++++++++++
 .../security/schema/policy.json | 36 ++++++++++++++
 .../submit-trade-ticket.json | 13 ++++-
 5 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 calm/domains-example/security/policies/encryption-in-transit.json
 create mode 100644 calm/domains-example/security/policies/policy-encryption-in-transit.json
 create mode 100644 calm/domains-example/security/schema/policy.json

diff --git a/calm/domains-example/pattern/instantiation.json b/calm/domains-example/pattern/instantiation.json
index 19108249..70e60f3d 100644
--- a/calm/domains-example/pattern/instantiation.json
+++ b/calm/domains-example/pattern/instantiation.json
@@ -124,6 +124,10 @@
 {
 "control-requirement-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/schema/permitted-connection.json",
 "control-config-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/cluster-internal-mtls.json"
+ },
+ {
+ "control-requirement-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/schema/encryption-in-transit.json",
+ "control-config-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/"
 }
 ]
 }
diff --git a/calm/domains-example/security/policies/encryption-in-transit.json b/calm/domains-example/security/policies/encryption-in-transit.json
new file mode 100644
index 00000000..9ad72e11
--- /dev/null
+++ b/calm/domains-example/security/policies/encryption-in-transit.json
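Review bot: Neither URL in the new requirement entry resolves to a file this commit adds: `control-requirement-url` names `security/schema/encryption-in-transit.json`, but the schema is created at `security/policies/policy-encryption-in-transit.json`, and `control-config-url` stops at the `security/` directory rather than a document. A consumer that fetches these two URLs to validate the control configuration gets no document back, so the control is declared but cannot be verified. Pointing both at the files added in this commit would be `"control-requirement-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/policies/policy-encryption-in-transit.json"` and `"control-config-url": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/policies/encryption-in-transit.json"`. The enclosing requirements array and its parent object start before this hunk.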
@@ -0,0 +1,8 @@
+{
+ "$schema": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/policies/policy-encryption-in-transit.json",
+ "control-id": "policy-001",
+ "name": "Encryption in transit",
+ "description": "Point to point communication must be encrypted",
+ "statement": "You MUST encrypt all data in transit with an approved protocol using an approved secure cryptographic protocol",
+ "protocol": "mTLS"
+}
\ No newline at end of file
diff --git a/calm/domains-example/security/policies/policy-encryption-in-transit.json b/calm/domains-example/security/policies/policy-encryption-in-transit.json
new file mode 100644
index 00000000..f9994088
--- /dev/null
+++ b/calm/domains-example/security/policies/policy-encryption-in-transit.json
@@ -0,0 +1,47 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/policies/encryption-in-transit.json",
+ "title": "Encryption in Transit policy",
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/schema/policy.json"
+ }
+ ],
+ "properties": {
+ "control-id": {
+ "const": "Policy-01"
+ },
+ "name": {
+ "const": "Encryption in transit"
+ },
+ "description": {
+ "const": "Point to point communication must be encrypted"
+ },
+ "statement": {
+ "const": "You MUST encrypt all data in transit with an approved protocol using an approved secure cryptographic protocol"
+ },
+ "protocol": {
+ "$ref": "#/defs/protocol"
+ }
+
+ },
+ "required": [
+ "control-id",
+ "name",
+ "description",
+ "statement",
+ "protocol"
+ ],
+ "defs": {
+ "protocol": {
+ "enum": [
+ "TLS",
+ "mTLS",
+ "ssh",
+ "smpt"
+ ]
+ }
+ }
+}
+
\ No newline at end of file
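Review bot: The `control-id` value `policy-001` does not satisfy the `"const": "Policy-01"` that the declared `$schema` (policy-encryption-in-transit.json, added in this same commit) places on that property, so this configuration fails validation against its own schema. One side has to move; if the schema is authoritative the line becomes `"control-id": "Policy-01"`, otherwise the `const` in the schema should be `policy-001`. The `$schema` URL also names `policy-encryption-in-transit.json` while that schema's `$id` declares the URL of this data file, so a validator that indexes schemas by `$id` will not associate the two.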
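Review bot: The `$id` on the third line is the URL of the data file (`policies/encryption-in-transit.json`), not of this schema, so `$id`-based resolution and the file's actual location disagree; it should read `"$id": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/policies/policy-encryption-in-transit.json"`. The local definitions sit under a non-keyword `defs` property referenced as `#/defs/protocol`; the declared draft 2020-12 dialect spells this `"$defs"` with `"$ref": "#/$defs/protocol"`, and tooling that enumerates or bundles definitions may not see the non-standard location. In the `protocol` enum, `"smpt"` looks like a typo (presumably `smtp`) and is lower-cased unlike `TLS`/`mTLS`; because this list is the allowed set for an encryption-in-transit policy, each entry should name a protocol that actually encrypts the channel, and a misspelled value means the only spelling that passes validation is one nobody intends to write.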
diff --git a/calm/domains-example/security/schema/policy.json b/calm/domains-example/security/schema/policy.json
new file mode 100644
index 00000000..62f996cd
--- /dev/null
+++ b/calm/domains-example/security/schema/policy.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/domains-example/security/schema/policy.json",
+ "title": "Policy",
+ "type": "object",
+ "allOf": [
+ {
+ "$ref": "https://raw.githubusercontent.com/finos/architecture-as-code/main/calm/draft/2024-08/meta/control-requirement.json"
+ }
+ ],
+ "properties": {
+ "control-id": {
+ "type": "string",
+ "description": "Unique id of the control"
+ },
+ "name": {
+ "type": "string",
+ "description": "Name of the policy"
+ },
+ "description": {
+ "type": "string",
+ "description": "Layman's explanation of the policy"
+ },
+ "statement": {
+ "type": "string",
+ "description": "The policy statement that the Policy adheres to e.g. YOU MUST ENABLE END TO END ENCRYPTION"
+ }
+ },
+ "required": [
+ "control-id",
+ "name",
+ "description",
+ "statement"
+ ]
+ }
+
\ No newline at end of file
diff --git a/calm/samples/2024-10/traderx/flows/submit-trade-ticket/submit-trade-ticket.json b/calm/samples/2024-10/traderx/flows/submit-trade-ticket/submit-trade-ticket.json
index f7813c1b..f2337e05 100644
--- a/calm/samples/2024-10/traderx/flows/submit-trade-ticket/submit-trade-ticket.json
+++ b/calm/samples/2024-10/traderx/flows/submit-trade-ticket/submit-trade-ticket.json
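Review bot: `control-id` is constrained only to `"type": "string"`, and the two sibling files in this commit already disagree on its form (`policy-001` in the configuration versus the `Policy-01` const in the derived schema), which this base schema is the natural place to prevent. A `pattern` (constructed example: `"pattern": "^[A-Za-z]+-[0-9]+$"`) or at minimum `"minLength": 1` would turn identifier drift into a validation error rather than a silent mismatch between a control and its policy. The file also ends with a whitespace-only line and no trailing newline, which most JSON formatters will rewrite on the next touch.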
@@ -43,7 +43,17 @@
 "direction": "destination-to-source"
 }
 ],
- "controls": {
+ "controls": [{
+ "security": {
+ "description": "Encryption in transit control",
+ "requirements": [
+ {
+ "control-requirement-url": "https://calm.finos.org/samples/traderx/controls/flow-sla-control-requirement.json",
+ "control-config": "https://calm.finos.org/samples/traderx/flows/submit-trade-ticket/submit-trade-ticket-control-configuration.json"
+ }
+ ]
+ },
+ },{
 "submit-trade-ticket-sla": {
 "description": "Control requirement for flow SLA",
 "requirements": [
@@ -54,4 +64,5 @@
 ]
 }
 }
+ ]
 }
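Review bot: The new `security` block closes with `},` immediately followed by `},{`, which leaves a trailing comma inside the wrapper object; RFC 8259 parsers reject that, so the sample no longer parses at all. The block is also a placeholder in substance: it is described as `Encryption in transit control` yet its `control-requirement-url` is `flow-sla-control-requirement.json` and its configuration URL is the SLA configuration, and it uses the key `control-config` where instantiation.json in this same commit uses `control-config-url`, so a consumer would either validate the wrong requirement or find no config at all. Turning `controls` from an object keyed by control name into an array of single-key objects changes the field's type for every existing consumer; if the goal is a second control, adding `"security": { ... }` as another key in the original object keeps the shape stable and makes the closing `]` added in the second hunk unnecessary. The `submit-trade-ticket-sla` entry continues outside this hunk.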