Add plus constructs

.projenrc.js

@@ -5,7 +5,15 @@ const project = new cdk.JsiiProject({
   defaultReleaseBranch: "main",
   name: "cdktg",
   description: "Agile Threat Modeling as Code",
-  keywords: ["threagile", "cdk", "threat modeling", "stride"],
+  keywords: [
+    "threagile",
+    "cdk",
+    "threat modeling",
+    "stride",
+    "devsecops",
+    "appsec",
+    "constructs",
+  ],
   vscode: true,
   repositoryUrl: "https://github.com/hupe1980/cdk-threagile.git",
   license: "MIT",

src/data-asset.ts

@@ -46,7 +46,7 @@ export class DataAsset extends Resource {
     return {
       [this.node.id]: {
         id: this.uuid,
-        description: this.description,
+        description: this.description ?? null,
         usage: this.usage,
         tags: Array.from(new Set(this.tags)),
         origin: this.origin,

src/index.ts

@@ -19,3 +19,7 @@ export * from "./synthesizer";
 export * from "./technical-asset";
 export * from "./trust-boundary";
 export * from "./usage";
+
+// export submobules
+export * as plus_aws from "./plus-aws";
+export * as plus from "./plus";

src/plus-aws/application-load-balancer.ts

@@ -0,0 +1,53 @@
+import { Construct } from "constructs";
+import {
+  CIATriad,
+  Encryption,
+  Machine,
+  Size,
+  TechnicalAsset,
+  TechnicalAssetType,
+  Technology,
+  Usage,
+} from "..";
+import { SecurityGroup } from "./security-group";
+
+export interface ApplicationLoadBalancerProps {
+  readonly waf?: boolean;
+  readonly securityGroup?: SecurityGroup;
+  readonly description?: string;
+  readonly ciaTriad: CIATriad;
+  readonly tags?: string[];
+}
+
+export class ApplicationLoadBalancer extends TechnicalAsset {
+  public readonly securityGroup: SecurityGroup;
+
+  constructor(
+    scope: Construct,
+    id: string,
+    props: ApplicationLoadBalancerProps
+  ) {
+    super(scope, id, {
+      description: props.description,
+      type: TechnicalAssetType.PROCESS,
+      usage: Usage.BUSINESS,
+      humanUse: false,
+      size: Size.COMPONENT,
+      technology: props.waf ? Technology.WAF : Technology.LOAD_BALANCER,
+      tags: props.tags,
+      internet: false,
+      machine: Machine.VIRTUAL,
+      encryption: Encryption.NONE,
+      owner: "",
+      ciaTriad: props.ciaTriad,
+      multiTenant: true,
+      redundant: true,
+      customDevelopedParts: false,
+    });
+
+    this.securityGroup =
+      props.securityGroup ?? new SecurityGroup(this, `${id} SG`);
+
+    this.securityGroup.addTechnicalAssets(this);
+  }
+}

src/plus-aws/cloud.ts

@@ -0,0 +1,17 @@
+import { Construct } from "constructs";
+import { TrustBoundary, TrustBoundaryType } from "..";
+
+export interface CloudProps {
+  readonly description?: string;
+  readonly tags?: string[];
+}
+
+export class Cloud extends TrustBoundary {
+  constructor(scope: Construct, id: string, props: CloudProps = {}) {
+    super(scope, id, {
+      type: TrustBoundaryType.NETWORK_CLOUD_PROVIDER,
+      description: props.description,
+      tags: props.tags,
+    });
+  }
+}

src/plus-aws/index.ts

@@ -0,0 +1,3 @@
+export * from "./application-load-balancer";
+export * from "./cloud";
+export * from "./security-group";

src/plus-aws/security-group.ts

@@ -0,0 +1,17 @@
+import { Construct } from "constructs";
+import { TrustBoundary, TrustBoundaryType } from "..";
+
+export interface SecurityGroupProps {
+  readonly description?: string;
+  readonly tags?: string[];
+}
+
+export class SecurityGroup extends TrustBoundary {
+  constructor(scope: Construct, id: string, props: SecurityGroupProps = {}) {
+    super(scope, id, {
+      type: TrustBoundaryType.NETWORK_CLOUD_SECURITY_GROUP,
+      description: props.description,
+      tags: props.tags,
+    });
+  }
+}

src/plus/browser.ts

@@ -0,0 +1,41 @@
+import { Construct } from "constructs";
+import {
+  TechnicalAsset,
+  TechnicalAssetType,
+  Usage,
+  Scope,
+  Machine,
+  Encryption,
+  CIATriad,
+  Size,
+  Technology,
+} from "..";
+
+export interface BrowserProps {
+  readonly description?: string;
+  readonly scope: Scope;
+  readonly owner?: string;
+  readonly ciaTriad: CIATriad;
+}
+
+export class Browser extends TechnicalAsset {
+  constructor(scope: Construct, id: string, props: BrowserProps) {
+    super(scope, id, {
+      description: props.description,
+      type: TechnicalAssetType.EXTERNAL_ENTITY,
+      usage: Usage.BUSINESS,
+      humanUse: true,
+      scope: props.scope,
+      size: Size.APPLICATION,
+      technology: Technology.BROWSER,
+      internet: true,
+      machine: Machine.PHYSICAL,
+      encryption: Encryption.NONE,
+      owner: props.owner,
+      ciaTriad: props.ciaTriad,
+      multiTenant: false,
+      redundant: false,
+      customDevelopedParts: false,
+    });
+  }
+}

src/plus/index.ts

@@ -0,0 +1,2 @@
+export * from "./browser";
+export * from "./vault";

src/plus/vault.ts

@@ -0,0 +1,214 @@
+import { Construct } from "constructs";
+import {
+  Authentication,
+  Authorization,
+  Availability,
+  CIATriad,
+  Confidentiality,
+  DataAsset,
+  Encryption,
+  Integrity,
+  Machine,
+  Protocol,
+  Quantity,
+  Size,
+  TechnicalAsset,
+  TechnicalAssetType,
+  Technology,
+  TrustBoundary,
+  TrustBoundaryType,
+  Usage,
+} from "..";
+
+export interface VaultProps {
+  readonly vendor?: string;
+  readonly storageType: StorageType;
+  readonly authtentication: Authentication;
+  readonly multiTenant: boolean;
+  readonly tags?: string[];
+  readonly trustBoundary?: TrustBoundary;
+}
+
+export class Vault extends TechnicalAsset {
+  public readonly configurationSecrets: DataAsset;
+  public readonly vaultStorage?: TechnicalAsset;
+
+  private authentication: Authentication;
+
+  constructor(scope: Construct, id: string, props: VaultProps) {
+    super(scope, id, {
+      description: props.vendor ? `${props.vendor} Vault` : "No Name Vault",
+      type: TechnicalAssetType.PROCESS,
+      usage: Usage.DEVOPS,
+      humanUse: false,
+      tags: props.tags,
+      size: Size.SERVICE,
+      technology: Technology.VAULT,
+      internet: false,
+      machine: Machine.VIRTUAL,
+      encryption: Encryption.TRANSPARENT,
+      owner: "",
+      ciaTriad: new CIATriad({
+        confidentiality: Confidentiality.STRICTLY_CONFIDENTIAL,
+        integrity: Integrity.CRITICAL,
+        availability: Availability.CRITICAL,
+        justification: "Vault components are rated as 'strictly-confidential'.",
+      }),
+      multiTenant: props.multiTenant,
+      redundant: false,
+      customDevelopedParts: false,
+    });
+
+    this.authentication = props.authtentication;
+
+    this.configurationSecrets = new DataAsset(this, "Configuration Secrets", {
+      description:
+        "Configuration secrets (like credentials, keys, certificates, etc.) secured and managed by a vault",
+      usage: Usage.DEVOPS,
+      origin: "",
+      owner: "",
+      quantity: Quantity.VERY_FEW,
+      ciaTriad: new CIATriad({
+        confidentiality: Confidentiality.STRICTLY_CONFIDENTIAL,
+        integrity: Integrity.CRITICAL,
+        availability: Availability.CRITICAL,
+        justification:
+          "Configuration secrets are rated as being 'strictly-confidential'.",
+      }),
+    });
+
+    this.processes(this.configurationSecrets);
+
+    if (props.storageType === StorageType.IN_MEMORY) {
+      this.stores(this.configurationSecrets);
+    }
+
+    if (
+      props.storageType === StorageType.FILESYSTEM ||
+      props.storageType === StorageType.DATABASE
+    ) {
+      this.vaultStorage = new TechnicalAsset(this, "Vault Storage", {
+        description: "Vault Storage",
+        type: TechnicalAssetType.DATASTORE,
+        usage: Usage.DEVOPS,
+        humanUse: false,
+        size: Size.COMPONENT,
+        technology:
+          props.storageType === StorageType.FILESYSTEM
+            ? Technology.FILE_SERVER
+            : Technology.DATABASE,
+        internet: false,
+        machine: Machine.VIRTUAL,
+        encryption: Encryption.SYMMETRIC_SHARED_KEY,
+        owner: "",
+        ciaTriad: new CIATriad({
+          confidentiality: Confidentiality.CONFIDENTIAL,
+          integrity: Integrity.CRITICAL,
+          availability: Availability.CRITICAL,
+          justification:
+            "Vault components are only rated as 'confidential' as vaults usually apply a trust barrier to encrypt all data-at-rest with a vault key.",
+        }),
+        multiTenant: props.multiTenant,
+        redundant: false,
+        customDevelopedParts: false,
+      });
+
+      this.vaultStorage.stores(this.configurationSecrets);
+
+      const vaultStorageAccess = this.communicatesWith(
+        "Vault Storage Access",
+        this.vaultStorage,
+        {
+          description: "Vault Storage Access",
+          protocol:
+            props.storageType === StorageType.FILESYSTEM
+              ? Protocol.LOCAL_FILE_ACCESS
+              : Protocol.SQL_ACCESS_PROTOCOL,
+          authentication: Authentication.CREDENTIALS,
+          authorization: Authorization.TECHNICAL_USER,
+          vpn: false,
+          ipFiltered: false,
+          readonly: false,
+          usage: Usage.DEVOPS,
+        }
+      );
+
+      vaultStorageAccess.sends(this.configurationSecrets);
+      vaultStorageAccess.receives(this.configurationSecrets);
+    }
+
+    if (props.storageType === StorageType.FILESYSTEM) {
+      const vaultEnvironment = new TrustBoundary(this, "Vault Environment", {
+        description: "Vault Environment",
+        type: TrustBoundaryType.EXECUTION_ENVIRONMENT,
+      });
+
+      vaultEnvironment.addTechnicalAssets(this, this.vaultStorage!);
+
+      if (props.trustBoundary) {
+        // nest as execution-environment trust boundary
+        props.trustBoundary.addTrustBoundary(vaultEnvironment);
+      }
+    } else {
+      if (props.trustBoundary) {
+        // place assets inside directly
+        props.trustBoundary.addTechnicalAssets(this);
+
+        if (this.vaultStorage) {
+          props.trustBoundary.addTechnicalAssets(this.vaultStorage);
+        }
+      }
+    }
+  }
+
+  public isUsedBy(client: TechnicalAsset) {
+    const vaultAccessTraffic = client.communicatesWith(
+      `Vault Access Traffic by (${client.node.id})`,
+      this,
+      {
+        description: `Vault Access Traffic by (${client.node.id})`,
+        protocol: Protocol.HTTPS,
+        authentication: this.authentication,
+        authorization: Authorization.TECHNICAL_USER,
+        vpn: false,
+        ipFiltered: false,
+        readonly: true,
+        usage: Usage.DEVOPS,
+      }
+    );
+
+    vaultAccessTraffic.receives(this.configurationSecrets);
+  }
+}
+
+export enum StorageType {
+  /**
+   * Cloud Provider (storage buckets or similar)
+   */
+  CLOUD_PROVIDER = 1,
+
+  /**
+   * Container Platform (orchestration platform managed storage)
+   */
+  CONTAINER_PLATFORM = 2,
+
+  /**
+   * Database (SQL-DB, NoSQL-DB, object store or similar)
+   */
+  DATABASE = 3,
+
+  /**
+   * Filesystem (local or remote)
+   */
+  FILESYSTEM = 4,
+
+  /**
+   * In-Memory (no persistent storage of secrets)
+   */
+  IN_MEMORY = 5,
+
+  /**
+   * Service Registry
+   */
+  SERVICE_REGISTRY = 6,
+}