Fix Add artifact and build retention export and rules #88 (#89)

* Fix Add artifact and build retention export and rules #88
* Add configuration settings for retention rules

Author: webtonize

example/best-practice/ps-rule.yaml

@@ -5,6 +5,8 @@ execution:
   suppressionGroupExpired: Error
 
 configuration:
+  ArtifactMinimumRetentionDays: 7
+  PullRequestRunsMinimumRetentionDays: 7
   ProjectAdminsMinMembers: 2
   ProjectAdminsMaxMembers: 4
   releaseMinimumProductionApproverCount: 1

src/PSRule.Rules.AzureDevOps/Functions/DevOps.RetentionSettings.ps1

@@ -0,0 +1,85 @@
+<#
+    .SYNOPSIS
+    Get retention settings for a project.
+
+    .DESCRIPTION
+    Get retention settings for a project from Azure DevOps REST API.
+
+    .PARAMETER Project
+    The project to get retention settings for.
+
+    .EXAMPLE
+    Get-AzDevOpsRetentionSettings -Project 'MyProject'
+
+    .NOTES
+    This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
+#>
+Function Get-AzDevOpsRetentionSettings {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]
+        $Project
+    )
+    if($null -eq $script:connection) {
+        throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+    }
+    $Organization = $script:connection.Organization
+    $header = $script:connection.GetHeader()
+
+    # Azure DevOps REST API endpoint for project retention settings
+    $settingsUri = "https://dev.azure.com/$($Organization)/$($Project)/_apis/build/retention?api-version=7.1-preview.1"
+    $policyUri = "https://dev.azure.com/$($Organization)/$($Project)/_apis/build/settings?api-version=7.1-preview.1"
+    try {
+        $settingsResponse = Invoke-RestMethod -Uri $settingsUri -Method Get -Headers $header
+        $policyResponse = Invoke-RestMethod -Uri $policyUri -Method Get -Headers $header
+        If($settingsResponse -is [string] -or $policyResponse -is [string]) {
+            throw "Failed to get retention settings for project '$($Project)' from Azure DevOps"
+        }
+    }
+    catch {
+        throw "Failed to get retention settings for project '$($Project)' from Azure DevOps"
+    }
+    return @{
+        RetentionSettings = $settingsResponse
+        RetentionPolicy = $policyResponse
+        ObjectType = 'Azure.DevOps.RetentionSettings'
+        ObjectName = "$Organization.$Project.RetentionSettings"
+    }
+}
+Export-ModuleMember -Function Get-AzDevOpsRetentionSettings
+
+<#
+    .SYNOPSIS
+    Export retention settings for a project to a JSON file.
+
+    .DESCRIPTION
+    Export retention settings for a project to a JSON file from Azure DevOps REST API.
+
+    .PARAMETER Project
+    The project to get retention settings for.
+
+    .PARAMETER OutputPath
+    The path to export the retention settings to.
+
+    .EXAMPLE
+    Get-AzDevOpsRetentionSettings -Project 'MyProject' -OutputPath 'C:\Temp\'
+
+    .NOTES
+    This function requires a connection to Azure DevOps. See Connect-AzDevOps for more information.
+#>
+Function Export-AzDevOpsRetentionSettings {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory=$true)]
+        [string]
+        $Project,
+
+        [Parameter(Mandatory=$true)]
+        [string]
+        $OutputPath
+    )
+    $settings = Get-AzDevOpsRetentionSettings -Project $Project
+    $settings | ConvertTo-Json -Depth 100 | Out-File -FilePath "$OutputPath\$($Project).ret.ado.json"
+}
+Export-ModuleMember -Function Export-AzDevOpsRetentionSettings

src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psm1

@@ -57,6 +57,8 @@ Function Export-AzDevOpsRuleData {
     Export-AzDevOpsReleaseDefinitions -Project $Project -OutputPath $OutputPath
     Write-Verbose "Exporting groups"
     Export-AzDevOpsGroups -Project $Project -OutputPath $OutputPath
+    Write-Verbose "Exporting retention settings"
+    Export-AzDevOpsRetentionSettings -Project $Project -OutputPath $OutputPath
 }
 Export-ModuleMember -Function Export-AzDevOpsRuleData -Alias Export-AzDevOpsProjectRuleData
 # End of Function Export-AzDevOpsRuleData

src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays.md

@@ -0,0 +1,34 @@
+---
+category: Microsoft Azure DevOps Retention Settings
+severity: Severe
+online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays.md
+---
+
+# Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays
+
+## SYNOPSIS
+
+Retention settings for artifacts should be configured to meet compliance
+requirements. For example, a retention policy of 30 days may be required for
+production environments.
+
+## DESCRIPTION
+
+Retention settings for artifacts should be configured to meet compliance
+requirements. For example, a retention policy of 30 days may be required for
+production environments.
+
+This rule requires a minimum retention period of 7 days. The rule is configurable
+to allow a different minimum retention period with the `ArtifactMinimumRetentionDays`
+conifguration setting.
+
+Mininum TokenType: `ReadOnly`
+
+## RECOMMENDATION
+
+Consider setting a minimum retention period of more than 7 days for artifacts.
+
+## LINKS
+
+- [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass)
+

src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays.md

@@ -0,0 +1,32 @@
+---
+category: Microsoft Azure DevOps Retention Settings
+severity: Severe
+online version: https://github.com/cloudyspells/PSRule.Rules.AzureDevOps/blob/main/src/PSRule.Rules.AzureDevOps/en/Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays.md
+---
+
+# Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays
+
+## SYNOPSIS
+
+Retention settings for rull request runs should be configured to meet compliance
+requirements such as 30 days for production environments.
+
+## DESCRIPTION
+
+Retention settings for rull request runs should be configured to meet compliance
+requirements such as 30 days for production environments. 
+
+This rule requires a minimum retention period of 7 days. The rule is configurable
+to allow a different minimum retention period with the 
+`PullRequestRunsMinimumRetentionDays` conifguration setting.
+
+Mininum TokenType: `ReadOnly`
+
+## RECOMMENDATION
+
+Consider setting a minimum retention period of more than 7 days for pull request runs.
+
+## LINKS
+
+- [Define approvals and checks](https://learn.microsoft.com/en-us/azure/devops/pipelines/process/approvals?view=azure-devops&tabs=check-pass)
+

src/PSRule.Rules.AzureDevOps/rules/AzureDevOps.RetentionSettings.Rule.ps1

@@ -0,0 +1,33 @@
+# PSRule rule definitions for Azure DevOps Retention Settings
+
+# Synopsis: Retention settings should allow for artifacts to be retained for a minimum of 7 days
+Rule 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' `
+    -Ref 'ADO-RET-001' `
+    -Type 'Azure.DevOps.RetentionSettings' `
+    -Tag @{ release = 'GA'} `
+    -Level Warning {
+        # Description "Retention settings allow for artifacts to be retained for a minimum of 7 days"
+        Reason "Retention settings allow for artifacts to be retained for at least 7 days"
+        Recommend "Consider increasing the minimum retention days to 7 days"
+        # Links "https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/retention?view=azure-devops#minimum-retention-days"
+        AllOf {
+            $Assert.HasField($TargetObject, "RetentionSettings.purgeArtifacts.value", $true)
+            $Assert.GreaterOrEqual($TargetObject, "RetentionSettings.purgeArtifacts.value", $Configuration.GetValueOrDefault('ArtifactMinimumRetentionDays', 7))
+        }
+}
+
+# Synopsis: Retention settings should allow pull request runs to be retained at least 7 days
+Rule 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' `
+    -Ref 'ADO-RET-002' `
+    -Type 'Azure.DevOps.RetentionSettings' `
+    -Tag @{ release = 'GA'} `
+    -Level Warning {
+        # Description "Retention settings should allow pull request runs to be retained at least 7 days"
+        Reason "Retention settings should allow pull request runs to be retained at least 7 days"
+        Recommend "Consider increasing the minimum retention days to 7 days"
+        # Links "https://docs.microsoft.com/en-us/azure/devops/pipelines/policies/retention?view=azure-devops#minimum-retention-days"
+        AllOf {
+            $Assert.HasField($TargetObject, "RetentionSettings.purgePullRequestRuns.value", $true)
+            $Assert.GreaterOrEqual($TargetObject, "RetentionSettings.purgePullRequestRuns.value", $Configuration.GetValueOrDefault('PullRequestRunsMinimumRetentionDays', 7))
+        }
+}

tests/DevOps.Groups.Tests.ps1

@@ -297,3 +297,8 @@ Describe "Azure.DevOps.Group" {
         }
     }
 }
+
+AfterAll {
+    Disconnect-AzDevOps
+    Remove-Module -Name PSRule.Rules.AzureDevOps -Force
+}

tests/DevOps.RetentionSettings.Tests.ps1

@@ -0,0 +1,142 @@
+BeforeAll {
+    $rootPath = $PWD;
+    Import-Module -Name (Join-Path -Path $rootPath -ChildPath '/src/PSRule.Rules.AzureDevOps/PSRule.Rules.AzureDevOps.psd1') -Force;
+}
+
+Describe 'Azure.DevOps.RetentionSettings' {
+    Context ' Get-AzDevOpsRetentionSettings without a connection' {
+        It 'should throw an error' {
+            { 
+                Disconnect-AzDevOps
+                Get-AzDevOpsRetentionSettings -Project 'MyProject'
+            } | Should -Throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+        }
+    }
+
+    Context ' Get-AzDevOpsRetentionSettings' {
+        BeforeAll {
+            Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT
+            $response = Get-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT
+        }
+
+        It 'should return a hashtable' {
+            $response | Should -BeOfType [hashtable]
+        }
+
+        It 'should return a hashtable with RetentionSettings property' {
+            $response.RetentionSettings | Should -Not -BeNullOrEmpty
+        }
+
+        It 'should return a hashtable with RetentionPolicy property' {
+            $response.RetentionPolicy | Should -Not -BeNullOrEmpty
+        }
+
+        It 'should return a hashtable with ObjectType property' {
+            $response.ObjectType | Should -Not -BeNullOrEmpty
+        }
+
+        It 'should return a hashtable with ObjectName property' {
+            $response.ObjectName | Should -Not -BeNullOrEmpty
+        }
+
+        AfterAll {
+            Disconnect-AzDevOps
+        }
+    }
+
+    Context ' Get-AzDevOpsRetentionSettings with a wrong organization or PAT' {
+        It 'should throw an error with a wrong PAT' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT 'wrongPAT'
+                Get-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT
+            } | Should -Throw "Failed to get retention settings for project '$($env:ADO_PROJECT)' from Azure DevOps"
+        }
+
+        It 'should throw an error with a wrong organization' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization 'wrongOrganization' -PAT $env:ADO_PAT
+                Get-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT
+            } | Should -Throw "Failed to get retention settings for project '$($env:ADO_PROJECT)' from Azure DevOps"
+        }
+
+        It 'should throw an error with a wrong project' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT
+                Get-AzDevOpsRetentionSettings -Project 'wrongProject'
+            } | Should -Throw "Failed to get retention settings for project 'wrongProject' from Azure DevOps"
+        }
+    }
+
+    Context ' Export-AzDevOpsRetentionSettings without a connection' {
+        It 'should throw an error' {
+            { 
+                Disconnect-AzDevOps
+                Export-AzDevOpsRetentionSettings -Project 'MyProject' -OutputPath $Env:ADO_EXPORT_DIR
+            } | Should -Throw 'Not connected to Azure DevOps. Run Connect-AzDevOps first.'
+        }
+    }
+
+    Context ' Export-AzDevOpsRetentionSettings' {
+        BeforeAll {
+            Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT
+            Export-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT -OutputPath $Env:ADO_EXPORT_DIR
+        }
+
+        It 'should export a JSON file' {
+            $file = Get-ChildItem -Path $Env:ADO_EXPORT_DIR -Filter "$($env:ADO_PROJECT).ret.ado.json" -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'FullName'
+            $file | Should -Not -BeNullOrEmpty
+        }
+
+        It 'should export a JSON file with the correct name' {
+            $file = Get-ChildItem -Path $Env:ADO_EXPORT_DIR -Filter "$($env:ADO_PROJECT).ret.ado.json" -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'FullName'
+            $file | Should -Match "$($env:ADO_PROJECT).ret.ado.json"
+        }
+
+        It 'should export a JSON file with the correct content' {
+            $file = Get-ChildItem -Path $Env:ADO_EXPORT_DIR -Filter "$($env:ADO_PROJECT).ret.ado.json" -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty 'FullName'
+            $content = Get-Content -Path $file -Raw
+            $content | Should -Match 'RetentionSettings'
+            $content | Should -Match 'RetentionPolicy'
+            $content | Should -Match 'ObjectType'
+            $content | Should -Match 'ObjectName'
+        }
+
+        AfterAll {
+            Disconnect-AzDevOps
+        }
+    }
+
+    Context ' Export-AzDevOpsRetentionSettings with a wrong organization or PAT' {
+        It 'should throw an error with a wrong PAT' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT 'wrongPAT'
+                Export-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT -OutputPath $Env:ADO_EXPORT_DIR
+            } | Should -Throw "Failed to get retention settings for project '$($env:ADO_PROJECT)' from Azure DevOps"
+        }
+
+        It 'should throw an error with a wrong organization' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization 'wrongOrganization' -PAT $env:ADO_PAT
+                Export-AzDevOpsRetentionSettings -Project $env:ADO_PROJECT -OutputPath $Env:ADO_EXPORT_DIR
+            } | Should -Throw "Failed to get retention settings for project '$($env:ADO_PROJECT)' from Azure DevOps"
+        }
+
+        It 'should throw an error with a wrong project' {
+            { 
+                Disconnect-AzDevOps
+                Connect-AzDevOps -Organization $env:ADO_ORGANIZATION -PAT $env:ADO_PAT
+                Export-AzDevOpsRetentionSettings -Project 'wrongProject' -OutputPath $Env:ADO_EXPORT_DIR
+            } | Should -Throw "Failed to get retention settings for project 'wrongProject' from Azure DevOps"
+        }
+    }
+}
+
+AfterAll {
+    Disconnect-AzDevOps
+    Remove-Module -Name PSRule.Rules.AzureDevOps -Force
+}

tests/Rules.Tests.ps1

@@ -49,9 +49,9 @@ BeforeAll {
 
 Describe 'AzureDevOps ' {
     Context 'Base rules ' {
-        It 'Should contain 57 rules' {
+        It 'Should contain 59 rules' {
             $rules = Get-PSRule -Module PSRule.Rules.AzureDevOps;
-            $rules.Count | Should -Be 57;
+            $rules.Count | Should -Be 59;
         }
     }
 
@@ -1688,4 +1688,20 @@ Describe 'AzureDevOps ' {
             $ruleHits.Count | Should -Be 1;
         }
     }
+
+    Context 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' {
+        It 'Should pass once' {
+            $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.ArtifactMinimumRetentionDays' })
+            $ruleHits[0].Outcome | Should -Be 'Pass';
+            $ruleHits.Count | Should -Be 1;
+        }
+    }
+
+    Context 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' {
+        It 'Should pass once' {
+            $ruleHits = @($ruleResult | Where-Object { $_.RuleName -eq 'Azure.DevOps.RetentionSettings.PullRequestRunsMinimumRetentionDays' })
+            $ruleHits[0].Outcome | Should -Be 'Pass';
+            $ruleHits.Count | Should -Be 1;
+        }
+    }
 }