OEP-30 Checking using OEP-2 Checker Tool

Overview

In developing the ability to annotate PII in any repository, we want to also adhere to OEP-2. OEP-2 specifies an openedx.yaml file that lives at the top-level of each code repository. The file describes the state of each repo in regards to other standards, along with declaring ownership and other things. It's important that openedx.yaml correctly reflects the state of annotated PII over time, particularly when a code repository contains annotated PII.

To ensure that openedx.yaml stays properly updated for OEP-30, a CI-run test will be developed that will run against all PRs in a repository. The CI will fail if annotated PII is added without properly updating openedx.yaml.

Details

The OEP-30 checking will be implemented in the repo-tools repository. That repo is not currently uploaded to PyPI - we'll perform that upload so that repo-tools will be able to be installed via pip. Once installed, the CI check will be invoked by a cmd-line command, such as:

oep30 check – <additional pytest parameters>

The oep30 command will perform the following checks:

• openedx.yaml exists
• openedx.yaml has an 'oep30' section
• Use code-annotations to detect PII annotations in the repo, yielding whether the repo has PII annotations or not.
  • Check that 'oep30' section reflects that existence with an existing 'state: true' or 'state: false' / 'applicable: False'.
  • Implies that repo-tools will use code-annotations as a requirement.

If any checks above fail, then the command returns non-zero to fail the CI.

Work To Ticket

• Add OEP-30 checking to repo-tools.
  • Add code-annotations as a requirement.
  • Implement 'oep30 check' command.
    • Parse openedx.yaml.
    • Invoke Django search tool from code-annotations to determine a True/False representing whether repo has PII annotations or not.
    • Compare result to openedx.yaml.
• Upload repo-tools to PyPI.
  • Version module.
  • Ensure module can be packaged.
  • Add Travis-based automatic PyPI upload upon tagging.
• Modify repo to add OEP-30 checking (ideally a repo that already has PII CI checking using code-annotations).
  • Add repo-tools to testing requirements.
  • Add oep30 command to Travis testing.
  • Verify OEP-30 checking fails.
  • Add proper 'oep30' section to openedx.yaml.
  • Verify OEP-30 checking succeeds.

Org Repo Reporting Tool

Overview

At certain intervals, a report detailing all the annotated PII for all the code repositories of an organization is needed. A tool that generates this report will be implemented in repo-tools. The report should be human-readable and should contain separate sections for each repository containing PII annotations.

This tool will respect the value of 'oep30' within the openedx.yaml file. If the value of 'oep30' within a repo indicate that no PII annotation exists in the repo, then no PII report will be generated for that repo.

Details

The tool will be implemented in the repo-tools repository. It will be invoked as this:

oep30 report --org <Github org> --username <Github username> --token <Github auth token> –out_filename <filename>

The report will contain all the information in each PII annotation, along with annotation location and all other info reported normally by the code-annotations module. The tool should be able to be called manually from the cmd-line or automated via a Jenkins job.

Work To Ticket

• Implement single-repo PII annotation report.
  • Given a cloned repo, generate a report for all annotated PII using Django search tool.
• Implement a script which generates full report.
  • Clones each repo listed in the repos.yaml file from the repo-tools-data repository which are in the specified org.
  • Calls the single-repo implementation above, retaining the report.
  • Merges each report into a single report.
• Stretch: Implement Jenkins job that generates this report daily or weekly.