

Merge pull request #680 from fuller-inc/drop-obfuscate-repository2
drop obfuscate_repository
shogo82148 authored Jan 16, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
2 parents 6c36856 + 8df0700 commit 3f45ada
Showing 2 changed files with 15 additions and 76 deletions.
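--- a/provider/assume-role/assume-role.go
+++ b/provider/assume-role/assume-role.go
@@ -2,8 +2,6 @@ package assumerole
 
 import (
 "context"
-"crypto/sha256"
-"encoding/hex"
 "encoding/json"
 "errors"
 "fmt"
@@ -81,21 +79,20 @@ func NewHandler() *Handler {
 }
 
 type requestBody struct {
-GitHubToken string `json:"github_token"`
-IDToken string `json:"id_token"`
-RoleToAssume string `json:"role_to_assume"`
-RoleSessionName string `json:"role_session_name"`
-DurationSeconds int32 `json:"duration_seconds"`
-Repository string `json:"repository"`
-UseNodeID bool `json:"use_node_id"`
-ObfuscateRepository string `json:"obfuscate_repository"`
-APIURL string `json:"api_url"`
-SHA string `json:"sha"`
-RoleSessionTagging bool `json:"role_session_tagging"`
-RunID string `json:"run_id"`
-Workflow string `json:"workflow"`
-Actor string `json:"actor"`
-Branch string `json:"branch"`
+GitHubToken string `json:"github_token"`
+IDToken string `json:"id_token"`
+RoleToAssume string `json:"role_to_assume"`
+RoleSessionName string `json:"role_session_name"`
+DurationSeconds int32 `json:"duration_seconds"`
+Repository string `json:"repository"`
+UseNodeID bool `json:"use_node_id"`
+APIURL string `json:"api_url"`
+SHA string `json:"sha"`
+RoleSessionTagging bool `json:"role_session_tagging"`
+RunID string `json:"run_id"`
+Workflow string `json:"workflow"`
+Actor string `json:"actor"`
+Branch string `json:"branch"`
 }
 
 type responseBody struct {
@@ -520,17 +517,7 @@ func (h *Handler) assumeRole(ctx context.Context, nextIDFormat bool, idToken *gi
 if req.UseNodeID {
 input.ExternalId = aws.String(repo.NodeID)
 } else {
-switch req.ObfuscateRepository {
-case "sha256":
-hash := sha256.Sum256([]byte(req.Repository))
-input.ExternalId = aws.String("sha256:" + hex.EncodeToString(hash[:]))
-case "":
-input.ExternalId = aws.String(req.Repository)
-default:
-return nil, &validationError{
-message: fmt.Sprintf("invalid obfuscate repository type: %s", req.ObfuscateRepository),
-}
-}
+input.ExternalId = aws.String(req.Repository)
 }
 input.DurationSeconds = aws.Int32(req.DurationSeconds)
 resp, err := h.sts.AssumeRole(ctx, &input)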
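Review bot: A client that still sends `obfuscate_repository` is now accepted silently, because dropping the field from requestBody only makes encoding/json discard it (unless the decode site, which is outside this hunk, uses DisallowUnknownFields); with the third hunk such a request then has the plain repository name sent as ExternalId, a different value than the caller asked for. The mismatch against a trust policy that expects the `sha256:` form should surface only as an access-denied error from STS, so this is fail-closed, but the error gives no hint that the option was removed. Consider rejecting the field explicitly in request validation with a validationError naming `obfuscate_repository` as no longer supported, or at least noting the removal on the struct, e.g. `// obfuscate_repository was removed in #680; requests that still send it are ignored.`. The assumeRole body in the third hunk starts and ends outside the hunk.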
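--- a/provider/assume-role/assume-role_test.go
+++ b/provider/assume-role/assume-role_test.go
@@ -339,54 +339,6 @@ func TestAssumeRole_UseNodeID(t *testing.T) {
 }
 }
 
-func TestAssumeRole_ObfuscateRepository(t *testing.T) {
-h := &Handler{
-github: &githubClientMock{
-GetRepoFunc: dummyGetRepoFunc,
-GetUserFunc: dummyGetUserFunc,
-ValidateAPIURLFunc: func(url string) error {
-return nil
-},
-},
-sts: &stsClientMock{
-AssumeRoleFunc: func(ctx context.Context, params *sts.AssumeRoleInput, optFns ...func(*sts.Options)) (*sts.AssumeRoleOutput, error) {
-if params.ExternalId == nil {
-return nil, errAccessDenied
-}
-if got, want := aws.ToString(params.ExternalId), "sha256:339c2238399e1150eb8d76a7a74cfd92448d347dc4212bad33a4978edfc455e0"; want != got {
-t.Errorf("unexpected external id: want %q, got %q", want, got)
-return nil, errAccessDenied
-}
-return &sts.AssumeRoleOutput{
-Credentials: &types.Credentials{
-AccessKeyId: aws.String("AKIAIOSFODNN7EXAMPLE"),
-SecretAccessKey: aws.String("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"),
-SessionToken: aws.String("session-token"),
-},
-}, nil
-},
-},
-}
-resp, err := h.assumeRole(context.Background(), false, nil, &requestBody{
-RoleToAssume: "arn:aws:iam::123456789012:role/assume-role-test",
-RoleSessionName: "GitHubActions",
-Repository: "fuller-inc/actions-aws-assume-role",
-ObfuscateRepository: "sha256",
-})
-if err != nil {
-t.Fatal(err)
-}
-if resp.AccessKeyId != "AKIAIOSFODNN7EXAMPLE" {
-t.Errorf("want %q, got %q", "AKIAIOSFODNN7EXAMPLE", resp.AccessKeyId)
-}
-if resp.SecretAccessKey != "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" {
-t.Errorf("want %q, got %q", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", resp.SecretAccessKey)
-}
-if resp.SessionToken != "session-token" {
-t.Errorf("want %q, got %q", "session-token", resp.SessionToken)
-}
-}
-
 func TestSanitizeTagValue(t *testing.T) {
 cases := []struct {
 input string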
