Skip to content

Commit

Permalink
Refactored code to conditionally install agent (#239)
Browse files Browse the repository at this point in the history
  • Loading branch information
h0x0er authored Feb 5, 2023
1 parent 8f144f8 commit 6755445
Show file tree
Hide file tree
Showing 10 changed files with 109 additions and 69 deletions.
7 changes: 7 additions & 0 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/index.js.map

Large diffs are not rendered by default.

7 changes: 7 additions & 0 deletions dist/post/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -61033,8 +61033,10 @@ function addSummary() {
}
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";

;// CONCATENATED MODULE: external "node:fs"
const external_node_fs_namespaceObject = require("node:fs");
Expand Down Expand Up @@ -61199,6 +61201,11 @@ var cleanup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _
console.log(CONTAINER_MESSAGE);
return;
}
if (String(process.env.STATE_monitorStatusCode) ===
STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
external_fs_.writeFileSync("/home/agent/post_event.json", JSON.stringify({ event: "post" }));
var doneFile = "/home/agent/done.json";
var counter = 0;
Expand Down
2 changes: 1 addition & 1 deletion dist/post/index.js.map

Large diffs are not rendered by default.

54 changes: 29 additions & 25 deletions dist/pre/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -14163,8 +14163,10 @@ function addSummary() {
}
});
}
const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";
const CONTAINER_MESSAGE = "This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";
const UBUNTU_MESSAGE = "This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";
const HARDEN_RUNNER_UNAVAILABLE_MESSAGE = "Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";

// EXTERNAL MODULE: ./node_modules/@actions/tool-cache/lib/tool-cache.js
var tool_cache = __nccwpck_require__(7784);
Expand Down Expand Up @@ -14354,7 +14356,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
var env = "agent";
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
const confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
Expand All @@ -14368,6 +14369,33 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
disable_file_monitoring: lib_core.getBooleanInput("disable-file-monitoring"),
private: github.context.payload.repository.private,
};
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
lib_core.setFailed("egress-policy must be either audit or block");
}
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
lib_core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
lib_core.setFailed("disable-telemetry must be a boolean value");
}
let _http = new lib.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${statusCode}${external_os_.EOL}`, {
encoding: "utf8",
});
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
console.log(`Step Security Job Correlation ID: ${correlation_id}`);
if (String(statusCode) === STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}
if (isValidEvent()) {
try {
const cacheEntry = yield getCacheEntry([cacheKey], [cacheFile], {
Expand All @@ -14386,30 +14414,6 @@ var setup_awaiter = (undefined && undefined.__awaiter) || function (thisArg, _ar
}
}
}
if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
lib_core.setFailed("egress-policy must be either audit or block");
}
if (confg.egress_policy === "block" && confg.allowed_endpoints === "") {
lib_core.warning("egress-policy is set to block (default) and allowed-endpoints is empty. No outbound traffic will be allowed for job steps.");
}
if (confg.disable_telemetry !== true && confg.disable_telemetry !== false) {
lib_core.setFailed("disable-telemetry must be a boolean value");
}
if (!confg.disable_telemetry) {
let _http = new lib.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
const resp = yield _http.get(`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`);
if (resp.message.statusCode === 200) {
external_fs_.appendFileSync(process.env.GITHUB_STATE, `monitorStatusCode=${resp.message.statusCode}${external_os_.EOL}`, {
encoding: "utf8",
});
}
}
catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}
const confgStr = JSON.stringify(confg);
external_child_process_.execSync("sudo mkdir -p /home/agent");
external_child_process_.execSync("sudo chown -R $USER /home/agent");
Expand Down
2 changes: 1 addition & 1 deletion dist/pre/index.js.map

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions src/cleanup.ts
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,14 @@ import path from "path";
return;
}

if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}

fs.writeFileSync(
"/home/agent/post_event.json",
JSON.stringify({ event: "post" })
Expand Down
12 changes: 8 additions & 4 deletions src/common.ts
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import * as core from "@actions/core";
import { exit } from "process";
export function printInfo(web_url) {
console.log(
"\x1b[32m%s\x1b[0m",
Expand All @@ -21,16 +22,19 @@ export async function addSummary() {
"StepSecurity Harden-Runner",
{ width: "200" }
)
.addLink(
"View security insights and recommended policy",
insights_url
)
.addLink("View security insights and recommended policy", insights_url)
.addSeparator()
.write();
}
}

export const STATUS_HARDEN_RUNNER_UNAVAILABLE = "409";

export const CONTAINER_MESSAGE =
"This job is running in a container. Harden Runner does not run in a container as it needs sudo access to run. This job will not be monitored.";

export const UBUNTU_MESSAGE =
"This job is not running in a GitHub Actions Hosted Runner Ubuntu VM. Harden Runner is only supported on Ubuntu VM. This job will not be monitored.";

export const HARDEN_RUNNER_UNAVAILABLE_MESSAGE =
"Sorry, we are currently experiencing issues with the Harden Runner installation process. It is currently unavailable.";
8 changes: 8 additions & 0 deletions src/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,14 @@ import isDocker from "is-docker";
return;
}

if (
String(process.env.STATE_monitorStatusCode) ===
common.STATUS_HARDEN_RUNNER_UNAVAILABLE
) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}

if (
core.getBooleanInput("disable-telemetry") &&
core.getInput("egress-policy") === "block"
Expand Down
76 changes: 39 additions & 37 deletions src/setup.ts
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,6 @@ import {
var api_url = `https://${env}.api.stepsecurity.io/v1`;
var web_url = "https://app.stepsecurity.io";

console.log(`Step Security Job Correlation ID: ${correlation_id}`);

const confg = {
repo: process.env["GITHUB_REPOSITORY"],
run_id: process.env["GITHUB_RUN_ID"],
Expand All @@ -50,24 +48,6 @@ import {
private: context.payload.repository.private,
};

if (isValidEvent()) {
try {
const cacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
compressionMethod: CompressionMethod.ZstdWithoutLong,
});
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info("Unable to fetch cacheURL");
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}
}
}

if (confg.egress_policy !== "audit" && confg.egress_policy !== "block") {
core.setFailed("egress-policy must be either audit or block");
}
Expand All @@ -82,25 +62,47 @@ import {
core.setFailed("disable-telemetry must be a boolean value");
}

if (!confg.disable_telemetry) {
let _http = new httpm.HttpClient();
_http.requestOptions = { socketTimeout: 3 * 1000 };
let _http = new httpm.HttpClient();
let statusCode;
_http.requestOptions = { socketTimeout: 3 * 1000 };
try {
const resp: httpm.HttpClientResponse = await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
statusCode = resp.message.statusCode; // adding error code to check whether agent is getting installed or not.
fs.appendFileSync(
process.env.GITHUB_STATE,
`monitorStatusCode=${statusCode}${EOL}`,
{
encoding: "utf8",
}
);
} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}

console.log(`Step Security Job Correlation ID: ${correlation_id}`);

if (String(statusCode) === common.STATUS_HARDEN_RUNNER_UNAVAILABLE) {
console.log(common.HARDEN_RUNNER_UNAVAILABLE_MESSAGE);
return;
}

if (isValidEvent()) {
try {
const resp: httpm.HttpClientResponse = await _http.get(
`${api_url}/github/${process.env["GITHUB_REPOSITORY"]}/actions/runs/${process.env["GITHUB_RUN_ID"]}/monitor`
);
if(resp.message.statusCode === 200){
fs.appendFileSync(
process.env.GITHUB_STATE,
`monitorStatusCode=${resp.message.statusCode}${EOL}`,
{
encoding: "utf8",
}
);
const cacheEntry = await getCacheEntry([cacheKey], [cacheFile], {
compressionMethod: CompressionMethod.ZstdWithoutLong,
});
const url = new URL(cacheEntry.archiveLocation);
core.info(`Adding cacheHost: ${url.hostname}:443 to allowed-endpoints`);
confg.allowed_endpoints += ` ${url.hostname}:443`;
} catch (exception) {
// some exception has occurred.
core.info("Unable to fetch cacheURL");
if (confg.egress_policy === "block") {
core.info("Switching egress-policy to audit mode");
confg.egress_policy = "audit";
}

} catch (e) {
console.log(`error in connecting to ${api_url}: ${e}`);
}
}

Expand Down

0 comments on commit 6755445

Please sign in to comment.