baton-cloudflare/.github/workflows/ci.yaml at main · ConductorOne/baton-cloudflare · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
name: ci
on:
  workflow_dispatch:
  pull_request:
    types: [opened, reopened, synchronize]
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    env:
      BATON_API_KEY: ${{ secrets.BATON_API_KEY }}
      BATON_EMAIL_ID: ${{ secrets.BATON_EMAIL }}
      BATON_ACCOUNT_ID: ${{ secrets.BATON_ACCOUNT_ID }}
      BATON_LOG_LEVEL: 'debug'
      # Revoke grants variable
      CONNECTOR_GRANT: 'role:1963e6e3aca5ac9a7a91609a0040ab02:member:user:9d9a62a5b834a8c9c5cf43cd234dfd4a'
      # Grant entitlements variables
      CONNECTOR_ENTITLEMENT: 'role:1963e6e3aca5ac9a7a91609a0040ab02:member'
      CONNECTOR_PRINCIPAL: '9d9a62a5b834a8c9c5cf43cd234dfd4a'
      CONNECTOR_PRINCIPAL_TYPE: 'user'
      # Fake ID for failure testing
      FAKE_PRINCIPAL_ID: 'fake-id-that-does-not-exist-12345'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
      - name: Build baton-cloudflare
        run: go build ./cmd/baton-cloudflare
      - name: Run baton-cloudflare
        run: ./baton-cloudflare
      - name: Install baton
        run: ./scripts/get-baton.sh && mv baton /usr/local/bin
      - name: Get baton resources
        run: baton resources
      - name: Grant entitlement
        run: |
          ./baton-cloudflare --grant-entitlement ${{ env.CONNECTOR_ENTITLEMENT }} --grant-principal ${{ env.CONNECTOR_PRINCIPAL }} --grant-principal-type ${{ env.CONNECTOR_PRINCIPAL_TYPE }}
      - name: Check for grant before revoking
        run: |
          ./baton-cloudflare
           baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status ".grants[].principal.id.resource == \"${{ env.CONNECTOR_PRINCIPAL }}\""
      - name: Test grant failure with fake ID
        run: |
          set +e  # Don't exit on error
          ./baton-cloudflare --grant-entitlement ${{ env.CONNECTOR_ENTITLEMENT }} --grant-principal ${{ env.FAKE_PRINCIPAL_ID }} --grant-principal-type ${{ env.CONNECTOR_PRINCIPAL_TYPE }}
          exit_code=$?
          set -e  # Re-enable exit on error

          if [ $exit_code -eq 0 ]; then
            echo "ERROR: Grant with fake ID should have failed but succeeded"
            exit 1
          else
            echo "SUCCESS: Grant with fake ID failed as expected (exit code: $exit_code)"
          fi
      - name: Revoke grants
        run: |
          ./baton-cloudflare
          ./baton-cloudflare --revoke-grant ${{ env.CONNECTOR_GRANT }}
      - name: Check grant was revoked
        run: |
          ./baton-cloudflare
           baton grants --entitlement ${{ env.CONNECTOR_ENTITLEMENT }} --output-format=json | jq -e "try(.grants[]? | any(.principal.id.resource !=\"${{ env.CONNECTOR_PRINCIPAL }}\")) // true"
      - name: Grant entitlement
        run: |
          ./baton-cloudflare
          ./baton-cloudflare --grant-entitlement ${{ env.CONNECTOR_ENTITLEMENT }} --grant-principal ${{ env.CONNECTOR_PRINCIPAL }} --grant-principal-type ${{ env.CONNECTOR_PRINCIPAL_TYPE }}
      - name: Check grant was re-granted
        run: |
          ./baton-cloudflare
          baton grants --entitlement ${{ env.CONNECTOR_ENTITLEMENT }} --output-format=json | jq -e ".grants | any(.principal.id.resource ==\"${{ env.CONNECTOR_PRINCIPAL }}\")"