Adding unit tests (#14)

<!--
Thank you for proposing a pull request! Please note that SOME TESTS WILL
LIKELY FAIL due to how GitHub exposes secrets in Pull Requests from
forks.
Someone from the team will review your Pull Request and respond.

Please describe your change and any implementation details below.
-->

---------

Co-authored-by: Adish Agarwal <[email protected]>

Author: adishagarwal

.github/workflows/test.yml

@@ -37,6 +37,9 @@ jobs:
   unit:
     name: 'unit'
     runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'read'
+      id-token: 'write'
 
     steps:
       - uses: 'actions/checkout@v4'
@@ -50,6 +53,11 @@ jobs:
 
       - name: 'npm lint'
         run: 'npm run lint'
+      
+      - uses: 'google-github-actions/auth@v2'
+        with:
+          workload_identity_provider: 'projects/111685897256/locations/global/workloadIdentityPools/github/providers/my-repo'
+          service_account: '[email protected]'
 
       - name: 'npm test'
         run: 'npm run test'
@@ -84,7 +92,7 @@ jobs:
         with:
           organization_id: '${{ env.ORGANIZATION_ID }}'
           # plan file has 1 CRITICAL, 2 LOW severity vulnerabilites
-          scan_file_ref: 'test/resources/with-violations-tf_plan.json'
+          scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
           iac_type: 'terraform'
           iac_version: '1.0.0'
           failure_criteria: 'CRITICAL:2, Operator:OR'
@@ -93,7 +101,7 @@ jobs:
           scan_timeout: '1m'
       - name: 'Check scan result and compare sarif report generated.'
         run: |
-          report_expected="test/resources/sarif.json"
+          report_expected="tests/resources/sarif.json"
           report_generated="${{ steps.violations-found.outputs.iac_scan_result_sarif_path }}"
           if cmp -s "$report_expected" "$report_generated"; then
             exit 1
@@ -108,7 +116,7 @@ jobs:
       #   uses: './'
       #   with:
       #     organization_id: '${{ env.ORGANIZATION_ID }}'
-      #     scan_file_ref: 'test/resources/no-violations-tf_plan.json'
+      #     scan_file_ref: 'tests/resources/no-violations-tf_plan.json'
       #     iac_type: 'terraform'
       #     iac_version: '1.0.0'
       #     failure_criteria: 'CRITICAL:2, Operator:OR'
@@ -127,7 +135,7 @@ jobs:
         with:
           organization_id: '${{ env.ORGANIZATION_ID }}'
           # plan file has 1 CRITICAL, 2 LOW severity vulnerabilites
-          scan_file_ref: 'test/resources/with-violations-tf_plan.json'
+          scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
           iac_type: 'terraform'
           iac_version: '1.0.0'
           failure_criteria: 'CRITICAL:1, Operator:OR'
@@ -147,7 +155,7 @@ jobs:
         with:
           organization_id: '${{ env.ORGANIZATION_ID }}'
           # plan file has 1 CRITICAL, 2 LOW severity vulnerabilites
-          scan_file_ref: 'test/resources/with-violations-tf_plan.json'
+          scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
           iac_type: 'terraform'
           iac_version: '1.0.0'
           ignore_violations: 'true'
@@ -164,7 +172,7 @@ jobs:
         with:
           # Invalid org id, will cause an internal error in action
           organization_id: 'invalid-id'
-          scan_file_ref: 'test/resources/with-violations-tf_plan.json'
+          scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
           iac_type: 'terraform'
           iac_version: '1.0.0'
         continue-on-error: true
@@ -182,7 +190,7 @@ jobs:
         uses: './'
         with:
           organization_id: 'invalid-id'
-          scan_file_ref: 'test/resources/with-violations-tf_plan.json'
+          scan_file_ref: 'tests/resources/with-violations-tf_plan.json'
           iac_type: 'terraform'
           iac_version: '1.0.0'
           fail_silently: 'true'

bin/runTests.sh

@@ -7,7 +7,7 @@
     "build": "ncc build -m src/main.ts -o dist/main",
     "lint": "eslint . --ext .ts,.tsx",
     "format": "prettier --write **/*.ts",
-    "test": "bash ./bin/runTests.sh"
+    "test": "node --require ts-node/register --test-reporter spec --test tests/accessor.test.ts tests/iac_scan_report_processor.test.ts tests/utils.test.ts"
   },
   "repository": {
     "type": "git",

dist/main/index.js

@@ -19,12 +19,7 @@ import { GoogleAuth } from 'google-auth-library';
 import { debug as logDebug } from '@actions/core';
 import { errorMessage, toBase64, fromBase64 } from '@google-github-actions/actions-utils';
 
-import {
-  MAX_RETRIES_FOR_INITIATE_SCAN,
-  MAX_RETRIES_FOR_POLLING,
-  RETRIABLE_ERROR_CODES,
-  VALIDATE_ENDPOINT_PATH,
-} from './commons/http_config';
+import { RETRIABLE_ERROR_CODES, VALIDATE_ENDPOINT_PATH } from './commons/http_config';
 import { IACValidationException } from './exception';
 import { SCAN_FILE_MAX_SIZE_BYTES, USER_AGENT } from './commons/constants';
 
@@ -155,7 +150,6 @@ export class IACAccessor {
   private async request(
     method: string,
     url: string,
-    maxRetries: number,
     errorMsg: string,
     data?: any, // eslint-disable-line @typescript-eslint/no-explicit-any
   ) {
@@ -167,7 +161,7 @@ export class IACAccessor {
       'Content-Type': 'application/json',
     };
 
-    while (this.shouldRetry(this.retryCount, maxRetries)) {
+    while (this.shouldRetry()) {
       try {
         const intervalMs: number = Math.pow(2, this.retryCount) * 1000;
         this.retryCount++;
@@ -176,7 +170,7 @@ export class IACAccessor {
         const body = await response.readBody();
         const statusCode = response.message.statusCode || 500;
 
-        if (RETRIABLE_ERROR_CODES.includes(statusCode) && this.retryCount != maxRetries) {
+        if (RETRIABLE_ERROR_CODES.includes(statusCode)) {
           await new Promise((resolve) => setTimeout(resolve, intervalMs));
           continue;
         }
@@ -200,10 +194,7 @@ export class IACAccessor {
     throw new IACValidationException(/* statusCode= */ 500, `Operation timed out`);
   }
 
-  private shouldRetry(retryCount: number, maxRetryCount: number): boolean {
-    if (retryCount >= maxRetryCount) {
-      return false;
-    }
+  private shouldRetry(): boolean {
     const currentTime = new Date().getTime();
     return currentTime < this.scanStartTime + this.scanTimeOut;
   }
@@ -222,7 +213,7 @@ export class IACAccessor {
         throw new IACValidationException(
           /* statusCode= */ 500,
           `[Internal Error] Validation Service Endpoint Returned
-        invalid violations with one or more missing key Attributes, policyID : ${violation.policyId}, assetId : ${violation.assetId}`,
+        invalid violations with one or more missing key Attributes, policyID : ${violation.policyId ?? ''}, assetId : ${violation.assetId ?? ''}`,
         );
       }
     });
@@ -276,9 +267,8 @@ export class IACAccessor {
    * @param name Name of the operation, of the format `operations/{name}`.
    */
   private async pollOperation(name: string): Promise<Operation> {
-    while (this.retryCount < MAX_RETRIES_FOR_POLLING) {
+    while (this.shouldRetry()) {
       const intervalMs: number = Math.pow(2, this.retryCount) * 1000;
-      this.retryCount++;
       const resp = await this.getOperation(name);
       if (resp && resp.done) {
         return resp;
@@ -299,7 +289,6 @@ export class IACAccessor {
     const resp: Operation = await this.request(
       'GET',
       u,
-      MAX_RETRIES_FOR_POLLING,
       /*errorMsg=*/ 'encountered error while performing scan operation',
     );
     return resp;
@@ -326,7 +315,6 @@ export class IACAccessor {
       const resp: Operation = await this.request(
         'POST',
         u,
-        MAX_RETRIES_FOR_INITIATE_SCAN,
         /*errorMsg=*/ 'encountered error while requesting scan',
         body,
       );

package-lock.json

@@ -18,5 +18,3 @@ export const VALIDATE_ENDPOINT_DOMAIN = 'https://securityposture.googleapis.com/
 export const VALIDATE_ENDPOINT_PATH = (orgId: string) =>
   `/organizations/${orgId}/locations/global/reports:createIaCValidationReport`;
 export const RETRIABLE_ERROR_CODES = [408, 429, 500, 502, 503, 504];
-export const MAX_RETRIES_FOR_INITIATE_SCAN = 3;
-export const MAX_RETRIES_FOR_POLLING = 50;

package.json

@@ -61,7 +61,7 @@ const version = require('../package.json').version;
 async function run(): Promise<void> {
   logInfo(`IaC Scanning Action invoked`);
   try {
-    const organizationId = getInput(ORGANIZATION_ID_CONFIG_KEY, { required: true });
+    const organizationID = getInput(ORGANIZATION_ID_CONFIG_KEY, { required: true });
     const scanFileRef = getInput(SCAN_FILE_REF_CONFIG_KEY, { required: true });
     const iacType = getInput(IAC_TYPE_CONFIG_KEY, { required: true });
     const iacVersion = getInput(IAC_VERSION_CONFIG_KEY, { required: true });
@@ -92,7 +92,7 @@ async function run(): Promise<void> {
     const scanStartTime = new Date().getTime();
     const accessor = new IACAccessor(
       VALIDATE_ENDPOINT_DOMAIN,
-      organizationId,
+      organizationID,
       scanTimeoutMs,
       scanStartTime,
       version,

src/accessor.ts

@@ -126,17 +126,17 @@ function validateAndExtractFailureCriteriaFromMap(
   keyValueMap.forEach((value, key) => {
     if (isValidOperatorKey(key)) {
       if (operator) {
-        throw new Error(`multiple operators found.`);
+        throw new Error(`multiple operators found`);
       }
       operator = extractOperatorValue(value);
       return;
     }
     const severity: Severity = extractSeverityKey(
       key,
-      /** errMsg= */ `invalid key: ${key}, value: ${value} pair found.`,
+      /** errMsg= */ `invalid key: ${key}, value: ${value} pair found`,
     );
     if (violationsThresholdBySeverity.has(severity)) {
-      throw new Error(`multiple severities of type ${key} found.`);
+      throw new Error(`multiple severities of type ${key} found`);
     }
     if (isNaN(+value)) {
       throw new Error(`invalid severity count`);
@@ -145,10 +145,10 @@ function validateAndExtractFailureCriteriaFromMap(
   });
 
   if (!operator) {
-    throw new Error('no operator found.');
+    throw new Error('no operator found');
   }
   if (violationsThresholdBySeverity.size == 0) {
-    throw new Error('no severity mentioned in operator.');
+    throw new Error('no severity mentioned');
   }
   return {
     violationsThresholdBySeverity: violationsThresholdBySeverity,