add actionMap as a argument to secure workflow

Author: Balijepalli Vamshi Krishna

remediation/workflow/maintainedactions/maintainedActions.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
-	"path/filepath"
 	"strings"
 
 	"github.com/step-security/secure-repo/remediation/workflow/metadata"
@@ -32,10 +31,8 @@ type replacement struct {
 }
 
 // LoadMaintainedActions loads the maintained actions from the JSON file
-func LoadMaintainedActions() (map[string]string, error) {
+func LoadMaintainedActions(jsonPath string) (map[string]string, error) {
 	// Read the JSON file
-	jsonPath := filepath.Join("maintainedactions", "maintainedActions.json")
-	// jsonPath := filepath.Join("maintainedActions.json")
 	data, err := ioutil.ReadFile(jsonPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read maintained actions file: %v", err)
@@ -59,14 +56,13 @@ func LoadMaintainedActions() (map[string]string, error) {
 }
 
 // ReplaceActions replaces original actions with Step Security actions in a workflow
-func ReplaceActions(inputYaml string, customerMaintainedActions []string) (string, bool, error) {
+func ReplaceActions(inputYaml string, customerMaintainedActions map[string]string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
-	actionMap, err := LoadMaintainedActions()
-	if err != nil {
-		return "", updated, fmt.Errorf("unable to load maintained actions: %v", err)
-	}
-	err = yaml.Unmarshal([]byte(inputYaml), &workflow)
+
+	actionMap := customerMaintainedActions
+
+	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
 	if err != nil {
 		return "", updated, fmt.Errorf("unable to parse yaml: %v", err)
 	}
@@ -83,9 +79,6 @@ func ReplaceActions(inputYaml string, customerMaintainedActions []string) (strin
 			// fmt.Println("step ", step.Uses)
 			actionName := strings.Split(step.Uses, "@")[0]
 			if newAction, ok := actionMap[actionName]; ok {
-				if isMaintained(newAction, customerMaintainedActions) {
-					continue
-				}
 				latestVersion, err := GetLatestRelease(newAction)
 				if err != nil {
 					return "", updated, fmt.Errorf("unable to get latest release: %v", err)
@@ -148,12 +141,3 @@ func replaceAction(t *yaml.Node, inputLines []string, replacements []replacement
 	}
 	return inputLines, updated
 }
-
-func isMaintained(actionName string, maintainedActions []string) bool {
-	for _, maintainedAction := range maintainedActions {
-		if maintainedAction == actionName {
-			return true
-		}
-	}
-	return false
-}

remediation/workflow/maintainedactions/maintainedactions_test.go

@@ -69,12 +69,6 @@ func TestReplaceActions(t *testing.T) {
 			wantUpdated: true,
 			wantErr:     false,
 		},
-		{
-			name:        "exemtedMaintainedActions.yml",
-			inputFile:   "exemtedMaintainedActions.yml",
-			outputFile:  "exemtedMaintainedActions.yml",
-			wantUpdated: true,
-		},
 	}
 
 	for _, tt := range tests {
@@ -84,16 +78,12 @@ func TestReplaceActions(t *testing.T) {
 			if err != nil {
 				t.Fatalf("error reading input file: %v", err)
 			}
-
-			// Call ReplaceActions
-			var got string
-			var updated bool
-			var replaceErr error
-			if tt.inputFile == "exemtedMaintainedActions.yml" {
-				got, updated, replaceErr = ReplaceActions(string(input), []string{"step-security/git-restore-mtime-action"})
-			} else {
-				got, updated, replaceErr = ReplaceActions(string(input), []string{})
+			actionMap, err := LoadMaintainedActions("maintainedActions.json")
+			if err != nil {
+				t.Errorf("ReplaceActions() unable to json file %v", err)
+				return
 			}
+			got, updated, replaceErr := ReplaceActions(string(input), actionMap)
 
 			// Check error
 			if (replaceErr != nil) != tt.wantErr {

remediation/workflow/secureworkflow.go

@@ -1,7 +1,6 @@
 package workflow
 
 import (
-	"encoding/json"
 	"log"
 
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface"
@@ -18,10 +17,10 @@ const (
 )
 
 func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
-	pinActions, addHardenRunner, addPermissions, addProjectComment, addMaintainedActions := true, true, true, true, true
-	pinnedActions, addedHardenRunner, addedPermissions, addedMaintainedActions := false, false, false, false
+	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions := true, true, true, true, false
+	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions := false, false, false, false
 	ignoreMissingKBs := false
-	exemptedActions, pinToImmutable, customerMaintainedActions := []string{}, false, []string{}
+	exemptedActions, pinToImmutable, customerMaintainedActions := []string{}, false, map[string]string{}
 	if len(params) > 0 {
 		if v, ok := params[0].([]string); ok {
 			exemptedActions = v
@@ -33,7 +32,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		}
 	}
 	if len(params) > 2 {
-		if v, ok := params[2].([]string); ok {
+		if v, ok := params[2].(map[string]string); ok {
 			customerMaintainedActions = v
 		}
 	}
@@ -58,17 +57,8 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		addProjectComment = false
 	}
 
-	if queryStringParams["enableLogging"] == "true" {
-		enableLogging = true
-	}
-
-	if enableLogging {
-		// Log query parameters
-		paramsJSON, _ := json.MarshalIndent(queryStringParams, "", "  ")
-		log.Printf("SecureWorkflow called with query parameters: %s", paramsJSON)
-
-		// Log input YAML (complete)
-		log.Printf("Input YAML: %s", inputYaml)
+	if len(customerMaintainedActions) > 0 {
+		replaceMaintainedActions = true
 	}
 
 	secureWorkflowReponse := &permissions.SecureWorkflowReponse{FinalOutput: inputYaml, OriginalInput: inputYaml}
@@ -114,8 +104,8 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		addedPermissions = !secureWorkflowReponse.HasErrors
 	}
 
-	if addMaintainedActions {
-		secureWorkflowReponse.FinalOutput, addedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput, customerMaintainedActions)
+	if replaceMaintainedActions {
+		secureWorkflowReponse.FinalOutput, replacedMaintainedActions, err = maintainedactions.ReplaceActions(secureWorkflowReponse.FinalOutput, customerMaintainedActions)
 		if err != nil {
 			secureWorkflowReponse.HasErrors = true
 		}
@@ -156,6 +146,6 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.PinnedActions = pinnedActions
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
-	secureWorkflowReponse.AddedMaintainedActions = addedMaintainedActions
+	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
 	return secureWorkflowReponse, nil
 }

remediation/workflow/secureworkflow_test.go

@@ -8,6 +8,8 @@ import (
 	"testing"
 
 	"github.com/jarcoal/httpmock"
+	"github.com/step-security/secure-repo/remediation/workflow/maintainedactions"
+	"github.com/step-security/secure-repo/remediation/workflow/permissions"
 )
 
 func TestSecureWorkflow(t *testing.T) {
@@ -202,7 +204,9 @@ func TestSecureWorkflow(t *testing.T) {
 		{fileName: "error.yml", wantPinnedActions: false, wantAddedHardenRunner: false, wantAddedPermissions: false},
 	}
 	for _, test := range tests {
-		input, err := ioutil.ReadFile(path.Join(inputDirectory, test.fileName))
+		var err error
+		var input []byte
+		input, err = ioutil.ReadFile(path.Join(inputDirectory, test.fileName))
 
 		if err != nil {
 			log.Fatal(err)
@@ -232,7 +236,18 @@ func TestSecureWorkflow(t *testing.T) {
 		}
 		queryParams["addProjectComment"] = "false"
 
-		output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+		var output *permissions.SecureWorkflowReponse
+		var actionMap map[string]string
+		if test.fileName == "oneJob.yml" {
+			actionMap, err = maintainedactions.LoadMaintainedActions("maintainedactions/maintainedActions.json")
+			if err != nil {
+				t.Errorf("unable to load the file %s", err)
+			}
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{}, []string{}, false, actionMap)
+
+		} else {
+			output, err = SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+		}
 
 		if err != nil {
 			t.Errorf("Error not expected")