From 5be58e7ed8acabd039a4913960bb4fb93d6cab80 Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Wed, 7 Dec 2022 20:14:10 -0800
Subject: [PATCH] Bug fix to change order of remediation (#1633)

---
 remediation/workflow/hardenrunner/addaction.go | 7 ++++++-
 remediation/workflow/hardenrunner/addaction_test.go | 2 +-
 remediation/workflow/pin/pinactions.go | 6 +++---
 remediation/workflow/secureworkflow.go | 8 ++++----
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/remediation/workflow/hardenrunner/addaction.go b/remediation/workflow/hardenrunner/addaction.go
index bc566a72..df8ec44f 100644
--- a/remediation/workflow/hardenrunner/addaction.go
+++ b/remediation/workflow/hardenrunner/addaction.go
@@ -6,6 +6,7 @@ import (
 	metadata "github.com/step-security/secure-workflows/remediation/workflow/metadata"
 	"github.com/step-security/secure-workflows/remediation/workflow/permissions"
+	"github.com/step-security/secure-workflows/remediation/workflow/pin"
 	"gopkg.in/yaml.v3"
 )
@@ -14,7 +15,7 @@ const (
 	HardenRunnerActionName = "Harden Runner"
 )
-func AddAction(inputYaml, action string) (string, bool, error) {
+func AddAction(inputYaml, action string, pinActions bool) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -45,6 +46,10 @@ func AddAction(inputYaml, action string) (string, bool, error) {
 		}
 	}
+	if updated && pinActions {
+		out, _ = pin.PinAction(action, out)
+	}
+
 	return out, updated, nil
 }
diff --git a/remediation/workflow/hardenrunner/addaction_test.go b/remediation/workflow/hardenrunner/addaction_test.go
index aa02527d..4e722f16 100644
--- a/remediation/workflow/hardenrunner/addaction_test.go
+++ b/remediation/workflow/hardenrunner/addaction_test.go
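Review bot: In the new `if updated && pinActions` branch the bool returned by `pin.PinAction` is thrown away, so when the pin does not happen (PinAction visibly returns early for refs without `@` and for `docker://`, and presumably also when the tag cannot be resolved) the freshly inserted Harden Runner step silently stays at the mutable `HardenRunnerActionPathWithTag` ref with no signal to the caller — the one step this tool adds itself would be the one left unpinned. Since `AddAction`'s return shape is fixed, at minimum capture and record the outcome, e.g. `out, pinned := pin.PinAction(action, out)` followed by a log line when `!pinned`, and state the ordering dependency above the branch: `// PinActions has already run in SecureWorkflow, so the step inserted above must be pinned here; a false result leaves it at the mutable tag.` The body of `AddAction` starts in the previous hunk and the code between the hunks is not visible here.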
@@ -32,7 +32,7 @@ func TestAddAction(t *testing.T) {
 			if err != nil {
 				t.Fatalf("error reading test file")
 			}
-			got, gotUpdated, err := AddAction(string(input), tt.args.action)
+			got, gotUpdated, err := AddAction(string(input), tt.args.action, false)
 			if gotUpdated != tt.wantUpdated {
 				t.Errorf("AddAction() updated = %v, wantUpdated %v", gotUpdated, tt.wantUpdated)
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
index e7a18153..b1053a47 100644
--- a/remediation/workflow/pin/pinactions.go
+++ b/remediation/workflow/pin/pinactions.go
@@ -22,12 +22,12 @@ func PinActions(inputYaml string) (string, bool, error) {
 	out := inputYaml
-	for jobName, job := range workflow.Jobs {
+	for _, job := range workflow.Jobs {
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = pinAction(step.Uses, jobName, out)
+				out, localUpdated = PinAction(step.Uses, out)
 				updated = updated || localUpdated
 			}
 		}
@@ -36,7 +36,7 @@ func PinActions(inputYaml string) (string, bool, error) {
 	return out, updated, nil
 }
-func pinAction(action, jobName, inputYaml string) (string, bool) {
+func PinAction(action, inputYaml string) (string, bool) {
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
diff --git a/remediation/workflow/secureworkflow.go b/remediation/workflow/secureworkflow.go
index 7c2d49c5..d042d881 100644
--- a/remediation/workflow/secureworkflow.go
+++ b/remediation/workflow/secureworkflow.go
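Review bot: The only call in `TestAddAction` now passes `pinActions` as `false`, so the new pin-after-insert path in `AddAction` has no coverage at all, and a regression that leaves the Harden Runner step on its mutable tag would go unnoticed. Add at least one table case that calls `AddAction(string(input), tt.args.action, true)` and checks the inserted `uses:` no longer carries the tag ref; if `PinAction` resolves tags remotely (not visible here) that case needs a stub for the resolver. The test table and the surrounding `t.Run` closure start outside the hunk.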
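Review bot: `PinAction` is now exported and called from another package, but it has no doc comment, and its two silent skip cases (no `@` in the ref, and `docker://` images) are exactly the ones a caller relying on it for a security guarantee needs to know about. Add above the signature: `// PinAction pins the single "uses:" reference action within inputYaml and reports whether inputYaml was changed. References without an "@" and docker:// images are returned untouched, so a false result does not mean the reference is already pinned.` The body of `PinAction` continues past the end of the hunk, so the condition under which it actually rewrites the ref is not visible here.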
@@ -66,10 +66,6 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		addedPermissions = !secureWorkflowReponse.HasErrors
 	}
-	if addHardenRunner {
-		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag)
-	}
-
 	if pinActions {
 		pinnedAction, pinnedDocker := false, false
 		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput)
@@ -77,6 +73,10 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		pinnedActions = pinnedAction || pinnedDocker
 	}
+	if addHardenRunner {
+		secureWorkflowReponse.FinalOutput, addedHardenRunner, _ = hardenrunner.AddAction(secureWorkflowReponse.FinalOutput, HardenRunnerActionPathWithTag, pinActions)
+	}
+
 	// Setting appropriate flags
 	secureWorkflowReponse.PinnedActions = pinnedActions
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
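Review bot: The moved `hardenrunner.AddAction` call now runs after `pinnedActions` has been computed, so whatever pinning `AddAction` does for the Harden Runner step (it receives `pinActions` for that purpose) is never reflected in `secureWorkflowReponse.PinnedActions`, and the error it returns is still discarded with `_`, so a workflow that fails to parse at this stage produces no change and no diagnostic. The ordering is now load-bearing and nothing says so; add above the branch: `// Must stay after PinActions: PinActions only rewrites steps already present, so the Harden Runner step inserted here is pinned by AddAction itself when pinActions is set.` Consider also capturing the error and folding it into `HasErrors` rather than dropping it, as the response already carries that flag. `SecureWorkflow` begins before the first hunk and ends after this one.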