From fdf45108682b61bf2324730aad3a13891339df79 Mon Sep 17 00:00:00 2001
From: AgnesG
Date: Thu, 8 Feb 2024 11:21:25 +0000
Subject: [PATCH] Add flag validation to prevent lambda execution with incorrect settings

---
 .github/workflows/release.yml | 40 +++++++++------------------------
 cmd/root.go | 11 +++++++++
 internal/fac/extensions.go | 14 ++++++------
 internal/fac/extensions_test.go | 6 ++---
 internal/sync.go | 2 ++
 5 files changed, 34 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d16140be..ec97d4e7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,48 +4,30 @@ name: release on: push: tags: - - '*' + - 'v[0-9]+.[0-9]+.[0-9]+*' -jobs: - test: - runs-on: ubuntu-latest - steps: - - name: Check out code into the Go module directory - uses: actions/checkout@v3 - - - name: Setup go - uses: actions/setup-go@v4 - with: - go-version: '1.20.x' - - - name: Install staticcheck - run: go install honnef.co/go/tools/cmd/staticcheck@latest - - - name: Run staticcheck - run: staticcheck ./... - - - name: Run Tests - run: go test -p 1 -cover -race -v ./... +permissions: + contents: write +jobs: release: runs-on: ubuntu-latest - needs: [ test ] steps: - name: Checkout - uses: actions/checkout@v3 - - - name: Unshallow - run: git fetch --prune --unshallow + uses: actions/checkout@v4 + with: + fetch-depth: 0 + fetch-tags: true - name: Set up Go uses: actions/setup-go@v4 with: - go-version: '1.20.x' + go-version: '1.21.x' - name: Run GoReleaser - uses: goreleaser/goreleaser-action@v4 + uses: goreleaser/goreleaser-action@v5 with: version: latest - args: release --rm-dist + args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/cmd/root.go b/cmd/root.go
index 8139d360..c63b2874 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -19,6 +19,7 @@ import (
 "context"
 "fmt"
 "os"
+ "regexp"
 "github.com/aws/aws-lambda-go/events"
 "github.com/aws/aws-lambda-go/lambda"
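Review bot: The `release` job no longer depends on a test job — `needs: [ test ]` and the whole `test` job (staticcheck plus `go test -p 1 -cover -race -v ./...`) are removed in this hunk, so a matching tag push now builds and publishes a release without any test or static-analysis gate. Unless those steps were moved to a separate workflow outside this patch, this drops the check that would likely have caught the printf argument mismatch this same commit introduces in cmd/root.go (`go test` runs the vet printf check by default). If the goal is a leaner release pipeline, keep a minimal `test` job and restore `needs: [ test ]` on `release` rather than dropping the gate. The explicit `permissions: contents: write` is the right scope for GoReleaser to publish and is better than relying on the inherited default.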
@@ -50,6 +51,16 @@ var rootCmd = &cobra.Command{
 Long: `A command line tool to enable you to synchronise your Google Apps (Google Workspace) users to AWS Single Sign-on (AWS SSO) Complete documentation is available at https://github.com/awslabs/ssosync`,
+ PreRun: func(cmd *cobra.Command, args []string) {
+ awsGroupMatch, flagErr := cmd.Flags().GetString("aws-group-match")
+ if flagErr != nil {
+ log.Fatal("flag `aws-group-match` does not exist", flagErr)
+ }
+ _, compileErr := regexp.Compile(awsGroupMatch)
+ if compileErr != nil {
+ log.Fatalf("invalid aws-group-match flag value %s", awsGroupMatch, compileErr)
+ }
+ },
 RunE: func(cmd *cobra.Command, args []string) error {
 ctx, cancel := context.WithCancel(context.Background())
 defer cancel()
diff --git a/internal/fac/extensions.go b/internal/fac/extensions.go
index 10626530..cf245916 100644
--- a/internal/fac/extensions.go
+++ b/internal/fac/extensions.go
@@ -10,16 +10,16 @@ import (
 log "github.com/sirupsen/logrus"
 )
-// ErrNoAWSGroups indicates no AWS groups were received.
-var ErrNoAWSGroups = errors.New("received no AWS groups")
+// NoAWSGroupsErr indicates no AWS groups were received.
+var NoAWSGroupsErr = errors.New("received no AWS groups")
-// ErrorBadRegex represents a regex compilation error.
-type ErrorBadRegex struct {
+// BadRegexError represents a regex compilation error.
+type BadRegexError struct {
 Message string
 Err error
 }
-func (e ErrorBadRegex) Error() string {
+func (e BadRegexError) Error() string {
 return e.Message
 }
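Review bot: The `log.Fatalf` in the new PreRun passes two arguments to a format string with a single `%s` verb, so the compile error is emitted as a `%!(EXTRA ...)` suffix and `go vet` flags the call; `log.Fatalf("invalid aws-group-match flag value %q: %v", awsGroupMatch, compileErr)` fixes both. The `log.Fatal("flag `aws-group-match` does not exist", flagErr)` above it has a milder form of the same issue — Sprint-style concatenation puts no space between the message and the error — so `log.Fatalf("flag aws-group-match does not exist: %v", flagErr)` reads better. cobra also provides `PreRunE`, which would let this validation return an error through the normal command path instead of calling `os.Exit` from inside a hook, and makes it testable. Note that this validates only the parsed flag value; if the Lambda path populates this setting later from another source (the RunE body is outside the hunk), the effective value is not the one checked here — worth confirming.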
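Review bot: Renaming `ErrNoAWSGroups` to `NoAWSGroupsErr` reverses the Go convention for sentinel error variables, which is the `Err` prefix (`ErrNotFound`), and staticcheck's ST1012 reports exactly this pattern; the `ErrorBadRegex` → `BadRegexError` half of the rename is the conventional direction for error types, so only the variable rename should be reverted. Separately, `BadRegexError` keeps the underlying cause in `Err` but `Error()` returns only `Message` and there is no `Unwrap`, so callers cannot reach the `regexp/syntax` error with `errors.As`. Adding `func (e BadRegexError) Unwrap() error { return e.Err }` keeps the message unchanged and makes the cause reachable.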
@@ -27,12 +27,12 @@ func (e ErrorBadRegex) Error() string {
 // Returns an error on failure, a list of AWS groups that match on success.
 func MatchAWSGroups(awsGroups []*aws.Group, matchRegex string) ([]*aws.Group, error) {
 if len(awsGroups) == 0 {
- return nil, ErrNoAWSGroups
+ return nil, NoAWSGroupsErr
 }
 awsGroupRegex, err := regexp.Compile(matchRegex)
 if err != nil {
- return nil, ErrorBadRegex{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
+ return nil, BadRegexError{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
 }
 matchedGroups := make([]*aws.Group, 0)
diff --git a/internal/fac/extensions_test.go b/internal/fac/extensions_test.go
index 16f5ab24..29d17057 100644
--- a/internal/fac/extensions_test.go
+++ b/internal/fac/extensions_test.go
@@ -54,19 +54,19 @@ func TestMatchAWSGroups(t *testing.T) {
 name: "returns an error when input groups empty",
 awsGroupMatch: "aws-group-*",
 inputGroups: []*aws.Group{},
- expectedErr: ErrNoAWSGroups,
+ expectedErr: NoAWSGroupsErr,
 },
 {
 name: "returns an error when input groups nil",
 awsGroupMatch: "aws-group-*",
 inputGroups: []*aws.Group{},
- expectedErr: ErrNoAWSGroups,
+ expectedErr: NoAWSGroupsErr,
 },
 {
 name: "returns an error when regex invalid",
 awsGroupMatch: "[^0-1",
 inputGroups: []*aws.Group{{DisplayName: "aws-group-A"}},
- expectedErr: ErrorBadRegex{
+ expectedErr: BadRegexError{
 Message: "can't compile regex [^0-1",
 Err: &syntax.Error{Code: syntax.ErrMissingBracket, Expr: "[^0-1"},
 },
diff --git a/internal/sync.go b/internal/sync.go
index 23a6a22f..f2218126 100644
--- a/internal/sync.go
+++ b/internal/sync.go
@@ -325,6 +325,8 @@ func (s *syncGSuite) SyncGroupsUsers(query, awsGroupMatch string) error {
 onlyAWSGroupsFromGoogle, matchErr := fac.MatchAWSGroups(awsGroups, awsGroupMatch)
 if err != nil {
 log.Errorf("error filtering AWS groups by %s", matchErr)
+ // Will continue with the full group which will delete the non Google groups.
+ // This flow is prevented by adding pre-run flag validation.
 } else {
 awsGroups = onlyAWSGroupsFromGoogle
 }
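Review bot: The condition guarding the added comment tests `err`, not `matchErr`: `matchErr` is assigned on the line above, but the branch that logs it checks a different variable declared outside the hunk, so a filter failure is only noticed if that other `err` happens to be non-nil, and otherwise the `else` branch assigns the nil result to `awsGroups`. The new comment describes continuing with the full group list, which is not what the visible code does on a match error; the condition should read `if matchErr != nil {`. Continuing with an unfiltered group set after a filter error is also a fail-open path — the comment itself says it leads to deleting the non-Google groups — so returning the error is the safer default: `log.Errorf("filtering AWS groups by %q: %v", awsGroupMatch, matchErr)` followed by `return matchErr` (the function returns `error`). The pre-run validation the comment relies on checks the CLI flag only; whether the same value is validated on the Lambda path cannot be told from this hunk. SyncGroupsUsers starts and ends outside the hunk.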