Address review comments.

stackrox · Nov 2, 2023 · ed15d99 · ed15d99
1 parent e283e14
commit ed15d99
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 34 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,9 @@
 
 Configure your Central login credentials for use in other GitHub Actions.
 
-This action obtains an access token to a RedHat ACS Central instance and configures environment variables for your
+This action obtains an access token to
+a [Red Hat Advanced Cluster Security (ACS)](https://www.redhat.com/en/technologies/cloud-computing/openshift/advanced-cluster-security-kubernetes)
+Central instance and configures environment variables for your
 other actions to use.
 
 This is as simple as adding the following step to your workflow:
@@ -26,7 +28,8 @@ This is as simple as adding the following step to your workflow:
 It is currently only supported to retrieve credentials by
 using [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers).
 
-With GitHub's OIDC provider, this action will be issued with an ID token unique to this workflow run, which will then
+With [GitHub's OIDC provider](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers),
+this action will be issued with an ID token unique to this workflow run, which will then
 be exchanged for a ACS Central access token.
 
 For creating the ID
@@ -45,10 +48,10 @@ originating from GitHub Action workflow runs.
 At the current time, this only works via API, see the sample configuration below:
 
 ```bash
-curl -X POST \
+curl \
   https://<central-endpoint>/v1/auth/m2m \
-  -d \
-  '{
+  -d  @- << EOF
+  {
     "config": {
       "type": "GITHUB_ACTIONS",
       "tokenExpirationDuration": "5m", // This can be used to specify the expiration of the exchanged access token.
@@ -60,7 +63,8 @@ curl -X POST \
         }
       ],
     }
-  }'
+  }
+  EOF
 ```
 
 **Recommendations**

diff --git a/action.yml b/action.yml
@@ -1,5 +1,5 @@
 name: 'central-login'
-description: A GitHub Action to configure login credentials for a RHACS Central instance for use in subsequent steps
+description: A GitHub Action to configure login credentials for an ACS Central instance for use in subsequent steps
 inputs:
   endpoint:
     required: true

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "central-login",
   "version": "1.0.0",
-  "description": "A GitHub Action to configure login credentials for a RHACS Central instance",
+  "description": "A GitHub Action to configure login credentials for an ACS Central instance",
   "main": "src/main.ts",
   "scripts": {
     "build": "tsc",

diff --git a/src/main.ts b/src/main.ts
@@ -3,40 +3,21 @@ import axios, {isAxiosError} from 'axios'
 import * as https from 'https'
 
 async function run(): Promise<void> {
+  // Input from the GitHub Action.
+  // Currently only supports the endpoint as well as whether to skip TLS verification.
+  const endpoint: string = core.getInput('endpoint', {required: true})
+  const parsedURL = new URL(`${endpoint}/v1/auth/m2m/exchange`)
+  const skipTLSVerify = Boolean(core.getInput('skip-tls-verify'))
   try {
-    // Input from the GitHub Action.
-    // Currently only supports the endpoint as well as whether to skip TLS verification.
-    const endpoint: string = core.getInput('endpoint', {required: true})
-    const parsedURL = new URL(`${endpoint}/v1/auth/m2m/exchange`)
-    const skipTLSVerify = Boolean(core.getInput('skip-tls-verify'))
-    const agent = new https.Agent({rejectUnauthorized: !skipTLSVerify})
-
     core.info(`Attempting to obtain an access token for Central ${endpoint}...`)
 
-    // Retrieve an ID token from GitHub's OIDC.
-    const idToken: string = await core.getIDToken()
-
-    // Exchange the ID token from GitHub for a Rox token for Central access.
-    const exchangeTokenRequest = {
-      id_token: idToken
-    }
-    const response = await axios.post(
-      parsedURL.toString(),
-      JSON.stringify(exchangeTokenRequest),
-      {httpsAgent: agent}
-    )
-
-    core.info(
-      `Received status ${
-        response.status
-      } from endpoint ${parsedURL.toString()}: ${JSON.stringify(response.data)}`
-    )
+    const accessToken = await obtainAccessToken(parsedURL, skipTLSVerify)
 
     core.info(`Successfully obtained an access token for central ${endpoint}!`)
 
     // Expose the API token we received from Central as environment variable for other jobs to use.
     // Mark this environment variable as secret, so it will be obfuscated in output.
-    core.exportVariable('ROX_API_TOKEN', response.data['accessToken'])
+    core.exportVariable('ROX_API_TOKEN', accessToken)
     core.setSecret('ROX_API_TOKEN')
 
     // Additionally, also set the Central API endpoint as environment variable for other jobs to use.
@@ -59,4 +40,32 @@ async function run(): Promise<void> {
   }
 }
 
+async function obtainAccessToken(
+  endpoint: URL,
+  skipTLSVerify: boolean
+): Promise<string> {
+  const agent = new https.Agent({rejectUnauthorized: !skipTLSVerify})
+
+  // Retrieve an ID token from GitHub's OIDC.
+  const idToken: string = await core.getIDToken()
+
+  // Exchange the ID token from GitHub for a Rox token for Central access.
+  const exchangeTokenRequest = {
+    id_token: idToken
+  }
+  const response = await axios.post(
+    endpoint.toString(),
+    JSON.stringify(exchangeTokenRequest),
+    {httpsAgent: agent}
+  )
+
+  core.info(
+    `Received status ${
+      response.status
+    } from endpoint ${endpoint.toString()}: ${JSON.stringify(response.data)}`
+  )
+
+  return response.data['accessToken']
+}
+
 run()