Merge pull request #1400 from step-security/remediation

Update folder structure

Author: varunsh-coder

.github/workflows/test.yml

@@ -38,7 +38,7 @@ jobs:
         with:
           go-version: 1.17
       - name: Run coverage
-        run: go test -race -coverprofile=coverage.txt -covermode=atomic
+        run: go test ./...  -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic
         env:
           PAT: ${{ secrets.GITHUB_TOKEN }}
       - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2

go.mod

@@ -6,6 +6,8 @@ require (
 	github.com/asottile/dockerfile v3.1.0+incompatible
 	github.com/aws/aws-lambda-go v1.30.0
 	github.com/aws/aws-sdk-go v1.43.45
+	github.com/paulvollmer/dependabot-config-go v0.1.1
+	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 )
 
@@ -29,7 +31,6 @@ require (
 	github.com/moby/buildkit v0.10.3 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
-	github.com/paulvollmer/dependabot-config-go v0.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
@@ -38,7 +39,6 @@ require (
 	golang.org/x/sys v0.0.0-20220422013727-9388b58f7150 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
 require (

go.sum

@@ -11,6 +11,11 @@ import (
 	"github.com/aws/aws-lambda-go/lambda"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/dynamodb"
+	"github.com/step-security/secure-workflows/remediation/dependabot"
+	"github.com/step-security/secure-workflows/remediation/docker"
+	"github.com/step-security/secure-workflows/remediation/secrets"
+	"github.com/step-security/secure-workflows/remediation/workflow"
+	"github.com/step-security/secure-workflows/remediation/workflow/permissions"
 )
 
 type Handler struct {
@@ -42,7 +47,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 		if strings.Contains(httpRequest.RawPath, "/secrets") {
 			if httpRequest.RequestContext.HTTP.Method == "GET" {
 				authHeader := httpRequest.Headers["authorization"]
-				githubWorkflowSecrets, err := GetSecrets(httpRequest.QueryStringParameters, authHeader, dynamoDbSvc)
+				githubWorkflowSecrets, err := secrets.GetSecrets(httpRequest.QueryStringParameters, authHeader, dynamoDbSvc)
 				if err != nil {
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusInternalServerError,
@@ -58,7 +63,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 
 			} else if httpRequest.RequestContext.HTTP.Method == "PUT" {
 				authHeader := httpRequest.Headers["authorization"]
-				githubWorkflowSecrets, err := InitSecrets(httpRequest.Body, authHeader, dynamoDbSvc)
+				githubWorkflowSecrets, err := secrets.InitSecrets(httpRequest.Body, authHeader, dynamoDbSvc)
 				if err != nil {
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusInternalServerError,
@@ -73,7 +78,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				}
 
 			} else if httpRequest.RequestContext.HTTP.Method == "POST" {
-				err := SetSecrets(httpRequest.Body, dynamoDbSvc)
+				err := secrets.SetSecrets(httpRequest.Body, dynamoDbSvc)
 				if err != nil {
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusInternalServerError,
@@ -86,7 +91,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				}
 			} else if httpRequest.RequestContext.HTTP.Method == "DELETE" {
 				authHeader := httpRequest.Headers["authorization"]
-				err := DeleteSecrets(authHeader, dynamoDbSvc)
+				err := secrets.DeleteSecrets(authHeader, dynamoDbSvc)
 				if err != nil {
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusInternalServerError,
@@ -107,9 +112,9 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 			// if owner is set, assuming that repo, path are also set
 			// get the workflow using API
 			if _, ok := queryStringParams["owner"]; ok {
-				inputYaml, err = GetGitHubWorkflowContents(httpRequest.QueryStringParameters)
+				inputYaml, err = workflow.GetGitHubWorkflowContents(httpRequest.QueryStringParameters)
 				if err != nil {
-					fixResponse := &SecureWorkflowReponse{WorkflowFetchError: true, HasErrors: true}
+					fixResponse := &permissions.SecureWorkflowReponse{WorkflowFetchError: true, HasErrors: true}
 					output, _ := json.Marshal(fixResponse)
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusOK,
@@ -123,7 +128,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				inputYaml = httpRequest.Body
 			}
 
-			fixResponse, err := SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)
+			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)
 
 			if err != nil {
 				response = events.APIGatewayProxyResponse{
@@ -148,9 +153,9 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 			// if owner is set, assuming that repo, path are also set
 			// get the dockerfile using API
 			if _, ok := queryStringParams["owner"]; ok {
-				dockerFile, err = GetGitHubWorkflowContents(httpRequest.QueryStringParameters)
+				dockerFile, err = workflow.GetGitHubWorkflowContents(httpRequest.QueryStringParameters)
 				if err != nil {
-					fixResponse := &SecureDockerfileResponse{DockerfileFetchError: true}
+					fixResponse := &docker.SecureDockerfileResponse{DockerfileFetchError: true}
 					output, _ := json.Marshal(fixResponse)
 					response = events.APIGatewayProxyResponse{
 						StatusCode: http.StatusOK,
@@ -164,7 +169,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				dockerFile = httpRequest.Body
 			}
 
-			fixResponse, err := SecureDockerFile(dockerFile)
+			fixResponse, err := docker.SecureDockerFile(dockerFile)
 			if err != nil {
 				response = events.APIGatewayProxyResponse{
 					StatusCode: http.StatusInternalServerError,
@@ -186,7 +191,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 			updateDependabotConfigRequest := ""
 			updateDependabotConfigRequest = httpRequest.Body
 
-			fixResponse, err := UpdateDependabotConfig(updateDependabotConfigRequest)
+			fixResponse, err := dependabot.UpdateDependabotConfig(updateDependabotConfigRequest)
 			if err != nil {
 				response = events.APIGatewayProxyResponse{
 					StatusCode: http.StatusInternalServerError,

main.go

@@ -1,4 +1,4 @@
-package main
+package dependabot
 
 import (
 	"bufio"

dependabotconfig.go renamed to remediation/dependabot/dependabotconfig.go

@@ -1,4 +1,4 @@
-package main
+package dependabot
 
 import (
 	"encoding/json"
@@ -10,8 +10,8 @@ import (
 
 func TestConfigDependabotFile(t *testing.T) {
 
-	const inputDirectory = "./testfiles/dependabotfiles/input"
-	const outputDirectory = "./testfiles/dependabotfiles/output"
+	const inputDirectory = "../../testfiles/dependabotfiles/input"
+	const outputDirectory = "../../testfiles/dependabotfiles/output"
 
 	tests := []struct {
 		fileName   string

dependabotconfig_test.go renamed to remediation/dependabot/dependabotconfig_test.go

@@ -1,7 +1,8 @@
-package main
+package docker
 
 import (
 	"fmt"
+	"net/http"
 	"strings"
 
 	"github.com/asottile/dockerfile"
@@ -10,6 +11,8 @@ import (
 	"github.com/google/go-containerregistry/pkg/v1/remote"
 )
 
+var Tr http.RoundTripper = remote.DefaultTransport
+
 type SecureDockerfileResponse struct {
 	OriginalInput        string
 	FinalOutput          string

securedockerfile.go renamed to remediation/docker/securedockerfile.go

@@ -1,4 +1,4 @@
-package main
+package docker
 
 import (
 	"io/ioutil"
@@ -9,12 +9,12 @@ import (
 	"github.com/jarcoal/httpmock"
 )
 
-var resp = httpmock.File("./testfiles/dockerfiles/response.json").String()
+var resp = httpmock.File("../../testfiles/dockerfiles/response.json").String()
 
 func TestSecureDockerFile(t *testing.T) {
 
-	const inputDirectory = "./testfiles/dockerfiles/input"
-	const outputDirectory = "./testfiles/dockerfiles/output"
+	const inputDirectory = "../../testfiles/dockerfiles/input"
+	const outputDirectory = "../../testfiles/dockerfiles/output"
 	// NOTE: http mocking is not working,
 	// need to investigate this issue
 	httpmock.Activate()

securedockerfile_test.go renamed to remediation/docker/securedockerfile_test.go

@@ -1,4 +1,4 @@
-package main
+package secrets
 
 import (
 	"context"

secrets.go renamed to remediation/secrets/secrets.go

@@ -1,4 +1,4 @@
-package main
+package secrets
 
 import (
 	"reflect"

secrets_test.go renamed to remediation/secrets/secrets_test.go

@@ -1,14 +1,21 @@
-package main
+package hardenrunner
 
 import (
 	"fmt"
 	"strings"
 
+	metadata "github.com/step-security/secure-workflows/remediation/workflow/metadata"
+	"github.com/step-security/secure-workflows/remediation/workflow/permissions"
 	"gopkg.in/yaml.v3"
 )
 
+const (
+	HardenRunnerActionPath = "step-security/harden-runner"
+	HardenRunnerActionName = "Harden Runner"
+)
+
 func AddAction(inputYaml, action string) (string, bool, error) {
-	workflow := Workflow{}
+	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
 	if err != nil {
@@ -18,7 +25,7 @@ func AddAction(inputYaml, action string) (string, bool, error) {
 
 	for jobName, job := range workflow.Jobs {
 		// Skip adding action for reusable jobs
-		if IsCallingReusableWorkflow(job) {
+		if metadata.IsCallingReusableWorkflow(job) {
 			continue
 		}
 		alreadyPresent := false
@@ -49,9 +56,9 @@ func addAction(inputYaml, jobName, action string) (string, error) {
 		return "", fmt.Errorf("unable to parse yaml %v", err)
 	}
 
-	jobNode := iterateNode(&t, jobName, "!!map", 0)
+	jobNode := permissions.IterateNode(&t, jobName, "!!map", 0)
 
-	jobNode = iterateNode(&t, "steps", "!!seq", jobNode.Line)
+	jobNode = permissions.IterateNode(&t, "steps", "!!seq", jobNode.Line)
 
 	if jobNode == nil {
 		return "", fmt.Errorf("jobName %s not found in the input yaml", jobName)

addaction.go renamed to remediation/workflow/hardenrunner/addaction.go

@@ -1,4 +1,4 @@
-package main
+package hardenrunner
 
 import (
 	"io/ioutil"
@@ -11,8 +11,8 @@ func TestAddAction(t *testing.T) {
 		inputYaml string
 		action    string
 	}
-	const inputDirectory = "./testfiles/addaction/input"
-	const outputDirectory = "./testfiles/addaction/output"
+	const inputDirectory = "../../../testfiles/addaction/input"
+	const outputDirectory = "../../../testfiles/addaction/output"
 	tests := []struct {
 		name        string
 		args        args

addaction_test.go renamed to remediation/workflow/hardenrunner/addaction_test.go

@@ -1,4 +1,4 @@
-package main
+package workflow
 
 import (
 	"context"
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/google/go-github/v40/github"
+	metadata "github.com/step-security/secure-workflows/remediation/workflow/metadata"
 	"golang.org/x/oauth2"
 )
 
@@ -22,7 +23,7 @@ func CreateIssue(Action string) (int, error) {
 	// is action
 	if len(Action) > 0 {
 		// is kb not found
-		_, err := GetActionKnowledgeBase(Action)
+		_, err := metadata.GetActionKnowledgeBase(Action)
 
 		if err != nil {
 			// does issue already exist?

issue.go renamed to remediation/workflow/issue.go

@@ -1,4 +1,4 @@
-package main
+package workflow
 
 import (
 	"os"

issue_test.go renamed to remediation/workflow/issue_test.go

@@ -1,4 +1,4 @@
-package main
+package workflow
 
 import (
 	"strings"

metadata.go renamed to remediation/workflow/metadata.go

@@ -1,4 +1,4 @@
-package main
+package metadata
 
 import (
 	"errors"
@@ -156,11 +156,10 @@ func (p *Permissions) UnmarshalYAML(unmarshal func(interface{}) error) error {
 
 func GetActionKnowledgeBase(action string) (*ActionMetadata, error) {
 	kbFolder := os.Getenv("KBFolder")
-
 	// converting actionKey to lowercase to fix ISSUE#286
 	action = strings.ToLower(action)
 	if kbFolder == "" {
-		kbFolder = "knowledge-base/actions"
+		kbFolder = "../../knowledge-base/actions"
 	}
 
 	input, err := ioutil.ReadFile(path.Join(kbFolder, action, "action-security.yml"))

actionmetadata.go renamed to remediation/workflow/metadata/actionmetadata.go

@@ -1,4 +1,4 @@
-package main
+package metadata
 
 import (
 	"context"
@@ -20,7 +20,7 @@ func TestKnowledgeBase(t *testing.T) {
 	kbFolder := os.Getenv("KBFolder")
 
 	if kbFolder == "" {
-		kbFolder = "knowledge-base/actions"
+		kbFolder = "../../../knowledge-base/actions"
 	}
 
 	lintIssues := []string{}
@@ -181,8 +181,8 @@ func TestKnowledgeBase(t *testing.T) {
 
 func doesActionRepoExist(filePath string) bool {
 	splitOnSlash := strings.Split(filePath, "/")
-	owner := splitOnSlash[2]
-	repo := splitOnSlash[3]
+	owner := splitOnSlash[5]
+	repo := splitOnSlash[6]
 
 	PAT := os.Getenv("PAT")
 	if len(PAT) == 0 {
@@ -207,13 +207,13 @@ func doesActionRepoExist(filePath string) bool {
 	ref.Ref = *branch
 
 	// does the path to folder is correct for action repository
-	if len(splitOnSlash) > 5 {
-		folder := strings.Join(splitOnSlash[4:len(splitOnSlash)-1], "/")
+	if len(splitOnSlash) > 8 {
+		folder := strings.Join(splitOnSlash[7:len(splitOnSlash)-1], "/")
 		folder += "/action.yml"
 		_, _, _, err = client.Repositories.GetContents(context.Background(), owner, repo, folder, &ref)
 
 		if err != nil {
-			folder := strings.Join(splitOnSlash[4:len(splitOnSlash)-1], "/")
+			folder := strings.Join(splitOnSlash[7:len(splitOnSlash)-1], "/")
 			folder += "/action.yaml" // try out .yaml extension as well
 			_, _, _, err = client.Repositories.GetContents(context.Background(), owner, repo, folder, &ref)
 

actionmetadata_test.go renamed to remediation/workflow/metadata/actionmetadata_test.go

@@ -1,11 +1,12 @@
-package main
+package workflow
 
 import (
 	"io/ioutil"
 
 	"github.com/aws/aws-sdk-go/service/dynamodb"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbattribute"
 	"github.com/aws/aws-sdk-go/service/dynamodb/dynamodbiface"
+	metadata "github.com/step-security/secure-workflows/remediation/workflow/metadata"
 	"gopkg.in/yaml.v3"
 )
 
@@ -21,13 +22,13 @@ func (m *mockDynamoDBClient) PutItem(input *dynamodb.PutItemInput) (*dynamodb.Pu
 
 func (m *mockDynamoDBClient) Scan(input *dynamodb.ScanInput) (*dynamodb.ScanOutput, error) {
 
-	actionPermissionsYaml, err := ioutil.ReadFile("./testfiles/action-permissions.yml")
+	actionPermissionsYaml, err := ioutil.ReadFile("../../testfiles/action-permissions.yml")
 
 	if err != nil {
 		return nil, err
 	}
 
-	actionPermissions := ActionPermissions{}
+	actionPermissions := metadata.ActionPermissions{}
 
 	err = yaml.Unmarshal(actionPermissionsYaml, &actionPermissions)