-
Notifications
You must be signed in to change notification settings - Fork 0
119 lines (105 loc) · 3.49 KB
/
pr.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: Pull request
on:
pull_request:
branches:
- main
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 2
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- name: golangci-lint
uses: golangci/golangci-lint-action@v4
with:
version: v1.58.2
test:
name: Unit Test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'
- name: Install dependencies
run: go mod download
- name: Run Tests
run: go test -cover `go list ./... | grep -v 'pkg/client'`
lint-helm:
name: Lint Helm
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: azure/setup-helm@v4
- name: Helm Lint
run: helm lint charts/radix-oauth-guard
integration-test:
name: Integration test
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v4
with:
go-version-file: 'go.mod'
- name: Install dependencies
run: go mod download
- name: Install oauth guard
run: go install .
- uses: actions/github-script@v7
id: get-id-token
with:
script: return await core.getIDToken()
result-encoding: string
- uses: actions/github-script@v7
id: get-invalid-aud-id-token
with:
script: return await core.getIDToken("invalid-audience")
result-encoding: string
- name: Test Auth
env:
LOG_PRETTY: True
LOG_LEVEL: Trace
ISSUER: "https://token.actions.githubusercontent.com"
AUDIENCE: "https://github.com/equinor"
SUBJECTS: repo:equinor/radix-oauth-guard:pull_request,testmultiplesubjects
GH_TOKEN: ${{ steps.get-id-token.outputs.result }}
INVALID_GH_TOKEN: ${{ steps.get-invalid-aud-id-token.outputs.result }}
run: |
function assert() {
local token="${1}"
local expected="${2}"
local msg="${3}"
CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --silent --header "Authorization: Bearer ${token}" http://localhost:8000/auth)
printf "Test: %15s: Result %s == %s: " "${msg}" "${expected}" "${CURL_RESPONSE}"
if [ "${expected}" != "${CURL_RESPONSE}" ]; then
printf "Failed\n\n"
exit 255
fi
printf "OK\n\n"
}
radix-oauth-guard &
GO_PID=$!
sleep 2s
assert "${GH_TOKEN}" "200" "Valid token is OK"
assert "" "401" "No token is unauthorized"
assert "ABCD${GH_TOKEN}" "401" "Invalid token is unauthorized"
assert "${INVALID_GH_TOKEN}" "401" "Wrong Audience is unauthorized"
kill -9 $GO_PID
# Test different subject
SUBJECTS=WRONG_SUBJECT radix-oauth-guard &
GO_PID=$!
sleep 2s
assert "${GH_TOKEN}" "403" "Wrong Subject is Forbidden"
kill -9 $GO_PID
: