chore: Refactor login/logout actions

fortify · May 31, 2024 · eb1d7b5 · eb1d7b5
1 parent d2fc8ae
commit eb1d7b5
Show file tree

Hide file tree

Showing 11 changed files with 93 additions and 159 deletions.
diff --git a/internal/fod-login/action.yml b/internal/fod-login/action.yml
@@ -1,30 +1,18 @@
 name: 'Run "fcli fod session login" command'
-description: 'Run "fcli fod session login" command based on environment variables'
+description: 'Run "fcli fod session login" command based on environment variables, auto-logout on job termination'
 author: 'Fortify'
 runs:
   using: composite
   steps:
-    # Define login options
-    - run: |
-        if [ -z "$FOD_URL" ]; then
-          echo "ERROR: FOD_URL environment variable must be set"; exit 1;
-        fi
-        if [ -n "${FOD_CLIENT_ID}" -a -n "${FOD_CLIENT_SECRET}" ]; then
-          echo '_FOD_LOGIN_OPTS=--url "${FOD_URL}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}" ${EXTRA_FOD_LOGIN_OPTS}' >> $GITHUB_ENV
-        elif [ -n "${FOD_USER}" -a -n "${FOD_PASSWORD}" -a -n "${FOD_TENANT}" ]; then
-          echo '_FOD_LOGIN_OPTS=--url "${FOD_URL}" -t "${FOD_TENANT}" -u "${FOD_USER}" -p "${FOD_PASSWORD}" ${EXTRA_FOD_LOGIN_OPTS}' >> $GITHUB_ENV
-        else
-          echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"; exit 1;
-        fi
-      shell: bash
-    # Run fcli login command; note that the calling action/workflow is responsible for installing fcli
-    - uses: fortify/github-action/internal/[email protected]
+    # If not run before: check preconditions, run fcli login command, and run 
+    # post-job fcli logout command.
+    # Note that the calling action/workflow is responsible for installing fcli
+    - uses: fortify/github-action/internal/[email protected]
+      if: ${{ !env._FOD_LOGGED_IN }}
       with:
-        cmd: '"${FCLI_CMD}" fod session login ${_FOD_LOGIN_OPTS}'  
-    # Clean up temporary environment variables
-    - run: |
-        echo '_FOD_LOGIN_OPTS=""' >> $GITHUB_ENV
-      shell: bash      
+        script: ${{ github.action_path }}/login.sh
+        post: ${{ github.action_path }}/logout.sh
+
 branding:
   icon: 'shield'
   color: 'blue'

diff --git a/internal/fod-login/login.sh b/internal/fod-login/login.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+if [ -z "$FOD_URL" ]; then
+  echo "ERROR: FOD_URL environment variable must be set"; exit 1;
+fi
+if [ -n "${FOD_CLIENT_ID}" -a -n "${FOD_CLIENT_SECRET}" ]; then
+  _FOD_LOGIN_OPTS=--url "${FOD_URL}" --client-id "${FOD_CLIENT_ID}" --client-secret "${FOD_CLIENT_SECRET}"
+elif [ -n "${FOD_USER}" -a -n "${FOD_PASSWORD}" -a -n "${FOD_TENANT}" ]; then
+  _FOD_LOGIN_OPTS=--url "${FOD_URL}" -t "${FOD_TENANT}" -u "${FOD_USER}" -p "${FOD_PASSWORD}"
+else
+  echo "ERROR: Either FOD_CLIENT_ID and FOD_CLIENT_SECRET, or FOD_TENANT, FOD_USER and FOD_PASSWORD environment variables must be set"
+  exit 1;
+fi
+${FCLI_CMD} fod session login ${_FOD_LOGIN_OPTS} ${EXTRA_FOD_LOGIN_OPTS}
+echo '_FOD_LOGGED_IN=true' >> $GITHUB_ENV 
diff --git a/internal/fod-login/logout.sh b/internal/fod-login/logout.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+if [[ "${_FOD_LOGGED_IN}" == "true" ]]; then
+  echo '_FOD_LOGGED_IN=false' >> $GITHUB_ENV
+  ${FCLI_CMD} fod session logout
+fi
diff --git a/internal/fod-logout/action.yml b/internal/fod-logout/action.yml
diff --git a/internal/run-script/action.yml b/internal/run-script/action.yml
@@ -0,0 +1,20 @@
+name: Run a script with optional post-job cleanup
+
+description: 'Action to execute a bash script, optionally executing another script on job completion.'
+
+inputs:
+  script:
+    description: 'Script to run'
+    required: true
+  post:
+    description: 'Script to run on job completion'
+    required: false
+  key:
+    description: 'Name of the state variable used to detect the post step.'
+    required: false
+    default: POST
+
+runs:
+  using: 'node20'
+  main: 'main.js'
+  post: 'main.js'
diff --git a/internal/run-script/main.js b/internal/run-script/main.js
@@ -0,0 +1,21 @@
+const { spawn } = require("child_process");
+const { appendFileSync } = require("fs");
+const { EOL } = require("os");
+
+function run(script) {
+  if ( script ) {
+      const subprocess = spawn(`bash -c ${script}`, { stdio: "inherit", shell: true });
+      subprocess.on("exit", (exitCode) => {
+        process.exitCode = exitCode;
+      });
+  }
+}
+
+const key = process.env.INPUT_KEY.toUpperCase();
+
+if ( process.env[`STATE_${key}`] !== undefined ) { // Are we in the 'post' step?
+  run(process.env.INPUT_POST);
+} else { // Otherwise, this is the main step
+  appendFileSync(process.env.GITHUB_STATE, `${key}=true${EOL}`);
+  run(process.env.INPUT_MAIN);
+}
diff --git a/internal/with-post-step/package-lock.json → internal/run-script/package-lock.json b/internal/with-post-step/package-lock.json → internal/run-script/package-lock.json
diff --git a/internal/sc-sast-login/action.yml b/internal/sc-sast-login/action.yml
@@ -7,27 +7,31 @@ runs:
     # TODO If we wait for scan completion, potentially we could generate a CIToken if 
     #      SSC_USER and SSC_PASSWORD have been set, and then revoke the token once the
     #      scan has been successfully processed on SSC.
-    # Define login options
-    - run: |
-        if [ -z "$SSC_URL" ]; then
-          echo "ERROR: SSC_URL environment variable must be set"; exit 1;
-        fi
-        if [ -z "$SC_SAST_TOKEN" ]; then
-          echo "ERROR: SC_SAST_TOKEN environment variable must be set"; exit 1;
-        fi
-        if [ -z "SSC_TOKEN" ]; then
-          echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
-        fi
-        echo '_SC_SAST_LOGIN_OPTS=--ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}' >> $GITHUB_ENV
-      shell: bash
-    # Run fcli login command; note that the calling action/workflow is responsible for installing fcli
-    - uses: fortify/github-action/internal/[email protected]
+
+    # If not run before: check preconditions, run fcli login command, and run 
+    # post-job fcli logout command.
+    # Note that the calling action/workflow is responsible for installing fcli
+    - uses: fortify/github-action/internal/[email protected]
+      if: ${{ !env._SC_SAST_LOGGED_IN }
       with:
-        cmd: '"${FCLI_CMD}" sc-sast session login ${_SC_SAST_LOGIN_OPTS}' 
-    # Clean up temporary environment variables
-    - run: |
-        echo '_SC_SAST_LOGIN_OPTS=""' >> $GITHUB_ENV
-      shell: bash              
+        main: |
+          if [ -z "$SSC_URL" ]; then
+            echo "ERROR: SSC_URL environment variable must be set"; exit 1;
+          fi
+          if [ -z "$SC_SAST_TOKEN" ]; then
+            echo "ERROR: SC_SAST_TOKEN environment variable must be set"; exit 1;
+          fi
+          if [ -z "SSC_TOKEN" ]; then
+            echo "ERROR: SSC_TOKEN environment variable must be set"; exit 1;
+          fi
+          "${FCLI_CMD}" sc-sast session login --ssc-url "${SSC_URL}" -t "${SSC_TOKEN}" -c "${SC_SAST_TOKEN}" ${EXTRA_SC_SAST_LOGIN_OPTS}
+          echo '_SC_SAST_LOGGED_IN=true' >> $GITHUB_ENV 
+        post: |
+          if [[] "${_SC_SAST_LOGGED_IN}" == "true" ]; then
+            echo '_SC_SAST_LOGGED_IN=false' >> $GITHUB_ENV
+            "${FCLI_CMD}" sc-sast session logout --no-revoke-token
+          fi
+            
 branding:
   icon: 'shield'
   color: 'blue'

diff --git a/internal/sc-sast-logout/action.yml b/internal/sc-sast-logout/action.yml
diff --git a/internal/with-post-step/action.yml b/internal/with-post-step/action.yml
diff --git a/internal/with-post-step/main.js b/internal/with-post-step/main.js