
Add flag validation to prevent lambda execution with incorrect settings
agnes-gajda committed Feb 8, 2024
1 parent eafae9a commit fdf4510
Showing 5 changed files with 34 additions and 39 deletions.
40 changes: 11 additions & 29 deletions .github/workflows/release.yml
Expand Up @@ -4,48 +4,30 @@ name: release
on:
push:
tags:
- '*'
- 'v[0-9]+.[0-9]+.[0-9]+*'

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3

- name: Setup go
uses: actions/setup-go@v4
with:
go-version: '1.20.x'

- name: Install staticcheck
run: go install honnef.co/go/tools/cmd/staticcheck@latest

- name: Run staticcheck
run: staticcheck ./...

- name: Run Tests
run: go test -p 1 -cover -race -v ./...
permissions:
contents: write

jobs:
release:
runs-on: ubuntu-latest
needs: [ test ]
steps:
- name: Checkout
uses: actions/checkout@v3

- name: Unshallow
run: git fetch --prune --unshallow
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true

- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: '1.20.x'
go-version: '1.21.x'

- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v4
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
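Review bot: The release job no longer has a test gate: the `test` job (go test -race, staticcheck) and the `needs: [ test ]` edge appear only on the old side of the hunk, so a push of any `v*.*.*` tag now builds and publishes a release without the test suite or static analysis having run in this workflow. If tests are gated elsewhere (for example on pull requests), a comment above `jobs:` such as `# tests run in the CI workflow on PRs; tags are assumed to be cut from a green main` would tell the next reader; otherwise restore the job and the `needs:` edge. The explicit `permissions: contents: write` is a good least-privilege change. For a publishing pipeline, pinning `goreleaser/goreleaser-action@v5` (and the other actions) to a commit SHA instead of a mutable tag would further limit supply-chain exposure.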
11 changes: 11 additions & 0 deletions cmd/root.go
Expand Up @@ -19,6 +19,7 @@ import (
"context"
"fmt"
"os"
"regexp"

"github.com/aws/aws-lambda-go/events"
"github.com/aws/aws-lambda-go/lambda"
Expand Down Expand Up @@ -50,6 +51,16 @@ var rootCmd = &cobra.Command{
Long: `A command line tool to enable you to synchronise your Google
Apps (Google Workspace) users to AWS Single Sign-on (AWS SSO)
Complete documentation is available at https://github.com/awslabs/ssosync`,
PreRun: func(cmd *cobra.Command, args []string) {
awsGroupMatch, flagErr := cmd.Flags().GetString("aws-group-match")
if flagErr != nil {
log.Fatal("flag `aws-group-match` does not exist", flagErr)
}
_, compileErr := regexp.Compile(awsGroupMatch)
if compileErr != nil {
log.Fatalf("invalid aws-group-match flag value %s", awsGroupMatch, compileErr)
}
},
RunE: func(cmd *cobra.Command, args []string) error {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
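Review bot: `log.Fatalf("invalid aws-group-match flag value %s", awsGroupMatch, compileErr)` hands two arguments to a format string with a single verb, so the compile error is rendered as a `%!(EXTRA ...)` artefact and the operator never learns why the pattern was rejected; use `log.Fatalf("invalid aws-group-match flag value %q: %v", awsGroupMatch, compileErr)` (and `%q` makes an empty or whitespace value visible). The preceding `log.Fatal(...)` call has a similar problem: the message and `flagErr` are concatenated without a separator, so `log.Fatalf("reading flag aws-group-match: %v", flagErr)` reads better. go vet's printf check, which `go test` runs by default, is likely to reject the first call. The `rootCmd` literal begins and ends outside the hunk.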
14 changes: 7 additions & 7 deletions internal/fac/extensions.go
Expand Up @@ -10,29 +10,29 @@ import (
log "github.com/sirupsen/logrus"
)

// ErrNoAWSGroups indicates no AWS groups were received.
var ErrNoAWSGroups = errors.New("received no AWS groups")
// NoAWSGroupsErr indicates no AWS groups were received.
var NoAWSGroupsErr = errors.New("received no AWS groups")

// ErrorBadRegex represents a regex compilation error.
type ErrorBadRegex struct {
// BadRegexError represents a regex compilation error.
type BadRegexError struct {
Message string
Err error
}

func (e ErrorBadRegex) Error() string {
func (e BadRegexError) Error() string {
return e.Message
}

// MatchAWSGroups will filter out the AWS groups that don't match the regex.
// Returns an error on failure, a list of AWS groups that match on success.
func MatchAWSGroups(awsGroups []*aws.Group, matchRegex string) ([]*aws.Group, error) {
if len(awsGroups) == 0 {
return nil, ErrNoAWSGroups
return nil, NoAWSGroupsErr
}

awsGroupRegex, err := regexp.Compile(matchRegex)
if err != nil {
return nil, ErrorBadRegex{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
return nil, BadRegexError{Message: fmt.Sprintf("can't compile regex %s", matchRegex), Err: err}
}

matchedGroups := make([]*aws.Group, 0)
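Review bot: The rename of the sentinel error variable goes against Go's naming convention: error variables are `ErrXxx` (the old `ErrNoAWSGroups` was already conventional) while error types take the `XxxError` suffix, so only the `BadRegexError` rename is an improvement and `NoAWSGroupsErr` should stay `ErrNoAWSGroups`; staticcheck's ST1012 check flags exactly this pattern, and the staticcheck step is removed from release.yml in the same commit. While touching `BadRegexError`, consider adding `func (e BadRegexError) Unwrap() error { return e.Err }` so callers can reach the underlying `*syntax.Error` through `errors.As` instead of a type assertion on the struct. `MatchAWSGroups` continues past the end of the hunk.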
6 changes: 3 additions & 3 deletions internal/fac/extensions_test.go
Expand Up @@ -54,19 +54,19 @@ func TestMatchAWSGroups(t *testing.T) {
name: "returns an error when input groups empty",
awsGroupMatch: "aws-group-*",
inputGroups: []*aws.Group{},
expectedErr: ErrNoAWSGroups,
expectedErr: NoAWSGroupsErr,
},
{
name: "returns an error when input groups nil",
awsGroupMatch: "aws-group-*",
inputGroups: []*aws.Group{},
expectedErr: ErrNoAWSGroups,
expectedErr: NoAWSGroupsErr,
},
{
name: "returns an error when regex invalid",
awsGroupMatch: "[^0-1",
inputGroups: []*aws.Group{{DisplayName: "aws-group-A"}},
expectedErr: ErrorBadRegex{
expectedErr: BadRegexError{
Message: "can't compile regex [^0-1",
Err: &syntax.Error{Code: syntax.ErrMissingBracket, Expr: "[^0-1"},
},
2 changes: 2 additions & 0 deletions internal/sync.go
Expand Up @@ -325,6 +325,8 @@ func (s *syncGSuite) SyncGroupsUsers(query, awsGroupMatch string) error {
onlyAWSGroupsFromGoogle, matchErr := fac.MatchAWSGroups(awsGroups, awsGroupMatch)
if err != nil {
log.Errorf("error filtering AWS groups by %s", matchErr)
// Will continue with the full group which will delete the non Google groups.
// This flow is prevented by adding pre-run flag validation.
} else {
awsGroups = onlyAWSGroupsFromGoogle
}
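Review bot: The added comment describes the branch taken when `fac.MatchAWSGroups` fails, but the condition above it tests `err` rather than `matchErr`, so whether that branch runs does not depend on the match result at all; when `err` is nil, a failed match falls into the `else` arm and assigns the nil result to `awsGroups`, silently emptying the group list. The intent looks like `if matchErr != nil {`. `err` is declared outside the hunk, so this is inferred from the visible lines, and the new pre-run validation in cmd/root.go only covers the invalid-regex return, not the other error `MatchAWSGroups` can produce. `SyncGroupsUsers` starts and ends outside the hunk.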
