Merge pull request #376 from step-security/rc-7

Release 2.7.0

.github/workflows/canary.yml

@@ -41,3 +41,9 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+    - name: Canary TLS test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true

.github/workflows/recurring-int-tests.yml

@@ -22,3 +22,18 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+  int-tls-tests:
+    name: int tls tests
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - name: Canary test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true

action.yml

@@ -33,7 +33,7 @@ branding:
   icon: "check-square"
   color: "green"
 runs:
-  using: "node16"
+  using: "node20"
   pre: "dist/pre/index.js"
   main: "dist/index.js"
   post: "dist/post/index.js"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "step-security-harden-runner",
-  "version": "2.6.1",
+  "version": "2.7.0",
   "description": "Security agent for GitHub-hosted runner: block egress traffic & detect code overwrite to prevent breaches",
   "main": "index.js",
   "scripts": {

src/checksum.ts

@@ -2,16 +2,21 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
 
-export function verifyChecksum(downloadPath: string) {
+export function verifyChecksum(downloadPath: string, is_tls: boolean) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
     .createHash("sha256")
     .update(fileBuffer)
     .digest("hex"); // checksum of downloaded file
 
-  const expectedChecksum: string =
+  let expectedChecksum: string =
     "ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
 
+  if (is_tls) {
+    expectedChecksum =
+      "204c82116e8c0eebf5409bb2b81aa5d96fe32f0c5abc1cb0364ee70937c32056"; // checksum for tls_agent
+  }
+
   if (checksum !== expectedChecksum) {
     core.setFailed(
       `Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`

src/configs.ts

@@ -0,0 +1,5 @@
+export const STEPSECURITY_ENV = "agent"; // agent or int
+
+export const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+
+export const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";

src/interfaces.ts

@@ -9,6 +9,7 @@ export interface Configuration {
   disable_telemetry: boolean;
   disable_sudo: boolean;
   disable_file_monitoring: boolean;
+  is_github_hosted: boolean;
   private: string;
 }
 

src/policy-utils.test.ts

@@ -1,6 +1,7 @@
 import nock from "nock";
-import { API_ENDPOINT, fetchPolicy, mergeConfigs } from "./policy-utils";
+import { fetchPolicy, mergeConfigs } from "./policy-utils";
 import { Configuration, PolicyResponse } from "./interfaces";
+import { STEPSECURITY_API_URL } from "./configs";
 
 test("success: fetching policy", async () => {
   let owner = "h0x0er";
@@ -14,7 +15,7 @@ test("success: fetching policy", async () => {
     disable_sudo: false,
     disable_file_monitoring: false,
   };
-  const policyScope = nock(`${API_ENDPOINT}`)
+  const policyScope = nock(`${STEPSECURITY_API_URL}`)
     .get(`/github/${owner}/actions/policies/${policyName}`)
     .reply(200, response);
 
@@ -37,6 +38,7 @@ test("merge configs", async () => {
     disable_sudo: false,
     disable_file_monitoring: false,
     private: "true",
+    is_github_hosted: true,
   };
   let policyResponse: PolicyResponse = {
     owner: "h0x0er",
@@ -60,6 +62,7 @@ test("merge configs", async () => {
     disable_sudo: false,
     disable_file_monitoring: false,
     private: "true",
+    is_github_hosted: true,
   };
 
   localConfig = mergeConfigs(localConfig, policyResponse);

src/policy-utils.ts

@@ -1,19 +1,17 @@
 import { HttpClient } from "@actions/http-client";
 import { PolicyResponse, Configuration } from "./interfaces";
-
-export const API_ENDPOINT = "https://agent.api.stepsecurity.io/v1";
+import { STEPSECURITY_API_URL } from "./configs";
 
 export async function fetchPolicy(
   owner: string,
   policyName: string,
   idToken: string
 ): Promise<PolicyResponse> {
-
   if (idToken === "") {
     throw new Error("[PolicyFetch]: id-token in empty");
   }
 
-  let policyEndpoint = `${API_ENDPOINT}/github/${owner}/actions/policies/${policyName}`;
+  let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
 
   let httpClient = new HttpClient();
 
@@ -25,24 +23,24 @@ export async function fetchPolicy(
   let err = undefined;
 
   let retry = 0;
-  while(retry < 3){
-    try{
-      console.log(`Attempt: ${retry+1}`)
+  while (retry < 3) {
+    try {
+      console.log(`Attempt: ${retry + 1}`);
       response = await httpClient.getJson<PolicyResponse>(
         policyEndpoint,
         headers
       );
       break;
-    }catch(e){
-      err = e
+    } catch (e) {
+      err = e;
     }
-    retry += 1
+    retry += 1;
     await sleep(1000);
   }
 
-  if(response === undefined && err !== undefined){
-    throw new Error(`[Policy Fetch] ${err}`)
-  }else{
+  if (response === undefined && err !== undefined) {
+    throw new Error(`[Policy Fetch] ${err}`);
+  } else {
     return response.result;
   }
 }