Remove auth method only used in runner
This commit is contained in:
Henry Mercer
parent
b498c79130
commit
8c8a9b1231
6 changed files with 5 additions and 213 deletions
|
|
@ -1,16 +1,15 @@
|
|||
import * as fs from "fs";
|
||||
import * as os from "os";
|
||||
import path from "path";
|
||||
import * as stream from "stream";
|
||||
|
||||
import * as core from "@actions/core";
|
||||
import * as github from "@actions/github";
|
||||
import test, { ExecutionContext } from "ava";
|
||||
import test from "ava";
|
||||
import * as sinon from "sinon";
|
||||
|
||||
import * as api from "./api-client";
|
||||
import { Config } from "./config-utils";
|
||||
import { getRunnerLogger, Logger } from "./logging";
|
||||
import { getRunnerLogger } from "./logging";
|
||||
import { setupTests } from "./testing-utils";
|
||||
import * as util from "./util";
|
||||
|
||||
|
|
@ -240,65 +239,6 @@ test("getGitHubVersion", async (t) => {
|
|||
t.deepEqual({ type: util.GitHubVariant.DOTCOM }, v3);
|
||||
});
|
||||
|
||||
test("getGitHubAuth", async (t) => {
|
||||
const msgs: string[] = [];
|
||||
const mockLogger = {
|
||||
warning: (msg: string) => msgs.push(msg),
|
||||
} as unknown as Logger;
|
||||
|
||||
// eslint-disable-next-line @typescript-eslint/no-floating-promises
|
||||
t.throwsAsync(async () => util.getGitHubAuth(mockLogger, "abc", true));
|
||||
|
||||
process.env.GITHUB_TOKEN = "123";
|
||||
t.is("123", await util.getGitHubAuth(mockLogger, undefined, undefined));
|
||||
t.is(msgs.length, 0);
|
||||
t.is("abc", await util.getGitHubAuth(mockLogger, "abc", undefined));
|
||||
t.is(msgs.length, 1); // warning expected
|
||||
|
||||
msgs.length = 0;
|
||||
await mockStdInForAuth(t, mockLogger, "def", "def");
|
||||
await mockStdInForAuth(t, mockLogger, "def", "", "def");
|
||||
await mockStdInForAuth(
|
||||
t,
|
||||
mockLogger,
|
||||
"def",
|
||||
"def\n some extra garbage",
|
||||
"ghi"
|
||||
);
|
||||
await mockStdInForAuth(t, mockLogger, "defghi", "def", "ghi\n123");
|
||||
|
||||
await mockStdInForAuthExpectError(t, mockLogger, "");
|
||||
await mockStdInForAuthExpectError(t, mockLogger, "", " ", "abc");
|
||||
await mockStdInForAuthExpectError(
|
||||
t,
|
||||
mockLogger,
|
||||
" def\n some extra garbage",
|
||||
"ghi"
|
||||
);
|
||||
t.is(msgs.length, 0);
|
||||
});
|
||||
|
||||
async function mockStdInForAuth(
|
||||
t: ExecutionContext<any>,
|
||||
mockLogger: Logger,
|
||||
expected: string,
|
||||
...text: string[]
|
||||
) {
|
||||
const stdin = stream.Readable.from(text) as any;
|
||||
t.is(expected, await util.getGitHubAuth(mockLogger, undefined, true, stdin));
|
||||
}
|
||||
|
||||
async function mockStdInForAuthExpectError(
|
||||
t: ExecutionContext<unknown>,
|
||||
mockLogger: Logger,
|
||||
...text: string[]
|
||||
) {
|
||||
const stdin = stream.Readable.from(text) as any;
|
||||
await t.throwsAsync(async () =>
|
||||
util.getGitHubAuth(mockLogger, undefined, true, stdin)
|
||||
);
|
||||
}
|
||||
|
||||
const ML_POWERED_JS_STATUS_TESTS: Array<[string[], string]> = [
|
||||
// If no packs are loaded, status is false.
|
||||
[[], "false"],
|
||||
|
|
|
|||
66
src/util.ts
66
src/util.ts
|
|
@ -1,7 +1,6 @@
|
|||
import * as fs from "fs";
|
||||
import * as os from "os";
|
||||
import * as path from "path";
|
||||
import { Readable } from "stream";
|
||||
import { promisify } from "util";
|
||||
|
||||
import * as core from "@actions/core";
|
||||
|
|
@ -397,71 +396,6 @@ export function apiVersionInRange(
|
|||
return undefined;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retrieves the github auth token for use with the runner. There are
|
||||
* three possible locations for the token:
|
||||
*
|
||||
* 1. from the cli (considered insecure)
|
||||
* 2. from stdin
|
||||
* 3. from the GITHUB_TOKEN environment variable
|
||||
*
|
||||
* If both 1 & 2 are specified, then an error is thrown.
|
||||
* If 1 & 3 or 2 & 3 are specified, then the environment variable is ignored.
|
||||
*
|
||||
* @param githubAuth a github app token or PAT
|
||||
* @param fromStdIn read the github app token or PAT from stdin up to, but excluding the first whitespace
|
||||
* @param readable the readable stream to use for getting the token (defaults to stdin)
|
||||
*
|
||||
* @return a promise resolving to the auth token.
|
||||
*/
|
||||
export async function getGitHubAuth(
|
||||
logger: Logger,
|
||||
githubAuth: string | undefined,
|
||||
fromStdIn: boolean | undefined,
|
||||
readable = process.stdin as Readable
|
||||
): Promise<string> {
|
||||
if (githubAuth && fromStdIn) {
|
||||
throw new Error(
|
||||
"Cannot specify both `--github-auth` and `--github-auth-stdin`. Please use `--github-auth-stdin`, which is more secure."
|
||||
);
|
||||
}
|
||||
|
||||
if (githubAuth) {
|
||||
logger.warning(
|
||||
"Using `--github-auth` via the CLI is insecure. Use `--github-auth-stdin` instead."
|
||||
);
|
||||
return githubAuth;
|
||||
}
|
||||
|
||||
if (fromStdIn) {
|
||||
return new Promise((resolve, reject) => {
|
||||
let token = "";
|
||||
readable.on("data", (data) => {
|
||||
token += data.toString("utf8");
|
||||
});
|
||||
readable.on("end", () => {
|
||||
token = token.split(/\s+/)[0].trim();
|
||||
if (token) {
|
||||
resolve(token);
|
||||
} else {
|
||||
reject(new Error("Standard input is empty"));
|
||||
}
|
||||
});
|
||||
readable.on("error", (err) => {
|
||||
reject(err);
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
if (process.env.GITHUB_TOKEN) {
|
||||
return process.env.GITHUB_TOKEN;
|
||||
}
|
||||
|
||||
throw new Error(
|
||||
"No GitHub authentication token was specified. Please provide a token via the GITHUB_TOKEN environment variable, or by adding the `--github-auth-stdin` flag and passing the token via standard input."
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* This error is used to indicate a runtime failure of an exhaustivity check enforced at compile time.
|
||||
*/
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue