Add tls-inspection capability (#368)

step-security · Jan 29, 2024 · 4a63cda · 4a63cda
1 parent dece111
commit 4a63cda
Show file tree

Hide file tree

Showing 12 changed files with 264 additions and 74 deletions.
diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml
@@ -41,3 +41,9 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+    - name: Canary TLS test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true
diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml
@@ -22,3 +22,18 @@ jobs:
       env:
         PAT: ${{ secrets.PAT }}
         canary: true
+
+  int-tls-tests:
+    name: int tls tests
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - name: Canary test
+      uses: docker://ghcr.io/step-security/integration-test/int:latest
+      env:
+        PAT: ${{ secrets.PAT }}
+        canary-tls: true
diff --git a/dist/pre/index.js b/dist/pre/index.js
diff --git a/dist/pre/index.js.map b/dist/pre/index.js.map
diff --git a/src/checksum.ts b/src/checksum.ts
@@ -2,16 +2,21 @@ import * as core from "@actions/core";
 import * as crypto from "crypto";
 import * as fs from "fs";
 
-export function verifyChecksum(downloadPath: string) {
+export function verifyChecksum(downloadPath: string, is_tls: boolean) {
   const fileBuffer: Buffer = fs.readFileSync(downloadPath);
   const checksum: string = crypto
     .createHash("sha256")
     .update(fileBuffer)
     .digest("hex"); // checksum of downloaded file
 
-  const expectedChecksum: string =
+  let expectedChecksum: string =
     "ceb925c78e5c79af4f344f08f59bbdcf3376d20d15930a315f9b24b6c4d0328a"; // checksum for v0.13.5
 
+  if (is_tls) {
+    expectedChecksum =
+      "204c82116e8c0eebf5409bb2b81aa5d96fe32f0c5abc1cb0364ee70937c32056"; // checksum for tls_agent
+  }
+
   if (checksum !== expectedChecksum) {
     core.setFailed(
       `Checksum verification failed, expected ${expectedChecksum} instead got ${checksum}`

diff --git a/src/configs.ts b/src/configs.ts
@@ -0,0 +1,5 @@
+export const STEPSECURITY_ENV = "agent"; // agent or int
+
+export const STEPSECURITY_API_URL = `https://${STEPSECURITY_ENV}.api.stepsecurity.io/v1`;
+
+export const STEPSECURITY_WEB_URL = "https://app.stepsecurity.io";
diff --git a/src/interfaces.ts b/src/interfaces.ts
@@ -9,6 +9,7 @@ export interface Configuration {
   disable_telemetry: boolean;
   disable_sudo: boolean;
   disable_file_monitoring: boolean;
+  is_github_hosted: boolean;
   private: string;
 }