step-security/harden-runner
1
0
Fork 0
mirror of https://github.com/step-security/harden-runner.git synced 2026-06-06 01:47:05 +00:00
Code Issues Projects Releases Packages Wiki Activity
harden-runner/src/policy-utils.ts
Varun Sharma d11f2c1d65 fix bug where status code was not being preserved
2025-09-06 11:34:53 -07:00

82 lines
2.1 KiB
TypeScript
Raw Blame History

import { HttpClient } from "@actions/http-client";
import { PolicyResponse, Configuration } from "./interfaces";
import { STEPSECURITY_API_URL } from "./configs";
export async function fetchPolicy(
owner: string,
policyName: string,
idToken: string
): Promise<PolicyResponse> {
if (idToken === "") {
throw new Error("[PolicyFetch]: id-token in empty");
}
let policyEndpoint = `${STEPSECURITY_API_URL}/github/${owner}/actions/policies/${policyName}`;
let httpClient = new HttpClient();
let headers = {};
headers["Authorization"] = `Bearer ${idToken}`;
headers["Source"] = "github-actions";
let response = undefined;
let err = undefined;
let retry = 0;
while (retry < 3) {
try {
console.log(`Attempt: ${retry + 1}`);
response = await httpClient.getJson<PolicyResponse>(
policyEndpoint,
headers
);
break;
} catch (e) {
err = e;
}
retry += 1;
await sleep(1000);
}
if (response === undefined && err !== undefined) {
// Preserve the original error's statusCode if it exists
const error = new Error(`[Policy Fetch] ${err}`);
if (err.statusCode !== undefined) {
(error as any).statusCode = err.statusCode;
}
throw error;
} else {
return response.result;
}
}
export function mergeConfigs(
localConfig: Configuration,
remoteConfig: PolicyResponse
) {
if (localConfig.allowed_endpoints === "") {
localConfig.allowed_endpoints = remoteConfig.allowed_endpoints.join(" ");
}
if (remoteConfig.disable_sudo !== undefined) {
localConfig.disable_sudo = remoteConfig.disable_sudo;
}
if (remoteConfig.disable_sudo_and_containers !== undefined) {
localConfig.disable_sudo_and_containers = remoteConfig.disable_sudo_and_containers;
}
if (remoteConfig.disable_file_monitoring !== undefined) {
localConfig.disable_file_monitoring = remoteConfig.disable_file_monitoring;
}
if (remoteConfig.egress_policy !== undefined) {
localConfig.egress_policy = remoteConfig.egress_policy;
}
return localConfig;
}
function sleep(ms: number) {
return new Promise((resolve) => {
setTimeout(resolve, ms);
});
}
Reference in a new issue View git blame Copy permalink