From 1fa3756eb7506f4246f0ceb329d3895037d2acc5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:22:07 +0700 Subject: [PATCH 1/8] replaces git token and renames variables --- .github/workflows/protectAuditorsGroup.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 71afd805f..232570aaa 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml @@ -7,12 +7,9 @@ jobs: check_membership: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Compare Group Members env: - GH_PAT: ${{ secrets.GIT_TOKEN }} + GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | @@ -38,16 +35,20 @@ jobs: ##### Get members of each group echo "Fetching members of $SC_ADMINS..." - groupAMembers=$(getTeamMembers $ORG_NAME $SC_ADMINS) + SC_ADMINS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_ADMINS") + + echo "SC_ADMINS: $SC_ADMINS_MEMBERS" echo "Fetching members of $SC_CORE..." - groupBMembers=$(getTeamMembers $ORG_NAME $SC_CORE) + SC_CORE_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_CORE") + echo "SC_CORE: $SC_CORE_MEMBERS" echo "Fetching members of $AUDITORS..." - groupCMembers=$(getTeamMembers $ORG_NAME $AUDITORS) + AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") + echo "AUDITORS: $AUDITORS_MEMBERS" ##### Check overlap between smart-contract-core and auditors - overlap=$(echo "$groupAMembers" | grep -Fxf - <(echo "$groupCMembers")) + overlap=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) if [ -n "$overlap" ]; then echo -e "\033[31mERROR: The following members are in both $SC_ADMINS and $AUDITORS: $overlap\033[0m" echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" 
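Review bot: `GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}` hands a classic personal access token to a job whose only API need, per the script's own comment, is listing org team members; a classic PAT is not bound to one organization or one permission, so this secret carries whatever the bot user holds everywhere it is a member. A fine-grained PAT or a GitHub App installation token limited to organization "Members: read" gives the same team-listing access with least privilege, and the `GITHUB_TOKEN` entry kept in `env:` is dead weight since the script unsets it (visible in a later hunk). The workflow fires on `push` (trigger visible in the next patch), so any branch that can be pushed can also edit this step and read the token; presumably accepted here, but worth recording above `env:` as `# Bot PAT (needs org member read only) — exposed to every push; prefer a fine-grained token or GitHub App`.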
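Review bot: The comment kept above the first comparison, `##### Check overlap between smart-contract-core and auditors`, now heads a line that compares `$SC_ADMINS_MEMBERS`, while the mirror comment in the next hunk says "smart-contract-admins" above the `$SC_CORE_MEMBERS` comparison, so the two labels are swapped relative to the code under them. The error messages interpolate `$SC_ADMINS` and `$SC_CORE` correctly, so only the comments are wrong; change this one to `##### Check overlap between $SC_ADMINS and $AUDITORS` and the one below to `##### Check overlap between $SC_CORE and $AUDITORS` so they cannot drift again. The enclosing `run:` script starts before and continues after this hunk.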
@@ -57,7 +58,7 @@ jobs: fi ##### Check overlap between smart-contract-admins and auditors - overlap2=$(echo "$groupBMembers" | grep -Fxf - <(echo "$groupCMembers")) + overlap2=$(echo "$SC_CORE_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) if [ -n "$overlap2" ]; then echo -e "\033[31mERROR: The following members are in both $SC_CORE and $AUDITORS: $overlap2\033[0m" echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" From def08a5d228fd5d7898d48e704a5a5c71ed5a61b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:27:49 +0700 Subject: [PATCH 2/8] test --- .github/workflows/protectAuditorsGroup.yml | 50 ++++++++++++++-------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 232570aaa..3974494f8 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml @@ -4,7 +4,7 @@ on: push: jobs: - check_membership: + protect-auditors-group: runs-on: ubuntu-latest steps: - name: Compare Group Members @@ -16,7 +16,7 @@ jobs: ##### unset the default git token (does not have sufficient rights to get team members) unset GITHUB_TOKEN ##### use the Personal Access Token to log into git CLI - echo $GH_PAT | gh auth login --with-token + echo $GH_PAT | gh auth login --with-token || { echo "GitHub authentication failed"; exit 1; } # Function to get team members getTeamMembers() { 
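Review bot: `echo $GH_PAT | gh auth login --with-token || { echo "GitHub authentication failed"; exit 1; }` leaves `$GH_PAT` unquoted and, when the secret is absent, pipes an empty line into `gh`; whether `gh` rejects that or the failure only surfaces later in the team queries is not shown here, so a direct guard before the login is cheaper to reason about: `[ -n "$GH_PAT" ] || { echo "GH_PAT secret is not set"; exit 1; }`. The `unset GITHUB_TOKEN` plus login dance could also go away entirely by exposing the PAT as `GH_TOKEN` in the step's `env:`, which `gh` reads directly without a secret passing through a shell pipeline. The `|| { …; exit 1; }` added here is the first of several in this series; `set -euo pipefail` at the top of the `run:` script (which starts outside this hunk) would cover them uniformly, with attention to commands such as `grep` whose non-zero status is not an error.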
@@ -35,34 +35,46 @@ jobs: ##### Get members of each group echo "Fetching members of $SC_ADMINS..." - SC_ADMINS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_ADMINS") + SC_ADMINS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_ADMINS") || { echo "Failed to fetch members of $SC_ADMINS"; exit 1; } echo "SC_ADMINS: $SC_ADMINS_MEMBERS" echo "Fetching members of $SC_CORE..." - SC_CORE_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_CORE") + SC_CORE_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_CORE") || { echo "Failed to fetch members of $SC_CORE"; exit 1; } echo "SC_CORE: $SC_CORE_MEMBERS" echo "Fetching members of $AUDITORS..." - AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") + AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") || { echo "Failed to fetch members of $AUDITORS"; exit 1; } echo "AUDITORS: $AUDITORS_MEMBERS" - ##### Check overlap between smart-contract-core and auditors - overlap=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) - if [ -n "$overlap" ]; then - echo -e "\033[31mERROR: The following members are in both $SC_ADMINS and $AUDITORS: $overlap\033[0m" - echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" - exit 1 - else - echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" - fi + echo "Checking overlap between SC_ADMINS and AUDITORS..." 
+ OVERLAP=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) || { echo "Overlap check failed"; exit 1; } - ##### Check overlap between smart-contract-admins and auditors - overlap2=$(echo "$SC_CORE_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) - if [ -n "$overlap2" ]; then - echo -e "\033[31mERROR: The following members are in both $SC_CORE and $AUDITORS: $overlap2\033[0m" + if [ -n "$OVERLAP" ]; then + echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $overlap\033[0m" echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" exit 1 else - echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" + echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" fi + + + # ##### Check overlap between smart-contract-core and auditors + # overlap=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) + # if [ -n "$overlap" ]; then + # echo -e "\033[31mERROR: The following members are in both $SC_ADMINS and $AUDITORS: $overlap\033[0m" + # echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" + # exit 1 + # else + # echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" + # fi + + # ##### Check overlap between smart-contract-admins and auditors + # overlap2=$(echo "$SC_CORE_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) + # if [ -n "$overlap2" ]; then + # echo -e "\033[31mERROR: The following members are in both $SC_CORE and $AUDITORS: $overlap2\033[0m" + # echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" + # exit 1 + # else + # echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" + # fi From 55f8b3c42d58c7af4096ac057ac7ad61a485ea02 Mon Sep 17 00:00:00 2001 
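Review bot: `OVERLAP=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) || { echo "Overlap check failed"; exit 1; }` fails the job in precisely the case it should pass: `grep` exits 1 when no line matches, so an empty intersection becomes "Overlap check failed" and only the overlapping (bad) case ever reaches the `if`. Dropping the `||` clause, or treating only status 2 as an error, restores the intended behaviour; `comm -12` on sorted lists is the other option, since it exits 0 regardless of the result. The error message beneath it interpolates `$overlap` (lowercase) while the variable is now `OVERLAP`, so the offending logins would print as an empty string. Separately, the `$SC_CORE` comparison survives only as commented-out text, meaning this revision enforces the auditor rule for admins but not for core members; if that is deliberate while debugging it needs a marker such as `# TODO: SC_CORE vs AUDITORS check disabled for debugging — re-enable before merge` above the block.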
From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:30:22 +0700 Subject: [PATCH 3/8] test --- .github/workflows/protectAuditorsGroup.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 3974494f8..7c729d781 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml @@ -7,6 +7,9 @@ jobs: protect-auditors-group: runs-on: ubuntu-latest steps: + - name: Check grep version + run: grep --version + - name: Compare Group Members env: GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} From 09eeaf4c9a9fddc89f2f8c573e2883e515973748 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:32:32 +0700 Subject: [PATCH 4/8] test --- .github/workflows/protectAuditorsGroup.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 7c729d781..7f26d4724 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml 
@@ -50,8 +50,19 @@ jobs: AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") || { echo "Failed to fetch members of $AUDITORS"; exit 1; } echo "AUDITORS: $AUDITORS_MEMBERS" + # Convert string to sorted lines and remove empty lines + echo "$SC_ADMINS_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_admins_sorted.txt + echo "$AUDITORS_MEMBERS" | tr ' ' '\n' | sort | uniq > auditors_sorted.txt + + # Check if both files exist and are not empty + if [ ! -s sc_admins_sorted.txt ] || [ ! -s auditors_sorted.txt ]; then + echo -e "\033[31mERROR: One of the membership lists is empty or failed to be generated.\033[0m" + exit 1 + fi + echo "Checking overlap between SC_ADMINS and AUDITORS..." - OVERLAP=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) || { echo "Overlap check failed"; exit 1; } + # OVERLAP=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) || { echo "Overlap check failed"; exit 1; } + OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) if [ -n "$OVERLAP" ]; then echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $overlap\033[0m" From a113a73a99c293d243554e012b930237836f5d78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:35:54 +0700 Subject: [PATCH 5/8] test --- .github/workflows/protectAuditorsGroup.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 7f26d4724..a71fd8ac0 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml 
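Review bot: The new guard `if [ ! -s sc_admins_sorted.txt ] || [ ! -s auditors_sorted.txt ]; then` cannot detect an empty roster: `echo "$SC_ADMINS_MEMBERS"` always emits at least a newline, so each file is at least one byte, `-s` is always true, and an empty or mis-slugged team is waved through as "no overlap". The comment `# Convert string to sorted lines and remove empty lines` also promises something the pipeline does not do — nothing strips blank lines. Both are fixed by dropping empties before sorting, e.g. `echo "$SC_ADMINS_MEMBERS" | tr ' ' '\n' | sed '/^[[:space:]]*$/d' | sort -u > sc_admins_sorted.txt` (same for the auditors file), after which `-s` means what the guard intends. This assumes `getTeamMembers` returns space-separated logins, which the `tr ' ' '\n'` implies but the function body (outside this hunk) would confirm.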
@@ -52,6 +52,7 @@ jobs: # Convert string to sorted lines and remove empty lines echo "$SC_ADMINS_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_admins_sorted.txt + echo "$SC_CORE_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_core_sorted.txt echo "$AUDITORS_MEMBERS" | tr ' ' '\n' | sort | uniq > auditors_sorted.txt # Check if both files exist and are not empty @@ -60,8 +61,7 @@ jobs: exit 1 fi - echo "Checking overlap between SC_ADMINS and AUDITORS..." - # OVERLAP=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) || { echo "Overlap check failed"; exit 1; } + echo "Checking for git users that are members of both $SC_ADMINS and $AUDITORS team..." OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) if [ -n "$OVERLAP" ]; then @@ -72,6 +72,17 @@ jobs: echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" fi + echo "Checking for git users that are members of both $SC_CORE and $AUDITORS team..." + OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) + + if [ -n "$OVERLAP" ]; then + echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $overlap\033[0m" + echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" + exit 1 + else + echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" + fi + # ##### Check overlap between smart-contract-core and auditors # overlap=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) From b345a2e2dca54598dd5c54c7f35654625bfaf09f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:38:01 +0700 Subject: [PATCH 6/8] test --- .github/workflows/protectAuditorsGroup.yml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index a71fd8ac0..ec90021a6 100644 --- a/.github/workflows/protectAuditorsGroup.yml 
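Review bot: `sc_core_sorted.txt` is now written, but the guard that follows under `# Check if both files exist and are not empty` still tests only `sc_admins_sorted.txt` and `auditors_sorted.txt`, so an empty core roster is never caught. Extend it to `if [ ! -s sc_admins_sorted.txt ] || [ ! -s sc_core_sorted.txt ] || [ ! -s auditors_sorted.txt ]; then` and reword the comment to `# All three membership lists must be non-empty`. The guard itself sits outside this hunk, after the added line.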
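Review bot: The new `$SC_CORE` check runs `OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt)` — the admins file again — so `sc_core_sorted.txt`, created in this same patch, is never read, and a login that belongs to both the core team and the auditors team is never reported; the branch prints the green `No overlap found between $SC_CORE and $AUDITORS` regardless. That is a silent false negative in the one control this workflow exists to enforce, and the same line is still visible as context in the last patch of the series. The fix is the file name: `OVERLAP=$(comm -12 sc_core_sorted.txt auditors_sorted.txt)`. The error message on the next line also interpolates `$overlap` (lowercase) rather than `$OVERLAP`, so even with the comparison corrected the offending logins would print empty.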
+++ b/.github/workflows/protectAuditorsGroup.yml @@ -64,16 +64,19 @@ jobs: echo "Checking for git users that are members of both $SC_ADMINS and $AUDITORS team..." OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) + echo "OVERLAP: $OVERLAP" + if [ -n "$OVERLAP" ]; then - echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $overlap\033[0m" - echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" - exit 1 + echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $overlap\033[0m" + echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" + exit 1 else - echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" + echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" fi echo "Checking for git users that are members of both $SC_CORE and $AUDITORS team..." OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) + echo "OVERLAP: $OVERLAP" if [ -n "$OVERLAP" ]; then echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $overlap\033[0m" From 9bc5f0be216ec39929aca4fdccfb23ba65db3aa6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:39:37 +0700 Subject: [PATCH 7/8] test --- .github/workflows/protectAuditorsGroup.yml | 32 ++-------------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index ec90021a6..7549ecb1a 100644 --- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml 
@@ -40,15 +40,11 @@ jobs: echo "Fetching members of $SC_ADMINS..." SC_ADMINS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_ADMINS") || { echo "Failed to fetch members of $SC_ADMINS"; exit 1; } - echo "SC_ADMINS: $SC_ADMINS_MEMBERS" - echo "Fetching members of $SC_CORE..." SC_CORE_MEMBERS=$(getTeamMembers "$ORG_NAME" "$SC_CORE") || { echo "Failed to fetch members of $SC_CORE"; exit 1; } - echo "SC_CORE: $SC_CORE_MEMBERS" echo "Fetching members of $AUDITORS..." AUDITORS_MEMBERS=$(getTeamMembers "$ORG_NAME" "$AUDITORS") || { echo "Failed to fetch members of $AUDITORS"; exit 1; } - echo "AUDITORS: $AUDITORS_MEMBERS" # Convert string to sorted lines and remove empty lines echo "$SC_ADMINS_MEMBERS" | tr ' ' '\n' | sort | uniq > sc_admins_sorted.txt @@ -64,10 +60,8 @@ jobs: echo "Checking for git users that are members of both $SC_ADMINS and $AUDITORS team..." OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) - echo "OVERLAP: $OVERLAP" - if [ -n "$OVERLAP" ]; then - echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $overlap\033[0m" + echo -e "\033[31mERROR: The following git users are members of both $SC_ADMINS and $AUDITORS groups: $OVERLAP\033[0m" echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" exit 1 else 
@@ -79,30 +73,10 @@ jobs: echo "OVERLAP: $OVERLAP" if [ -n "$OVERLAP" ]; then - echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $overlap\033[0m" + echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $OVERLAP\033[0m" echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" exit 1 else echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" + echo -e "\033[32mAll checks passed\033[0m" fi - - - # ##### Check overlap between smart-contract-core and auditors - # overlap=$(echo "$SC_ADMINS_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) - # if [ -n "$overlap" ]; then - # echo -e "\033[31mERROR: The following members are in both $SC_ADMINS and $AUDITORS: $overlap\033[0m" - # echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" - # exit 1 - # else - # echo -e "\033[32mNo overlap found between $SC_ADMINS and $AUDITORS.\033[0m" - # fi - - # ##### Check overlap between smart-contract-admins and auditors - # overlap2=$(echo "$SC_CORE_MEMBERS" | grep -Fxf - <(echo "$AUDITORS_MEMBERS")) - # if [ -n "$overlap2" ]; then - # echo -e "\033[31mERROR: The following members are in both $SC_CORE and $AUDITORS: $overlap2\033[0m" - # echo -e "\033[31mAuditors must be external personnel and cannot be team members or admins\033[0m" - # exit 1 - # else - # echo -e "\033[32mNo overlap found between $SC_CORE and $AUDITORS.\033[0m" - # fi From 436b95310ad89512bc7935aab3fb3f548878e19f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Bl=C3=A4cker?= Date: Tue, 3 Sep 2024 09:46:05 +0700 Subject: [PATCH 8/8] updates comments --- .github/workflows/protectAuditorsGroup.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/protectAuditorsGroup.yml b/.github/workflows/protectAuditorsGroup.yml index 7549ecb1a..7fcbd35c1 100644 
--- a/.github/workflows/protectAuditorsGroup.yml +++ b/.github/workflows/protectAuditorsGroup.yml @@ -1,3 +1,7 @@ +# Protect Auditors Group +# - makes sure that members of the auditor group cannot be members of a any smart-contract group +# - this ensures that no member can have multiple roles and use this to bypass audit requirements + name: Protect Auditors Group on: @@ -7,9 +11,6 @@ jobs: protect-auditors-group: runs-on: ubuntu-latest steps: - - name: Check grep version - run: grep --version - - name: Compare Group Members env: GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }} @@ -70,7 +71,6 @@ jobs: echo "Checking for git users that are members of both $SC_CORE and $AUDITORS team..." OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt) - echo "OVERLAP: $OVERLAP" if [ -n "$OVERLAP" ]; then echo -e "\033[31mERROR: The following git users are members of both $SC_CORE and $AUDITORS groups: $OVERLAP\033[0m"
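Review bot: The new header comment has a typo (`a any`) and overstates the guarantee: the script compares the auditors team only against the two teams held in `$SC_ADMINS` and `$SC_CORE` (their definitions are outside this hunk), not against "any smart-contract group", and the workflow runs only `on: push` (trigger visible in an earlier patch), so a membership change made in the org settings goes unchecked until someone next pushes. Suggested wording: `# - fails the run if any member of the auditors team is also in the smart-contract admins or core team` and `# - evaluated on push only; add a schedule: trigger to re-check without a commit`. Adding `schedule:` (e.g. daily) and `workflow_dispatch:` alongside `push` would make the protection independent of commit activity.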
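Review bot: The context line just above the removed debug echo, `OVERLAP=$(comm -12 sc_admins_sorted.txt auditors_sorted.txt)`, belongs to the `$SC_CORE` check and still compares the admins file, so at the end of this series the core-vs-auditors rule is never actually evaluated and the `No overlap found between $SC_CORE and $AUDITORS` message is printed unconditionally. The one-line fix is `OVERLAP=$(comm -12 sc_core_sorted.txt auditors_sorted.txt)`. The surrounding `run:` script starts and ends outside this hunk.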