enforce: warn when app has zero installations#845
Open
arpitjain099 wants to merge 1 commit into
Open
Conversation
When the Allstar GitHub App is authenticated but installed in zero organizations, EnforceAll logged count:0 and EnforceAll complete at Info level and exited silently, leaving operators with no hint that the app simply was not installed anywhere. Emit a Warn-level log in that case stating that authentication succeeded but no installations were found, and point at the missing install step. Add a regression test that exercises the zero-installations path and asserts the warning is produced. Fixes ossf#294 Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
dosubot
Bot
added
the
size:XS
|
This pull request has been marked stale because it has been open for 10 days with no activity |
Author
|
Still active on this. Let me know if there are any changes you'd like or if a maintainer can take a look when they get a chance. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #294
Problem
When the Allstar GitHub App is authenticated but installed in zero organizations,
EnforceAll(inpkg/enforce/enforce.go) lists installations, logscount:0andEnforceAll completeat INFO level, and then iterates an empty slice without enforcing anything. There is no signal that the app simply was not installed anywhere, which is the most common cause. The issue reporter spent time debugging this because invalidPRIVATE_KEY/APP_IDboth produce clear errors, but the much more likely "authenticated but not installed" case is silent.Change
After the existing
Enforcing policies on installations.log, whenlen(insts) == 0, emit alog.Warnstating that authentication succeeded but no installations were found, that no policies will be enforced, and pointing the operator at the install step (app Settings page -> Install App tab). The logging matches the surrounding zerolog style (Str("area", "bot")).Test
Added
TestEnforceAllNoInstallations, which mocksgetAppInstallationsto return an empty slice, captures the zerolog global logger into a buffer, and asserts a warn-level entry mentioning "no installations were found" is produced. It also confirmsgetAppInstallationReposis not called and the results map is empty. I verified the test is a real regression test: it fails against the unpatchedenforce.goand passes with the fix.gofmt -landgo vet ./pkg/enforce/...are both clean on the changed files.Note on docs
The original issue also suggested adding a step to
operator.mddocumenting that the app must be installed into an org. I kept this PR scoped to the code fix and its test so the behavior change is easy to review on its own. Happy to follow up with the docs update (or fold it in here) if maintainers prefer.This commit is DCO signed off (
Signed-off-by).