From e629ba5d38fb8435529d201370e06015ec6e54b3 Mon Sep 17 00:00:00 2001
From: Geoff Greer
Date: Tue, 13 Feb 2024 11:56:20 -0800
Subject: [PATCH 1/2] Move CI test into its own script.
---
 .github/workflows/ci.yaml | 36 ++++--------------------------------
 test/iam-grant-revoke.sh | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 32 deletions(-)
 create mode 100755 test/iam-grant-revoke.sh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0eb50e42..ea008302 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -66,38 +66,10 @@ jobs:
 - name: Build baton
 working-directory: ./baton
 run: go build ./cmd/baton
- - name: Grant entitlements
+ - name: Test grant/revoking entitlements
 env:
+ BATON: ./baton/baton
+ BATON_AWS: ./baton-aws
 BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- - name: Check for grant before revoking
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"'
- - name: Grant already-granted entitlement
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- - name: Revoke grants
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws --revoke-grant 'group:arn:aws:iam::737118012813:group/ci-test-group:member:iam_user:arn:aws:iam::737118012813:user/ci-test-user'
- - name: Check grant was revoked
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != "arn:aws:iam::737118012813:user/ci-test-user" else . end'
- - name: Grant entitlements
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- - name: Check grant was re-granted
- env:
- BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"'
+ run: ./test/iam-grant-revoke.sh
diff --git a/test/iam-grant-revoke.sh b/test/iam-grant-revoke.sh
new file mode 100755
index 00000000..5130d080
--- /dev/null
+++ b/test/iam-grant-revoke.sh
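Review bot: The removed step list included a "Grant already-granted entitlement" step between the first grant check and the revoke, and the script that `run: ./test/iam-grant-revoke.sh` now delegates to (next hunk) has no equivalent, so this commit silently drops CI coverage of the idempotent re-grant path. Either add that step back to the script or state in the commit message that it was dropped on purpose. Since the step now relies on the script reading `BATON`, `BATON_AWS` and the `BATON_GLOBAL_*` credentials from its environment, a comment on the step such as `# binary paths and credentials are consumed by test/iam-grant-revoke.sh via env` would make that contract visible to the next editor. The enclosing job continues outside the hunk.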
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -exo pipefail
+
+ # CI test for use with CI AWS account
+if [ -z "$BATON_AWS" ]; then
+ echo "BATON_AWS not set. using baton-aws"
+ BATON_AWS=baton-aws
+fi
+if [ -z "$BATON" ]; then
+ echo "BATON not set. using baton"
+ BATON=baton
+fi
+
+# Error on unbound variables now that we've set BATON & BATON_AWS
+set -u
+
+# Grant entitlements
+$BATON_AWS --grant-entitlement 'group:arn:aws:iam::425848093043:group/ci-test-group:member' --grant-principal 'arn:aws:iam::425848093043:user/ci-test-user' --grant-principal-type 'iam_user'
+
+# Check for grant before revoking
+$BATON_AWS
+$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'
+
+# Revoke grants
+$BATON_AWS --revoke-grant 'group:arn:aws:iam::425848093043:group/ci-test-group:member:iam_user:arn:aws:iam::425848093043:user/ci-test-user'
+
+# Check grant was revoked
+$BATON_AWS
+$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != "arn:aws:iam::425848093043:user/ci-test-user" else . end'
+
+# Grant entitlements
+$BATON_AWS --grant-entitlement 'group:arn:aws:iam::425848093043:group/ci-test-group:member' --grant-principal 'arn:aws:iam::425848093043:user/ci-test-user' --grant-principal-type 'iam_user'
+
+# Check grant was re-granted
+$BATON_AWS
+$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'
From c99f1627694402fcfb1939ee2dd9d30b7a4262a1 Mon Sep 17 00:00:00 2001
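Review bot: Every ARN in this script hard-codes account 425848093043, while the workflow steps it replaces (previous hunk) used 737118012813, so the commit changes which AWS account the CI test exercises; if the new ID is intended, the commit message should say so, otherwise the ARNs will not match the credentials the workflow injects. The `.grants[].principal.id.resource == "..."` filters emit one boolean per grant and `jq --exit-status` only inspects the last output, so with any other member in `ci-test-group` the "before revoking" and "re-granted" checks pass or fail depending on ordering; `.grants[] | select(.principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user")` asserts presence regardless of order. The unquoted `$BATON_AWS` / `$BATON` invocations word-split, presumably so the variables can carry extra flags; if that is intentional, mark it with `# shellcheck disable=SC2086 — BATON/BATON_AWS may hold extra flags`, otherwise quote them.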
From: Geoff Greer
Date: Tue, 27 Aug 2024 14:17:39 -0700
Subject: [PATCH 2/2] Test both IAM and SSO sync/grant/revoke.
---
 .github/workflows/ci.yaml | 19 ++++++++++++++--
 test/grant-revoke.sh | 46 +++++++++++++++++++++++++++++++++++++++
 test/iam-grant-revoke.sh | 37 -------------------------------
 3 files changed, 63 insertions(+), 39 deletions(-)
 create mode 100755 test/grant-revoke.sh
 delete mode 100755 test/iam-grant-revoke.sh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index ea008302..4f1666a8 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -66,10 +66,25 @@ jobs:
 - name: Build baton
 working-directory: ./baton
 run: go build ./cmd/baton
- - name: Test grant/revoking entitlements
+ - name: Test grant/revoking IAM entitlements
 env:
 BATON: ./baton/baton
 BATON_AWS: ./baton-aws
 BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
 BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- run: ./test/iam-grant-revoke.sh
+ BATON_ENTITLEMENT: "group:arn:aws:iam::737118012813:group/ci-test-group:member"
+ BATON_PRINCIPAL: "arn:aws:iam::737118012813:user/ci-test-user"
+ BATON_PRINCIPAL_TYPE: "iam_user"
+ BATON_GRANT: "group:arn:aws:iam::737118012813:group/ci-test-group:member:iam_user:arn:aws:iam::737118012813:user/ci-test-user"
+ run: ./test/grant-revoke.sh
+ - name: Test grant/revoking SSO entitlements
+ env:
+ BATON: ./baton/baton
+ BATON_AWS: ./baton-aws
+ BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ BATON_ENTITLEMENT: "sso_group:arn:aws:identitystore:us-east-1::d-90679d1878/group/9458d408-40b1-709f-4f45-92be754928e5:member"
+ BATON_PRINCIPAL: "arn:aws:identitystore:us-east-1::d-90679d1878/user/54982488-f0d1-70c1-1dd5-6db47f7add45"
+ BATON_PRINCIPAL_TYPE: "sso_user"
+ BATON_GRANT: "8418c428-1061-70cc-01da-b38b652ab0e6"
+ run: ./test/grant-revoke.sh
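Review bot: `BATON_GRANT` is exported by both new steps, but the script they invoke reassigns it from `jq` output before the revoke (`BATON_GRANT=$(...)` under `# Get grant ID` in `test/grant-revoke.sh`), so neither value is ever read and the SSO one (`8418c428-...`) will quietly go stale. Either drop the two `BATON_GRANT:` entries or have the script honour a pre-set value, e.g. `: "${BATON_GRANT:=$(...)}"`. The two steps also repeat `BATON`, `BATON_AWS` and both credential entries; a job-level `env:` would leave each step with only the four test-specific variables. The enclosing job continues outside the hunk.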
diff --git a/test/grant-revoke.sh b/test/grant-revoke.sh
new file mode 100755
index 00000000..8e676da9
--- /dev/null
+++ b/test/grant-revoke.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -exo pipefail
+
+ # CI test for use with CI AWS account
+if [ -z "$BATON_AWS" ]; then
+ echo "BATON_AWS not set. using baton-aws"
+ BATON_AWS=baton-aws
+fi
+if [ -z "$BATON" ]; then
+ echo "BATON not set. using baton"
+ BATON=baton
+fi
+
+# Error on unbound variables now that we've set BATON & BATON_AWS
+set -u
+
+# Sync
+$BATON_AWS
+
+# Grant entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check for grant before revoking
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
+
+# Grant already-granted entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Get grant ID
+BATON_GRANT=$($BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --raw-output --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ).grant.id")
+
+# Revoke grants
+$BATON_AWS --revoke-grant="$BATON_GRANT"
+
+# Check grant was revoked
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status "if .grants then [ .grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ) ] | length == 0 else . end"
+
+# Re-grant entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check grant was re-granted
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
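Review bot: `$BATON_PRINCIPAL` is spliced into the jq program text in all four `select( .principal.id.resource == \"$BATON_PRINCIPAL\" )` filters, so a `"` or `\` in the value alters the filter rather than the compared string; pass it as data instead, `jq --exit-status --arg p "$BATON_PRINCIPAL" '.grants[] | select(.principal.id.resource == $p)'`. The `# Get grant ID` assignment also overwrites any `BATON_GRANT` the caller exported, and if more than one grant matches the `select`, `--raw-output` produces a multi-line value that is then handed whole to `--revoke-grant=`; `first(.grants[] | select(.principal.id.resource == $p)).grant.id` or a `length == 1` check makes the single-match assumption explicit. `set -x` traces every command for the whole run; the credentials come from the `BATON_GLOBAL_*` environment rather than argv so they are not echoed, but that reasoning belongs in a comment on the `set -exo pipefail` line, e.g. `# -x is safe here: credentials arrive via BATON_GLOBAL_* env, never as arguments`.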
diff --git a/test/iam-grant-revoke.sh b/test/iam-grant-revoke.sh
deleted file mode 100755
index 5130d080..00000000
--- a/test/iam-grant-revoke.sh
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/bash
-
-set -exo pipefail
-
- # CI test for use with CI AWS account
-if [ -z "$BATON_AWS" ]; then
- echo "BATON_AWS not set. using baton-aws"
- BATON_AWS=baton-aws
-fi
-if [ -z "$BATON" ]; then
- echo "BATON not set. using baton"
- BATON=baton
-fi
-
-# Error on unbound variables now that we've set BATON & BATON_AWS
-set -u
-
-# Grant entitlements
-$BATON_AWS --grant-entitlement 'group:arn:aws:iam::425848093043:group/ci-test-group:member' --grant-principal 'arn:aws:iam::425848093043:user/ci-test-user' --grant-principal-type 'iam_user'
-
-# Check for grant before revoking
-$BATON_AWS
-$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'
-
-# Revoke grants
-$BATON_AWS --revoke-grant 'group:arn:aws:iam::425848093043:group/ci-test-group:member:iam_user:arn:aws:iam::425848093043:user/ci-test-user'
-
-# Check grant was revoked
-$BATON_AWS
-$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != "arn:aws:iam::425848093043:user/ci-test-user" else . end'
-
-# Grant entitlements
-$BATON_AWS --grant-entitlement 'group:arn:aws:iam::425848093043:group/ci-test-group:member' --grant-principal 'arn:aws:iam::425848093043:user/ci-test-user' --grant-principal-type 'iam_user'
-
-# Check grant was re-granted
-$BATON_AWS
-$BATON grants --entitlement='group:arn:aws:iam::425848093043:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::425848093043:user/ci-test-user"'