From d9eb3fed321b2cc3ed34d84d6f3cb75efa455373 Mon Sep 17 00:00:00 2001 From: Sayali Gaikawad <61760125+gaiksaya@users.noreply.github.com> Date: Wed, 30 Nov 2022 11:27:44 -0800 Subject: [PATCH] Fix verification of signed gems (#56) * Fix ruby gems verification Signed-off-by: Sayali Gaikawad --- build.gradle | 2 +- tests/jenkins/TestPublishToRubyGems.groovy | 9 ++++++--- .../PublishToRubyGemWithArgs_Jenkinsfile.txt | 10 +++++++++- .../jobs/PublishToRubyGems_JenkinsFile.txt | 10 +++++++++- vars/publishToRubyGems.groovy | 17 +++++++++++++---- 5 files changed, 38 insertions(+), 10 deletions(-) diff --git a/build.gradle b/build.gradle index 02633d054..9a2856ae2 100644 --- a/build.gradle +++ b/build.gradle @@ -120,7 +120,7 @@ jacocoTestReport { } } -String version = '1.4.1' +String version = '1.4.2' task updateVersion { doLast { diff --git a/tests/jenkins/TestPublishToRubyGems.groovy b/tests/jenkins/TestPublishToRubyGems.groovy index 038e02045..1055879ed 100644 --- a/tests/jenkins/TestPublishToRubyGems.groovy +++ b/tests/jenkins/TestPublishToRubyGems.groovy 
@@ -24,9 +24,11 @@ class TestPublishToRubyGems extends BuildPipelineTest { super.setUp() super.testPipeline('tests/jenkins/jobs/PublishToRubyGems_JenkinsFile') def curlCommands = getCommands('sh', 'curl') + def gemCommands = getCommands('sh', 'gem') assertThat(curlCommands, hasItem( - "gem cert --add /tmp/workspace/certs/opensearch-rubygems.pem && cd /tmp/workspace/dist && gem install `ls *.gem` -P HighSecurity && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems" + "cd /tmp/workspace/dist && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems".toString() )) + assertThat(gemCommands, hasItem("\n gem cert --add /tmp/workspace/certs/opensearch-rubygems.pem\n cd /tmp/workspace/dist && gemNameWithVersion=\$(ls *.gem)\n gem install \$gemNameWithVersion\n gemName=\$(echo \$gemNameWithVersion | sed -E 's/(-[0-9.]+.gem\$)//g')\n gem uninstall \$gemName\n gem install \$gemNameWithVersion -P HighSecurity\n ")) } @Test 
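Review bot: The new `gemCommands` assertion, here and again in the second test hunk, matches the entire `sh` script as one literal, including its leading newline and indentation. Any re-indentation of the script in `vars/publishToRubyGems.groovy` will therefore fail the test even though the commands are unchanged. Matching on the command that matters, for example `hasItem(containsString('gem install $gemNameWithVersion -P HighSecurity'))`, would pin the security-relevant step without pinning the layout. The `.toString()` added to the curl literal is a no-op, since the string has no `${}` interpolation and is already a `String`. Both test methods begin above their hunks.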
@@ -35,9 +37,10 @@ class TestPublishToRubyGems extends BuildPipelineTest { super.setUp() super.testPipeline('tests/jenkins/jobs/PublishToRubyGemWithArgs_Jenkinsfile') def curlCommands = getCommands('sh', 'curl') + def gemCommands = getCommands('sh', 'gem') assertThat(curlCommands, hasItem( - "gem cert --add /tmp/workspace/certificate/path && cd /tmp/workspace/test && gem install `ls *.gem` -P HighSecurity && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems" - )) + "cd /tmp/workspace/test && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems".toString())) + assertThat(gemCommands, hasItem("\n gem cert --add /tmp/workspace/certificate/path\n cd /tmp/workspace/test && gemNameWithVersion=\$(ls *.gem)\n gem install \$gemNameWithVersion\n gemName=\$(echo \$gemNameWithVersion | sed -E 's/(-[0-9.]+.gem\$)//g')\n gem uninstall \$gemName\n gem install \$gemNameWithVersion -P HighSecurity\n ")) } def getCommands(method, text) { diff --git a/tests/jenkins/jobs/PublishToRubyGemWithArgs_Jenkinsfile.txt b/tests/jenkins/jobs/PublishToRubyGemWithArgs_Jenkinsfile.txt index f1fc3643b..8fb8cd3ac 100644 --- a/tests/jenkins/jobs/PublishToRubyGemWithArgs_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PublishToRubyGemWithArgs_Jenkinsfile.txt 
@@ -4,6 +4,14 @@ PublishToRubyGemWithArgs_Jenkinsfile.stage(publishRubyGems, groovy.lang.Closure) PublishToRubyGemWithArgs_Jenkinsfile.script(groovy.lang.Closure) PublishToRubyGemWithArgs_Jenkinsfile.publishToRubyGems({apiKeyCredentialId=ruby-api-key, gemsDir=test, publicCertPath=certificate/path}) + publishToRubyGems.sh( + gem cert --add /tmp/workspace/certificate/path + cd /tmp/workspace/test && gemNameWithVersion=$(ls *.gem) + gem install $gemNameWithVersion + gemName=$(echo $gemNameWithVersion | sed -E 's/(-[0-9.]+.gem$)//g') + gem uninstall $gemName + gem install $gemNameWithVersion -P HighSecurity + ) publishToRubyGems.string({credentialsId=ruby-api-key, variable=API_KEY}) publishToRubyGems.withCredentials([API_KEY], groovy.lang.Closure) - publishToRubyGems.sh(gem cert --add /tmp/workspace/certificate/path && cd /tmp/workspace/test && gem install `ls *.gem` -P HighSecurity && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems) + publishToRubyGems.sh(cd /tmp/workspace/test && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems) diff --git a/tests/jenkins/jobs/PublishToRubyGems_JenkinsFile.txt b/tests/jenkins/jobs/PublishToRubyGems_JenkinsFile.txt index 35b044026..b0df09929 100644 --- a/tests/jenkins/jobs/PublishToRubyGems_JenkinsFile.txt +++ b/tests/jenkins/jobs/PublishToRubyGems_JenkinsFile.txt 
@@ -4,6 +4,14 @@ PublishToRubyGems_JenkinsFile.stage(publishRubyGems, groovy.lang.Closure) PublishToRubyGems_JenkinsFile.script(groovy.lang.Closure) PublishToRubyGems_JenkinsFile.publishToRubyGems({apiKeyCredentialId=ruby-api-key}) + publishToRubyGems.sh( + gem cert --add /tmp/workspace/certs/opensearch-rubygems.pem + cd /tmp/workspace/dist && gemNameWithVersion=$(ls *.gem) + gem install $gemNameWithVersion + gemName=$(echo $gemNameWithVersion | sed -E 's/(-[0-9.]+.gem$)//g') + gem uninstall $gemName + gem install $gemNameWithVersion -P HighSecurity + ) publishToRubyGems.string({credentialsId=ruby-api-key, variable=API_KEY}) publishToRubyGems.withCredentials([API_KEY], groovy.lang.Closure) - publishToRubyGems.sh(gem cert --add /tmp/workspace/certs/opensearch-rubygems.pem && cd /tmp/workspace/dist && gem install `ls *.gem` -P HighSecurity && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems) + publishToRubyGems.sh(cd /tmp/workspace/dist && curl --fail --data-binary @`ls *.gem` -H 'Authorization:API_KEY' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems) diff --git a/vars/publishToRubyGems.groovy b/vars/publishToRubyGems.groovy index 87ed32235..d9cdee620 100644 --- a/vars/publishToRubyGems.groovy +++ b/vars/publishToRubyGems.groovy 
@@ -14,13 +14,22 @@ Note: Please make sure the gem is already signed. @param args.gemsDir - The directory containing the gem to be published. Defaults to 'dist' @params args.publicCertPath - The relative path to public key. Defaults to 'certs/opensearch-rubygems.pem' */ + + void call(Map args = [:]) { String releaseArtifactsDir = args.gemsDir ? "${WORKSPACE}/${args.gemsDir}" : "${WORKSPACE}/dist" String certPath = args.publicCertPath ? "${WORKSPACE}/${args.publicCertPath}" : "${WORKSPACE}/certs/opensearch-rubygems.pem" + sh """ + gem cert --add ${certPath} + cd ${releaseArtifactsDir} && gemNameWithVersion=\$(ls *.gem) + gem install \$gemNameWithVersion + gemName=\$(echo \$gemNameWithVersion | sed -E 's/(-[0-9.]+.gem\$)//g') + gem uninstall \$gemName + gem install \$gemNameWithVersion -P HighSecurity + """ + withCredentials([string(credentialsId: "${args.apiKeyCredentialId}", variable: 'API_KEY')]) { - sh """gem cert --add ${certPath} && \ - cd ${releaseArtifactsDir} && gem install `ls *.gem` -P HighSecurity && \ - curl --fail --data-binary @`ls *.gem` -H 'Authorization:${API_KEY}' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems""" - } + sh "cd ${releaseArtifactsDir} && curl --fail --data-binary @`ls *.gem` -H 'Authorization:${API_KEY}' -H 'Content-Type: application/octet-stream' https://rubygems.org/api/v1/gems" + } }
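Review bot: The plain `gem install \$gemNameWithVersion` in the new `sh` block installs the release artifact with no trust policy before `-P HighSecurity` checks its signature, so an unsigned or tampered gem is unpacked (and any extension it carries is built) on the agent first. If that first pass exists only because the gem's dependencies are unsigned, which the hunk does not say, `gem install \$gemNameWithVersion -P HighSecurity --ignore-dependencies` should verify the artifact alone and make the install/uninstall pair unnecessary; either way, a comment explaining the sequence would help. The `sed` pattern `-[0-9.]+.gem\$` leaves the `.` before `gem` unescaped and does not strip pre-release or platform suffixes, so `gem uninstall` can be handed a name that is not the installed gem. Separately, the rewritten curl line still interpolates `${API_KEY}` through the Groovy string; writing the header as `-H \"Authorization:\$API_KEY\"` lets the shell expand the credential instead, and the expected strings in the test hunks would need to change with it.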