Verify signature calls

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>
opensearch-project · Feb 3, 2023 · 9816732 · 9816732
1 parent 9301207
commit 9816732
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 1 deletion.
diff --git a/tests/jenkins/TestPublishToNuget.groovy b/tests/jenkins/TestPublishToNuget.groovy
@@ -12,6 +12,7 @@ package jenkins.tests
 import jenkins.tests.BuildPipelineTest
 import static com.lesfurets.jenkins.unit.MethodCall.callArgsToString
 import static org.hamcrest.CoreMatchers.hasItem
+import static org.hamcrest.CoreMatchers.hasItems
 import static org.hamcrest.MatcherAssert.assertThat
 import org.junit.Before
 import org.junit.Test
@@ -49,6 +50,15 @@ class TestPublishToNuget extends BuildPipelineTest {
         assertThat(packCommand, hasItem('\n            dotnet pack /tmp/workspace/test-solution-file.sln --configuration Release --no-build\n            for package in `find src -name OpenSearch*.nupkg`\n                do\n                    dotnet nuget push $package --api-key API_KEY --source https://api.nuget.org/v3/index.json\n                done\n        '))
     }
 
+    @Test
+    void 'verify_signer_call'(){
+        runScript('tests/jenkins/jobs/PublishToNuget_Jenkinsfile')
+        def signcommand = getShellCommands('sign.sh')
+        assertThat(signcommand, hasItems('\n                   #!/bin/bash\n                   set +x\n                   export ROLE=SIGNER_WINDOWS_ROLE\n                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID\n                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET\n                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET\n                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER\n                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER\n\n                   /tmp/workspace/opensearch-build/sign.sh one.dll  --platform windows --overwrite \n               ',
+        '\n                   #!/bin/bash\n                   set +x\n                   export ROLE=SIGNER_WINDOWS_ROLE\n                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID\n                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET\n                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET\n                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER\n                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER\n\n                   /tmp/workspace/opensearch-build/sign.sh  two.dll  --platform windows --overwrite \n               ',
+        '\n                   #!/bin/bash\n                   set +x\n                   export ROLE=SIGNER_WINDOWS_ROLE\n                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID\n                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET\n                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET\n                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER\n                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER\n\n                   /tmp/workspace/opensearch-build/sign.sh  three.dll --platform windows --overwrite \n               '))
+    }
+
     def getShellCommands(searchString) {
         def shCommands = helper.callStack.findAll { call ->
             call.methodName == 'sh'

diff --git a/tests/jenkins/jobs/PublishToNuget_Jenkinsfile.txt b/tests/jenkins/jobs/PublishToNuget_Jenkinsfile.txt
@@ -12,6 +12,84 @@
     find src -name OpenSearch*.dll>/tmp/workspace/dlls.txt
     )
                   publishToNuget.readFile({file=/tmp/workspace/dlls.txt})
+                  publishToNuget.signArtifacts({artifactPath=one.dll , platform=windows, overwrite=true})
+                     signArtifacts.echo(PGP or Windows Signature Signing)
+                     signArtifacts.fileExists(/tmp/workspace/sign.sh)
+                     signArtifacts.dir(opensearch-build, groovy.lang.Closure)
+                        signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
+                     signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
+                     signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-role, variable=SIGNER_WINDOWS_ROLE})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-external-id, variable=SIGNER_WINDOWS_EXTERNAL_ID})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-unsigned-bucket, variable=SIGNER_WINDOWS_UNSIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-signed-bucket, variable=SIGNER_WINDOWS_SIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-profile-identifier, variable=SIGNER_WINDOWS_PROFILE_IDENTIFIER})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-platform-identifier, variable=SIGNER_WINDOWS_PLATFORM_IDENTIFIER})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_WINDOWS_ROLE, SIGNER_WINDOWS_EXTERNAL_ID, SIGNER_WINDOWS_UNSIGNED_BUCKET, SIGNER_WINDOWS_SIGNED_BUCKET, SIGNER_WINDOWS_PROFILE_IDENTIFIER, SIGNER_WINDOWS_PLATFORM_IDENTIFIER], groovy.lang.Closure)
+                        signArtifacts.sh(
+                   #!/bin/bash
+                   set +x
+                   export ROLE=SIGNER_WINDOWS_ROLE
+                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID
+                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET
+                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET
+                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER
+                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER
+
+                   /tmp/workspace/opensearch-build/sign.sh one.dll  --platform windows --overwrite 
+               )
+                  publishToNuget.signArtifacts({artifactPath= two.dll , platform=windows, overwrite=true})
+                     signArtifacts.echo(PGP or Windows Signature Signing)
+                     signArtifacts.fileExists(/tmp/workspace/sign.sh)
+                     signArtifacts.dir(opensearch-build, groovy.lang.Closure)
+                        signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
+                     signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
+                     signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-role, variable=SIGNER_WINDOWS_ROLE})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-external-id, variable=SIGNER_WINDOWS_EXTERNAL_ID})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-unsigned-bucket, variable=SIGNER_WINDOWS_UNSIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-signed-bucket, variable=SIGNER_WINDOWS_SIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-profile-identifier, variable=SIGNER_WINDOWS_PROFILE_IDENTIFIER})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-platform-identifier, variable=SIGNER_WINDOWS_PLATFORM_IDENTIFIER})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_WINDOWS_ROLE, SIGNER_WINDOWS_EXTERNAL_ID, SIGNER_WINDOWS_UNSIGNED_BUCKET, SIGNER_WINDOWS_SIGNED_BUCKET, SIGNER_WINDOWS_PROFILE_IDENTIFIER, SIGNER_WINDOWS_PLATFORM_IDENTIFIER], groovy.lang.Closure)
+                        signArtifacts.sh(
+                   #!/bin/bash
+                   set +x
+                   export ROLE=SIGNER_WINDOWS_ROLE
+                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID
+                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET
+                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET
+                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER
+                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER
+
+                   /tmp/workspace/opensearch-build/sign.sh  two.dll  --platform windows --overwrite 
+               )
+                  publishToNuget.signArtifacts({artifactPath= three.dll, platform=windows, overwrite=true})
+                     signArtifacts.echo(PGP or Windows Signature Signing)
+                     signArtifacts.fileExists(/tmp/workspace/sign.sh)
+                     signArtifacts.dir(opensearch-build, groovy.lang.Closure)
+                        signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
+                     signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
+                     signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-role, variable=SIGNER_WINDOWS_ROLE})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-external-id, variable=SIGNER_WINDOWS_EXTERNAL_ID})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-unsigned-bucket, variable=SIGNER_WINDOWS_UNSIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-signed-bucket, variable=SIGNER_WINDOWS_SIGNED_BUCKET})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-profile-identifier, variable=SIGNER_WINDOWS_PROFILE_IDENTIFIER})
+                     signArtifacts.string({credentialsId=jenkins-signer-windows-platform-identifier, variable=SIGNER_WINDOWS_PLATFORM_IDENTIFIER})
+                     signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], SIGNER_WINDOWS_ROLE, SIGNER_WINDOWS_EXTERNAL_ID, SIGNER_WINDOWS_UNSIGNED_BUCKET, SIGNER_WINDOWS_SIGNED_BUCKET, SIGNER_WINDOWS_PROFILE_IDENTIFIER, SIGNER_WINDOWS_PLATFORM_IDENTIFIER], groovy.lang.Closure)
+                        signArtifacts.sh(
+                   #!/bin/bash
+                   set +x
+                   export ROLE=SIGNER_WINDOWS_ROLE
+                   export EXTERNAL_ID=SIGNER_WINDOWS_EXTERNAL_ID
+                   export UNSIGNED_BUCKET=SIGNER_WINDOWS_UNSIGNED_BUCKET
+                   export SIGNED_BUCKET=SIGNER_WINDOWS_SIGNED_BUCKET
+                   export PROFILE_IDENTIFIER=SIGNER_WINDOWS_PROFILE_IDENTIFIER
+                   export PLATFORM_IDENTIFIER=SIGNER_WINDOWS_PLATFORM_IDENTIFIER
+
+                   /tmp/workspace/opensearch-build/sign.sh  three.dll --platform windows --overwrite 
+               )
                   publishToNuget.string({credentialsId=net-api-key, variable=API_KEY})
                   publishToNuget.withCredentials([API_KEY], groovy.lang.Closure)
                      publishToNuget.sh(

diff --git a/tests/jenkins/lib-testers/PublishToNugetLibTester.groovy b/tests/jenkins/lib-testers/PublishToNugetLibTester.groovy
@@ -25,7 +25,10 @@ class PublishToNugetLibTester extends LibFunctionTester {
 
     void configure(helper, binding){
         helper.registerAllowedMethod("checkout", [Map], {})
-        helper.addFileExistsMock('workspace/sign.sh', false)
+        binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
+        helper.registerAllowedMethod('git', [Map])
+        helper.addFileExistsMock('/tmp/workspace/sign.sh', false)
+        helper.addReadFileMock('/tmp/workspace/dlls.txt', 'one.dll \n two.dll \n three.dll')
         helper.registerAllowedMethod("withCredentials", [Map, Closure], { args, closure ->
             closure.delegate = delegate
             return helper.callClosure(closure)