Add parameter 'strictNoSignature' to make missing signatures explicit in keys map #44

Merged
merged 12 commits into from
Nov 15, 2019
4 changes: 4 additions & 0 deletions src/main/java/org/simplify4u/plugins/ArtifactInfo.java
Expand Up @@ -76,4 +76,8 @@ private boolean isMatchPattern(Pattern pattern, String str) {
public boolean isKeyMatch(PGPPublicKey key) {
return keyInfo.isKeyMatch(key);
}

public boolean isNoKey() {
return keyInfo.isNoKey();
}
}
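Review bot: The new `isNoKey()` accessor at the end of the class has no Javadoc, and nothing in its name says what an empty key list means for verification; on this page the caller in PGPVerifyMojo treats a true result as permission to accept the artifact without any signature check, so the contract deserves to be spelled out here. I would add `/** @return true when the keys-map entry matched for this artifact lists no key, i.e. the artifact is declared as shipping without a PGP signature. */` above the method. The class header and constructor are outside the hunk.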
8 changes: 8 additions & 0 deletions src/main/java/org/simplify4u/plugins/KeyInfo.java
Expand Up @@ -45,6 +45,10 @@ public KeyInfo(String strKeys) {
throw new IllegalArgumentException("null key not allowed");
}

if (strKeys.trim().isEmpty()) {
return;
}

for (String key : strKeys.split(",")) {
key = key.trim();
if (key.startsWith("0x")) {
Expand Down Expand Up @@ -97,4 +101,8 @@ private boolean compareArrays(byte[] keyBytes, byte[] fingerprint) {
}
return true;
}

public boolean isNoKey() {
return keysID.isEmpty();
}
}
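Review bot: The early `return` added to the constructor for a blank `strKeys` turns an empty or whitespace-only value into a KeyInfo for which `isNoKey()` is true, and that is now a policy-weakening directive ("this artifact may be unsigned") rather than a no-op, so it should be documented at both places it is decided. I would add `// An empty value is an explicit declaration that the artifact has no key (see isNoKey()).` above the blank check, and `/** @return true when no key ID or fingerprint was configured for this entry, meaning the artifact is expected to be unsigned. */` on `isNoKey()`. The constructor and the class body begin outside the hunk, so I cannot see whether any other path leaves `keysID` empty.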
13 changes: 11 additions & 2 deletions src/main/java/org/simplify4u/plugins/KeysMap.java
Expand Up @@ -56,6 +56,15 @@ public void load(String locale) throws ResourceNotFoundException, IOException {
}
}

public boolean isNoKey(Artifact artifact) {
for (ArtifactInfo artifactInfo : keysMapList) {
if (artifactInfo.isMatch(artifact)) {
return artifactInfo.isNoKey();
}
}
return false;
}

public boolean isValidKey(Artifact artifact, PGPPublicKey key) {
if (keysMapList.isEmpty()) {
return true;
Expand All @@ -80,12 +89,12 @@ private Map<String, String> loadKeysMap(final InputStream inputStream)
if (!currentLine.isEmpty() && !isCommentLine(currentLine)) {
final String[] parts = currentLine.split("=");

if (parts.length != 2) {
if (parts.length > 2) {
throw new IllegalArgumentException(
"Property line is malformed: " + currentLine);
}

keysMaps.put(parts[0], parts[1]);
keysMaps.put(parts[0], parts.length == 1 ? "" : parts[1]);
}
}

Expand Down
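Review bot: In the `loadKeysMap` hunk the relaxed check `parts.length > 2`, combined with `String.split("=")` dropping trailing empty strings, now accepts a line that contains no `=` at all (a mistyped `group:artifact:*`) as an entry with an empty key, and since an empty key is what `isNoKey` turns into permission to skip signature verification, a typo silently weakens the policy where it previously failed as malformed. A line consisting only of `=` goes further: `"=".split("=")` yields a zero-length array, so `parts[0]` throws ArrayIndexOutOfBoundsException instead of the malformed-line error. Keeping the strict arity check while still allowing an empty value only needs the limit argument: `final String[] parts = currentLine.split("=", -1);`, `if (parts.length != 2) {` and `keysMaps.put(parts[0], parts[1]);`; whether an empty artifact pattern (`parts[0]`) should be rejected too depends on how ArtifactInfo parses it, which is not on this page. `loadKeysMap` starts and ends outside the hunk.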
23 changes: 21 additions & 2 deletions src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java
Expand Up @@ -132,6 +132,12 @@ public class PGPVerifyMojo extends AbstractMojo {
@Parameter(property = "pgpverify.failNoSignature", defaultValue = "false")
private boolean failNoSignature;

/**
* Fail the build if any artifact without key is not present in the keys list.
*/
@Parameter(property = "pgpverify.strictNoSignature", defaultValue = "false")
private boolean strictNoSignature;

/**
* Fail the build if any dependency has a weak signature.
*
Expand Down Expand Up @@ -356,7 +362,7 @@ private void verifyArtifacts(Set<Artifact> artifacts)
for (Artifact artifact : artifacts) {
final Artifact ascArtifact = resolveAscArtifact(artifact);

if (ascArtifact != null) {
if (ascArtifact != null || strictNoSignature) {
Member


move this logic to resolveAscArtifact method - so we don't need null to map

artifactToAsc.put(artifact, ascArtifact);
}
}
Expand Down Expand Up @@ -391,7 +397,7 @@ private Artifact resolveAscArtifact(Artifact artifact) throws MojoExecutionExcep
if (failNoSignature) {
getLog().error("No signature for " + artifact.getId());
throw new MojoExecutionException("No signature for " + artifact.getId());
} else {
} else if (!strictNoSignature) {
Member


call verifySignatureUnavailable in this place and throw exception - so only this place will be changed

Contributor Author


IIUC this will result in build failing at the first unlisted, unsigned artifact. So you lose the ability to list all unsigned artifacts, so the user can solve them in one go. Your thoughts?

getLog().warn("No signature for " + artifact.getId());
}
}
Expand Down Expand Up @@ -481,6 +487,19 @@ private void verifyArtifactSignatures(Map<Artifact, Artifact> artifactToAsc)

private boolean verifyPGPSignature(Artifact artifact, Artifact ascArtifact)
throws MojoFailureException {
if (ascArtifact == null) {
Member


it will be not necessary if we don't put nulls

if (keysMap.isNoKey(artifact)) {
final String logMessage = String.format("%s PGP Signature unavailable, consistent with keys map.", artifact.getId());
if (quiet) {
getLog().debug(logMessage);
} else {
getLog().info(logMessage);
}
return true;
}
getLog().error("Artifact without signature not listed in keys map: " + artifact.getId());
return false;
}
final File artifactFile = artifact.getFile();
final File signatureFile = ascArtifact.getFile();
final Map<Integer, String> weakSignatures = ImmutableMap.<Integer, String>builder()
Expand Down
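Review bot: The Javadoc on the new `strictNoSignature` parameter ("Fail the build if any artifact without key is not present in the keys list") does not tell a user what the flag actually does: an artifact with no `.asc` is accepted only when the keys map lists it with an empty value, and `failNoSignature` is tested first in `resolveAscArtifact`, so when both are set the build stops at the first unsigned artifact before the keys map is ever consulted. I would replace the comment with `Fail the build if an artifact has no signature unless the keys map explicitly lists it with an empty key (e.g. {@code group:artifact:*=}). Has no effect when failNoSignature is true.` Separately, the accepted-without-signature branch in `verifyPGPSignature` is logged at debug level under `quiet`; as this is the one path where an artifact enters the build with no integrity check at all, consider keeping it at info (or warn) regardless of `quiet` so the decision stays visible in CI logs. `verifyArtifacts`, `resolveAscArtifact` and `verifyPGPSignature` all continue outside their hunks.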
18 changes: 17 additions & 1 deletion src/test/java/org/simplify4u/plugins/KeyInfoTest.java
Expand Up @@ -20,6 +20,8 @@

import static org.simplify4u.plugins.TestUtils.getPGPgpPublicKey;
import static org.testng.Assert.assertEquals;
import static org.testng.Assert.assertTrue;
import static org.testng.AssertJUnit.assertFalse;

/**
* @author Slawomir Jaranowski.
Expand All @@ -37,7 +39,7 @@ public Object[][] keys() {
{"0x123456789abcdef0,0x0fedcba987654321", 0x123456789abcdef0L, true},
{"0x123456789abcdef0, 0x0fedcba987654321", 0x123456789abcdef0L, true},
{"0x123456789abcdef0", 0x231456789abcdef0L, false},
{"0x123456789abcdef0, 0x0fedcba987654321", 0x321456789abcdef0L, false}
{"0x123456789abcdef0, 0x0fedcba987654321", 0x321456789abcdef0L, false},
};
}

Expand All @@ -47,4 +49,18 @@ public void testIsKeyMatch(String strKeys, long key, boolean match) throws Excep
KeyInfo keyInfo = new KeyInfo(strKeys);
assertEquals(keyInfo.isKeyMatch(getPGPgpPublicKey(key)), match);
}

@Test
public void testIsNoKey() {

KeyInfo keyInfo = new KeyInfo("");
assertTrue(keyInfo.isNoKey());
}

@Test
public void testIsNoKeyIncorrect() {

KeyInfo keyInfo = new KeyInfo("0x123456789abcdef0");
assertFalse(keyInfo.isNoKey());
}
}
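Review bot: The new static imports mix `org.testng.Assert.assertTrue` with `org.testng.AssertJUnit.assertFalse`, which is inconsistent with the file's existing `org.testng.Assert` usage and pulls in the JUnit-compatibility API for no reason; use `import static org.testng.Assert.assertFalse;` instead. The new `testIsNoKey` only covers the literal empty string, while the constructor change trims before checking, so a whitespace-only value is the other input worth pinning: `assertTrue(new KeyInfo("   ").isNoKey());`. The test class header and the `keys()` data provider start outside the hunks.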
16 changes: 16 additions & 0 deletions src/test/java/org/simplify4u/plugins/KeysMapTest.java
Expand Up @@ -106,4 +106,20 @@ public void keysProcessedInEncounterOrder() throws Exception {
getArtifact("test", "test-package", "1.0.0"),
getPGPgpPublicKey(0xA6ADFC93EF34893EL)));
}

@Test
public void artifactsWithoutKeysProcessed() throws Exception {
keysMap.load("/keysMap3.list");

assertTrue(
keysMap.isNoKey(
getArtifact("test", "test-package", "1.0.0")));
assertFalse(
keysMap.isValidKey(
getArtifact("test", "test-package", "1.0.0"),
getPGPgpPublicKey(0xA6ADFC93EF34893EL)));
assertFalse(
keysMap.isNoKey(
getArtifact("test", "test-package-2", "1.0.0")));
}
}
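Review bot: `artifactsWithoutKeysProcessed` does not exercise the fall-through `return false` in `KeysMap.isNoKey` for an artifact that matches no entry at all, which is the case that decides whether an unlisted, unsigned artifact fails under `strictNoSignature`; add `assertFalse(keysMap.isNoKey(getArtifact("other", "unlisted", "1.0.0")));`. It would also be worth asserting the positive side for the listed key so the fixture is known to be well-formed: `assertTrue(keysMap.isValidKey(getArtifact("test", "test-package-2", "1.0.0"), getPGPgpPublicKey(0xA6ADFC93EF34893EL)));`. The test class and its `keysMap` field are outside the hunk.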
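--- /dev/null
+++ b/src/test/resources/keysMap3.list
@@ -0,0 +1,17 @@
+#
+# Copyright 2015 Slawomir Jaranowski
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+test:test-package:*=
+test:test-package-2:*=0xA6ADFC93EF34893E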