sonarExecuteScan: add custom certificate support (#819)

* feat(sonar): load TLS certificates * allow verbose property * handle whitespaces * cleanup * disable default verbosity on wget * correct test file name * add test case for custom certificates * import StandardCharsets * change cleanup * correct pull-request provider name * correct pull-request provider name * correct pull-request provider name
2024-12-12 10:55:20 +02:00 · 2019-08-11 22:42:34 +02:00 · 2019-08-11 22:42:34 +02:00 · f3f4c741be
commit f3f4c741be
parent f0a3dd9a39
3 changed files with 70 additions and 9 deletions
--- a/resources/default_pipeline_environment.yml
+++ b/resources/default_pipeline_environment.yml
@ -501,7 +501,7 @@ steps:
    dockerImage: 'maven:3.5-jdk-8'
    instance: 'SonarCloud'
    options: []
-    pullRequestProvider: 'github'
+    pullRequestProvider: 'GitHub'
    sonarScannerDownloadUrl: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.3.0.1492-linux.zip'
  testsPublishResults:
    failOnError: false
--- a/test/groovy/SonarExecuteScanTest.groovy
+++ b/test/groovy/SonarExecuteScanTest.groovy
@ -146,7 +146,7 @@ class SonarExecuteScanTest extends BasePiperTest {
            containsString('-Dsonar.pullrequest.key=42'),
            containsString('-Dsonar.pullrequest.base=master'),
            containsString('-Dsonar.pullrequest.branch=feature/anything'),
-            containsString('-Dsonar.pullrequest.provider=github'),
+            containsString('-Dsonar.pullrequest.provider=GitHub'),
            containsString('-Dsonar.pullrequest.github.repository=testOrg/testRepo')
        )))
        assertJobStatusSuccess()
@ -234,4 +234,21 @@ class SonarExecuteScanTest extends BasePiperTest {
        assertThat(jscr.shell, hasItem(containsString('-Dsonar.organization=TestOrg-github')))
        assertJobStatusSuccess()
    }
+
+    @Test
+    void testWithCustomTlsCertificates() throws Exception {
+        jsr.step.sonarExecuteScan(
+            script: nullScript,
+            juStabUtils: utils,
+            customTlsCertificateLinks: [
+                'http://url.to/my.cert'
+            ]
+        )
+        // asserts
+        assertThat(jscr.shell, allOf(
+            hasItem(containsString('wget --directory-prefix .certificates/ --no-verbose http://url.to/my.cert')),
+            hasItem(containsString('keytool -import -noprompt -storepass changeit -keystore .sonar-scanner/jre/lib/security/cacerts -alias \'my.cert\' -file \'.certificates/my.cert\''))
+        ))
+        assertJobStatusSuccess()
+    }
 }
--- a/vars/sonarExecuteScan.groovy
+++ b/vars/sonarExecuteScan.groovy
@ -7,6 +7,8 @@ import static com.sap.piper.Prerequisites.checkScript
 import groovy.transform.Field
 import groovy.text.SimpleTemplateEngine

+import java.nio.charset.StandardCharsets
+
@Field String STEP_NAME = getClass().getName()

@Field Set GENERAL_CONFIG_KEYS = [
@ -40,8 +42,17 @@ import groovy.text.SimpleTemplateEngine
     * @possibleValues Jenkins credential id
     */
    'sonarTokenCredentialsId',
+    /**
+     * Print more detailed information into the log.
+     * @possibleValues `true`, `false`
+     */
+    'verbose'
 ]
@Field Set STEP_CONFIG_KEYS = GENERAL_CONFIG_KEYS.plus([
+    /**
+     * List containing download links of custom TLS certificates. This is required to ensure trusted connections to instances with custom certificates.
+     */
+    'customTlsCertificateLinks',
    /**
     * Pull-Request voting only:
     * Disables the pull-request decoration with inline comments.
@ -110,14 +121,20 @@ void call(Map parameters = [:]) {

        def worker = { config ->
            withSonarQubeEnv(config.instance) {
-                loadSonarScanner(config)
+                try{
+                    loadSonarScanner(config)

-                if(config.organization) config.options.add("sonar.organization=${config.organization}")
-                if(config.projectVersion) config.options.add("sonar.projectVersion=${config.projectVersion}")
-                // prefix options
-                config.options = config.options.collect { it.startsWith('-D') ? it : "-D${it}" }
+                    loadCertificates(config)

-                sh "PATH=\$PATH:${env.WORKSPACE}/.sonar-scanner/bin sonar-scanner ${config.options.join(' ')}"
+                    if(config.organization) config.options.add("sonar.organization=${config.organization}")
+                    if(config.projectVersion) config.options.add("sonar.projectVersion=${config.projectVersion}")
+                    // prefix options
+                    config.options = config.options.collect { it.startsWith('-D') ? it : "-D${it}" }
+
+                    sh "PATH=\$PATH:${env.WORKSPACE}/.sonar-scanner/bin sonar-scanner ${config.options.join(' ')}"
+                }finally{
+                    sh 'rm -rf .sonar-scanner .certificates .scannerwork'
+                }
            }
        }

@ -158,7 +175,7 @@ void call(Map parameters = [:]) {
                    config.options.add("sonar.pullrequest.branch=${env.BRANCH_NAME}")
                    config.options.add("sonar.pullrequest.provider=${config.pullRequestProvider}")
                    switch(config.pullRequestProvider){
-                        case 'github':
+                        case 'GitHub':
                            config.options.add("sonar.pullrequest.github.repository=${config.githubOrg}/${config.githubRepo}")
                            break
                        default: error "Pull-Request provider '${config.pullRequestProvider}' is not supported!"
@ -191,3 +208,30 @@ private void loadSonarScanner(config){
        mv ${foldername} .sonar-scanner
    """
 }
+
+private void loadCertificates(Map config) {
+    String certificateFolder = '.certificates/'
+    List wgetOptions = [
+        "--directory-prefix ${certificateFolder}"
+    ]
+    List keytoolOptions = [
+        '-import',
+        '-noprompt',
+        '-storepass changeit',
+        '-keystore .sonar-scanner/jre/lib/security/cacerts'
+    ]
+    if (config.customTlsCertificateLinks){
+        if(config.verbose){
+            wgetOptions.push('--verbose')
+            keytoolOptions.push('-v')
+        }else{
+            wgetOptions.push('--no-verbose')
+        }
+        config.customTlsCertificateLinks.each { url ->
+            def filename = new File(url).getName()
+            filename = URLDecoder.decode(filename, StandardCharsets.UTF_8.name())
+            sh "wget ${wgetOptions.join(' ')} ${url}"
+            sh "keytool ${keytoolOptions.join(' ')} -alias '${filename}' -file '${certificateFolder}${filename}'"
+        }
+    }
+}