From 196c6c80c658d3358296adf01e3c15783ab885be Mon Sep 17 00:00:00 2001 From: Sayali Gaikawad Date: Tue, 28 Jun 2022 12:04:20 -0700 Subject: [PATCH] Update signArtifacts lib env vars with credentials Signed-off-by: Sayali Gaikawad --- tests/jenkins/TestPromoteArtifacts.groovy | 10 +-- tests/jenkins/TestPromoteYumRepos.groovy | 10 +-- ...data-prepper-all-artifacts.jenkinsfile.txt | 24 ++++--- .../maven-sign-release.jenkinsfile.txt | 12 ++-- .../sign-standalone-artifacts.jenkinsfile.txt | 12 ++-- .../jobs/AssembleManifest_rpm_Jenkinsfile.txt | 18 +++--- ...ArtifactsQualifier_actions_Jenkinsfile.txt | 24 ++++--- ...ions_OpenSearch_Dashboards_Jenkinsfile.txt | 24 ++++--- .../PromoteArtifacts_actions_Jenkinsfile.txt | 36 ++++++----- ...ions_OpenSearch_Dashboards_Jenkinsfile.txt | 24 ++++--- .../jobs/PromoteYumRepos_Jenkinsfile.txt | 12 ++-- .../jobs/SignArtifacts_Jenkinsfile.txt | 42 +++++++------ .../lib-testers/SignArtifactsLibTester.groovy | 44 ++++++++----- vars/signArtifacts.groovy | 62 ++++++++++--------- 14 files changed, 202 insertions(+), 152 deletions(-) diff --git a/tests/jenkins/TestPromoteArtifacts.groovy b/tests/jenkins/TestPromoteArtifacts.groovy index c2a430d8a5..2851750ba7 100644 --- a/tests/jenkins/TestPromoteArtifacts.groovy +++ b/tests/jenkins/TestPromoteArtifacts.groovy 
@@ -43,10 +43,12 @@ class TestPromoteArtifacts extends BuildPipelineTest { binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name') binding.setVariable('WORKSPACE', 'tests/jenkins') binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name') - binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role') - binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id') - binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket') - binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket') + def signer_client_creds = ["role": "dummy_role", + "external_id": "dummy_ID", + "unsigned_bucket": "dummy_unsigned_bucket", + "signed_bucket": "dummy_signed_bucket"] + binding.setVariable('configs', signer_client_creds) + helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds}) helper.registerAllowedMethod("git", [Map]) helper.registerAllowedMethod("s3Download", [Map]) diff --git a/tests/jenkins/TestPromoteYumRepos.groovy b/tests/jenkins/TestPromoteYumRepos.groovy index 17307e7744..4a171d82bc 100644 --- a/tests/jenkins/TestPromoteYumRepos.groovy +++ b/tests/jenkins/TestPromoteYumRepos.groovy 
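Review bot: `binding.setVariable('configs', signer_client_creds)` binds the signer-client map under a name the signer-client path does not appear to read: the recorded pipeline output for these jobs shows `readJSON({text=signer_client_creds})`, so the library variable is `signer_client_creds`, while `configs` is the name used for the RPM-signing props. The test still passes only because the `readJSON` stub returns the same map whatever `text` it is handed, which makes the binding dead and leaves the stub unable to catch the library reading the wrong credential. Suggest `binding.setVariable('signer_client_creds', signer_client_creds)` together with a stub that dispatches on the variable it receives, e.g. `helper.registerAllowedMethod("readJSON", [Map.class], { c -> c.text == 'signer_client_creds' ? signer_client_creds : null })`, assuming the harness passes the credential variable name through as the fixtures suggest. The identical setup in TestPromoteYumRepos has the same mismatch. The enclosing setup method starts before this hunk.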
@@ -24,10 +24,12 @@ class TestPromoteYumRepos extends BuildPipelineTest { binding.setVariable('AWS_ACCOUNT_ARTIFACT', 'artifactsAccount') binding.setVariable('ARTIFACT_PRODUCTION_BUCKET_NAME', 'prod-bucket-name') binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name') - binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role') - binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id') - binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket') - binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket') + def signer_client_creds = ["role": "dummy_role", + "external_id": "dummy_ID", + "unsigned_bucket": "dummy_unsigned_bucket", + "signed_bucket": "dummy_signed_bucket"] + binding.setVariable('configs', signer_client_creds) + helper.registerAllowedMethod("readJSON", [Map.class], {c -> signer_client_creds}) helper.registerAllowedMethod("git", [Map]) helper.registerAllowedMethod("withAWS", [Map, Closure], { args, closure -> closure.delegate = delegate diff --git a/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt index cc78959a78..09a19e91e6 100644 --- a/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt +++ b/tests/jenkins/jenkinsjob-regression-files/data-prepper/release-data-prepper-all-artifacts.jenkinsfile.txt 
@@ -17,14 +17,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/archive --sigtype=.sig --platform=linux ) 
@@ -89,14 +91,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/maven --type=maven --platform=linux ) diff --git a/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt index 60f91148c8..da39ad0144 100644 --- a/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt +++ b/tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt 
@@ -16,14 +16,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml --type=maven --platform=linux ) diff --git a/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt b/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt index 1eec75e275..0fb902abfa 100644 --- a/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt +++ b/tests/jenkins/jenkinsjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt 
@@ -14,14 +14,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux ) diff --git a/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt b/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt index 4490d61a10..56db0bc8bf 100644 --- a/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt +++ b/tests/jenkins/jobs/AssembleManifest_rpm_Jenkinsfile.txt 
@@ -13,11 +13,11 @@ BuildManifest.getArtifactRootUrlWithoutDistribution(https://ci.opensearch.org/dbc, vars-build, 123) assembleManifest.sh(./assemble.sh "tests/data/opensearch-build-1.3.0-rpm.yml" --base-url https://ci.opensearch.org/dbc/vars-build/1.3.0/123/linux/x64) assembleManifest.signArtifacts({artifactPath=rpm/dist/opensearch, sigtype=.rpm, platform=linux}) - signArtifacts.echo(RPM Add Sign) - signArtifacts.withAWS({role=sign_asm_role, roleAccount=sign_asm_account, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) - signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-pass-id, variable=SIGNING_PASS_ID}) - signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-secret-id, variable=SIGNING_SECRET_ID}) - signArtifacts.withCredentials([SIGNING_PASS_ID, SIGNING_SECRET_ID], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs}) + signArtifacts.withCredentials([configs], groovy.lang.Closure) + signArtifacts.readJSON({text=configs}) + signArtifacts.echo(RPM Add Sign) + signArtifacts.withAWS({role=jenki-jenki-asm-assume-role, roleAccount=1234, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) signArtifacts.sh( set -e set +x 
@@ -57,8 +57,8 @@ echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" - aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_PASS_ID" | jq -r .SecretBinary | base64 --decode > passphrase - aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_SECRET_ID" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - + aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::123456" | jq -r .SecretBinary | base64 --decode > passphrase + aws secretsmanager get-secret-value --region us-west-2 --secret-id "ARN::56789" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" @@ -85,8 +85,8 @@ echo "------------------------------------------------------------------------" echo "Clean up gpg" - gpg --batch --yes --delete-secret-keys sign_asm_keyid - gpg --batch --yes --delete-keys sign_asm_keyid + gpg --batch --yes --delete-secret-keys abcd1234 + gpg --batch --yes --delete-keys abcd1234 rm -v passphrase ) diff --git a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt index 41c2291da9..249d42b8c2 100644 --- a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_Jenkinsfile.txt 
@@ -29,14 +29,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) 
@@ -60,14 +62,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) diff --git a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt index 5c4f7880ef..cc677a34c8 100644 --- a/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PromoteArtifactsQualifier_actions_OpenSearch_Dashboards_Jenkinsfile.txt 
@@ -29,14 +29,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) 
@@ -60,14 +62,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) diff --git a/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt index 717b762199..6ad676a413 100644 --- a/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt 
@@ -32,14 +32,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/artifacts/tar/vars-build/1.3.0/33/linux/x64/tar/builds/opensearch/core-plugins --sigtype=.sig ) 
@@ -56,14 +58,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) 
@@ -107,14 +111,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) diff --git a/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt index 5fbb75ddb5..43d0101a7c 100644 --- a/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PromoteArtifacts_actions_OpenSearch_Dashboards_Jenkinsfile.txt 
@@ -29,14 +29,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) 
@@ -60,14 +62,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket tests/jenkins/sign.sh tests/jenkins/tests/jenkins/file/found.zip --sigtype=.sig ) diff --git a/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt index 4da623bf79..f6d2d3e505 100644 --- a/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt +++ b/tests/jenkins/jobs/PromoteYumRepos_Jenkinsfile.txt 
@@ -45,14 +45,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/artifacts/releases/bundle/opensearch/1.x/yum/repodata/repomd.pom --sigtype=.sig --platform=linux ) diff --git a/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt b/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt index 6bf5908794..4b9dc05222 100644 --- a/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt +++ b/tests/jenkins/jobs/SignArtifacts_Jenkinsfile.txt 
@@ -9,23 +9,25 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux ) SignArtifacts_Jenkinsfile.signArtifacts({artifactPath=/tmp/workspace/artifacts, sigtype=.rpm, platform=linux}) - signArtifacts.echo(RPM Add Sign) - signArtifacts.withAWS({role=sign_asm_role, roleAccount=sign_asm_account, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) - signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-pass-id, variable=SIGNING_PASS_ID}) - signArtifacts.string({credentialsId=jenkins-rpm-signing-asm-secret-id, variable=SIGNING_SECRET_ID}) - signArtifacts.withCredentials([SIGNING_PASS_ID, SIGNING_SECRET_ID], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-rpm-signing-props, variable=configs}) + signArtifacts.withCredentials([configs], groovy.lang.Closure) + signArtifacts.readJSON({text=configs}) + signArtifacts.echo(RPM Add Sign) + 
signArtifacts.withAWS({role=jenki-jenki-asm-assume-role, roleAccount=null, duration=900, roleSessionName=jenkins-signing-session}, groovy.lang.Closure) signArtifacts.sh( set -e set +x @@ -65,8 +67,8 @@ echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" - aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_PASS_ID" | jq -r .SecretBinary | base64 --decode > passphrase - aws secretsmanager get-secret-value --region "sign_asm_region" --secret-id "SIGNING_SECRET_ID" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - + aws secretsmanager get-secret-value --region us-west-2 --secret-id "null" | jq -r .SecretBinary | base64 --decode > passphrase + aws secretsmanager get-secret-value --region us-west-2 --secret-id "null" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" @@ -93,8 +95,8 @@ echo "------------------------------------------------------------------------" echo "Clean up gpg" - gpg --batch --yes --delete-secret-keys sign_asm_keyid - gpg --batch --yes --delete-keys sign_asm_keyid + gpg --batch --yes --delete-secret-keys null + gpg --batch --yes --delete-keys null rm -v passphrase ) 
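Review bot: This snapshot now pins `roleAccount=null`, `--secret-id "null"` and `gpg --batch --yes --delete-secret-keys null` for the `.rpm` invocation, so it codifies a run in which the RPM signing props were never supplied rather than a correct signing call. Presumably the `readJSON` stub in effect for this job returns the signer-client map (which has no `account`, `*_secrets_arn` or `key_id` keys), since the `.sig` and maven invocations in the same job register a different stub; the fixture should be regenerated once the test supplies the RPM props and should then read like the AssembleManifest_rpm fixture, e.g. `roleAccount=1234` and `--secret-id "ARN::123456"`. It also documents that the library turns a missing key into the literal string `null` instead of failing, which deserves a guard in signArtifacts.groovy rather than a snapshot that accepts it.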
@@ -104,14 +106,16 @@ signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main}) signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -) signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN}) - signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure) + signArtifacts.string({credentialsId=jenkins-signer-client-creds, variable=signer_client_creds}) + signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN], signer_client_creds], groovy.lang.Closure) + signArtifacts.readJSON({text=signer_client_creds}) signArtifacts.sh( #!/bin/bash set +x - export ROLE=dummy_signer_client_role - export EXTERNAL_ID=signer_client_external_id - export UNSIGNED_BUCKET=signer_client_unsigned_bucket - export SIGNED_BUCKET=signer_client_signed_bucket + export ROLE=dummy_role + export EXTERNAL_ID=dummy_ID + export UNSIGNED_BUCKET=dummy_unsigned_bucket + export SIGNED_BUCKET=dummy_signed_bucket /tmp/workspace/sign.sh /tmp/workspace/file.yml --platform=linux --type=maven ) diff --git a/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy b/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy index 40d502246d..f5d696ccae 100644 --- a/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy +++ b/tests/jenkins/lib-testers/SignArtifactsLibTester.groovy @@ -1,7 +1,6 @@ import static org.hamcrest.CoreMatchers.notNullValue import static org.hamcrest.MatcherAssert.assertThat - class SignArtifactsLibTester extends LibFunctionTester { private String sigtype 
@@ -10,7 +9,7 @@ class SignArtifactsLibTester extends LibFunctionTester { private String type private String component - public SignArtifactsLibTester(sigtype, platform, artifactPath, type, component){ + public SignArtifactsLibTester(sigtype, platform, artifactPath, type, component) { this.sigtype = sigtype this.platform = platform this.artifactPath = artifactPath 
@@ -20,18 +19,28 @@ class SignArtifactsLibTester extends LibFunctionTester { void configure(helper, binding) { binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name') - binding.setVariable('SIGNER_CLIENT_ROLE', 'dummy_signer_client_role') - binding.setVariable('SIGNER_CLIENT_EXTERNAL_ID', 'signer_client_external_id') - binding.setVariable('SIGNER_CLIENT_UNSIGNED_BUCKET', 'signer_client_unsigned_bucket') - binding.setVariable('SIGNER_CLIENT_SIGNED_BUCKET', 'signer_client_signed_bucket') - binding.setVariable('SIGN_ASM_ROLE', 'sign_asm_role') - binding.setVariable('SIGN_ASM_ACCOUNT', 'sign_asm_account') - binding.setVariable('SIGN_ASM_REGION', 'sign_asm_region') - binding.setVariable('SIGN_ASM_KEYID', 'sign_asm_keyid') - - helper.registerAllowedMethod("git", [Map]) - helper.registerAllowedMethod("withCredentials", [Map]) - helper.registerAllowedMethod("withAWS", [Map, Closure], { args, closure -> + if (this.sigtype.equals('.rpm')) { + def configs = ['account': '1234', + 'passphrase_secrets_arn': 'ARN::123456', + 'secret_key_id_secrets_arn': 'ARN::56789', + 'key_id': 'abcd1234'] + binding.setVariable('configs', configs) + helper.registerAllowedMethod('readJSON', [Map.class], { c -> configs }) + } + else { + def signer_client_creds = ['role': 'dummy_role', + 'external_id': 'dummy_ID', + 'unsigned_bucket': 'dummy_unsigned_bucket', + 'signed_bucket': 'dummy_signed_bucket'] + binding.setVariable('signer_client_creds', signer_client_creds) + helper.registerAllowedMethod('readJSON', [Map.class], { c -> signer_client_creds }) + } + helper.registerAllowedMethod('git', [Map]) + helper.registerAllowedMethod('withCredentials', [Map, Closure], { args, closure -> + closure.delegate = delegate + return helper.callClosure(closure) + }) + helper.registerAllowedMethod('withAWS', [Map, Closure], { args, closure -> closure.delegate = delegate return helper.callClosure(closure) }) 
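Review bot: Registering `readJSON` with a different closure depending on `this.sigtype` means that when several testers are configured for one job the last registration wins for every call, so an `.rpm` invocation can be served the signer-client map (no `account`/`key_id` keys) and the library then sees nulls; the SignArtifacts_Jenkinsfile fixture in this patch records exactly `roleAccount=null`. Since the recorded calls show the credential variable name arriving as `text` (`readJSON({text=configs})` and `readJSON({text=signer_client_creds})`), one stub that dispatches on `c.text` serves any mix of sigtypes and additionally verifies that the library reads the right credential. The `binding.setVariable('configs', ...)` / `binding.setVariable('signer_client_creds', ...)` lines look redundant if `withCredentials` is what binds the variable in this harness; confirm before dropping them. The enclosing class continues outside the hunk.
```groovy
void configure(helper, binding) {
    binding.setVariable('GITHUB_BOT_TOKEN_NAME', 'github_bot_token_name')
    def rpmSigningProps = ['account': '1234',
                           'passphrase_secrets_arn': 'ARN::123456',
                           'secret_key_id_secrets_arn': 'ARN::56789',
                           'key_id': 'abcd1234']
    def signerClientCreds = ['role': 'dummy_role',
                             'external_id': 'dummy_ID',
                             'unsigned_bucket': 'dummy_unsigned_bucket',
                             'signed_bucket': 'dummy_signed_bucket']
    // Dispatch on the credential variable the library hands to readJSON so a
    // single registration serves .rpm and non-.rpm calls within the same job.
    helper.registerAllowedMethod('readJSON', [Map.class], { c ->
        switch (c.text) {
            case 'configs': return rpmSigningProps
            case 'signer_client_creds': return signerClientCreds
            default: throw new IllegalArgumentException("unexpected readJSON text: ${c.text}")
        }
    })
    // … unchanged: git / withCredentials / withAWS stubs …
```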
@@ -40,15 +49,15 @@ class SignArtifactsLibTester extends LibFunctionTester { void parameterInvariantsAssertions(call) { assertThat(call.args.artifactPath.first(), notNullValue()) assertThat(call.args.platform.first(), notNullValue()) - if(call.args.artifactPath.first().toString().endsWith(".yml")){ + if (call.args.artifactPath.first().toString().endsWith('.yml')) { assertThat(call.args.type.first(), notNullValue()) - } else if(call.args.type.first() != 'maven'){ + } else if (call.args.type.first() != 'maven') { assertThat(call.args.sigtype.first(), notNullValue()) } } boolean expectedParametersMatcher(call) { - if(call.args.artifactPath.first().toString().endsWith(".yml")){ + if (call.args.artifactPath.first().toString().endsWith('.yml')) { return call.args.platform.first().toString().equals(this.platform) && call.args.artifactPath.first().toString().equals(this.artifactPath) && call.args.type.first().toString().equals(this.type) @@ -63,4 +72,5 @@ class SignArtifactsLibTester extends LibFunctionTester { String libFunctionName() { return 'signArtifacts' } + } diff --git a/vars/signArtifacts.groovy b/vars/signArtifacts.groovy index 491ddac51d..9052e2ffa6 100644 --- a/vars/signArtifacts.groovy +++ b/vars/signArtifacts.groovy 
@@ -15,15 +15,17 @@ SignArtifacts signs the given artifacts and saves the signature in the same dire @param Map[platform] - The distribution platform for signing. */ void call(Map args = [:]) { - if (args.sigtype.equals('.rpm')) { - echo "RPM Add Sign" + withCredentials([string(credentialsId: 'jenkins-rpm-signing-props', variable: 'configs')]) { + def props = readJSON(text: configs) + def signingAccount = props['account'] + def signingPassphraseSecretsArn = props['passphrase_secrets_arn'] + def signingSecretKeyIdSecretsArn = props['secret_key_id_secrets_arn'] + def signingKeyId = props['key_id'] + + echo 'RPM Add Sign' - withAWS(role: "${SIGN_ASM_ROLE}", roleAccount: "${SIGN_ASM_ACCOUNT}", duration: 900, roleSessionName: 'jenkins-signing-session') { - withCredentials([ - string(credentialsId: 'jenkins-rpm-signing-asm-pass-id', variable: 'SIGNING_PASS_ID'), - string(credentialsId: 'jenkins-rpm-signing-asm-secret-id', variable: 'SIGNING_SECRET_ID')]) - { + withAWS(role: 'jenki-jenki-asm-assume-role', roleAccount: "${signingAccount}", duration: 900, roleSessionName: 'jenkins-signing-session') { sh """ set -e set +x 
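Review bot: The `if (args.sigtype.equals('.rpm'))` guard is removed without a replacement, and the matching `} else {` is dropped in the later hunk of this file, so as far as the visible hunks show every call — maven and PGP-signature requests included — now enters the RPM path, assumes `jenki-jenki-asm-assume-role` and pulls the GPG private key from Secrets Manager before the PGP path also runs. If that is not intended, restore the guard as `if (args.sigtype.equals('.rpm')) {` around the `withCredentials` block and `} else {` ahead of `echo 'PGP Signature Signing'`. Separately, only the bound `configs` string is covered by the credentials masker; the fields pulled out by `readJSON` are not, and they are Groovy-interpolated into the `sh """` script, so the account, ARNs and key id become part of the script text Jenkins records for the build — prefer passing them through `withEnv` and referencing `$VAR` in a script that is not Groovy-interpolated. Hard-coding the role name in source while the account comes from the secret also splits one assume-role identity across code and credential; carrying `role` in the same JSON means rotating it needs no code change.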
@@ -61,8 +63,8 @@ void call(Map args = [:]) { echo "------------------------------------------------------------------------" echo "Import OpenSearch keys" - aws secretsmanager get-secret-value --region "${SIGN_ASM_REGION}" --secret-id "${SIGNING_PASS_ID}" | jq -r .SecretBinary | base64 --decode > passphrase - aws secretsmanager get-secret-value --region "${SIGN_ASM_REGION}" --secret-id "${SIGNING_SECRET_ID}" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - + aws secretsmanager get-secret-value --region us-west-2 --secret-id "${signingPassphraseSecretsArn}" | jq -r .SecretBinary | base64 --decode > passphrase + aws secretsmanager get-secret-value --region us-west-2 --secret-id "${signingSecretKeyIdSecretsArn}" | jq -r .SecretBinary | base64 --decode | gpg --quiet --import --pinentry-mode loopback --passphrase-file passphrase - echo "------------------------------------------------------------------------" echo "Start Signing Rpm" 
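Review bot: The region is now hard-coded as `us-west-2` in both `aws secretsmanager get-secret-value` calls, replacing `SIGN_ASM_REGION`, while the account and secret ARNs still come from the `jenkins-rpm-signing-props` secret, so a secret created in another region fails with a not-found error that is hard to trace from the log. Carry the region in the same JSON, `def signingRegion = props['region']`, and use `--region "${signingRegion}"` on these two lines. Also, this script runs under `set -e` (set in the earlier hunk) and the key deletion and `rm -v passphrase` happen only at its end, so any failure in the signing steps that follow leaves the imported private key in the agent's keyring and the plaintext `passphrase` file in the workspace; install `trap 'gpg --batch --yes --delete-secret-keys ${signingKeyId}; rm -f passphrase' EXIT` right after the import so cleanup runs on every exit path. The enclosing `sh """` block starts and ends outside this hunk.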
@@ -89,56 +91,58 @@ void call(Map args = [:]) { echo "------------------------------------------------------------------------" echo "Clean up gpg" - gpg --batch --yes --delete-secret-keys $SIGN_ASM_KEYID - gpg --batch --yes --delete-keys $SIGN_ASM_KEYID + gpg --batch --yes --delete-secret-keys ${signingKeyId} + gpg --batch --yes --delete-keys ${signingKeyId} rm -v passphrase """ - - } + } } - } else { - echo "PGP Signature Signing" + echo 'PGP Signature Signing' - if( !fileExists("$WORKSPACE/sign.sh")) { + if ( !fileExists("$WORKSPACE/sign.sh")) { git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' } importPGPKey() - + String arguments = generateArguments(args) // Sign artifacts - withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN')]) { + withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN'), + string(credentialsId: 'jenkins-signer-client-creds', variable: 'signer_client_creds')]) { + def creds = readJSON(text: signer_client_creds) + def signerClientRole = creds['role'] + def signerClientExternalId = creds['external_id'] + def signerClientUnsignedBucket = creds['unsigned_bucket'] + def signerClientSignedBucket = creds['signed_bucket'] + sh """ #!/bin/bash set +x - export ROLE=${SIGNER_CLIENT_ROLE} - export EXTERNAL_ID=${SIGNER_CLIENT_EXTERNAL_ID} - export UNSIGNED_BUCKET=${SIGNER_CLIENT_UNSIGNED_BUCKET} - export SIGNED_BUCKET=${SIGNER_CLIENT_SIGNED_BUCKET} + export ROLE=${signerClientRole} + export EXTERNAL_ID=${signerClientExternalId} + export UNSIGNED_BUCKET=${signerClientUnsignedBucket} + export SIGNED_BUCKET=${signerClientSignedBucket} $WORKSPACE/sign.sh ${arguments} """ } - } } String generateArguments(args) { - String artifactPath = args.remove("artifactPath") + String artifactPath = args.remove('artifactPath') // artifactPath is mandatory and the 
first argument String arguments = artifactPath // generation command line arguments - args.each{key, value -> arguments += " --${key}=${value}"} + args.each { key, value -> arguments += " --${key }=${value }"} return arguments } -void importPGPKey(){ - - sh "curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -" - +void importPGPKey() { + sh 'curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -' }
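Review bot: The four fields extracted from `jenkins-signer-client-creds` by `readJSON` are Groovy-interpolated into the `sh """` script (`export ROLE=${signerClientRole}` and the three lines after it), and because they are derived values rather than the bound `signer_client_creds` string the credentials masker does not cover them, so the role ARN, external ID and bucket names land in the script text Jenkins keeps for the build; `set +x` only suppresses the shell trace. Hand them to `sign.sh` through `withEnv` and drop the `export` lines so the script itself carries no secret-derived text, as sketched below. `generateArguments` also appends each `--${key}=${value}` pair unquoted to the `sign.sh` command line; callers are presumably pipeline code, but a value containing shell metacharacters would be interpreted, so each pair should be shell-quoted before it is joined. The fallback `git` checkout of `sign.sh` from an unpinned `main` branch predates this change, but since this is the signing path it is worth pinning to a tag or commit.
```groovy
withCredentials([usernamePassword(credentialsId: "${GITHUB_BOT_TOKEN_NAME}", usernameVariable: 'GITHUB_USER', passwordVariable: 'GITHUB_TOKEN'),
                 string(credentialsId: 'jenkins-signer-client-creds', variable: 'signer_client_creds')]) {
    def creds = readJSON(text: signer_client_creds)
    // Hand the secret-derived values to sign.sh via the environment so they
    // never become part of the recorded script text.
    withEnv(["ROLE=${creds['role']}",
             "EXTERNAL_ID=${creds['external_id']}",
             "UNSIGNED_BUCKET=${creds['unsigned_bucket']}",
             "SIGNED_BUCKET=${creds['signed_bucket']}"]) {
        sh """
            #!/bin/bash
            set +x
            $WORKSPACE/sign.sh ${arguments}
        """
    }
}
// … unchanged: generateArguments, importPGPKey …
```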