actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-14 18:31:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add QA tests

Browse source
This commit is contained in:
Antonio Aversa 2024-11-22 17:55:24 +01:00
parent f5bbdad66c
commit 0da496f537
4 changed files with 249 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
.github/qa-sq-behind-ngix/compose.yml vendored Normal file
View file

@ -0,0 +1,27 @@
services:
sonarqube:
image: sonarqube:lts-community
ports:
- 9000:9000
healthcheck:
test: 'grep -Fq "SonarQube is operational" /opt/sonarqube/logs/sonar.log'
interval: 10s
timeout: 5s
retries: 20
start_period: 2m
https-proxy:
image: nginx
ports:
- 4443:4443
volumes:
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/nginx.conf:/etc/nginx/nginx.conf:ro
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/ca.crt:/etc/nginx/client_certs/ca.crt:ro
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.crt:/etc/nginx/server.crt:ro
- $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.key:/etc/nginx/server.key:ro
healthcheck:
test: ["CMD", "curl", "--fail", "localhost:8080/health"]
interval: 10s
timeout: 5s
retries: 20
start_period: 2m

69
.github/qa-sq-behind-ngix/generate-certificates.sh vendored Executable file
View file

@ -0,0 +1,69 @@
#!/bin/sh
set -eux
echo Generating server certificate...
openssl req \
-newkey rsa:4096 \
-x509 \
-sha256 \
-addext "subjectAltName = DNS:localhost" \
-days 3650 \
-nodes \
-out server.crt \
-subj "/C=CH/ST=Geneva/L=Geneva/O=Server/OU=Dept" \
-keyout server.key
echo Generating client certificate...
# Generate Certificate Authority key
openssl genrsa \
-passout pass:test42 \
-des3 \
-out ca.key 4096 \
# Generate Certificate Authority certificate
openssl req \
-passin pass:test42 \
-new \
-x509 \
-days 365 \
-key ca.key \
-out ca.crt \
-subj "/C=CH/ST=Geneva/L=Geneva/O=CertificateAuthority/OU=ExpertDepartment"
# Generating Client certificate key
openssl genrsa \
-passout pass:test42 \
-des3 \
-out user.key 4096
# Generating Client certificate certificate
openssl req \
-passin pass:test42 \
-new \
-key user.key \
-out user.csr \
-subj "/C=CH/ST=Geneva/L=Geneva/O=UserOrg/OU=UserDepartment"
# Sign the certificate
openssl x509 \
-passin pass:test42 \
-req \
-days 365 \
-in user.csr \
-CA ca.crt \
-CAkey ca.key \
-set_serial 01 \
-out user.crt
# Generate a PKCS12 format certificate
openssl pkcs12 \
-passin pass:test42 \
-passout pass:test42 \
-export \
-out user.p12 \
-inkey user.key \
-in user.crt \
-certfile ca.crt

54
.github/qa-sq-behind-ngix/nginx.conf vendored Normal file
View file

@ -0,0 +1,54 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
location /health {
access_log off;
add_header 'Content-Type' 'text/plain';
return 200 "healthy\n";
}
}
server {
listen 4443 ssl;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
access_log /var/log/nginx/localhost;
error_log /var/log/nginx/localhost.error debug;
location / {
proxy_pass http://sonarqube:9000;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto https;
}
}
}

100
.github/workflows/qa.yml vendored
View file

@ -274,4 +274,102 @@ jobs:
SONAR_HOST_URL: http://not_actually_used
- name: Assert
run: |
./test/assertFileExists ~/.sonar/ssl/truststore.p12
./test/assertFileExists ~/.sonar/ssl/truststore.p12
analysisWithSslCertificate:
name: >
Analysis takes into account 'SONAR_ROOT_CERT'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate certificates
run: ./generate-certificates.sh
working-directory: .github/qa-sq-behind-ngix
- name: Start nginx and SonarQube via Docker Compose
run: docker compose up -d --wait
working-directory: .github/qa-sq-behind-ngix
- name: Read correct client certificate from
run: |
# read server.crt from .github/qa-sq-behind-ngix/ and store into the SONAR_ROOT_CERT_VALID
# environment variable, to be able to read it in the next step
{
echo 'SONAR_ROOT_CERT_VALID<<=========='
cat .github/qa-sq-behind-ngix/server.crt
echo ==========
} >> $GITHUB_ENV
- name: Run action with the correct SSL certificate
uses: ./
env:
SONAR_ROOT_CERT: ${{ env.SONAR_ROOT_CERT_VALID }}
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Clear imported certificates
run: |
rm -f ~/.sonar/ssl/truststore.p12
- name: Run action with an invalid SSL certificate
id: invalid_ssl_certificate
continue-on-error: true
uses: ./
env:
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
INVALID
-----END CERTIFICATE-----
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert failure of previous step
if: steps.invalid_ssl_certificate.outcome == 'success'
run: exit 1
- name: Clear imported certificates
run: |
rm -f ~/.sonar/ssl/truststore.p12
- name: Run action with the wrong SSL certificate
id: wrong_ssl_certificate
continue-on-error: true
uses: ./
env:
SONAR_ROOT_CERT: |
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx
MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu
ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE
RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77
nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3
b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup
HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq
xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+
MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6
aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G
wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH
wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM
QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W
iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG
J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+
AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP
BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B
AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe
3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5
eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC
rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK
EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP
H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/
bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb
u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE
zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm
QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td
dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI=
-----END CERTIFICATE-----
SONAR_HOST_URL: https://localhost:4443
with:
args: -Dsonar.login=admin -Dsonar.password=admin
projectBaseDir: ./test/example-project
- name: Assert failure of previous step
if: steps.wrong_ssl_certificate.outcome == 'success'
run: exit 1