From 6440c7398239864bf06dd65f6800d5beefe34ba2 Mon Sep 17 00:00:00 2001
From: Antonio Aversa
Date: Thu, 28 Nov 2024 07:36:28 +0100
Subject: [PATCH] SQSCANGHA-56 Support GitHub self-hosted runners without keytool
---
 .github/qa-sq-behind-ngix/compose.yml | 26 ++++++
 .github/qa-sq-behind-ngix/nginx.conf | 54 +++++++++++++
 .github/workflows/qa.yml | 110 +++++++++++++++++++++++++-
 action.yml | 3 +-
 run-sonar-scanner.sh | 4 +-
 5 files changed, 193 insertions(+), 4 deletions(-)
 create mode 100644 .github/qa-sq-behind-ngix/compose.yml
 create mode 100644 .github/qa-sq-behind-ngix/nginx.conf
diff --git a/.github/qa-sq-behind-ngix/compose.yml b/.github/qa-sq-behind-ngix/compose.yml
new file mode 100644
index 0000000..0c35001
--- /dev/null
+++ b/.github/qa-sq-behind-ngix/compose.yml
@@ -0,0 +1,26 @@
+services:
+ sonarqube:
+ image: sonarqube:lts-community
+ ports:
+ - 9000:9000
+ healthcheck:
+ test: 'grep -Fq "SonarQube is operational" /opt/sonarqube/logs/sonar.log'
+ interval: 10s
+ timeout: 5s
+ retries: 20
+ start_period: 2m
+
+ https-proxy:
+ image: nginx
+ ports:
+ - 4443:4443
+ volumes:
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/nginx.conf:/etc/nginx/nginx.conf:ro
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.crt:/etc/nginx/server.crt:ro
+ - $GITHUB_WORKSPACE/.github/qa-sq-behind-ngix/server.key:/etc/nginx/server.key:ro
+ healthcheck:
+ test: ["CMD", "curl", "--fail", "localhost:8080/health"]
+ interval: 10s
+ timeout: 5s
+ retries: 20
+ start_period: 2m
\ No newline at end of file
diff --git a/.github/qa-sq-behind-ngix/nginx.conf b/.github/qa-sq-behind-ngix/nginx.conf
new file mode 100644
index 0000000..fd588d6
--- /dev/null
+++ b/.github/qa-sq-behind-ngix/nginx.conf
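Review bot: The `ports` entries `9000:9000` and `4443:4443` are unquoted; Compose documents port mappings as quoted strings because YAML 1.1 parsers read `a:b` with parts under 60 as a base-60 integer, so `- "9000:9000"` and `- "4443:4443"` keep the file safe against a later edit to a low port. Publishing `9000:9000` on the sonarqube service is also unnecessary for this test, since the proxy reaches it as `http://sonarqube:9000` over the Compose network, and dropping it guarantees the workflow can only reach SonarQube through the TLS listener under test. Both images are floating tags (`sonarqube:lts-community`, `nginx`) and the https-proxy healthcheck depends on `curl` being present in the nginx image, which presumably holds today but can change with any image rebuild; pinning the tags (or digests) keeps the QA job reproducible.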
@@ -0,0 +1,54 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+
+ keepalive_timeout 65;
+
+ include /etc/nginx/conf.d/*.conf;
+
+ server {
+ listen 8080;
+
+ location /health {
+ access_log off;
+ add_header 'Content-Type' 'text/plain';
+ return 200 "healthy\n";
+ }
+ }
+
+ server {
+ listen 4443 ssl;
+
+ ssl_protocols TLSv1.1 TLSv1.2;
+ ssl_certificate /etc/nginx/server.crt;
+ ssl_certificate_key /etc/nginx/server.key;
+
+ access_log /var/log/nginx/localhost;
+ error_log /var/log/nginx/localhost.error debug;
+
+ location / {
+ proxy_pass http://sonarqube:9000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+}
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index f4bd70c..e85a913 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
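Review bot: `ssl_protocols TLSv1.1 TLSv1.2;` on the 4443 server enables TLS 1.1, which is deprecated (RFC 8996) and typically refused by the default OpenSSL security level of current nginx images, so the directive either has no effect or re-enables a protocol nothing should negotiate; `ssl_protocols TLSv1.2 TLSv1.3;` is the right setting. Since this listener exists to exercise the scanner's truststore import, offering only modern protocols also keeps the test representative of a real SonarQube deployment. The `error_log /var/log/nginx/localhost.error debug;` line is reasonable for a throwaway CI container but is the kind of setting that gets copied; a one-line header comment such as `# QA-only reverse proxy in front of SonarQube; not a production template` would record that intent.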
@@ -274,4 +274,112 @@ jobs: SONAR_HOST_URL: http://not_actually_used - name: Assert run: | - ./test/assertFileExists ~/.sonar/ssl/truststore.p12 \ No newline at end of file + ./test/assertFileExists ~/.sonar/ssl/truststore.p12 + analysisWithSslCertificate: + name: > + Analysis takes into account 'SONAR_ROOT_CERT' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Generate server certificate + run: | + openssl req \ + -newkey rsa:4096 \ + -x509 \ + -sha256 \ + -addext "subjectAltName = DNS:localhost" \ + -days 3650 \ + -nodes \ + -out server.crt \ + -subj "/C=CH/ST=Geneva/L=Geneva/O=Server/OU=Dept" \ + -keyout server.key + working-directory: .github/qa-sq-behind-ngix + - name: Start nginx and SonarQube via Docker Compose + run: docker compose up -d --wait + working-directory: .github/qa-sq-behind-ngix + - name: Read correct server certificate + run: | + # read server.crt from .github/qa-sq-behind-ngix/ and store into the SONAR_ROOT_CERT_VALID + # environment variable, to be able to read it in the next step + { + echo 'SONAR_ROOT_CERT_VALID<<==========' + cat .github/qa-sq-behind-ngix/server.crt + echo ========== + } >> $GITHUB_ENV + - name: Run action with the correct SSL certificate + uses: ./ + env: + SONAR_ROOT_CERT: ${{ env.SONAR_ROOT_CERT_VALID }} + SONAR_HOST_URL: https://localhost:4443 + with: + args: -Dsonar.login=admin -Dsonar.password=admin + projectBaseDir: ./test/example-project + - name: Clear imported SSL certificates + run: | + rm -f ~/.sonar/ssl/truststore.p12 + - name: Run action with an invalid SSL certificate + id: invalid_ssl_certificate + continue-on-error: true + uses: ./ + env: + SONAR_ROOT_CERT: | + -----BEGIN CERTIFICATE----- + INVALID + -----END CERTIFICATE----- + SONAR_HOST_URL: https://localhost:4443 + with: + args: -Dsonar.login=admin -Dsonar.password=admin + projectBaseDir: ./test/example-project + - name: Assert failure of previous step + if: 
steps.invalid_ssl_certificate.outcome == 'success' + run: exit 1 + - name: Clear imported SSL certificates + run: | + rm -f ~/.sonar/ssl/truststore.p12 + - name: Run action with the wrong SSL certificate + id: wrong_ssl_certificate + continue-on-error: true + uses: ./ + env: + SONAR_ROOT_CERT: | + -----BEGIN CERTIFICATE----- + MIIFlTCCA32gAwIBAgIUXK4LyGUFe4ZVL93StPXCoJzmnLMwDQYJKoZIhvcNAQEL + BQAwTzELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu + ZXZhMQ8wDQYDVQQKDAZTZXJ2ZXIxDTALBgNVBAsMBERlcHQwHhcNMjQxMTAxMDgx + MzM3WhcNMzQxMDMwMDgxMzM3WjBPMQswCQYDVQQGEwJDSDEPMA0GA1UECAwGR2Vu + ZXZhMQ8wDQYDVQQHDAZHZW5ldmExDzANBgNVBAoMBlNlcnZlcjENMAsGA1UECwwE + RGVwdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK5m0V6IFFykib77 + nmlN7weS9q3D6YGEj+8hRNQViL9KduUoLjoKpONIihU5kfIg+5SkGygjHRkBvIp3 + b0HQqhkwtGln3/FxxaSfGEguLHgzXR8JDQSyJ8UKIGOPCH93n1rUip5Ok1iExVup + HtkiVDRoCC9cRjZXbGOKrO6VBT4RvakpkaqCdXYikV244B5ElM7kdFdz8fso78Aq + xekb9dM0f21uUaDBKCIhRcxWeafp0CJIoejTq0+PF7qA2qIY5UHqWElWO5NsvQ8+ + MqKkIdsOa1pYNuH/5eQ59k9KSE92ps1xTKweW000GfPqxx8IQ/e4aAd2SaMTKvN6 + aac6piWBeJ7AssgWwkg/3rnZB5seQIrWjIUePmxJ4c0g0eL9cnVpYF0K/Dldle/G + wg0zi1g709rBI1TYj9xwrivxSwEQupz8OdKqOmgqrKHJJ/CCLl+JdFYjgwl3NWLH + wsU639H1bMXIJoQujg9U47e9fXbwiqdkMQzt7rPGkOBBaAkSctAReiXnWy+CbVEM + QFHDrnD5YUJRd5t/DUuWuqhR2QhfUvRClPUKoVqB/iOu2IumlgDEDA8jb1dxEW+W + iaYokQCS94OpxOJ8aeReSt9bghT0vc9ifCLWvuE1iBjujdK32ekKSY9DCZyBHXsG + J9N1nt1qd/k7QqWOkuPjr1JrTIMbAgMBAAGjaTBnMB0GA1UdDgQWBBQw4ESReEk+ + AIxwjHRqPkESzMv1bTAfBgNVHSMEGDAWgBQw4ESReEk+AIxwjHRqPkESzMv1bTAP + BgNVHRMBAf8EBTADAQH/MBQGA1UdEQQNMAuCCWxvY2FsaG9zdDANBgkqhkiG9w0B + AQsFAAOCAgEAE8WefoZN23aOSe79ZN7zRBWP8DdPgFAqg5XUhfc9bCIVfJ4XMpEe + 3lzRhgjwDm4naEs35QWOhPZH2vx8XrEKnZNI6vKO8JzaCsivgngk8bsWnvhwSXy5 + eFdc99K+FOmOHevDmeiimoQnikffnSULRhQYzE2Qwyo9iky8703/+D3IKEC/8exC + rlyGMUV/Nqj+4M+57DiZ6OXeFuunfoFB7vmcDZygqDhKoHhVRyu8qN6PeK2fvUFK + EjeRtvA0GkdlOtLIF2g5yBTK2ykkt/oLUoAolfYUTKcoV2/FS0gVR5ovmEpKyBcP + 
H9hzr16a8dtrEqOf/oKHQSLwxn8afmS354HJ75sq9SujOtIWpHfyH5IgqtUpiBN/ + bzvKs/QZjtGlqvquOTkdh9L4oxTXqG7zEStZyo/v9g5jf1Tq195b2DNFwVUZIcbb + u2d4CvAZ1yNr+8ax/kTwBSY8WU+mCtmvowFstdvsJXVXJKnUO6EZOdbg0GxTBVyE + zMsnPcnkOwV5TJIKKhonrgrwmPmQ9IOV9BrThVxujjjEbAdA6jM9PMiXzuDukldm + QBRwNbczGbdsHkMKHmQnrTqOyQyI4KCXF08kcOm4C1P+Whrvi0DXkqHnyKvBE0td + dciInBoeHwUs2eclz7gP7pMBJUlFUkKfQxwxGLIqZSXnlAFBfW6hHLI= + -----END CERTIFICATE----- + SONAR_HOST_URL: https://localhost:4443 + with: + args: -Dsonar.login=admin -Dsonar.password=admin + projectBaseDir: ./test/example-project + - name: Assert failure of previous step + if: steps.wrong_ssl_certificate.outcome == 'success' + run: exit 1 \ No newline at end of file diff --git a/action.yml b/action.yml index 14854e5..743c81c 100644 --- a/action.yml +++ b/action.yml @@ -42,4 +42,5 @@ runs: run: ${GITHUB_ACTION_PATH}/run-sonar-scanner.sh ${{ inputs.args }} shell: bash env: - INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} \ No newline at end of file + INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }} + SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre \ No newline at end of file diff --git a/run-sonar-scanner.sh b/run-sonar-scanner.sh index 13c2f69..14caadc 100755 --- a/run-sonar-scanner.sh +++ b/run-sonar-scanner.sh 
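Review bot: The two negative tests only assert that `steps.<id>.outcome` is not `'success'`, so a failure unrelated to certificate validation (for example a missing bundled-JRE path or the scanner failing to reach SonarQube) makes both `Assert failure of previous step` steps pass vacuously; the preceding valid-certificate run guards against infrastructure failures but not against failures inside the import path itself. Tightening the assertions with the helper already used in the context lines would separate the cases: after the invalid-certificate run, check that `~/.sonar/ssl/truststore.p12` was not created (the PEM was rejected at import), and after the wrong-certificate run, check with `./test/assertFileExists ~/.sonar/ssl/truststore.p12` that the import succeeded and the failure came from the TLS handshake. The `jobs:` mapping these steps live in starts before the hunk; the leading context lines are the tail of the previous job. The hard-coded wrong certificate appears, from its validity fields, to expire around 2034; a comment recording how it was generated and when it expires would help whoever has to regenerate it.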
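Review bot: `SONAR_SCANNER_JRE` is assembled from `runner.temp`, `inputs.scannerVersion`, `runner.os` and `runner.arch`, which presumably mirrors the directory naming of the step that unpacks the scanner (outside this hunk); if that step's naming or the archive layout changes, the variable silently points at a non-existent directory and the keytool replacement in `run-sonar-scanner.sh` breaks the truststore import on every runner, not just self-hosted ones. Deriving both from one place (a step output, or a shared `env:` on the `runs:` block) would keep them in lockstep. The new line also deserves a comment, e.g. `# JRE bundled with the downloaded scanner; used to run keytool so self-hosted runners need no system JDK`, since nothing else documents why the action exports it. The `runs:` block and the step this `env:` belongs to start before the hunk.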
@@ -25,11 +25,11 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
 echo "Adding SSL certificate to the Scanner truststore"
 rm -f $RUNNER_TEMP/tmpcert.pem
 echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
- # Use keytool for now, as SonarQube 11.6 won't support openssl generated keystores
+ # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
 # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
 store_pass=changeit
 mkdir -p ~/.sonar/ssl
- keytool -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
+ $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
 scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
 fi
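Review bot: The new `$SONAR_SCANNER_JRE/bin/java` invocation has no check that the bundled JRE exists and expands `$SONAR_SCANNER_JRE` and `$RUNNER_TEMP` unquoted, so an empty or wrong `SONAR_SCANNER_JRE` (or a path containing spaces) turns into a `No such file` error from `/bin/java`, and unless the script runs under `set -e` (not visible in this hunk) the scanner proceeds without the imported certificate and fails later with a less specific TLS error. Guarding the call and quoting the expansions makes the failure explicit at the point of import. `sun.security.tools.keytool.Main` is an internal JDK class rather than a supported launcher entry point; it works with current JDKs, but a comment recording that it stands in for the `keytool` binary the bundled JRE lacks would help the next maintainer. The enclosing `if [[ -n "${SONAR_ROOT_CERT}" ]]` begins before the hunk; its `fi` is the hunk's last line.
```shell
# The scanner's bundled JRE ships no keytool launcher, so run keytool's main class via java.
if [[ ! -x "${SONAR_SCANNER_JRE}/bin/java" ]]; then
  echo "SONAR_SCANNER_JRE does not point at a usable JRE: '${SONAR_SCANNER_JRE}'" >&2
  exit 1
fi
"${SONAR_SCANNER_JRE}/bin/java" sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass "$store_pass" -noprompt -trustcacerts -importcert -alias sonar -file "${RUNNER_TEMP}/tmpcert.pem"
# … unchanged: scanner_args truststorePassword …
```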