diff --git a/README.md b/README.md index 211a2ce9..ac29ab7f 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ a release version. If there were any commits after last tag, project is in SNAPS intuitive philosophy, alongside with [Semantic Versioning](http://semver.org/) rules, makes it a lot easier to manage project versions along SCM tag versions. -JDK11+ & Gradle 6+ required. +JDK11+ & Gradle 7+ required. ## Basic usage diff --git a/build.gradle.kts b/build.gradle.kts index 726820b3..d135f5ae 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -49,7 +49,7 @@ sourceSets { } val jgitVersion = "6.8.0.202311291450-r" -val jschVersion = "0.1.55" +val jschVersion = "0.2.16" val jschAgentVersion = "0.0.9" dependencies { 
@@ -60,22 +60,21 @@ dependencies {
 runtimeOnly("org.eclipse.jgit:org.eclipse.jgit.gpg.bc:$jgitVersion")
 implementation("org.eclipse.jgit:org.eclipse.jgit:$jgitVersion")
- implementation("org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:$jgitVersion")
- implementation("com.jcraft:jsch:$jschVersion")
- implementation("com.jcraft:jsch.agentproxy.core:$jschAgentVersion")
- implementation("com.jcraft:jsch.agentproxy.jsch:$jschAgentVersion")
- implementation("com.jcraft:jsch.agentproxy.sshagent:$jschAgentVersion")
- implementation("com.jcraft:jsch.agentproxy.pageant:$jschAgentVersion")
- implementation("com.jcraft:jsch.agentproxy.usocket-jna:$jschAgentVersion")
- implementation("com.jcraft:jsch.agentproxy.usocket-nc:$jschAgentVersion")
+ implementation("org.eclipse.jgit:org.eclipse.jgit.ssh.jsch:$jgitVersion") {
+ exclude("com.jcraft", "jsch")
+ }
+ implementation("com.github.mwiede:jsch:$jschVersion")
 implementation("com.github.zafarkhaja:java-semver:0.9.0")
+ runtimeOnly("org.bouncycastle:bcprov-jdk18on:1.77")
+ runtimeOnly("com.kohlschutter.junixsocket:junixsocket-core:2.8.3")
+ runtimeOnly("net.java.dev.jna:jna-platform:5.14.0")
 testImplementation("org.ajoberstar.grgit:grgit-core:4.1.0") {
 exclude("org.eclipse.jgit", "org.eclipse.jgit.ui")
 exclude("org.eclipse.jgit", "org.eclipse.jgit")
 }
 testImplementation("org.testcontainers:spock:1.17.6")
- testImplementation("org.spockframework:spock-core:2.2-groovy-2.5")
+ testImplementation("org.spockframework:spock-core:2.3-groovy-3.0")
 testImplementation("cglib:cglib-nodep:3.3.0")
 testImplementation("org.objenesis:objenesis:3.3")
 testImplementation("org.apache.sshd:sshd-core:2.12.0")
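Review bot: The `exclude("com.jcraft", "jsch")` on the `org.eclipse.jgit.ssh.jsch` declaration only covers that one dependency path, so the unmaintained `com.jcraft:jsch` can still be resolved if any other dependency pulls it in, and it would then sit on the classpath beside `com.github.mwiede:jsch`, which ships the same `com.jcraft.jsch` package. A configuration-wide rule such as `configurations.all { exclude(group = "com.jcraft", module = "jsch") }` would make the replacement hold regardless of path; whether another path exists is not visible from this hunk. `jschAgentVersion` in the previous hunk also looks unused now that every `jsch.agentproxy` line here is removed, and the three new `runtimeOnly` versions are inline literals while the neighbouring ones use `val`s.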
@@ -181,13 +180,14 @@ nexusPublishing {
 }
 }
-if (System.getenv("GPG_KEY_ID") != null) {
- signing {
- useInMemoryPgpKeys(
- System.getenv("GPG_KEY_ID"),
- System.getenv("GPG_PRIVATE_KEY"),
- System.getenv("GPG_PRIVATE_KEY_PASSWORD")
- )
- sign(publishing.publications)
+signing {
+ setRequired {
+ System.getenv("GPG_KEY_ID") != null
 }
+ useInMemoryPgpKeys(
+ System.getenv("GPG_KEY_ID"),
+ System.getenv("GPG_PRIVATE_KEY"),
+ System.getenv("GPG_PRIVATE_KEY_PASSWORD")
+ )
+ sign(publishing.publications)
 }
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 52ca9509..c464dd00 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,13 +1,13 @@
-FROM jkarlos/git-server-docker
+FROM rockstorm/git-server:2.43
-RUN passwd -d git \
- && sed -i 's/^PasswordAuthentication.*/PasswordAuthentication yes/g' /etc/ssh/sshd_config \
- && echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config \
- && ls /etc/init.d \
- && mkdir -p repos \
- && git init --bare repos/rejecting-repo \
- && echo -e "#!/bin/sh\necho 'I reject this push!' >&2\nexit 1" > repos/rejecting-repo/hooks/pre-receive \
- && chmod +x repos/rejecting-repo/hooks/pre-receive \
- && sh /etc/init.d/sshd restart
+RUN mkdir -p /srv/git/repos/rejecting-repo \
+ && mkdir -p /home/git/.ssh \
+ && echo -e "ssh-rsa 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 user@host" >> /home/git/.ssh/authorized_keys \
+ && chown -R git:git /home/git/.ssh \
+ && chmod 700 /home/git/.ssh \
+ && chmod 600 /home/git/.ssh/authorized_keys \
+ && git init --bare /srv/git/repos/rejecting-repo \
+ && echo -e "#!/bin/sh\necho 'I reject this push!' >&2\nexit 1" > /srv/git/repos/rejecting-repo/hooks/pre-receive \
+ && chmod +x /srv/git/repos/rejecting-repo/hooks/pre-receive
-CMD ["sh", "start.sh"]
+CMD ["/usr/sbin/sshd", "-D"]
\ No newline at end of file
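Review bot: In the `signing` block of build.gradle.kts, `setRequired { System.getenv("GPG_KEY_ID") != null }` ties the requirement to the same variable that supplies the key, so a release job that loses `GPG_KEY_ID` would presumably skip signing without failing, and the unsigned case is indistinguishable from a local build. Deriving the requirement from what is being built, for example `setRequired { gradle.taskGraph.hasTask(":<release-publish-task>") }` (placeholder task path), would make a missing key fail the release instead. `useInMemoryPgpKeys(...)` is now also called unconditionally with values that may be null; a comment such as `// all three are null on local builds; signing is then skipped because it is not required` would record that this is intended.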
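Review bot: `FROM rockstorm/git-server:2.43` in docker/Dockerfile pulls a third-party image by mutable tag, so the sshd and git binaries the integration test talks to can change without any change in this repository; pinning the digest, `FROM rockstorm/git-server:2.43@sha256:<digest>` (placeholder), keeps the fixture reproducible. The new `authorized_keys` line uses `echo -e` although the string has no escape sequences; if the image's `/bin/sh` has an `echo` without `-e` support, the literal `-e ` would be written in front of `ssh-rsa` and the key would not match, so `printf '%s\n' "ssh-rsa <public key> user@host"` is the safer form. The file still ends without a trailing newline.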
diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar
index 7454180f..e708b1c0 100644
Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
index 3ab0b725..f371643e 100644
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.9.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.0-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/gradlew b/gradlew
index 1b6c7873..4f906e0c 100755
--- a/gradlew
+++ b/gradlew
@@ -1,7 +1,7 @@ -#!/bin/sh +#!/usr/bin/env sh # -# Copyright © 2015-2021 the original authors. +# Copyright 2015 the original author or authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.
@@ -17,101 +17,67 @@ # ############################################################################## -# -# Gradle start up script for POSIX generated by Gradle. -# -# Important for running: -# -# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is -# noncompliant, but you have some other compliant shell such as ksh or -# bash, then to run this script, type that shell name before the whole -# command line, like: -# -# ksh Gradle -# -# Busybox and similar reduced shells will NOT work, because this script -# requires all of these POSIX shell features: -# * functions; -# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», -# «${var#prefix}», «${var%suffix}», and «$( cmd )»; -# * compound commands having a testable exit status, especially «case»; -# * various built-in commands including «command», «set», and «ulimit». -# -# Important for patching: -# -# (2) This script targets any POSIX shell, so it avoids extensions provided -# by Bash, Ksh, etc; in particular arrays are avoided. -# -# The "traditional" practice of packing multiple parameters into a -# space-separated string is a well documented source of bugs and security -# problems, so this is (mostly) avoided, by progressively accumulating -# options in "$@", and eventually passing that to Java. -# -# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, -# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; -# see the in-line comments for details. -# -# There are tweaks for specific operating systems such as AIX, CygWin, -# Darwin, MinGW, and NonStop. -# -# (3) This script is generated from the Groovy template -# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt -# within the Gradle project. -# -# You can find Gradle at https://github.com/gradle/gradle/. 
-# +## +## Gradle start up script for UN*X +## ############################################################################## # Attempt to set APP_HOME - # Resolve links: $0 may be a link -app_path=$0 - -# Need this for daisy-chained symlinks. -while - APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path - [ -h "$app_path" ] -do - ls=$( ls -ld "$app_path" ) - link=${ls#*' -> '} - case $link in #( - /*) app_path=$link ;; #( - *) app_path=$APP_HOME$link ;; - esac +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi done - -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null APP_NAME="Gradle" -APP_BASE_NAME=${0##*/} +APP_BASE_NAME=`basename "$0"` # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD=maximum +MAX_FD="maximum" warn () { echo "$*" -} >&2 +} die () { echo echo "$*" echo exit 1 -} >&2 +} # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "$( uname )" in #( - CYGWIN* ) cygwin=true ;; #( - Darwin* ) darwin=true ;; #( - MSYS* | MINGW* ) msys=true ;; #( - NONSTOP* ) nonstop=true ;; +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -121,9 +87,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD=$JAVA_HOME/jre/sh/java + JAVACMD="$JAVA_HOME/jre/sh/java" else - JAVACMD=$JAVA_HOME/bin/java + JAVACMD="$JAVA_HOME/bin/java" fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -132,7 +98,7 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD=java + JAVACMD="java" which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the 
@@ -140,95 +106,80 @@ location of your Java installation." fi # Increase the maximum file descriptors if we can. -if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then - case $MAX_FD in #( - max*) - MAX_FD=$( ulimit -H -n ) || - warn "Could not query maximum file descriptor limit" - esac - case $MAX_FD in #( - '' | soft) :;; #( - *) - ulimit -n "$MAX_FD" || - warn "Could not set maximum file descriptor limit to $MAX_FD" - esac +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi fi -# Collect all arguments for the java command, stacking in reverse order: -# * args from the command line -# * the main class name -# * -classpath -# * -D...appname settings -# * --module-path (only if needed) -# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi # For Cygwin or MSYS, switch paths to Windows format before running java -if "$cygwin" || "$msys" ; then - APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) - CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) - - JAVACMD=$( cygpath --unix "$JAVACMD" ) - +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi # Now convert the arguments - kludge to limit ourselves to /bin/sh - for arg do - if - case $arg in #( - -*) false ;; # don't mess with options #( - /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath - [ -e "$t" ] ;; #( - *) false ;; - esac - then - arg=$( cygpath --path --ignore --mixed "$arg" ) + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" fi - # Roll the args list around exactly as many times as the number of - # args, so each arg winds up back in the position where it started, but - # possibly modified. 
- # - # NB: a `for` loop captures its iteration list before it begins, so - # changing the positional parameters here affects neither the number of - # iterations, nor the values presented in `arg`. - shift # remove old arg - set -- "$@" "$arg" # push replacement arg + i=`expr $i + 1` done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac fi -# Collect all arguments for the java command; -# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of -# shell script including quotes and variable substitutions, so put them in -# double quotes to make sure that they get re-expanded; and -# * put everything else in single quotes, so that it's not re-expanded. - -set -- \ - "-Dorg.gradle.appname=$APP_BASE_NAME" \ - -classpath "$CLASSPATH" \ - org.gradle.wrapper.GradleWrapperMain \ - "$@" - -# Use "xargs" to parse quoted args. -# -# With -n1 it outputs one arg per line, with the quotes and backslashes removed. -# -# In Bash we could simply go: -# -# readarray ARGS < <( xargs -n1 <<<"$var" ) && -# set -- "${ARGS[@]}" "$@" -# -# but POSIX shell has neither arrays nor command substitution, so instead we -# post-process each arg (as a line of input to sed) to backslash-escape any -# character that might be a shell metacharacter, then use eval to reverse -# that process (while maintaining the separation between arguments), and wrap -# the whole thing up as a single "set" statement. 
-# -# This will of course break if any of these variables contains a newline or -# an unmatched quote. -# +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` -eval "set -- $( - printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | - xargs -n1 | - sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | - tr '\n' ' ' - )" '"$@"' +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" exec "$JAVACMD" "$@"
diff --git a/src/integration/groovy/pl/allegro/tech/build/axion/release/RemoteRejectionTest.groovy b/src/integration/groovy/pl/allegro/tech/build/axion/release/RemoteRejectionTest.groovy
index 5ecc8c8e..d0e74778 100644
--- a/src/integration/groovy/pl/allegro/tech/build/axion/release/RemoteRejectionTest.groovy
+++ b/src/integration/groovy/pl/allegro/tech/build/axion/release/RemoteRejectionTest.groovy
@@ -16,6 +16,7 @@ import pl.allegro.tech.build.axion.release.infrastructure.git.SshConnector
 import spock.lang.Shared
 import spock.lang.Specification
+import java.nio.file.Files
 import java.nio.file.Paths
 import static pl.allegro.tech.build.axion.release.TagPrefixConf.fullPrefix
@@ -33,6 +34,8 @@ class RemoteRejectionTest extends Specification {
 def "should return error on push failure"() {
 given:
 File repoDir = File.createTempDir('axion-release', 'tmp')
+ String privateKey = Files.readString(Paths.get(getClass().getResource("/id_rsa").toURI()))
+ ScmIdentity keyIdentity = ScmIdentity.keyIdentity(privateKey, "UrbanCookieCollective")
 Git.cloneRepository()
 .setDirectory(repoDir)
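Review bot: The `given:` block now depends on a private key checked in as the `/id_rsa` test resource together with its passphrase literal `"UrbanCookieCollective"`, and what is presumably the matching public half is written to `authorized_keys` in docker/Dockerfile, so this pair has to be treated as public. A comment above the `privateKey` line, e.g. `// throwaway key pair, authorized only inside the test git-server container`, would stop it from being reused elsewhere; generating the pair per run and injecting the public half into the container would avoid committing it at all. `getClass().getResource("/id_rsa")` returns null when the resource is missing from the classpath, which would show up as a NullPointerException on `.toURI()` rather than a readable failure. The same `keyIdentity` is used in the two following hunks (`@@ -40,10 +43,10 @@` and `@@ -53,7 +56,7 @@`), and the feature method continues outside this hunk.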
@@ -40,10 +43,10 @@ class RemoteRejectionTest extends Specification {
 @Override
 void configure(Transport transport) {
 SshTransport sshTransport = (SshTransport) transport
- sshTransport.setSshSessionFactory(new SshConnector(ScmIdentity.defaultIdentityWithoutAgents()))
+ sshTransport.setSshSessionFactory(new SshConnector(keyIdentity))
 }
 })
- .setURI("ssh://git@${gitServerContainer.getContainerIpAddress()}:${gitServerContainer.firstMappedPort}/git-server/repos/rejecting-repo")
+ .setURI("ssh://git@${gitServerContainer.getHost()}:${gitServerContainer.firstMappedPort}/srv/git/repos/rejecting-repo")
 .call()
 GitRepository repository = new GitRepository(ScmPropertiesBuilder.scmProperties(repoDir).build())
@@ -53,7 +56,7 @@ class RemoteRejectionTest extends Specification {
 repository.commit(['*'], 'commit after ' + fullPrefix() + 'custom')
 when:
- ScmPushResult result = repository.push(ScmIdentity.defaultIdentityWithoutAgents(), new ScmPushOptions('origin', false), true)
+ ScmPushResult result = repository.push(keyIdentity, new ScmPushOptions('origin', false), true)
 then:
 !result.success
diff --git a/src/main/java/pl/allegro/tech/build/axion/release/infrastructure/git/SshAgentIdentityRepositoryFactory.java b/src/main/java/pl/allegro/tech/build/axion/release/infrastructure/git/SshAgentIdentityRepositoryFactory.java
index 7132402c..e1e3b1c2 100644
--- a/src/main/java/pl/allegro/tech/build/axion/release/infrastructure/git/SshAgentIdentityRepositoryFactory.java
+++ b/src/main/java/pl/allegro/tech/build/axion/release/infrastructure/git/SshAgentIdentityRepositoryFactory.java
@@ -1,143 +1,77 @@ package pl.allegro.tech.build.axion.release.infrastructure.git; -import com.jcraft.jsch.IdentityRepository; -import com.jcraft.jsch.agentproxy.Connector; -import com.jcraft.jsch.agentproxy.RemoteIdentityRepository; -import com.jcraft.jsch.agentproxy.USocketFactory; -import com.jcraft.jsch.agentproxy.connector.PageantConnector; -import com.jcraft.jsch.agentproxy.connector.SSHAgentConnector; -import com.jcraft.jsch.agentproxy.usocket.JNAUSocketFactory; -import com.jcraft.jsch.agentproxy.usocket.NCUSocketFactory; -import org.gradle.api.logging.Logger; -import org.gradle.api.logging.Logging; - import java.io.PrintWriter; import java.io.StringWriter; import java.util.Optional; -/** - * Content of this class is based on GrGit 2.x agent connector implementation. - * TODO: add link to github - *
- * GrGit dropped support for JSch in favor of using native SSH command. However for the limited operations used by
- * axion-release-plugin, JSch seems to be sufficient.
- */
-class SshAgentIdentityRepositoryFactory {
-
- private static final Logger logger = Logging.getLogger(SshAgentIdentityRepositoryFactory.class);
-
- static Optional