Produce Palantir CA Plugin (#161)

Produce `com.palantir.jdks.palantir-ca` plugin for use by other Gradle plugins to enable using open source projects from within the corporate VPN.
palantir · Feb 13, 2023 · feb8d4c · feb8d4c
1 parent c320c05
commit feb8d4c
Show file tree

Hide file tree

Showing 5 changed files with 77 additions and 22 deletions.
diff --git a/changelog/@unreleased/pr-161.v2.yml b/changelog/@unreleased/pr-161.v2.yml
@@ -0,0 +1,6 @@
+type: fix
+fix:
+  description: Produce `com.palantir.jdks.palantir-ca` plugin for use by other Gradle
+    plugins to enable using open source projects from within the corporate VPN.
+  links:
+  - https://github.com/palantir/gradle-jdks/pull/161
diff --git a/gradle-jdks/build.gradle b/gradle-jdks/build.gradle
@@ -35,6 +35,12 @@ gradlePlugin {
             description = 'Auto-provisions specific versions of JDKs'
             implementationClass = 'com.palantir.gradle.jdks.JdksPlugin'
         }
+        palantirCa {
+            id = 'com.palantir.jdks.palantir-ca'
+            displayName = 'Palantir CA for gradle-jdks'
+            description = 'Includes the Palantir CA from the system truststore'
+            implementationClass = 'com.palantir.gradle.jdks.PalantirCaPlugin'
+        }
     }
 }
 

diff --git a/gradle-jdks/src/main/java/com/palantir/gradle/jdks/PalantirCaExtension.java b/gradle-jdks/src/main/java/com/palantir/gradle/jdks/PalantirCaExtension.java
@@ -0,0 +1,28 @@
+/*
+ * (c) Copyright 2022 Palantir Technologies Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.palantir.gradle.jdks;
+
+import org.gradle.api.logging.LogLevel;
+import org.gradle.api.provider.Property;
+
+public abstract class PalantirCaExtension {
+    public abstract Property<LogLevel> getLogLevel();
+
+    public PalantirCaExtension() {
+        getLogLevel().set(LogLevel.INFO);
+    }
+}
diff --git a/.../com/palantir/gradle/jdks/PalantirCa.java → ...alantir/gradle/jdks/PalantirCaPlugin.java b/.../com/palantir/gradle/jdks/PalantirCa.java → ...alantir/gradle/jdks/PalantirCaPlugin.java
@@ -34,46 +34,59 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import org.gradle.api.Plugin;
 import org.gradle.api.Project;
 import org.gradle.process.ExecResult;
 
-public final class PalantirCa {
+public final class PalantirCaPlugin implements Plugin<Project> {
     private static final BigInteger PALANTIR_3RD_GEN_SERIAL = new BigInteger("18126334688741185161");
 
-    public static void applyToRootProject(Project rootProject, boolean strict) {
-        if (rootProject.getRootProject() != rootProject) {
+    private Project rootProject;
+    private PalantirCaExtension extension;
+
+    public void apply(Project possibleRootProject) {
+        if (possibleRootProject.getRootProject() != possibleRootProject) {
             throw new IllegalArgumentException(
                     "com.palantir.jdks.palantir-ca must be applied to the root project only");
         }
 
+        rootProject = possibleRootProject;
+
+        extension = rootProject.getExtensions().create("palantirCa", PalantirCaExtension.class);
+
         rootProject.getPluginManager().apply(JdksPlugin.class);
 
-        rootProject.getExtensions().getByType(JdksExtension.class).getCaCerts().putAll(rootProject.provider(() -> {
-            Optional<String> possibleCert = readPalantirRootCaFromSystemTruststore(rootProject);
-            if (strict && possibleCert.isEmpty()) {
-                throw new RuntimeException("Could not find Palantir 3rd Gen Root CA from macos system truststore");
-            }
-            return possibleCert
-                    .map(cert -> Map.of("Palantir3rdGenRootCa", cert))
-                    .orElseGet(Map::of);
-        }));
+        rootProject
+                .getExtensions()
+                .getByType(JdksExtension.class)
+                .getCaCerts()
+                .putAll(possibleRootProject.provider(() -> readPalantirRootCaFromSystemTruststore()
+                        .map(cert -> Map.of("Palantir3rdGenRootCa", cert))
+                        .orElseGet(() -> {
+                            log("Could not find Palantir CA in system truststore");
+                            return Map.of();
+                        })));
     }
 
-    private static Optional<String> readPalantirRootCaFromSystemTruststore(Project rootProject) {
-        return selectPalantirCertificate(systemCertificates(rootProject));
+    private Optional<String> readPalantirRootCaFromSystemTruststore() {
+        return systemCertificates().flatMap(PalantirCaPlugin::selectPalantirCertificate);
     }
 
-    private static byte[] systemCertificates(Project rootProject) {
+    private Optional<byte[]> systemCertificates() {
         Os currentOs = Os.current();
 
         switch (currentOs) {
             case MACOS:
-                return macosSystemCertificates(rootProject);
+                return Optional.of(macosSystemCertificates(rootProject));
             case LINUX_GLIBC:
-                return linuxSystemCertificates();
+            case LINUX_MUSL:
+                return Optional.of(linuxSystemCertificates());
             default:
-                throw new UnsupportedOperationException(
-                        currentOs + " is not currently supported for automatic Palantir CA discovery");
+                log(
+                        "Not attempting to read Palantir CA from system truststore "
+                                + "as OS type '{}' does not yet support this",
+                        currentOs);
+                return Optional.empty();
         }
     }
 
@@ -118,7 +131,7 @@ private static Optional<String> selectPalantirCertificate(byte[] multipleCertifi
         return parseCerts(multipleCertificateBytes).stream()
                 .filter(cert -> PALANTIR_3RD_GEN_SERIAL.equals(((X509Certificate) cert).getSerialNumber()))
                 .findFirst()
-                .map(PalantirCa::encodeCertificate);
+                .map(PalantirCaPlugin::encodeCertificate);
     }
 
     private static Collection<? extends Certificate> parseCerts(byte[] multipleCertificateBytes) {
@@ -143,5 +156,7 @@ private static String encodeCertificate(Certificate palantirCert) {
         }
     }
 
-    private PalantirCa() {}
+    private void log(String format, Object... args) {
+        rootProject.getLogger().log(extension.getLogLevel().get(), format, args);
+    }
 }
diff --git a/gradle-jdks/src/test/groovy/com/palantir/gradle/jdks/PalantirCaPluginIntegrationSpec.groovy b/gradle-jdks/src/test/groovy/com/palantir/gradle/jdks/PalantirCaPluginIntegrationSpec.groovy
@@ -25,7 +25,7 @@ class PalantirCaPluginIntegrationSpec extends IntegrationSpec {
         // language=gradle
         buildFile << '''
             // Can't do strict as open source CI does not have the Palantir CA
-            com.palantir.gradle.jdks.PalantirCa.applyToRootProject(rootProject, false)
+            apply plugin: 'com.palantir.jdks.palantir-ca'
     
             jdks {
                 jdk(11) {