actions/gradle
1
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-08-24 10:51:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

Ignore SSL certificate validation when fetching Develocity short-lived access token if develocity-allow-untrusted-server is enabled (#575)

Browse Source 
The request for a short lived access token fails if the server
certificate is self signed and `develocity-allow-untrusted-server` is
set to true.

I wasn't sure how to write a test for this since nock does not seem to
support mocking a ssl error response.
This commit is contained in:
Eric Haag 2025-03-13 09:54:21 -05:00 committed by GitHub
commit c1bdc4d73b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 32 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sources/src/develocity/build-scan.ts
View File

@ -28,7 +28,11 @@ export async function setup(config: BuildScanConfig): Promise<void> {
maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree()) maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree())
} }
return setupToken(config.getDevelocityAccessKey(), config.getDevelocityTokenExpiry()) return setupToken(
config.getDevelocityAccessKey(),
config.getDevelocityAllowUntrustedServer(),
config.getDevelocityTokenExpiry()
)
} }
function maybeExportVariable(variableName: string, value: unknown): void { function maybeExportVariable(variableName: string, value: unknown): void {

24
sources/src/develocity/short-lived-token.ts
View File

@ -3,11 +3,15 @@ import * as core from '@actions/core'
import {BuildScanConfig} from '../configuration' import {BuildScanConfig} from '../configuration'
import {recordDeprecation} from '../deprecation-collector' import {recordDeprecation} from '../deprecation-collector'
export async function setupToken(develocityAccessKey: string, develocityTokenExpiry: string): Promise<void> { export async function setupToken(
develocityAccessKey: string,
develocityAllowUntrustedServer: boolean | undefined,
develocityTokenExpiry: string
): Promise<void> {
if (develocityAccessKey) { if (develocityAccessKey) {
try { try {
core.debug('Fetching short-lived token...') core.debug('Fetching short-lived token...')
const tokens = await getToken(develocityAccessKey, develocityTokenExpiry) const tokens = await getToken(develocityAccessKey, develocityAllowUntrustedServer, develocityTokenExpiry)
if (tokens != null && !tokens.isEmpty()) { if (tokens != null && !tokens.isEmpty()) {
core.debug(`Got token(s), setting the access key env vars`) core.debug(`Got token(s), setting the access key env vars`)
const token = tokens.raw() const token = tokens.raw()
@ -41,10 +45,14 @@ function handleMissingAccessToken(): void {
} }
} }
export async function getToken(accessKey: string, expiry: string): Promise<DevelocityAccessCredentials | null> { export async function getToken(
accessKey: string,
allowUntrustedServer: undefined | boolean,
expiry: string
): Promise<DevelocityAccessCredentials | null> {
const empty: Promise<DevelocityAccessCredentials | null> = new Promise(r => r(null)) const empty: Promise<DevelocityAccessCredentials | null> = new Promise(r => r(null))
const develocityAccessKey = DevelocityAccessCredentials.parse(accessKey) const develocityAccessKey = DevelocityAccessCredentials.parse(accessKey)
const shortLivedTokenClient = new ShortLivedTokenClient() const shortLivedTokenClient = new ShortLivedTokenClient(allowUntrustedServer)
if (develocityAccessKey == null) { if (develocityAccessKey == null) {
return empty return empty
@ -67,10 +75,16 @@ export async function getToken(accessKey: string, expiry: string): Promise<Devel
} }
class ShortLivedTokenClient { class ShortLivedTokenClient {
httpc = new httpm.HttpClient('gradle/actions/setup-gradle') httpc: httpm.HttpClient
maxRetries = 3 maxRetries = 3
retryInterval = 1000 retryInterval = 1000
constructor(develocityAllowUntrustedServer: boolean | undefined) {
this.httpc = new httpm.HttpClient('gradle/actions/setup-gradle', undefined, {
ignoreSslError: develocityAllowUntrustedServer
})
}
async fetchToken(serverUrl: string, accessKey: HostnameAccessKey, expiry: string): Promise<HostnameAccessKey> { async fetchToken(serverUrl: string, accessKey: HostnameAccessKey, expiry: string): Promise<HostnameAccessKey> {
const queryParams = expiry ? `?expiresInHours=${expiry}` : '' const queryParams = expiry ? `?expiresInHours=${expiry}` : ''
const sanitizedServerUrl = !serverUrl.endsWith('/') ? `${serverUrl}/` : serverUrl const sanitizedServerUrl = !serverUrl.endsWith('/') ? `${serverUrl}/` : serverUrl

16
sources/test/jest/short-lived-token.test.ts
View File

@ -39,7 +39,7 @@ describe('short lived tokens', () => {
message: 'connect ECONNREFUSED 127.0.0.1:3333', message: 'connect ECONNREFUSED 127.0.0.1:3333',
code: 'ECONNREFUSED' code: 'ECONNREFUSED'
}) })
await expect(getToken('localhost=key0', '')) await expect(getToken('localhost=key0', false, ''))
.resolves .resolves
.toBeNull() .toBeNull()
}) })
@ -50,14 +50,14 @@ describe('short lived tokens', () => {
.times(3) .times(3)
.reply(500, 'Internal error') .reply(500, 'Internal error')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=xyz', '')) await expect(getToken('dev=xyz', false, ''))
.resolves .resolves
.toBeNull() .toBeNull()
}) })
it('get short lived token returns null when access key is empty', async () => { it('get short lived token returns null when access key is empty', async () => {
expect.assertions(1) expect.assertions(1)
await expect(getToken('', '')) await expect(getToken('', false, ''))
.resolves .resolves
.toBeNull() .toBeNull()
}) })
@ -67,7 +67,7 @@ describe('short lived tokens', () => {
.post('/api/auth/token') .post('/api/auth/token')
.reply(200, 'token') .reply(200, 'token')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=key1', '')) await expect(getToken('dev=key1', false, ''))
.resolves .resolves
.toEqual({"keys": [{"hostname": "dev", "key": "token"}]}) .toEqual({"keys": [{"hostname": "dev", "key": "token"}]})
}) })
@ -80,7 +80,7 @@ describe('short lived tokens', () => {
.post('/api/auth/token') .post('/api/auth/token')
.reply(200, 'token2') .reply(200, 'token2')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=key1;prod=key2', '')) await expect(getToken('dev=key1;prod=key2', false, ''))
.resolves .resolves
.toEqual({"keys": [{"hostname": "dev", "key": "token1"}, {"hostname": "prod", "key": "token2"}]}) .toEqual({"keys": [{"hostname": "dev", "key": "token1"}, {"hostname": "prod", "key": "token2"}]})
}) })
@ -97,7 +97,7 @@ describe('short lived tokens', () => {
.post('/api/auth/token') .post('/api/auth/token')
.reply(200, 'token2') .reply(200, 'token2')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=key1;bogus=key0;prod=key2', '')) await expect(getToken('dev=key1;bogus=key0;prod=key2', false, ''))
.resolves .resolves
.toEqual({"keys": [{"hostname": "dev", "key": "token1"}, {"hostname": "prod", "key": "token2"}]}) .toEqual({"keys": [{"hostname": "dev", "key": "token1"}, {"hostname": "prod", "key": "token2"}]})
}) })
@ -112,7 +112,7 @@ describe('short lived tokens', () => {
.times(3) .times(3)
.reply(500, 'Internal Error') .reply(500, 'Internal Error')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=key1;bogus=key0', '')) await expect(getToken('dev=key1;bogus=key0', false, ''))
.resolves .resolves
.toBeNull() .toBeNull()
}) })
@ -122,7 +122,7 @@ describe('short lived tokens', () => {
.post('/api/auth/token?expiresInHours=4') .post('/api/auth/token?expiresInHours=4')
.reply(200, 'token') .reply(200, 'token')
expect.assertions(1) expect.assertions(1)
await expect(getToken('dev=key1', '4')) await expect(getToken('dev=key1', false, '4'))
.resolves .resolves
.toEqual({"keys": [{"hostname": "dev", "key": "token"}]}) .toEqual({"keys": [{"hostname": "dev", "key": "token"}]})
}) })