feat(api): artifact managed in artifactory are signed by CDS API (#6595)

Author: fsamin

engine/api/workflow/workflow_run_results.go

@@ -10,10 +10,12 @@ import (
 	"time"
 
 	"github.com/go-gorp/gorp"
+	"github.com/jfrog/jfrog-client-go/artifactory/services/utils"
 	"github.com/lib/pq"
 	"github.com/rockbears/log"
 
 	art "github.com/ovh/cds/contrib/integrations/artifactory"
+	"github.com/ovh/cds/engine/api/authentication"
 	"github.com/ovh/cds/engine/api/database/gorpmapping"
 	"github.com/ovh/cds/engine/cache"
 	"github.com/ovh/cds/engine/gorpmapper"
@@ -468,6 +470,8 @@ func ResyncWorkflowRunResultsRoutine(ctx context.Context, DBFunc func() *gorp.Db
 	}
 }
 
+type ArtifactSignature map[string]string
+
 func FindOldestWorkflowRunsWithResultToSync(ctx context.Context, dbmap *gorp.DbMap) ([]int64, error) {
 	var results []int64
 	_, err := dbmap.Select(&results, "select distinct workflow_run_id from workflow_run_result where sync is NULL order by workflow_run_id asc limit 100")
@@ -645,7 +649,6 @@ func SyncRunResultArtifactManagerByRunID(ctx context.Context, db gorpmapper.SqlE
 		return handleSyncError(sdk.Errorf("unable to prepare build info for artifact manager"))
 	}
 
-	log.Debug(ctx, "artifact manager build info request: %+v", buildInfoRequest)
 	log.Info(ctx, "Creating Artifactory Build %s %s on project %s...\n", buildInfoRequest.Name, buildInfoRequest.Number, artifactoryProjectKey)
 
 	// Instanciate artifactory client
@@ -680,6 +683,99 @@ func SyncRunResultArtifactManagerByRunID(ctx context.Context, db gorpmapper.SqlE
 		}
 	}
 
+	// Push git info as properties
+	for _, result := range runResults {
+		if result.Type != sdk.WorkflowRunResultTypeArtifactManager {
+			continue
+		}
+
+		artifact, err := result.GetArtifactManager()
+		if err != nil {
+			ctx := log.ContextWithStackTrace(ctx, err)
+			log.Error(ctx, "unable to get artifact from result %s: %v", result.ID, err)
+			continue
+		}
+
+		maturity := lowMaturitySuffixFromConfig
+		if result.DataSync != nil && result.DataSync.LatestPromotionOrRelease() != nil {
+			maturity = result.DataSync.LatestPromotionOrRelease().ToMaturity
+		}
+		localRepository := fmt.Sprintf("%s-%s", artifact.RepoName, maturity)
+
+		fi, err := artifactClient.GetFileInfo(artifact.RepoName, artifact.Path)
+		if err != nil {
+			ctx := log.ContextWithStackTrace(ctx, err)
+			log.Error(ctx, "unable to get artifact info from result %s: %v", result.ID, err)
+			continue
+		}
+
+		existingProperties, err := artifactClient.GetProperties(localRepository, artifact.Path)
+		if err != nil {
+			ctx := log.ContextWithStackTrace(ctx, err)
+			log.Error(ctx, "unable to get artifact properties from result %s: %v", result.ID, err)
+			continue
+		}
+
+		if sdk.MapHasKeys(existingProperties, "cds.signature") {
+			log.Debug(ctx, "artifact is already signed by cds")
+			continue
+		}
+
+		// Push git properties as artifact properties
+		props := utils.NewProperties()
+		signedProps := make(ArtifactSignature)
+
+		props.AddProperty("cds.project", wr.Workflow.ProjectKey)
+		signedProps["cds.project"] = wr.Workflow.ProjectKey
+		props.AddProperty("cds.workflow", wr.Workflow.Name)
+		signedProps["cds.workflow"] = wr.Workflow.Name
+		if wr.Version != nil {
+			props.AddProperty("cds.version", *wr.Version)
+			signedProps["cds.version"] = *wr.Version
+		}
+		props.AddProperty("cds.run", strconv.FormatInt(wr.Number, 10))
+		signedProps["cds.run"] = strconv.FormatInt(wr.Number, 10)
+
+		if gitUrl != "" {
+			props.AddProperty("git.url", gitUrl)
+		}
+		signedProps["git.url"] = gitUrl
+		if gitHash != "" {
+			props.AddProperty("git.hash", gitHash)
+		}
+		signedProps["git.hash"] = gitHash
+		if gitBranch != "" {
+			props.AddProperty("git.branch", gitBranch)
+			signedProps["git.branch"] = gitBranch
+		}
+
+		// Prepare artifact signature
+		signedProps["repository"] = artifact.RepoName
+		signedProps["type"] = artifact.RepoType
+		signedProps["path"] = artifact.Path
+		signedProps["name"] = artifact.Name
+		signedProps["md5"] = fi.Checksums.Md5
+		signedProps["sha1"] = fi.Checksums.Sha1
+		signedProps["sha256"] = fi.Checksums.Sha256
+
+		// Sign the properties with main CDS authentication key pair
+		signature, err := authentication.SignJWS(signedProps, time.Now(), 0)
+		if err != nil {
+			ctx := log.ContextWithStackTrace(ctx, err)
+			log.Error(ctx, "unable to get artifact properties from result %s: %v", result.ID, err)
+			continue
+		}
+
+		log.Info(ctx, "artifact %s%s signature: %s", localRepository, artifact.Path, signature)
+
+		props.AddProperty("cds.signature", signature)
+		if err := artifactClient.SetProperties(localRepository, artifact.Path, props); err != nil {
+			ctx := log.ContextWithStackTrace(ctx, err)
+			log.Error(ctx, "unable to set artifact properties from result %s: %v", result.ID, err)
+			continue
+		}
+	}
+
 	for _, result := range runResults {
 		if result.DataSync == nil {
 			result.DataSync = new(sdk.WorkflowRunResultSync)

sdk/artifact_manager/artifactory/client.go

@@ -14,6 +14,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/artifactory"
 	"github.com/jfrog/jfrog-client-go/artifactory/services"
 	"github.com/jfrog/jfrog-client-go/artifactory/services/utils"
+	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/pkg/errors"
 
 	"github.com/ovh/cds/sdk"
@@ -89,6 +90,33 @@ func (c *Client) SetProperties(repoName string, filePath string, props *utils.Pr
 	return nil
 }
 
+func (c *Client) GetProperties(repoName string, filePath string) (map[string][]string, error) {
+	type PropertiesResponse struct {
+		Properties map[string][]string `json:"properties"`
+	}
+	if !strings.HasPrefix(filePath, "/") {
+		filePath = "/" + filePath
+	}
+	var rp = services.NewCreateReplicationService(c.Asm.Client())
+	rp.ArtDetails = c.Asm.GetConfig().GetServiceDetails()
+	var httpDetails = rp.ArtDetails.CreateHttpClientDetails()
+	propUrl := fmt.Sprintf("%sapi/storage/%s%s?properties", c.Asm.GetConfig().GetServiceDetails().GetUrl(), repoName, filePath)
+
+	resp, body, _, err := c.Asm.Client().SendGet(propUrl, true, &httpDetails)
+	if err != nil {
+		return nil, errors.Errorf("unable to get properties on %s%s: %v", repoName, filePath, err)
+	}
+	if resp.StatusCode >= http.StatusBadRequest {
+		return nil, errors.WithStack(errorutils.CheckError(errors.New(fmt.Sprintf("GET Properties Artifactory on %s%s response: [%d] %v\n", repoName, filePath, resp.StatusCode, string(body)))))
+	}
+
+	var props PropertiesResponse
+	if err := json.Unmarshal(body, &props); err != nil {
+		return nil, errors.Errorf("unable get properties, unable to read response: %s: %v", string(body), err)
+	}
+	return props.Properties, nil
+}
+
 type DeleteBuildRequest struct {
 	Project         string   `json:"project"`
 	BuildName       string   `json:"buildName"`

sdk/artifact_manager/interface.go

@@ -2,6 +2,7 @@ package artifact_manager
 
 import (
 	"context"
+
 	buildinfo "github.com/jfrog/build-info-go/entities"
 	"github.com/jfrog/jfrog-client-go/artifactory/services"
 	"github.com/jfrog/jfrog-client-go/artifactory/services/utils"
@@ -15,6 +16,7 @@ type ArtifactManager interface {
 	GetFileInfo(repoName string, filePath string) (sdk.FileInfo, error)
 	GetRepository(repoName string) (*services.RepositoryDetails, error)
 	GetFolderInfo(repoName string, folderPath string) (*utils.FolderInfo, error)
+	GetProperties(repoName string, filePath string) (map[string][]string, error)
 	SetProperties(repoName string, filePath string, values *utils.Properties) error
 	DeleteBuild(project string, buildName string, buildVersion string) error
 	PublishBuildInfo(project string, request *buildinfo.BuildInfo) error

sdk/artifact_manager/mock_artifact_manager/interface_mock.go

@@ -382,3 +382,24 @@ func NoPath(path string) string {
 	}
 	return filepath.Base(CleanPath(path))
 }
+
+func MapHasKeys(i interface{}, expectedKeys ...interface{}) bool {
+	valueOf := reflect.ValueOf(i)
+	if valueOf.Kind() != reflect.Map {
+		return false
+	}
+	actualKeyValues := valueOf.MapKeys()
+	for _, expectedKey := range expectedKeys {
+		var found = false
+		for _, actualKey := range actualKeyValues {
+			if actualKey.Equal(reflect.ValueOf(expectedKey)) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+	return true
+}

sdk/common.go

@@ -126,3 +126,55 @@ func TestNoPath(t *testing.T) {
 		})
 	}
 }
+
+func TestMapHasKeys(t *testing.T) {
+	type args struct {
+		i            interface{}
+		expectedKeys []interface{}
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "should return true",
+			args: args{
+				i:            map[string]string{"a": "a", "b": "b"},
+				expectedKeys: []interface{}{"a", "b"},
+			},
+			want: true,
+		},
+		{
+			name: "should return false (one key is missing)",
+			args: args{
+				i:            map[string]string{"a": "a", "b": "b"},
+				expectedKeys: []interface{}{"a", "b", "c"},
+			},
+			want: false,
+		},
+		{
+			name: "should return false (wrong key type)",
+			args: args{
+				i:            map[string]string{"a": "a", "b": "b"},
+				expectedKeys: []interface{}{1, 2},
+			},
+			want: false,
+		},
+		{
+			name: "should return false (wrong  type)",
+			args: args{
+				i:            "foo",
+				expectedKeys: []interface{}{1, 2},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := MapHasKeys(tt.args.i, tt.args.expectedKeys...); got != tt.want {
+				t.Errorf("MapHasKeys() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

sdk/common_test.go

@@ -16,6 +16,6 @@ build-plugin:
 	--rm \
 	-e "GOOS=$(OS)" \
 	-e "GOARCH=$(ARCH)" \
-	golang:1.18 \
+	golang:1.20 \
 	/bin/bash -c \
 	"cd /go/src/github.com/ovh/cds/tests/fixtures/04SCWorkflowRunSimplePlugin && go version && CGO_ENABLED=0 go build -installsuffix cgo -ldflags '-extldflags "-static"' -o plugin-simple-$(OS)-$(ARCH) ."

tests/fixtures/04SCWorkflowRunSimplePlugin/Makefile

@@ -11,11 +11,11 @@ plugin-simple-darwin-amd64:
 	$(MAKE) build-plugin OS=darwin ARCH=amd64
 
 build-plugin:
-	@docker run \
+	docker run \
 	--mount type=bind,source=$$(pwd)/../../../,dst=/go/src/github.com/ovh/cds \
 	--rm \
 	-e "GOOS=$(OS)" \
 	-e "GOARCH=$(ARCH)" \
-	golang:1.18 \
+	golang:1.20 \
 	/bin/bash -c \
 	"cd /go/src/github.com/ovh/cds/tests/fixtures/ITSCWRKFLW15 && go version && CGO_ENABLED=0 go build -installsuffix cgo -ldflags '-extldflags "-static"' -o plugin-simple-integ-$(OS)-$(ARCH) ."

tests/fixtures/ITSCWRKFLW15/Makefile

@@ -3,9 +3,10 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/ovh/cds/sdk/grpcplugin/integrationplugin"
 	"strconv"
 
+	"github.com/ovh/cds/sdk/grpcplugin/integrationplugin"
+
 	"github.com/golang/protobuf/ptypes/empty"
 
 	"github.com/ovh/cds/sdk"