authormo khan <mo.khan@gmail.com>2020-05-01 19:35:58 +0000
committermo khan <mo.khan@gmail.com>2020-05-01 19:35:58 +0000
commit21eba81effd9ae7a47c64f65b7ea13b3e1885ff3 (patch)
tree2573572fcc1443fa77caa9068ef01ad3fbc4c436
parent86950d555fc22d88134360fdc7c3da87ba5f8895 (diff)
parentdb4c74a3275cafd8fdd5f1534f04b1969da31524 (diff)
Merge branch 'gradle-multi-certs' into 'master'
Allow gradle to fetch from TLS endpoint with custom cert chain See merge request gitlab-org/security-products/license-management!144
-rw-r--r--CHANGELOG.md5
-rw-r--r--Dockerfile5
-rw-r--r--Gemfile.lock2
-rw-r--r--config/.gradle/init.gradle5
-rw-r--r--lib/license/finder/ext/gradle.rb2
-rw-r--r--lib/license/management/shell.rb26
-rw-r--r--lib/license/management/version.rb2
-rw-r--r--spec/fixtures/java/gradle/offline-environment/build.gradle19
-rw-r--r--spec/fixtures/java/gradle/offline-environment/bundle.crt49
-rw-r--r--spec/fixtures/java/gradle/offline-environment/settings.gradle1
-rw-r--r--spec/integration/java/gradle_spec.rb48
11 files changed, 152 insertions, 12 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1bf3445..e2c4a75 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
# GitLab License management changelog
+## v3.7.5
+
+- Install multiple x509 certificates from `ADDITIONAL_CA_CERT_BUNDLE` into system trust store. (!144)
+- Install multiple x509 certificates from `ADDITIONAL_CA_CERT_BUNDLE` into java trust store. (!144)
+
## v3.7.4
- Install Java key store when `ADDITIONAL_CA_CERT_BUNDLE` is provided. (!139)
diff --git a/Dockerfile b/Dockerfile
index 4390330..2c7207c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,10 +12,13 @@ RUN apt-get update -q \
&& gem build *.gemspec
# Install org.codehaus.mojo:license-maven-plugin to $HOME/.m2/repository
+# Install gradle.plugin.com.hierynomus.gradle.plugins:license-gradle-plugin to $HOME/.m2/repository
FROM debian:stable AS license-maven-plugin-builder
RUN apt-get update -q \
&& apt-get install -y --no-install-recommends maven \
- && mvn license:license-list
+ && mvn license:license-list \
+ && mvn dependency:get -Dartifact=gradle.plugin.com.hierynomus.gradle.plugins:license-gradle-plugin:0.15.0 -DremoteRepositories=https://plugins.gradle.org/m2 \
+ && mvn dependency:get -Dartifact=org.codehaus.plexus:plexus-utils:2.0.6
FROM debian:stable-slim as tools-builder
ENV ASDF_DATA_DIR="/opt/asdf"
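Review bot: The two added `mvn dependency:get` calls populate the local Maven repository without strict checksum enforcement, and the `init.gradle` change in this commit makes that repository the first place Gradle resolves the init-script plugin from. Whatever lands in it at build time is therefore the code that runs in every scan. Depending on the Maven version in `debian:stable`, a checksum mismatch may only produce a warning, so consider passing `--strict-checksums` on these invocations, e.g. `mvn --strict-checksums dependency:get -Dartifact=org.codehaus.plexus:plexus-utils:2.0.6`. The artifact versions themselves are pinned, which is good.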
diff --git a/Gemfile.lock b/Gemfile.lock
index 5721e1b..9e3f73f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- license-management (3.7.4)
+ license-management (3.7.5)
license_finder (~> 6.0.0)
spandx (~> 0.1)
diff --git a/config/.gradle/init.gradle b/config/.gradle/init.gradle
index 9664914..b8cc7f1 100644
--- a/config/.gradle/init.gradle
+++ b/config/.gradle/init.gradle
@@ -1,8 +1,7 @@
initscript {
repositories {
- maven {
- url "https://plugins.gradle.org/m2/"
- }
+ maven { url uri('/root/.m2/repository') }
+ maven { url "https://plugins.gradle.org/m2" }
}
dependencies {
classpath "gradle.plugin.com.hierynomus.gradle.plugins:license-gradle-plugin:0.15.0"
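Review bot: The new first repository is hard-coded to `/root/.m2/repository`, while the Dockerfile comment in this commit describes the location as `$HOME/.m2/repository`. If the scanner ever runs as a non-root user or with a different home directory, this entry resolves nothing and Gradle falls through to `https://plugins.gradle.org/m2` without any sign that the pre-seeded copy was skipped. Deriving the path from the running user keeps the two in step: `maven { url uri("${System.getProperty('user.home')}/.m2/repository") }`. The `initscript` block continues past the end of this hunk.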
diff --git a/lib/license/finder/ext/gradle.rb b/lib/license/finder/ext/gradle.rb
index 2c3ce01..3357042 100644
--- a/lib/license/finder/ext/gradle.rb
+++ b/lib/license/finder/ext/gradle.rb
@@ -21,7 +21,7 @@ module LicenseFinder
_stdout, _stderr, status = Dir.chdir(project_path) do
shell.execute([
@command,
- ENV.fetch('GRADLE_CLI_OPTS', '--exclude-task=test'),
+ ENV.fetch('GRADLE_CLI_OPTS', '--exclude-task=test --no-daemon --debug'),
'downloadLicenses'
], env: { 'TERM' => 'noop' })
end
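Review bot: Putting `--debug` into the default value of `GRADLE_CLI_OPTS` means every scan that does not set the variable runs Gradle at debug log level, and Gradle's documentation warns that this level can expose security-sensitive information on the console. In a CI job that output usually ends up in the job log, where repository credentials or tokens would be readable by anyone with log access. I would keep the default at `ENV.fetch('GRADLE_CLI_OPTS', '--exclude-task=test --no-daemon'),` and leave `--debug` as an opt-in for troubleshooting. The enclosing method starts and ends outside this hunk.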
diff --git a/lib/license/management/shell.rb b/lib/license/management/shell.rb
index f16537d..9ff59c4 100644
--- a/lib/license/management/shell.rb
+++ b/lib/license/management/shell.rb
@@ -3,6 +3,7 @@
module License
module Management
class Shell
+ SPLIT_SCRIPT = "'BEGIN {x=0;} /BEGIN CERT/{x++} { print > \"custom.\" x \".crt\" }'"
attr_reader :custom_certificate_path, :logger
def initialize(logger: License::Management.logger, certificate: ENV['ADDITIONAL_CA_CERT_BUNDLE'])
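Review bot: `SPLIT_SCRIPT` is an awk program embedded in a shell-quoted Ruby string and has no comment saying what it produces. A short comment above the constant would help, for example `# awk: start a new custom.N.crt in the current directory at each line matching "BEGIN CERT"`. It is also worth stating there that any text preceding the first marker is written to `custom.0.crt`, since the later `custom.*.crt` glob will pick that file up as if it were a certificate.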
@@ -18,7 +19,7 @@ module License
stdout, stderr, status = Open3.capture3(env, expanded_command)
logger.debug(stdout) unless stdout.nil? || stdout.empty?
- logger.error(stderr) unless status.success?
+ logger.error(stderr) unless stderr.nil? || stderr.empty?
[stdout, stderr, status]
end
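Review bot: A command that exits non-zero with nothing on stderr is no longer reported at all, because the new condition on `logger.error` only checks whether stderr is empty and drops the `status.success?` test. The certificate installation code in this file does not inspect the returned status, so a failed trust-store import can now pass unnoticed. Conversely, tools that write progress to stderr are logged as errors even when they succeed. Consider keeping both signals: `logger.error(stderr) unless stderr.nil? || stderr.empty?` followed by `logger.error("exit status: #{status.exitstatus}") unless status.success?`. The method body starts above this hunk.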
@@ -40,9 +41,26 @@ module License
return unless present?(certificate)
custom_certificate_path.write(certificate)
- execute("openssl x509 -in #{custom_certificate_path} -text -noout")
- execute('update-ca-certificates -v')
- execute("keytool -importcert -file #{custom_certificate_path} -trustcacerts -noprompt")
+ Dir.chdir custom_certificate_path.dirname do
+ execute([:awk, SPLIT_SCRIPT, '<', custom_certificate_path])
+ execute('update-ca-certificates -v')
+
+ Dir.glob('custom.*.crt').each do |path|
+ full_path = File.expand_path(path)
+ execute([:openssl, :x509, '-in', full_path, '-text', '-noout'])
+ execute([
+ :keytool,
+ '-importcert',
+ '-alias', Time.now.to_i,
+ '-file', full_path,
+ '-trustcacerts',
+ '-noprompt',
+ '-storepass', 'changeit',
+ '-keystore', "#{ENV['JAVA_HOME']}/jre/lib/security/cacerts"
+ ])
+ execute(["keytool -list -v -storepass changeit"])
+ end
+ end
end
def present?(item)
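Review bot: `'-alias', Time.now.to_i` has one-second resolution, so two certificates from the same bundle imported within the same second get the same alias and keytool will most likely reject the second as already existing, leaving part of the bundle out of the Java trust store. An alias taken from the split file is unique per certificate: `'-alias', File.basename(path, '.crt'),`. Two more things to confirm: the `-keystore` path assumes a `jre/` directory under `JAVA_HOME`, which standard Java 9+ layouts do not have (the spec matrix includes Java 11), and the closing `keytool -list` call names no `-keystore`, so it probably lists a different store from the one just modified. The status returned by the `openssl x509` check is also ignored, so a fragment that is not a parseable certificate still goes on to `keytool`. The method's `def` line is above the hunk.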
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index bc5d85c..64d34f7 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
module License
module Management
- VERSION = '3.7.4'
+ VERSION = '3.7.5'
end
end
diff --git a/spec/fixtures/java/gradle/offline-environment/build.gradle b/spec/fixtures/java/gradle/offline-environment/build.gradle
new file mode 100644
index 0000000..6e44ce9
--- /dev/null
+++ b/spec/fixtures/java/gradle/offline-environment/build.gradle
@@ -0,0 +1,19 @@
+group "com.gitlab.security_products"
+version "0.0.1"
+
+apply plugin: "java"
+
+ext { mavenHost = System.getenv('PRIVATE_MAVEN_HOST') }
+
+repositories {
+ maven { url "https://$mavenHost/artifactory/mvn/" }
+}
+
+dependencies {
+ testCompile "junit:junit:4.12"
+ compile "com.fasterxml.jackson.core:jackson-databind:2.9.2"
+ compile "io.netty:netty:3.9.1.Final"
+ compile "org.apache.geode:geode-core:1.1.1"
+ compile "org.apache.maven:maven-artifact:3.3.9"
+ compile "org.mozilla:rhino:1.7.10"
+}
diff --git a/spec/fixtures/java/gradle/offline-environment/bundle.crt b/spec/fixtures/java/gradle/offline-environment/bundle.crt
new file mode 100644
index 0000000..398c90f
--- /dev/null
+++ b/spec/fixtures/java/gradle/offline-environment/bundle.crt
@@ -0,0 +1,49 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/spec/fixtures/java/gradle/offline-environment/settings.gradle b/spec/fixtures/java/gradle/offline-environment/settings.gradle
new file mode 100644
index 0000000..b8fe7d3
--- /dev/null
+++ b/spec/fixtures/java/gradle/offline-environment/settings.gradle
@@ -0,0 +1 @@
+rootProject.name = 'sample-project-gradle'
diff --git a/spec/integration/java/gradle_spec.rb b/spec/integration/java/gradle_spec.rb
index b81e69f..d2ddaf1 100644
--- a/spec/integration/java/gradle_spec.rb
+++ b/spec/integration/java/gradle_spec.rb
@@ -49,6 +49,52 @@ plugins {
end
end
+ context 'when scanning a project that needs to connect to multiple TLS endpoints with different custom certificate chains' do
+ subject do
+ runner.scan(env: {
+ 'ADDITIONAL_CA_CERT_BUNDLE' => fixture_file_content('java/gradle/offline-environment/bundle.crt'),
+ 'PRIVATE_MAVEN_HOST' => private_maven_host
+ })
+ end
+
+ before do
+ runner.mount(dir: fixture_file('java/gradle/offline-environment/'))
+ end
+
+ specify { expect(subject).to match_schema(version: '2.0') }
+
+ specify do
+ expect(subject.dependency_names).to match_array([
+ "antlr",
+ "commons-beanutils",
+ "commons-io",
+ "commons-lang",
+ "commons-lang3",
+ "fastutil",
+ "findbugs-annotations",
+ "geode-common",
+ "geode-core",
+ "geode-json",
+ "jackson-annotations",
+ "jackson-core",
+ "jackson-databind",
+ "javax.resource-api",
+ "javax.transaction-api",
+ "jgroups",
+ "jna",
+ "jopt-simple",
+ "log4j-api",
+ "log4j-core",
+ "maven-artifact",
+ "netty",
+ "plexus-utils",
+ "rhino",
+ "shiro-core",
+ "slf4j-api"
+ ])
+ end
+ end
+
context "when scanning a gradle project with a custom option to generate a profiler report" do
let(:report) { runner.scan(env: { 'GRADLE_CLI_OPTS' => '--profile' }) }
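Review bot: The new context is named for multiple TLS endpoints with different certificate chains, but the `offline-environment/build.gradle` fixture added in this commit declares a single repository under `PRIVATE_MAVEN_HOST`, so one certificate from the bundle is enough for the scan to pass. A regression that imports only the first certificate would likely still satisfy both expectations. Consider adding a second repository on a host signed by the other chain, or asserting directly that each certificate from `bundle.crt` is present in the trust store.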
@@ -94,7 +140,7 @@ plugins {
end
[
- { java: '8', gradle: ['2.9', '3.5'] },
+ { java: '8', gradle: ['2.14', '3.5'] },
{ java: '11', gradle: ['4.9', '5.6', '6.3'] }
].each do |item|
item[:gradle].each do |gradle_version|