authormo khan <mo.khan@gmail.com>2020-04-09 16:05:28 -0600
committermo khan <mo.khan@gmail.com>2020-04-09 16:39:08 -0600
commit04e57e76844d7ca70d5b1a84d9b30dba1d6bee9c (patch)
tree05f9cf6e795b8acb54f8b7df87972588bfa38a23
parentdda9e59a4a3ab471001998d0e68d67ab12b4ac69 (diff)
Specify PIP_CERT when installing pip packages
* Add CHANGELOG entry * Move method `default_env` to Python class
-rw-r--r--CHANGELOG.md4
-rw-r--r--Gemfile.lock2
-rw-r--r--lib/license/finder/ext/pip.rb6
-rw-r--r--lib/license/finder/ext/pipenv.rb11
-rw-r--r--lib/license/management/python.rb6
-rw-r--r--lib/license/management/shell.rb2
-rw-r--r--lib/license/management/version.rb2
-rw-r--r--spec/fixtures/python/simple-setup.py5
-rw-r--r--spec/integration/python/pip_spec.rb31
-rw-r--r--spec/integration/python/pipenv_spec.rb9
-rw-r--r--spec/support/integration_test_helper.rb6
11 files changed, 59 insertions, 25 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42c33c5..54a2fde 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
# GitLab License management changelog
+## v3.7.1
+
+- Export `PIP_CERT` when invoking `pip` when a custom root certificate is specified. (!133)
+
## v3.7.0
- Add `ADDITIONAL_CA_CERT_BUNDLE` to list of trusted root certificates. (!126)
diff --git a/Gemfile.lock b/Gemfile.lock
index 826a28f..3b282f0 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- license-management (3.7.0)
+ license-management (3.7.1)
license_finder (~> 6.0.0)
spandx (~> 0.1)
diff --git a/lib/license/finder/ext/pip.rb b/lib/license/finder/ext/pip.rb
index 5ef6602..084816c 100644
--- a/lib/license/finder/ext/pip.rb
+++ b/lib/license/finder/ext/pip.rb
@@ -35,10 +35,14 @@ module LicenseFinder
def install_packages
within_project_dir do
shell.execute(['virtualenv -p', python_executable, '--activators=bash --seeder=app-data .venv'])
- shell.sh([". .venv/bin/activate", "&&", :pip, :install, '-i', python.pip_index_url, '-r', @requirements_path])
+ shell.sh([". .venv/bin/activate", "&&", pip_install_command], env: python.default_env)
end
end
+ def pip_install_command
+ [:pip, :install, '-v', '-i', python.pip_index_url, '-r', @requirements_path]
+ end
+
def python_executable
'"$(asdf where python)/bin/python"'
end
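Review bot: `pip_install_command` places `python.pip_index_url` and `@requirements_path` into the command unquoted, and `expand` in lib/license/management/shell.rb joins every element with a single space, so (assuming `shell.sh` hands the result to a shell) a value containing whitespace or shell metacharacters is re-split or interpreted. The specs suggest the index URL comes from job configuration (`PIP_INDEX_URL`), so escape both values where they enter the command: `[:pip, :install, '-v', '-i', Shellwords.escape(python.pip_index_url), '-r', Shellwords.escape(@requirements_path)]`, with `require 'shellwords'` at the top of the file. The same applies to the `--pypi-mirror` argument in the lib/license/finder/ext/pipenv.rb hunk. The added `-v` is not mentioned in the commit message; confirm that verbose pip output in job logs is intended, since an index URL can carry credentials.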
diff --git a/lib/license/finder/ext/pipenv.rb b/lib/license/finder/ext/pipenv.rb
index d681cc2..056b81d 100644
--- a/lib/license/finder/ext/pipenv.rb
+++ b/lib/license/finder/ext/pipenv.rb
@@ -5,8 +5,8 @@ module LicenseFinder
def prepare
return unless pipfile?
- shell.execute([:pipenv, '--python', python.version], env: default_env)
- shell.execute([:pipenv, :run, :pipenv, :sync, '--pypi-mirror', python.pip_index_url], env: default_env)
+ shell.execute([:pipenv, '--python', python.version], env: python.default_env)
+ shell.execute([:pipenv, :run, :pipenv, :sync, '--pypi-mirror', python.pip_index_url], env: python.default_env)
end
def current_packages
@@ -48,12 +48,5 @@ module LicenseFinder
def lockfile_hash
@lockfile_hash ||= JSON.parse(IO.read(detected_package_path))
end
-
- def default_env
- return {} unless shell.custom_certificate_installed?
- return {} if ENV['PIP_CERT']
-
- { 'PIP_CERT' => shell.custom_certificate_path.to_s }
- end
end
end
diff --git a/lib/license/management/python.rb b/lib/license/management/python.rb
index c5f7107..b8932f9 100644
--- a/lib/license/management/python.rb
+++ b/lib/license/management/python.rb
@@ -50,6 +50,12 @@ module License
)
end
end
+
+ def default_env
+ return {} unless shell.custom_certificate_installed?
+
+ { 'PIP_CERT' => ENV.fetch('PIP_CERT', shell.custom_certificate_path.to_s) }
+ end
end
end
end
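Review bot: `ENV.fetch('PIP_CERT', ...)` in `default_env` falls back to the installed bundle only when the variable is absent, so a `PIP_CERT` that is set but empty is exported as-is and the custom certificate path never reaches pip. Treat blank as unset, for example `pip_cert = ENV['PIP_CERT'].to_s` followed by `pip_cert = shell.custom_certificate_path.to_s if pip_cert.empty?`. A short comment stating the precedence would also help: a user-supplied `PIP_CERT` wins, and in that case the bundle presumably built from `ADDITIONAL_CA_CERT_BUNDLE` is not what pip verifies against. The enclosing class starts outside the hunk.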
diff --git a/lib/license/management/shell.rb b/lib/license/management/shell.rb
index 691a8ea..8850e60 100644
--- a/lib/license/management/shell.rb
+++ b/lib/license/management/shell.rb
@@ -33,7 +33,7 @@ module License
private
def expand(command)
- Array(command).map(&:to_s).join(' ')
+ Array(command).flatten.map(&:to_s).join(' ')
end
def trust!(certificate)
diff --git a/lib/license/management/version.rb b/lib/license/management/version.rb
index b422fd6..fe617f9 100644
--- a/lib/license/management/version.rb
+++ b/lib/license/management/version.rb
@@ -2,6 +2,6 @@
module License
module Management
- VERSION = '3.7.0'
+ VERSION = '3.7.1'
end
end
diff --git a/spec/fixtures/python/simple-setup.py b/spec/fixtures/python/simple-setup.py
index 02ee1c4..51b96a2 100644
--- a/spec/fixtures/python/simple-setup.py
+++ b/spec/fixtures/python/simple-setup.py
@@ -1,12 +1,7 @@
#!/usr/bin/env python3
-import os
-import shutil
-
from setuptools import find_packages
from setuptools import setup
-shutil.rmtree("build", ignore_errors=True)
-
setup(
name="package name",
version='1.1',
diff --git a/spec/integration/python/pip_spec.rb b/spec/integration/python/pip_spec.rb
index 2183dd1..b78f8a2 100644
--- a/spec/integration/python/pip_spec.rb
+++ b/spec/integration/python/pip_spec.rb
@@ -127,4 +127,35 @@ RSpec.describe "pip" do
expect(report[:dependencies]).to be_empty
end
end
+
+ context "when connecting to a private package repository with self signed certificate" do
+ let(:index_url) { "https://#{private_pypi_host}/simple" }
+ let(:bundle) { fixture_file_content('python/pypi.crt') }
+
+ before do
+ runner.add_file('setup.py') do
+ <<~RAW
+from setuptools import setup, find_packages
+
+setup(
+ name='gitlab-sp-test-python-pip',
+ version='1.2.0',
+ packages=find_packages(),
+ install_requires=['requests'],
+)
+ RAW
+ end
+ end
+
+ it 'downloads the packages and trusts the certificate' do
+ report = runner.scan(env: {
+ 'ADDITIONAL_CA_CERT_BUNDLE' => bundle,
+ 'PIP_INDEX_URL' => index_url
+ })
+
+ expect(report).to match_schema(version: '2.0')
+ expect(report.dependency_names).to include('requests')
+ expect(report.licenses_for('requests')).to match_array(['Apache-2.0'])
+ end
+ end
end
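Review bot: The new example shows only that the scan succeeds when the bundle is supplied, not that the certificate is what made it succeed. A companion example that runs the same scan without `ADDITIONAL_CA_CERT_BUNDLE` and expects `report[:dependencies]` to be empty would catch a regression in which verification is silently disabled or a different trust store is picked up. The re-enabled example in spec/integration/python/pipenv_spec.rb has the same gap. An example with `PIP_CERT` already present in the environment would also pin the precedence implemented in `default_env`.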
diff --git a/spec/integration/python/pipenv_spec.rb b/spec/integration/python/pipenv_spec.rb
index 9ec7d96..b54ee99 100644
--- a/spec/integration/python/pipenv_spec.rb
+++ b/spec/integration/python/pipenv_spec.rb
@@ -203,20 +203,15 @@ RSpec.describe "pipenv" do
end
context "when connecting to a private package repository with self signed certificate" do
- let(:index_url) { "https://gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal/simple" }
+ let(:index_url) { "https://#{private_pypi_host}/simple" }
let(:bundle) { fixture_file_content('python/pypi.crt') }
- def install_airgap_hosts
- add_host('gitlab-airgap-test.us-west1-b.c.group-secure-a89fe7.internal', '34.82.7.216')
- add_host('gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal', '35.227.149.218')
- end
-
before do
runner.add_file('Pipfile', fixture_file_content('python/airgap-Pipfile.erb', index_url: index_url))
runner.add_file('Pipfile.lock', fixture_file_content('python/airgap-Pipfile.lock.erb', index_url: index_url))
end
- pending 'downloads the packages and trusts the certificate' do
+ it 'downloads the packages and trusts the certificate' do
report = runner.scan(env: {
'ADDITIONAL_CA_CERT_BUNDLE' => bundle,
'PIP_INDEX_URL' => index_url
diff --git a/spec/support/integration_test_helper.rb b/spec/support/integration_test_helper.rb
index 6c30a99..55564fc 100644
--- a/spec/support/integration_test_helper.rb
+++ b/spec/support/integration_test_helper.rb
@@ -86,6 +86,12 @@ module IntegrationTestHelper
end
end
+ def private_pypi_host
+ @private_pypi_host ||= 'gitlab-airgap-pypi.us-west1-b.c.group-secure-a89fe7.internal'.tap do |host|
+ add_host(host, '35.227.149.218')
+ end
+ end
+
def runner(*args)
@runner ||= IntegrationTestRunner.new(*args)
end
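Review bot: `private_pypi_host` reads like a plain accessor but calls `add_host` the first time it is evaluated, and the address `35.227.149.218` is hard-coded inside the `tap` block. Document the side effect on the method, e.g. `# Returns the private PyPI hostname; registers its host entry via add_host on first call.`, and lift the hostname and address into named constants so a change of address is a one-line edit. Both specs that use it depend on that external machine being reachable, so they are not hermetic. It is worth noting in the same comment that trust in the endpoint appears to rest on the `python/pypi.crt` fixture rather than on the IP mapping.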