bugfix(auth): Update authentication logic in settings.xml, unit tests, and documentation examples

To address this issue, we've implemented substantial enhancements to the logic within settings.xml to improve the management of authentication data. Furthermore, we've updated the unit tests to align with these modifications, guaranteeing thorough validation. The documentation and examples have been meticulously revised to offer more straightforward instructions on how to effectively configure and employ this updated methodology.
2025-04-18 00:46:45 +00:00 · 2024-03-01 12:43:13 +08:00 · 2024-03-01 12:43:13 +08:00 · 0185e0f794
commit 0185e0f794
parent 9704b39bf2
5 changed files with 66 additions and 20 deletions
--- a/.github/workflows/e2e-publishing.yml
+++ b/.github/workflows/e2e-publishing.yml
@ -36,6 +36,10 @@ jobs:
          server-username: MAVEN_USERNAME
          server-password: MAVEN_CENTRAL_TOKEN
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+        env:
+          MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
+          MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
      - name: Validate settings.xml
        run: |
          $xmlPath = Join-Path $HOME ".m2" "settings.xml"
@ -77,6 +81,10 @@ jobs:
          server-username: MAVEN_USERNAME
          server-password: MAVEN_CENTRAL_TOKEN
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+        env:
+          MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
+          MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
      - name: Validate settings.xml is overwritten
        run: |
          $xmlPath = Join-Path $HOME ".m2" "settings.xml"
@ -114,6 +122,10 @@ jobs:
          server-password: MAVEN_CENTRAL_TOKEN
          overwrite-settings: false
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
+        env:
+          MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
+          MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
      - name: Validate that settings.xml is not overwritten
        run: |
          $xmlPath = Join-Path $HOME ".m2" "settings.xml"
@ -145,6 +157,10 @@ jobs:
          server-password: MAVEN_CENTRAL_TOKEN
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
          settings-path: ${{ runner.temp }}
+        env:
+          MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
+          MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
      - name: Validate settings.xml location
        run: |
          $path = Join-Path $env:RUNNER_TEMP "settings.xml"
--- a/tests/auth.test.ts
+++ b/tests/auth.test.ts
@ -1,8 +1,8 @@
-import * as io from '@actions/io';
 import * as core from '@actions/core';
+import * as io from '@actions/io';
 import * as fs from 'fs';
-import * as path from 'path';
 import os from 'os';
+import * as path from 'path';

 import * as auth from '../src/auth';
 import {M2_DIR, MVN_SETTINGS_FILE} from '../src/constants';
@ -10,6 +10,14 @@ import {M2_DIR, MVN_SETTINGS_FILE} from '../src/constants';
 const m2Dir = path.join(__dirname, M2_DIR);
 const settingsFile = path.join(m2Dir, MVN_SETTINGS_FILE);

+// escape xml special characters
+function escapeXml(unsafeStr: string) {
+  return unsafeStr
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;');
+}
+
 describe('auth tests', () => {
  let spyOSHomedir: jest.SpyInstance;
  let spyInfo: jest.SpyInstance;
@ -157,14 +165,17 @@ describe('auth tests', () => {
    const username = 'USER';
    const password = '&<>"\'\'"><&';

+    process.env['username'] = username;
+    process.env['password'] = password;
+
    const expectedSettings = `<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <servers>
    <server>
-      <id>${id}</id>
-      <username>\${env.${username}}</username>
-      <password>\${env.&amp;&lt;&gt;"''"&gt;&lt;&amp;}</password>
+      <id>${escapeXml(id)}</id>
+      <username>${escapeXml(username)}</username>
+      <password>${escapeXml(password)}</password>
    </server>
  </servers>
 </settings>`;
@ -178,18 +189,22 @@ describe('auth tests', () => {
    const password = '&<>"\'\'"><&';
    const gpgPassphrase = 'PASSPHRASE';

+    process.env['username'] = username;
+    process.env['password'] = password;
+    process.env['gpgPassphrase'] = gpgPassphrase;
+
    const expectedSettings = `<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <servers>
    <server>
-      <id>${id}</id>
-      <username>\${env.${username}}</username>
-      <password>\${env.&amp;&lt;&gt;"''"&gt;&lt;&amp;}</password>
+      <id>${escapeXml(id)}</id>
+      <username>${escapeXml(username)}</username>
+      <password>${escapeXml(password)}</password>
    </server>
    <server>
      <id>gpg.passphrase</id>
-      <passphrase>\${env.${gpgPassphrase}}</passphrase>
+      <passphrase>${escapeXml(gpgPassphrase)}</passphrase>
    </server>
  </servers>
 </settings>`;
--- a/dist/setup/index.js
+++ b/dist/setup/index.js
@ -122463,9 +122463,9 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.generate = exports.createAuthenticationSettings = exports.configureAuthentication = void 0;
-const path = __importStar(__nccwpck_require__(71017));
 const core = __importStar(__nccwpck_require__(42186));
 const io = __importStar(__nccwpck_require__(47351));
+const path = __importStar(__nccwpck_require__(71017));
 const fs = __importStar(__nccwpck_require__(57147));
 const os = __importStar(__nccwpck_require__(22037));
 const xmlbuilder2_1 = __nccwpck_require__(70151);
@ -122507,7 +122507,19 @@ function createAuthenticationSettings(id, username, password, settingsDirectory,
 }
 exports.createAuthenticationSettings = createAuthenticationSettings;
 // only exported for testing purposes
+function escapeXml(unsafeStr) {
+    return unsafeStr
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&apos;');
+}
 function generate(id, username, password, gpgPassphrase) {
+    const escapedUsername = escapeXml(username);
+    const escapedPassword = escapeXml(password);
+    let escapedGpgPassphrase = gpgPassphrase
+        ? escapeXml(gpgPassphrase)
+        : undefined;
    const xmlObj = {
        settings: {
            '@xmlns': 'http://maven.apache.org/SETTINGS/1.0.0',
@ -122517,8 +122529,8 @@ function generate(id, username, password, gpgPassphrase) {
                server: [
                    {
                        id: id,
-                        username: `\${env.${username}}`,
-                        password: `\${env.${password}}`
+                        username: escapedUsername,
+                        password: escapedPassword
                    }
                ]
            }
@ -122527,7 +122539,7 @@ function generate(id, username, password, gpgPassphrase) {
    if (gpgPassphrase) {
        const gpgServer = {
            id: 'gpg.passphrase',
-            passphrase: `\${env.${gpgPassphrase}}`
+            passphrase: escapedGpgPassphrase
        };
        xmlObj.settings.servers.server.push(gpgServer);
    }
--- a/docs/advanced-usage.md
+++ b/docs/advanced-usage.md
@ -182,7 +182,7 @@ steps:
    jdkFile: ${{ runner.temp }}/java_package.tar.gz
    java-version: '11.0.0'
    architecture: x64
-    
+
 - run: java -cp java HelloWorldApp
 ```

@ -285,7 +285,10 @@ jobs:
        server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
        gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
        gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
-
+      env:
+        MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }} # set the env variable for username
+        MAVEN_CENTRAL_TOKEN: ${{ secrets.MAVEN_CENTRAL_TOKEN }} # set the env variable for token
+        MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} # set the env variable for GPG private key passphrase
    - name: Publish to Apache Maven Central
      run: mvn deploy
      env:
@ -527,7 +530,7 @@ steps:

 ## Java-version file
 If the `java-version-file` input is specified, the action will try to extract the version from the file and install it.
-Action is able to recognize all variants of the version description according to [jenv](https://github.com/jenv/jenv). 
+Action is able to recognize all variants of the version description according to [jenv](https://github.com/jenv/jenv).
 Valid entry options:
 ```
 major versions: 8, 11, 16, 17, 21
--- a/src/auth.ts
+++ b/src/auth.ts
@ -1,6 +1,6 @@
-import * as path from 'path';
 import * as core from '@actions/core';
 import * as io from '@actions/io';
+import * as path from 'path';

 import * as fs from 'fs';
 import * as os from 'os';
@ -84,8 +84,8 @@ export function generate(
        server: [
          {
            id: id,
-            username: `\${env.${username}}`,
-            password: `\${env.${password}}`
+            username: process.env['username'],
+            password: process.env['password']
          }
        ]
      }
@ -95,7 +95,7 @@ export function generate(
  if (gpgPassphrase) {
    const gpgServer = {
      id: 'gpg.passphrase',
-      passphrase: `\${env.${gpgPassphrase}}`
+      passphrase: process.env['gpgPassphrase']
    };
    xmlObj.settings.servers.server.push(gpgServer);
  }