Add mvn configuration

Add functionality to configure and export maven
options on the basis of encrypted yaml containing
needed credentials

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,32 +0,0 @@
----
-name: Bug report
-about: Create a bug report
-title: ''
-labels: bug, needs triage
-assignees: ''
-
----
-
-**Description:**
-A clear and concise description of what the bug is.
-
-**Task version:**
-Specify the task version
-
-**Platform:**
-- [ ] Ubuntu
-- [ ] macOS
-- [ ] Windows
-
-**Runner type:**
-- [ ] Hosted
-- [ ] Self-hosted
-
-**Repro steps:**  
-A description with steps to reproduce the issue. If your have a public example or repo to share, please provide the link.
-
-**Expected behavior:**
-A description of what you expected to happen.
-
-**Actual behavior:**
-A description of what is actually happening.

.github/ISSUE_TEMPLATE/config.yml

@@ -1 +0,0 @@
-blank_issues_enabled: false

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,16 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: feature request, needs triage
-assignees: ''
----
-
-**Description:**
-Describe your proposal.
-
-**Justification:**
-Justification or a use case for your proposal.
-
-**Are you willing to submit a PR?**
-<!--- We accept contributions! -->

.github/workflows/licensed.yml

@@ -1,20 +0,0 @@
-name: Licensed
-
-on:
-  push: {branches: main}
-  pull_request: {branches: main}
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    name: Check licenses
-    steps:
-      - uses: actions/checkout@v2
-      - run: npm ci
-      - name: Install licensed
-        run: |
-          cd $RUNNER_TEMP
-          curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/2.12.2/licensed-2.12.2-linux-x64.tar.gz
-          sudo tar -xzf licensed.tar.gz
-          sudo mv licensed /usr/local/bin/licensed
-      - run: licensed status

.github/workflows/workflow.yml

@@ -5,7 +5,7 @@ jobs:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
-        operating-system: [ubuntu-latest, windows-latest]
+        operating-system: [ubuntu-latest]
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -24,7 +24,7 @@ jobs:
     runs-on: ${{ matrix.operating-system }}
     strategy:
       matrix:
-        operating-system: [ubuntu-latest, windows-latest]
+        operating-system: [ubuntu-latest]
     steps:
     - name: Checkout
       uses: actions/checkout@v2

action.yml

@@ -9,6 +9,11 @@ inputs:
        Early access versions can be specified in the form of e.g. 14-ea,
        14.0.0-ea, or 14.0.0-ea.28'
     required: true
+  maven-creds:
+    description: 'Maven credential needed to setup MTLS. Credentails In the format
+        of base64 encoded yaml containing following fields also containing 
+        base64 blobs ( CA_CERT, CERT, KEY, SETTINGS, SECURITY_SETTINGS)'
+    required: true
   java-package:
     description: 'The package type (jre, jdk, jdk+fx)'
     required: false

package.json

@@ -25,23 +25,24 @@
   "license": "MIT",
   "dependencies": {
     "@actions/core": "^1.0.0",
-    "@actions/exec": "^1.0.0",
+    "@actions/exec": "^1.0.4",
-    "@actions/http-client": "^1.0.8",
+    "@actions/http-client": "^1.0.9",
     "@actions/io": "^1.0.0",
-    "@actions/tool-cache": "^1.3.1",
+    "@actions/tool-cache": "^1.6.1",
+    "@tradeshift/actions-credentials-yaml": "^0.7.0",
     "semver": "^6.1.1",
-    "xmlbuilder2": "^2.1.2"
+    "xmlbuilder2": "^2.4.0"
   },
   "devDependencies": {
     "@types/jest": "^24.0.13",
-    "@types/node": "^12.0.4",
+    "@types/node": "^12.20.1",
-    "@types/semver": "^6.0.0",
+    "@types/semver": "^6.2.2",
     "@zeit/ncc": "^0.20.5",
     "jest": "^24.8.0",
     "jest-circus": "^24.7.1",
     "prettier": "^1.19.1",
     "ts-jest": "^24.0.2",
-    "typescript": "^3.5.1"
+    "typescript": "^3.9.9"
   },
   "husky": {
     "skipCI": true,

src/auth.ts

@@ -5,6 +5,7 @@ import * as core from '@actions/core';
 import * as io from '@actions/io';
 import {create as xmlCreate} from 'xmlbuilder2';
 import * as constants from './constants';
+import * as yamlCreds from '@tradeshift/actions-credentials-yaml';
 
 export const M2_DIR = '.m2';
 export const SETTINGS_FILE = 'settings.xml';
@@ -13,7 +14,8 @@ export async function configAuthentication(
   id: string,
   username: string,
   password: string,
-  gpgPassphrase: string | undefined = undefined
+  gpgPassphrase: string | undefined = undefined,
+  mvnCredsBlob: string | undefined = undefined
 ) {
   console.log(
     `creating ${SETTINGS_FILE} with server-id: ${id};`,
@@ -34,6 +36,10 @@ export async function configAuthentication(
     settingsDirectory,
     generate(id, username, password, gpgPassphrase)
   );
+
+  if (mvnCredsBlob) {
+    await setupMvnMTLSCfg(mvnCredsBlob, settingsDirectory);
+  }
 }
 
 // only exported for testing purposes
@@ -85,3 +91,56 @@ async function write(directory: string, settings: string) {
     flag: 'w'
   });
 }
+
+async function setupMvnMTLSCfg(credBlob: string, settingsDir: string) {
+  // this is what we need to set
+  //  ~/.m2/settings.xml
+  // ~/.m2/settings-security.xml
+  // mkdir -p ~/certs
+  // ~/certs/certificate.p12
+  // ~/rootca.crt
+  // export MAVEN_OPTS="-Djavax.net.ssl.keyStore=~/certs/certificate.p12 -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=${MAVEN_P12_PASSWORD}"
+
+  const creds = await yamlCreds.parseCredsToObject<yamlCreds.CredsMvn>(
+    credBlob
+  );
+  const certDir = path.join(os.homedir(), 'certs');
+
+  fs.writeFileSync(
+    path.join(settingsDir, 'settings.xml'),
+    btoa(creds.MVN_SETTINGS),
+    {
+      encoding: 'utf-8',
+      flag: 'w'
+    }
+  );
+
+  fs.writeFileSync(
+    path.join(settingsDir, 'settings-security.xml'),
+    btoa(creds.MVN_SECURITY_SETTINGS),
+    {
+      encoding: 'utf-8',
+      flag: 'w'
+    }
+  );
+
+  await io.mkdirP(certDir);
+  fs.writeFileSync(path.join(certDir, 'rootca.crt'), btoa(creds.MTLS_CA_CERT), {
+    encoding: 'utf-8',
+    flag: 'w'
+  });
+
+  const p12Path = path.join(certDir, 'certificate.p12');
+  fs.writeFileSync(p12Path, btoa(creds.MVN_P12), {
+    encoding: 'utf-8',
+    flag: 'w'
+  });
+
+  const password = btoa(creds.MVN_P12_PASSWORD);
+  core.exportVariable(
+    'MAVEN_OPTS',
+    `-Djavax.net.ssl.keyStore=${p12Path} -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStorePassword=${password}`
+  );
+
+  core.debug(`added maven opts for MTLS access`);
+}

src/constants.ts

@@ -9,6 +9,7 @@ export const INPUT_SERVER_PASSWORD = 'server-password';
 export const INPUT_SETTINGS_PATH = 'settings-path';
 export const INPUT_GPG_PRIVATE_KEY = 'gpg-private-key';
 export const INPUT_GPG_PASSPHRASE = 'gpg-passphrase';
+export const INPUT_MAVEN_CREDS = 'maven-creds';
 
 export const INPUT_DEFAULT_GPG_PRIVATE_KEY = undefined;
 export const INPUT_DEFAULT_GPG_PASSPHRASE = 'GPG_PASSPHRASE';

src/setup-java.ts

@@ -12,6 +12,10 @@ async function run() {
       version = core.getInput(constants.INPUT_JAVA_VERSION, {required: true});
     }
 
+    const mavenCredsBlob = core.getInput(constants.INPUT_MAVEN_CREDS, {
+      required: true
+    });
+
     const arch = core.getInput(constants.INPUT_ARCHITECTURE, {required: true});
     if (!['x86', 'x64'].includes(arch)) {
       throw new Error(`architecture "${arch}" is not in [x86 | x64]`);
@@ -45,7 +49,13 @@ async function run() {
       core.setSecret(gpgPrivateKey);
     }
 
-    await auth.configAuthentication(id, username, password, gpgPassphrase);
+    await auth.configAuthentication(
+      id,
+      username,
+      password,
+      gpgPassphrase,
+      mavenCredsBlob
+    );
 
     if (gpgPrivateKey) {
       core.info('importing private key');