Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support adding CA Certificates #1

Merged
merged 10 commits into from
Apr 29, 2022
Merged

Support adding CA Certificates #1

merged 10 commits into from
Apr 29, 2022

Conversation

CRogers
Copy link
Contributor

@CRogers CRogers commented Apr 28, 2022
edited
Loading

Before this PR

There's no way to get a CA certificate installed into the downloaded JDK's lib/security/cacerts root truststore. For companies that use TLS interception internally this means any test that reaches out to the internet will fail.

Going from people having their own JDKs with this manually added to our JDKs they have no/little control over means this could be a real sticking point basically immediately.

After this PR

==COMMIT_MSG==
Provide a way to add CA certs to all installed JDKs.
==COMMIT_MSG==

Possible downsides?

@changelog-app
Copy link

changelog-app bot commented Apr 28, 2022
edited by CRogers
Loading

Generate changelog in changelog/@unreleased

Type

  • Feature
  • Improvement
  • Fix
  • Break
  • Deprecation
  • Manual task
  • Migration

Description

Provide a way to add CA certs to all installed JDKs.

Check the box to generate changelog(s)

  • Generate changelog entry

@CRogers CRogers marked this pull request as ready for review April 28, 2022 18:59
@CRogers CRogers requested a review from carterkozak April 28, 2022 18:59
carterkozak
carterkozak reviewed Apr 29, 2022
View reviewed changes
gradle-jdks/src/test/groovy/com/palantir/gradle/jdks/JdksPluginIntegrationSpec.groovy Outdated
Comment on lines 130 to 132
'printCaTruststoreAliases',
// TODO: avoid resolving from root configuration somehow, removed in Gradle 8
'--warning-mode=none')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like we may not need to suppress warnings here either?

Suggested change
'printCaTruststoreAliases',
// TODO: avoid resolving from root configuration somehow, removed in Gradle 8
'--warning-mode=none')
'printCaTruststoreAliases')

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻 yep, will fix it up with the conflicts

carterkozak
carterkozak reviewed Apr 29, 2022
View reviewed changes
gradle-jdks/src/main/java/com/palantir/gradle/jdks/JdkManager.java

jdkSpec.caCerts().caCerts().forEach((name, caCertFile) -> {
addCaCert(javaHome, name, caCertFile);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, given two projects which use azul-17 x86_64, what happens if both projects specify completely different certificates? Do we need to include the certificates in our cache key? I'm not sure that we should mutate the jvm in a potentially leaky way such that tests pass on project B only if you've run project A first.

Copy link
Contributor Author

@CRogers CRogers Apr 29, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I made the CA certificates configurable at the root level/all jdks level, so all the jdks will have the same CA certs. misread what you wrote

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Certificates are included in the cache key:

gradle-jdks/gradle-jdks/src/main/java/com/palantir/gradle/jdks/JdkSpec.java

Lines 35 to 40 in 8c10819

String.join("\n", "Distribution: %s", "Version: %s", "Os: %s", "Arch: %s", "CaCerts: %s"),
distributionName().uiName(),
release().version(),
release().os(),
release().arch(),
caCerts().combinedInSortedOrder());

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah fantastic, I missed that in the block above :-)

carterkozak
carterkozak reviewed Apr 29, 2022
View reviewed changes
gradle-jdks/src/main/java/com/palantir/gradle/jdks/JdksExtension.java Outdated
@@ -31,6 +32,8 @@ public abstract class JdksExtension {

protected abstract MapProperty<JavaLanguageVersion, JdkExtension> getJdks();

public abstract MapProperty<String, File> getCaCerts();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be cleaner to take PEM formatted CA certs as strings, that way we don't need to think about file I/O. iirc they can be fed to keytool via stdin when no -file is specified.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, nice spot! I did this initially but figured keytool just always needs a file

carterkozak
carterkozak approved these changes Apr 29, 2022
View reviewed changes
Copy link
Contributor

@carterkozak carterkozak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm!

@bulldozer-bot bulldozer-bot bot merged commit d6838aa into develop Apr 29, 2022
@bulldozer-bot bulldozer-bot bot deleted the callumr/ca-certifactes branch April 29, 2022 17:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carterkozak carterkozak carterkozak approved these changes

Assignees
No one assigned
Labels
merge when ready no changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@CRogers @carterkozak @svc-changelog