pipedawg 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53733705295ce1c9b2ae80fc1c8368e7e08e7d7a0e1fcf3727fe972dd5714fb1
-  data.tar.gz: 10e86751592488fbb9972605892d79af662e60e3a3da070292cf4933f31b7981
+  metadata.gz: b2e0ba1c718b0efe498f222720490aeb2566a6f5c4e6fb1f0b56e5e9874669a5
+  data.tar.gz: 5545deb6f783e71bb5b35bb6633aed7939a9ac0e74aefb50200020976c1b6489
 SHA512:
-  metadata.gz: 11584d541a5d63f54761dee9ca878e3c79ba168ee1e5e93ec9ddccd559d869672a900a6aa25d966df4ef807a56ac0c75385644baf3bce5498ac7a68a29fd8a9a
-  data.tar.gz: 97f20d550f1cbe4bf298a2f6884f02754cd385e317d777887d11a8748d7436d8bb6db035944c6f59d2593b4e3a615db76f28c678bb392cf16ef3e6c6f92770a9
+  metadata.gz: 17fbfd9bb667f808c44e636d7133fa379d115b650102162d35b5e0fd7b6594466493663c7193ef8092d3e55c2480737bbf4e4bf5923260096ae7706200320d04
+  data.tar.gz: 338192888145922229beba1e38fa3794e2f1d7d4e197987de1b5ae7425df29f2239f47a011846b10df20723d43c93a26d26813755a33d2b193780b0812429f74

data/README.md

@@ -42,13 +42,13 @@ gem_job = Pipedawg::Job.new(
   script: ['bundle install', 'gem build *.gemspec']
 )
 
-kaniko_job = Pipedawg::KanikoJob.new(
+kaniko_build_job = Pipedawg::KanikoBuildJob.new(
   'build:kaniko',
   {needs: ['build:gem'], retry: 2},
   {context:'${CI_PROJECT_DIR}/docker',external_files: {'*.gem':'gems'}}
 )
 
-pipeline = Pipedawg::Pipeline.new 'build:image', jobs: [gem_job, kaniko_job]
+pipeline = Pipedawg::Pipeline.new 'build:image', jobs: [gem_job, kaniko_build_job]
 puts pipeline.to_yaml
 ```
 

data/lib/pipedawg/{kaniko_job.rb → kaniko_build_job.rb}

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Pipedawg
-  # kaniko_job class
-  class KanikoJob < Job
+  # kaniko_build_job class
+  class KanikoBuildJob < Job
     attr_accessor :kaniko_opts
 
     def initialize(name = 'build', opts = {}, kaniko_opts = {}) # rubocop:disable Metrics/MethodLength

data/lib/pipedawg/qualys_scan_job.rb

@@ -2,15 +2,15 @@
 
 module Pipedawg
   # qualys_scan_job class
-  class QualysScanJob < Job
+  class QualysScanJob < Job # rubocop:disable Metrics/ClassLength
     attr_accessor :qualys_opts
 
     def initialize(name = 'build', opts = {}, qualys_opts = {})
       @qualys_opts = {
         acceptable_risk: '${QUALYS_ACCEPTABLE_IMAGE_RISK}',
-        artifacts: {
-          expire_in: '1 month', paths: ['software.json', 'vulnerabilities.json'], when: 'always'
-        }, debug: true, gateway: '${QUALYS_GATEWAY}', image: nil, password: '${QUALYS_PASSWORD}', rules: nil,
+        artifacts: { expire_in: '1 month', paths: ['software.json', 'vulnerabilities.json'], when: 'always' },
+        config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
+        debug: true, gateway: '${QUALYS_GATEWAY}', image: nil, password: '${QUALYS_PASSWORD}', rules: nil,
         scan_image: '${QUALYS_IMAGE}', scan_target_prefix: 'qualys_scan_target', tags: nil, user: '${QUALYS_USERNAME}',
         variables: { GIT_STRATEGY: 'clone' }
       }.merge(qualys_opts)
@@ -25,7 +25,8 @@ module Pipedawg
       opts[:rules] = qualys_opts[:rules] if qualys_opts[:rules]
       opts[:tags] = qualys_opts[:tags] if qualys_opts[:tags]
       opts[:variables] = qualys_opts[:variables] if qualys_opts[:variables]
-      opts[:script] = debug + image + token + scan_start + scan_complete + artifacts + severities + outputs
+      opts[:script] =
+        debug + config + image + clean_config + token + scan_start + scan_complete + artifacts + severities + outputs
     end
 
     private
@@ -33,8 +34,7 @@ module Pipedawg
     def debug # rubocop:disable Metrics/MethodLength
       if qualys_opts[:debug]
         Pipedawg::Util.echo_proxy_vars + [
-          'echo Qualys settings:',
-          "echo   Qualys gateway: \"#{qualys_opts[:gateway]}\"",
+          'echo Qualys settings:', "echo   Qualys gateway: \"#{qualys_opts[:gateway]}\"",
           "echo   Qualys username: \"#{qualys_opts[:user]}\"",
           "if [ \"#{qualys_opts[:password]}\" != '' ]; then " \
           'echo   Qualys password is not empty; else ' \
@@ -45,16 +45,27 @@ module Pipedawg
       end
     end
 
+    def config
+      ['export CONFIG=$(mktemp -d)', "echo #{qualys_opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
+    end
+
     def image
       [
         "image_target=\"#{qualys_opts[:scan_target_prefix]}:$(echo #{qualys_opts[:scan_image]} | sed 's/^[^/]*\\///'| sed 's/[:/]/-/g')\"", # rubocop:disable Layout/LineLength
-        "docker pull \"#{qualys_opts[:scan_image]}\"",
+        "docker --config=\"${CONFIG}\" pull \"#{qualys_opts[:scan_image]}\"",
         "docker image tag \"#{qualys_opts[:scan_image]}\" \"${image_target}\"",
         "image_id=$(docker inspect --format=\"{{index .Id}}\" \"#{qualys_opts[:scan_image]}\" | cut -c8-19)",
         'echo "Image ID: ${image_id}"'
       ]
     end
 
+    def clean_config
+      [
+        'rm -f "${CONFIG}/config.json"',
+        'rmdir "${CONFIG}"'
+      ]
+    end
+
     def token
       ["token=$(curl -s --location --request POST \"https://#{qualys_opts[:gateway]}/auth\" --header \"Content-Type: application/x-www-form-urlencoded\" --data-urlencode \"username=#{qualys_opts[:user]}\" --data-urlencode \"password=#{qualys_opts[:password]}\" --data-urlencode \"token=true\")"] # rubocop:disable Layout/LineLength
     end

data/lib/pipedawg/skopeo_copy_job.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module Pipedawg
+  # skopeo_copy_job class
+  class SkopeoCopyJob < Job
+    attr_accessor :skopeo_opts
+
+    def initialize(name = 'build', opts = {}, skopeo_opts = {})
+      @skopeo_opts = {
+        config: { '$CI_REGISTRY': { username: '$CI_REGISTRY_USER', password: '$CI_REGISTRY_PASSWORD' } },
+        copy_image: nil, debug: true, destinations: [{ copy_image: nil, flags: [], options: {} }],
+        flags: [], logins: {}, options: {}, skopeo: 'skopeo', stage: '${CI_PROJECT_DIR}/stage',
+        image: { entrypoint: [''], name: 'quay.io/skopeo/stable:latest' },
+        trusted_ca_cert_source_files: [], trusted_ca_cert_target_file: '/etc/docker/certs.d/ca.crt'
+      }.merge(skopeo_opts)
+      super name, opts
+      update
+    end
+
+    def update # rubocop:disable Metrics/AbcSize
+      require 'json'
+      opts[:image] = skopeo_opts[:image] if skopeo_opts[:image]
+      opts[:rules] = skopeo_opts[:rules] if skopeo_opts[:rules]
+      opts[:script] = debug + config + cert_copies + login + mkstage + pull + (
+        skopeo_opts[:destinations].map { |d| push(d) }
+      ).flatten(1)
+    end
+
+    private
+
+    def debug
+      if skopeo_opts[:debug]
+        Pipedawg::Util.echo_proxy_vars
+      else
+        []
+      end
+    end
+
+    def config
+      ['export CONFIG=$(mktemp -d)', "echo #{skopeo_opts[:config].to_json.inspect} > \"${CONFIG}/config.json\""]
+    end
+
+    def cert_copies
+      ["mkdir -p $(dirname \"#{skopeo_opts[:trusted_ca_cert_target_file]}\")"] +
+        Array(skopeo_opts[:trusted_ca_cert_source_files]).map do |cert|
+          "cat \"#{cert}\" >> \"#{skopeo_opts[:trusted_ca_cert_target_file]}\""
+        end
+    end
+
+    def login
+      skopeo_opts.fetch(:logins, {}).map do |k, v|
+        "echo \"#{v['password']}\" | #{skopeo_opts[:skopeo]} login --authfile \"${CONFIG}/config.json\" --username \"#{v['username']}\" --password-stdin \"#{k}\"" # rubocop:disable Layout/LineLength
+      end
+    end
+
+    def mkstage
+      ["mkdir -p \"#{skopeo_opts[:stage]}\""]
+    end
+
+    def pull
+      copy(skopeo_opts, "docker://#{skopeo_opts[:copy_image]}", "\"dir://#{skopeo_opts[:stage]}\"")
+    end
+
+    def push(destination_opts)
+      copy(destination_opts, "\"dir://#{skopeo_opts[:stage]}\"", "docker://#{destination_opts[:copy_image]}")
+    end
+
+    def copy(opts, source, destination)
+      Array(["#{skopeo_opts[:skopeo]} copy --authfile \"${CONFIG}/config.json\"", flags(opts), options(opts), source,
+             destination].reject(&:empty?).join(' '))
+    end
+
+    def flags(opts)
+      opts.fetch(:flags, []).uniq.map { |f| "--#{f}" }.join(' ')
+    end
+
+    def options(opts)
+      opts.fetch(:options, {}).map { |k, v| "--#{k} \"#{v}\"" }.join(' ')
+    end
+  end
+end

data/lib/pipedawg/util.rb

@@ -9,6 +9,7 @@ module Pipedawg
         item.map { |i| expand_env_vars(i) }
       when Hash
         item.each { |k, v| item[k] = expand_env_vars(v) }
+        item.transform_keys! { |k| expand_env_vars(k) }
         item
       when String
         item.gsub(/\${([^} ]+)}/) do |e|

data/lib/pipedawg/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Pipedawg
-  VERSION = '0.5.0'
+  VERSION = '0.6.0'
 end

data/lib/pipedawg.rb

@@ -2,9 +2,10 @@
 
 require 'pipedawg/job'
 require 'pipedawg/helm_copy_job'
-require 'pipedawg/kaniko_job'
+require 'pipedawg/kaniko_build_job'
 require 'pipedawg/pipeline'
 require 'pipedawg/qualys_scan_job'
+require 'pipedawg/skopeo_copy_job'
 require 'pipedawg/util'
 require 'pipedawg/version'
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: pipedawg
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - harbottle
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-02-08 00:00:00.000000000 Z
+date: 2022-02-24 00:00:00.000000000 Z
 dependencies: []
 description: Generate GitLab CI pipelines.
 email:
@@ -22,9 +22,10 @@ files:
 - lib/pipedawg.rb
 - lib/pipedawg/helm_copy_job.rb
 - lib/pipedawg/job.rb
-- lib/pipedawg/kaniko_job.rb
+- lib/pipedawg/kaniko_build_job.rb
 - lib/pipedawg/pipeline.rb
 - lib/pipedawg/qualys_scan_job.rb
+- lib/pipedawg/skopeo_copy_job.rb
 - lib/pipedawg/util.rb
 - lib/pipedawg/version.rb
 homepage: https://github.com/liger1978/pipedawg