
Extract function to generate import keytool command

mo khan requested to merge ally-54 into master

What does this MR do?

This change updates the command to import a custom X509 certificate using keytool. The -cacerts option is not available in the Java 8 keystore. Java 11, 13, 14 do support the -cacerts option, but this is unnecessary if you specify the keystore path using the -keystore option. The implementation of the keytool invocation provided in this MR should work for Java 8, 11, 13, and 14.

I was able to reproduce this defect by applying the following .gitlab-ci.yml file as can be seen in this job.

dependency_scanning:
  variables:
    DS_JAVA_VERSION: "8"
    ADDITIONAL_CA_CERT_BUNDLE: |
      -----BEGIN CERTIFICATE-----
      <snip>
      -----END CERTIFICATE-----

The combination of specifying Java 8 with an ADDITIONAL_CA_CERT_BUNDLE variable produced the following error:

[DEBU] [gemnasium-maven] [2020-09-09T15:02:59Z] ▶ /opt/asdf/shims/keytool -importcert -file /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem -cacerts -storepass changeit -noprompt
Illegal option:  -cacerts

The updated command produces the following output.

[DEBU] [gemnasium-maven] [2020-09-15T23:00:34Z] ▶ /opt/asdf/shims/keytool -importcert -alias custom -file /etc/ssl/certs/ca-cert-additional-gitlab-bundle.pem -trustcacerts -noprompt -storepass changeit -keystore /opt/asdf/installs/java/adoptopenjdk-14.0.1+7.1/lib/security/cacerts
Certificate was added to keystore

I was able to verify this change using the integration tests defined here.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by mo khan
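The invocation above pins the keystore with -keystore, which is what makes it portable across JDK versions. The script below is an added example, not code from this MR or from the gemnasium-maven analyzer: it derives the cacerts path from a Java home instead of hard-coding it, assuming the standard layouts (Java 9+ ships lib/security/cacerts, Java 8 JDKs ship jre/lib/security/cacerts), runs the same -importcert command, and then confirms the alias is present with keytool -list. The function names, the default alias "custom" and the assumption that keytool lives under "$JAVA_HOME/bin" are the example's own.

```shell
#!/bin/sh
# Added example (not the MR's own code): locate the JDK's cacerts keystore
# under a Java home and import a PEM certificate into it with -keystore
# rather than -cacerts, so one invocation works on Java 8 and on 11+.
# Assumed layouts: Java 9+ keeps the keystore at lib/security/cacerts,
# Java 8 JDKs at jre/lib/security/cacerts (JRE-only 8 at lib/security/cacerts).
set -eu

# Print the path of the cacerts keystore under the given Java home, or
# return 1 if neither known layout is present.
find_cacerts() {
  java_home=$1
  for candidate in "$java_home/lib/security/cacerts" \
                   "$java_home/jre/lib/security/cacerts"; do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Import the PEM file $2 into the keystore of Java home $1 under alias $3
# (default "custom"), then verify the alias is really in the keystore.
# -trustcacerts lets keytool accept a chain ending in a CA already present;
# "changeit" is the default password of a stock cacerts keystore.
import_ca_bundle() {
  java_home=$1
  bundle=$2
  alias=${3:-custom}
  keystore=$(find_cacerts "$java_home") || {
    echo "no cacerts keystore found under $java_home" >&2
    return 1
  }
  "$java_home/bin/keytool" -importcert -alias "$alias" -file "$bundle" \
    -trustcacerts -noprompt -storepass changeit -keystore "$keystore"
  "$java_home/bin/keytool" -list -alias "$alias" -storepass changeit \
    -keystore "$keystore" >/dev/null
}

# When run directly: ./import-ca.sh "$JAVA_HOME" /path/to/bundle.pem [alias]
if [ "$#" -ge 2 ]; then
  import_ca_bundle "$@"
fi
```

The trailing keytool -list is the check worth keeping in a CI image build: "Certificate was added to keystore" only tells you the import ran, not that the analyzer's JVM will actually read that file. Note also that keytool stores one certificate per alias, so a bundle that concatenates several CA certificates has to be split and imported under distinct aliases.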
