Add git-secrets to verification tasks (#4072)

Author: rli

build.gradle.kts

@@ -7,6 +7,7 @@ import software.aws.toolkits.gradle.changelog.tasks.GenerateGithubChangeLog
 plugins {
     id("base")
     id("toolkit-changelog")
+    id("toolkit-git-secrets")
     id("toolkit-jacoco-report")
     id("org.jetbrains.gradle.plugin.idea-ext")
 }

buildSrc/build.gradle.kts

@@ -10,6 +10,7 @@ buildscript {
 
 plugins {
     `kotlin-dsl`
+    `java-gradle-plugin`
 }
 
 
@@ -25,11 +26,13 @@ dependencies {
     implementation(libs.gradlePlugin.kotlin)
     implementation(libs.gradlePlugin.testLogger)
     implementation(libs.gradlePlugin.testRetry)
+    implementation(libs.gradlePlugin.undercouch.download)
     implementation(libs.jgit)
 
     testImplementation(libs.assertj)
     testImplementation(libs.junit4)
     testImplementation(libs.bundles.mockito)
+    testImplementation(gradleTestKit())
 
     testRuntimeOnly(libs.junit5.jupiterVintage)
 }

buildSrc/src/main/kotlin/toolkit-git-secrets.gradle.kts

@@ -0,0 +1,48 @@
+// Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+import de.undercouch.gradle.tasks.download.Download
+import org.gradle.nativeplatform.platform.internal.DefaultNativePlatform
+
+plugins {
+    id("de.undercouch.download")
+}
+
+val downloadGitSecrets = tasks.register<Download>("downloadGitSecrets") {
+    src("https://raw.githubusercontent.com/awslabs/git-secrets/master/git-secrets")
+    dest("$buildDir/git-secrets")
+    onlyIfModified(true)
+    useETag(true)
+}
+
+val gitSecrets = tasks.register<Exec>("gitSecrets") {
+    onlyIf {
+        !DefaultNativePlatform.getCurrentOperatingSystem().isWindows
+    }
+
+    dependsOn(downloadGitSecrets)
+    workingDir(project.rootDir)
+    val path = "$buildDir${File.pathSeparator}"
+    val patchendEnv = environment.apply { replace("PATH", path + getOrDefault("PATH", "")) }
+    environment = patchendEnv
+
+    commandLine("/bin/sh", "$buildDir/git-secrets", "--register-aws")
+
+    // cleaner than having multiple separate exec tasks
+    doLast {
+        exec {
+            workingDir(project.rootDir)
+            commandLine("git", "config", "--add", "secrets.allowed", "123456789012")
+        }
+
+        exec {
+            workingDir(project.rootDir)
+            environment = patchendEnv
+            commandLine("/bin/sh", "$buildDir/git-secrets", "--scan")
+        }
+    }
+}
+
+tasks.findByName("check")?.let {
+    it.dependsOn(gitSecrets)
+}

buildSrc/src/test/kotlin/software/aws/toolkits/gradle/GitSecretsTest.kt

@@ -0,0 +1,95 @@
+// Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+package software.aws.toolkits.gradle
+
+import org.assertj.core.api.Assertions.assertThat
+import org.eclipse.jgit.api.Git
+import org.eclipse.jgit.storage.file.FileRepositoryBuilder
+import org.gradle.testfixtures.ProjectBuilder
+import org.gradle.testkit.runner.GradleRunner
+import org.gradle.testkit.runner.TaskOutcome
+import org.gradle.testkit.runner.UnexpectedBuildFailure
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+import org.junit.jupiter.api.io.TempDir
+import java.io.File
+import kotlin.io.path.writeText
+
+class GitSecretsTest {
+    @Test
+    fun `plugin can be applied`() {
+        val project = ProjectBuilder.builder().build()
+        project.getPluginManager().apply("toolkit-git-secrets")
+    }
+
+    @Test
+    fun `passes when no secrets`(@TempDir tempDir: File) {
+        tempDir.mkdirs()
+        val repo = FileRepositoryBuilder()
+            .setWorkTree(tempDir)
+            .build()
+        repo.create()
+
+        tempDir
+            .resolve("build.gradle.kts")
+            .writeText(
+                """
+                plugins {
+                    id("toolkit-git-secrets")
+                }
+                """.trimIndent()
+            )
+
+        Git.wrap(repo).add().addFilepattern(".").call()
+
+        val result = GradleRunner.create()
+            .withProjectDir(tempDir)
+            .withArguments("gitSecrets")
+            .withPluginClasspath()
+            .build()
+
+        assertThat(result.task(":gitSecrets")?.outcome).isEqualTo(TaskOutcome.SUCCESS)
+    }
+
+    @Test
+    fun `fails when contains secrets`(@TempDir tempDir: File) {
+        tempDir.mkdirs()
+        val repo = FileRepositoryBuilder()
+            .setWorkTree(tempDir)
+            .build()
+        repo.create()
+
+        tempDir
+            .resolve("build.gradle.kts")
+            .apply {
+                writeText(
+                    """
+                    plugins {
+                        id("toolkit-git-secrets")
+                    }
+                    """.trimIndent()
+                )
+
+                appendText(
+                    buildString {
+                        appendLine()
+                        // split to avoid tripping git-secrets
+                        append("// AKI")
+                        append("AXXXXXXXXXXXXXXXX")
+                    }
+                )
+
+                Git.wrap(repo).add().addFilepattern(".").call()
+            }
+
+        val failure = assertThrows<UnexpectedBuildFailure> {
+            GradleRunner.create()
+                .withProjectDir(tempDir)
+                .withArguments("gitSecrets")
+                .withPluginClasspath()
+                .build()
+        }
+        assertThat(failure.message).contains("Matched one or more prohibited patterns")
+    }
+}

buildspec/linuxTests.yml

@@ -16,7 +16,10 @@ phases:
       - useradd codebuild-user
       - dnf install -y acl
       - chown -R codebuild-user:codebuild-user /codebuild/output
+      - chown -R codebuild-user:codebuild-user /codebuild/local-cache
       - setfacl -m d:o::rwx,o::rwx /root
+      # (CVE-2022-24765) fatal: detected dubious ownership in repository
+      - su codebuild-user -c "git config --global --add safe.directory \"$CODEBUILD_SRC_DIR\""
 
   build:
     commands:

gradle/libs.versions.toml

@@ -27,6 +27,7 @@ testRetry = "1.5.2"
 slf4j = "1.7.36"
 sshd = "2.11.0"
 wiremock = "2.35.0"
+undercouch-download = "5.2.1"
 zjsonpatch = "0.4.11"
 
 [libraries]
@@ -70,6 +71,7 @@ gradlePlugin-intellij = { module = "org.jetbrains.intellij:org.jetbrains.intelli
 gradlePlugin-kotlin = { module = "org.jetbrains.kotlin:kotlin-gradle-plugin", version.ref = "kotlin" }
 gradlePlugin-testLogger = { module = "com.adarshr:gradle-test-logger-plugin", version.ref = "testLogger" }
 gradlePlugin-testRetry = { module = "org.gradle:test-retry-gradle-plugin", version.ref = "testRetry" }
+gradlePlugin-undercouch-download = { module = "de.undercouch:gradle-download-task", version.ref = "undercouch-download" }
 intellijRemoteFixtures = { module = "com.intellij.remoterobot:remote-fixtures", version.ref = "intellijRemoteRobot" }
 intellijRemoteRobot = { module = "com.intellij.remoterobot:remote-robot", version.ref = "intellijRemoteRobot" }
 jackson-datetime = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310", version.ref = "jackson" }

jetbrains-core/tst/software/aws/toolkits/jetbrains/services/telemetry/TelemetryServiceTest.kt

@@ -198,7 +198,7 @@ class TelemetryServiceTest {
 
         telemetryService.record(
             MetricEventMetadata(
-                awsAccount = "222222222222",
+                awsAccount = "123456789012",
                 awsRegion = "bar-region"
             )
         ) {
@@ -207,7 +207,7 @@ class TelemetryServiceTest {
         telemetryService.dispose()
 
         verify(batcher).enqueue(eventCaptor.capture())
-        assertMetricEventsContains(eventCaptor.allValues, "Foo", "222222222222", "bar-region")
+        assertMetricEventsContains(eventCaptor.allValues, "Foo", "123456789012", "bar-region")
     }
 
     @Test

resources/build.gradle.kts

@@ -7,7 +7,7 @@ import software.aws.toolkits.gradle.resources.ValidateMessages
 plugins {
     id("toolkit-kotlin-conventions")
     id("toolkit-testing")
-    id("de.undercouch.download") version "5.2.1"
+    id("de.undercouch.download")
 }
 
 sourceSets {