Merge pull request #1038 from sigstore/conformance-server

aaronlew02 · web-flow · commit 331ac9f01804 · 2025-08-05T15:02:52.000-04:00
Use HTTP server for conformance testing
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -1,4 +1,6 @@
 name: Conformance Tests
+permissions:
+  contents: read
 
 on:
   push:
@@ -37,11 +39,14 @@ jobs:
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1
 
-      - name: Build sigstore-java cli
-        run: ./gradlew :sigstore-cli:build
-
-      - name: Unpack sigstore-java distribution
-        run: tar -xvf ${{ github.workspace }}/sigstore-cli/build/distributions/sigstore-cli-*.tar --strip-components 1
+      - name: Build sigstore-java cli and server jar
+        run: ./gradlew :sigstore-cli:serverShadowJar
+      
+      - name: Start test server in background
+        run: java -jar ${{ github.workspace }}/sigstore-cli/build/libs/sigstore-cli-server-all.jar &
+      
+      - name: Wait for server to be ready
+        run: curl --retry-connrefused --retry 10 --retry-delay 1 --fail http://localhost:8080/
 
       - name: Set up JDK ${{ matrix.java-version }}
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
@@ -51,6 +56,6 @@ jobs:
 
       - uses: sigstore/sigstore-conformance@fd90e6b0f3046f2276a6659481de6df495dea3b9 # v0.0.18
         with:
-          entrypoint: ${{ github.workspace }}/bin/sigstore-cli
+          entrypoint: ${{ github.workspace }}/sigstore-cli/sigstore-cli-server
           environment: ${{ matrix.sigstore-env }}
           xfail: "test_verify_dsse_bundle_with_trust_root"
diff --git a/sigstore-cli/build.gradle.kts b/sigstore-cli/build.gradle.kts
@@ -1,6 +1,9 @@
+import com.github.jengelman.gradle.plugins.shadow.tasks.ShadowJar
+
 plugins {
     id("build-logic.java")
     id("application")
+    id("com.gradleup.shadow") version "9.0.0-rc3"
 }
 
 repositories {
@@ -15,6 +18,11 @@ dependencies {
     implementation(platform("com.google.oauth-client:google-oauth-client-bom:1.39.0"))
     implementation("com.google.oauth-client:google-oauth-client")
 
+    implementation("org.eclipse.jetty:jetty-server:11.0.24")
+    implementation("org.eclipse.jetty:jetty-servlet:11.0.24")
+
+    implementation("org.slf4j:slf4j-simple:2.0.17")
+
     annotationProcessor("info.picocli:picocli-codegen:4.7.6")
 }
 
@@ -25,6 +33,32 @@ tasks.compileJava {
 application {
     mainClass.set("dev.sigstore.cli.Sigstore")
 }
+
+tasks.named("shadowDistTar") {
+    enabled = false
+}
+
+tasks.named("shadowDistZip") {
+    enabled = false
+}
+
 tasks.run.configure {
     workingDir = rootProject.projectDir
 }
+
+tasks.register<ShadowJar>("serverShadowJar") {
+    archiveBaseName.set("sigstore-cli-server")
+    archiveClassifier.set("all")
+    archiveVersion.set("")
+
+    mergeServiceFiles()
+
+    from(sourceSets.main.get().output)
+    configurations = listOf(project.configurations.runtimeClasspath.get())
+
+    exclude("META-INF/*.SF", "META-INF/*.DSA", "META-INF/*.RSA")
+
+    manifest {
+        attributes("Main-Class" to "dev.sigstore.cli.ConformanceServer")
+    }
+}
diff --git a/sigstore-cli/sigstore-cli-server b/sigstore-cli/sigstore-cli-server
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -o pipefail -o errexit -o nounset
+
+CWD=$PWD
+
+ARGS_JSON="["
+for arg in "$@"; do
+  escaped_arg=$(echo -n "$arg" | jq -R -s '.')
+  ARGS_JSON="$ARGS_JSON$escaped_arg,"
+done
+if [[ $ARGS_JSON == *, ]]; then
+  ARGS_JSON="${ARGS_JSON%,}"
+fi
+ARGS_JSON="$ARGS_JSON]"
+
+JSON_PAYLOAD=$(jq -nc --arg cwd "$CWD" --argjson args "$ARGS_JSON" '{"cwd": $cwd, "args": $args}')
+
+RESPONSE=$(curl -s -X POST --header "Content-Type: application/json" --data-binary "$JSON_PAYLOAD" http://localhost:8080/execute)
+
+STDOUT=$(echo "$RESPONSE" | jq -r .stdout)
+STDERR=$(echo "$RESPONSE" | jq -r .stderr)
+EXIT_CODE=$(echo "$RESPONSE" | jq .exitCode)
+
+echo -n "$STDOUT"
+echo -n "$STDERR" >&2
+
+exit "$EXIT_CODE"
diff --git a/sigstore-cli/src/main/java/dev/sigstore/cli/ConformanceServer.java b/sigstore-cli/src/main/java/dev/sigstore/cli/ConformanceServer.java
@@ -0,0 +1,139 @@
+/*
+ * Copyright 2025 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.cli;
+
+import com.google.gson.Gson;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Map;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+public class ConformanceServer {
+
+  private static final Gson GSON = new Gson();
+
+  private static class ExecuteRequest {
+    String cwd;
+    String[] args;
+  }
+
+  public static void main(String[] args) throws Exception {
+    int port = 8080;
+    Server server = new Server(port);
+    server.setHandler(new ConformanceHandler());
+    server.start();
+    server.join();
+  }
+
+  public static class ConformanceHandler extends AbstractHandler {
+    @Override
+    public void handle(
+        String target,
+        Request baseRequest,
+        HttpServletRequest request,
+        HttpServletResponse response)
+        throws IOException, ServletException {
+      if ("/".equals(target)) {
+        handleHealthCheck(response);
+        baseRequest.setHandled(true);
+      } else if ("/execute".equals(target) && "POST".equals(request.getMethod())) {
+        handleExecute(request, response);
+        baseRequest.setHandled(true);
+      }
+    }
+  }
+
+  private static void handleExecute(HttpServletRequest request, HttpServletResponse response)
+      throws IOException {
+    ExecuteRequest executeRequest;
+    try (InputStream is = request.getInputStream()) {
+      String requestBody = new String(is.readAllBytes(), StandardCharsets.UTF_8);
+      executeRequest = GSON.fromJson(requestBody, ExecuteRequest.class);
+    }
+
+    // Tests should not be run in parallel, to ensure orderly input/output
+    PrintStream originalOut = System.out;
+    PrintStream originalErr = System.err;
+
+    ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+    ByteArrayOutputStream errContent = new ByteArrayOutputStream();
+
+    try (PrintStream outPs = new PrintStream(outContent, true, StandardCharsets.UTF_8);
+        PrintStream errPs = new PrintStream(errContent, true, StandardCharsets.UTF_8)) {
+      System.setOut(outPs);
+      System.setErr(errPs);
+
+      Path cwd = Paths.get(executeRequest.cwd);
+      java.util.List<String> resolvedArgs = new java.util.ArrayList<>();
+
+      for (int i = 0; i < executeRequest.args.length; i++) {
+        String arg = executeRequest.args[i];
+
+        if (arg.equals("--bundle") && i + 1 < executeRequest.args.length) {
+          resolvedArgs.add(arg);
+          String filePath = executeRequest.args[++i];
+          resolvedArgs.add(cwd.resolve(filePath).toAbsolutePath().toString());
+        } else if (i == executeRequest.args.length - 1 && !arg.startsWith("-")) {
+          if (arg.contains(":")) {
+            resolvedArgs.add(arg);
+          } else {
+            resolvedArgs.add(cwd.resolve(arg).toAbsolutePath().toString());
+          }
+        } else {
+          resolvedArgs.add(arg);
+        }
+      }
+
+      int exitCode =
+          new picocli.CommandLine(new Sigstore()).execute(resolvedArgs.toArray(new String[0]));
+
+      Map<String, Object> responseMap =
+          Map.of(
+              "stdout", outContent.toString(StandardCharsets.UTF_8),
+              "stderr", errContent.toString(StandardCharsets.UTF_8),
+              "exitCode", exitCode);
+      String jsonResponse = GSON.toJson(responseMap);
+
+      response.setStatus(HttpServletResponse.SC_OK);
+      response.setContentType("application/json");
+      byte[] responseBytes = jsonResponse.getBytes(StandardCharsets.UTF_8);
+      response.setContentLength(responseBytes.length);
+
+      try (OutputStream os = response.getOutputStream()) {
+        os.write(responseBytes);
+      }
+    } finally {
+      System.setOut(originalOut);
+      System.setErr(originalErr);
+    }
+  }
+
+  private static void handleHealthCheck(HttpServletResponse response) throws IOException {
+    response.setStatus(HttpServletResponse.SC_OK);
+    response.getWriter().println("OK");
+  }
+}
