From 6bc534d7b4df7bb558dd3ca3e9f922ef5ebf0882 Mon Sep 17 00:00:00 2001
From: Florian Hennig <florian.hennig@committance.com>
Date: Wed, 16 Oct 2024 21:35:59 +0200
Subject: [PATCH] fix(newer-sonar-image): permissions for custom certificates

This should fix https://gitlab.com/to-be-continuous/sonar/-/issues/26.
It also fixes a typo in a log message and in a variable name.

Signed-off-by: Florian Hennig florian.hennig@committance.com
---
 templates/gitlab-ci-sonar.yml | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/templates/gitlab-ci-sonar.yml b/templates/gitlab-ci-sonar.yml
index e5faa4d..656b46c 100644
--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -147,15 +147,17 @@ stages:
     then
       return
     fi
+    # creat a writable folder for the keystore and certs
+    mkdir -p /tmp/certs
 
     # import in system
-    if echo "$certs" >> /etc/ssl/certs/ca-certificates.crt
+    if echo "$certs" >> /tmp/certs/ca-certificates.crt
     then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/certs/ca-certificates.crt\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/ca-certificates.crt\\e[0m"
     fi
-    if echo "$certs" >> /etc/ssl/cert.pem
+    if echo "$certs" >> /tmp/certs/cert.pem
     then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/cert.pem\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/cert.pem\\e[0m"
     fi
 
     # import in Java keystore (if keytool command found)
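Review bot: The new bundle files under /tmp/certs are created from scratch, so after this hunk `/tmp/certs/ca-certificates.crt` and `/tmp/certs/cert.pem` contain only the custom CAs, whereas the previous `>>` into `/etc/ssl/...` produced a bundle that still held the distro CAs. Nothing in this hunk shows what later reads these files (for example an `SSL_CERT_FILE` export), so I cannot tell from here whether a consumer now loses the system CAs; if one exists, seed each file from its system counterpart before appending, e.g. `cat /etc/ssl/certs/ca-certificates.crt > /tmp/certs/ca-certificates.crt 2>/dev/null || true`, and likewise for cert.pem. The comment on the mkdir line has a typo: `# create a writable folder for the keystore and certs`. The enclosing function starts before this hunk.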
@@ -167,6 +169,10 @@ stages:
       keystore=${JAVA_KEYSTORE_PATH:-$(ls -1 $javahome/jre/lib/security/cacerts 2>/dev/null || ls -1 $javahome/lib/security/cacerts 2>/dev/null || echo "")}
       if [[ -f "$keystore" ]]
       then
+        # copy keystore into writable folder
+        cp -L -r --no-preserve=mode "$keystore" /tmp/writable_keystore
+        # set writable keystore as keystore
+        keystore="/tmp/writable_keystore"
         storepass=${JAVA_KEYSTORE_PASSWORD:-changeit}
         nb_certs=$(echo "$certs" | grep -c 'END CERTIFICATE')
         log_info "importing $nb_certs certificates in Java keystore \\e[33;1m$keystore\\e[0m..."
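Review bot: `cp -L -r --no-preserve=mode` copies a single file, so `-r` does nothing, and `--no-preserve=mode` is a GNU coreutils option that a busybox-based image would reject — I cannot see which image runs this step, so treat that as something to confirm. The portable form is `cp -L "$keystore" /tmp/writable_keystore && chmod u+w /tmp/writable_keystore`, which also keeps the copy's permissions explicit instead of relying on the umask. The comment above the assignment could also say why the fixed path matters: `# fixed path: the sonar job script passes it as sonar.scanner.truststorePath`. The enclosing function starts before and ends after this hunk.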
@@ -427,8 +433,19 @@ sonar:
         log_warn '$SONAR_AUTH_TOKEN variable detected: use $SONAR_TOKEN instead (see doc)'
         export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
       fi
+    - |
+      if [[ -z "$CUSTOM_CA_CERTS" ]]
+      then
+        log_info '$CUSTOM_CA_CERTS not set: using default keystore'
+      else
+        log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+        export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
+        export CUSTOM_KEYSTORE_PASSWORD="changeit"
+      fi
     - >-
-      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args 
+      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
+      ${CUSTOM_KEYSTORE_PATH:+-Dsonar.scanner.truststorePath=$CUSTOM_KEYSTORE_PATH}
+      ${CUSTOM_KEYSTORE_PASSWORD:+-Dsonar.scanner.truststorePassword=$CUSTOM_KEYSTORE_PASSWORD}
       ${SONAR_LOGIN:+-Dsonar.login=$SONAR_LOGIN} 
       ${SONAR_PASSWORD:+-Dsonar.password=$SONAR_PASSWORD} 
       ${SONAR_PROJECT_KEY:+-Dsonar.projectKey=$SONAR_PROJECT_KEY} 
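Review bot: The truststore password exported here is hard-coded to `changeit`, but the keystore that was copied and populated earlier in this file is opened with `${JAVA_KEYSTORE_PASSWORD:-changeit}`; when a user sets JAVA_KEYSTORE_PASSWORD the two no longer match and the scanner cannot open the truststore. Use the same default chain: `export CUSTOM_KEYSTORE_PASSWORD="${JAVA_KEYSTORE_PASSWORD:-changeit}"`. The path is also exported whenever CUSTOM_CA_CERTS is set, even though the copy to /tmp/writable_keystore only happens when a keystore file was found, so the scanner can be handed a truststorePath that does not exist; guarding the branch with `if [[ -z "$CUSTOM_CA_CERTS" || ! -f /tmp/writable_keystore ]]` keeps the default keystore in that case (adjust the log text accordingly). Passing the password as a `-D` argument exposes it to anything that can list the job's processes, which is acceptable for the well-known default but worth a comment if a real secret is ever routed through JAVA_KEYSTORE_PASSWORD.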
-- 
GitLab