From acabf416a4109dcde5a9a964136575fdeb3e9bc5 Mon Sep 17 00:00:00 2001
From: Marc Handalian
Date: Mon, 23 Aug 2021 15:36:46 -0700
Subject: [PATCH] Update sign.py to only sign specific file types

Signed-off-by: Marc Handalian
---
 bundle-workflow/src/sign.py | 7 +---
 .../src/signing_workflow/__init__.py | 7 ++++
 .../src/signing_workflow/signer.py | 16 +++++++++
 .../tests/signing_workflow/__init__.py | 11 +++++++
 .../tests/signing_workflow/test_sign.py | 33 +++++++++++++++++++
 5 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 bundle-workflow/src/signing_workflow/__init__.py
 create mode 100644 bundle-workflow/tests/signing_workflow/__init__.py
 create mode 100644 bundle-workflow/tests/signing_workflow/test_sign.py
diff --git a/bundle-workflow/src/sign.py b/bundle-workflow/src/sign.py
index 499bc807fd..66fde41135 100755
--- a/bundle-workflow/src/sign.py
+++ b/bundle-workflow/src/sign.py
@@ -18,7 +18,6 @@
 basepath = os.path.dirname(os.path.abspath(args.manifest.name))
 signer = Signer()
-signer = Signer()
 for component in manifest.components:
     if args.component and args.component != component.name:
@@ -31,10 +30,6 @@
         if args.type and args.type != artifact_type:
             continue
-        artifact_list = component.artifacts[artifact_type]
-        for artifact in artifact_list:
-            location = os.path.join(basepath, artifact)
-            signer.sign(location)
-            signer.verify(location + ".asc")
+        signer.sign(component.artifacts[artifact_type])
 print("Done.")
diff --git a/bundle-workflow/src/signing_workflow/__init__.py b/bundle-workflow/src/signing_workflow/__init__.py
new file mode 100644
index 0000000000..2fee7d03b3
--- /dev/null
+++ b/bundle-workflow/src/signing_workflow/__init__.py
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# The OpenSearch Contributors require contributions made to
+# this file be licensed under the Apache-2.0 license or a
+# compatible open source license.
+
+# This page intentionally left blank.
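Review bot: The added line `signer.sign(component.artifacts[artifact_type])` hands the whole artifact list to the single-path `sign` instead of to the new `sign_artifacts`, so the allowlist loop is never reached and the per-artifact `signer.verify(location + ".asc")` that the removed lines performed is silently dropped; it should read `signer.sign_artifacts(component.artifacts[artifact_type], basepath)`. With the call as written, `basepath` from the first hunk is also computed and never used, which is a second sign that the wrong method is being called. The loop that binds `artifact_type` begins outside this hunk, so I cannot see whether anything else still consumes `basepath`.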
diff --git a/bundle-workflow/src/signing_workflow/signer.py b/bundle-workflow/src/signing_workflow/signer.py
index f35058f3cf..d05dc38c21 100644
--- a/bundle-workflow/src/signing_workflow/signer.py
+++ b/bundle-workflow/src/signing_workflow/signer.py
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: Apache-2.0
 import os
+import pathlib
 import sys
 from git.git_repository import GitRepository
@@ -17,11 +18,26 @@
 class Signer:
+
+    ACCEPTED_FILE_TYPES = ['.zip', '.jar', '.war', '.pom', '.module', '.tar.gz']
+
     def __init__(self):
         self.git_repo = GitRepository(self.get_repo_url(), "HEAD")
         self.git_repo.execute("./bootstrap", subdirname="src")
         self.git_repo.execute("rm config.cfg", subdirname="src")
+    def sign_artifacts(self, artifacts, basepath):
+        for artifact in artifacts:
+            if self.is_invalid_file_type(artifact):
+                print(f'Skipping signing of file ${artifact}')
+                continue
+            location = os.path.join(basepath, artifact)
+            self.sign(location)
+            self.verify(location + ".asc")
+
+    def is_invalid_file_type(self, file_name):
+        return ''.join(pathlib.Path(file_name).suffixes) not in Signer.ACCEPTED_FILE_TYPES
+
     def get_repo_url(self):
         if "GITHUB_TOKEN" in os.environ:
             return "https://${GITHUB_TOKEN}@github.com/opensearch-project/opensearch-signer-client.git"
diff --git a/bundle-workflow/tests/signing_workflow/__init__.py b/bundle-workflow/tests/signing_workflow/__init__.py
new file mode 100644
index 0000000000..a461c5e0e8
--- /dev/null
+++ b/bundle-workflow/tests/signing_workflow/__init__.py
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: Apache-2.0
+#
+# The OpenSearch Contributors require contributions made to
+# this file be licensed under the Apache-2.0 license or a
+# compatible open source license.
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../.."))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../../src"))
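Review bot: `is_invalid_file_type` joins every suffix of the name, so a version-numbered artifact such as `opensearch-1.0.0.tar.gz` (suffixes `.0`, `.0`, `.tar`, `.gz`) or `plugin-1.0.jar` yields `.0.0.tar.gz` / `.0.jar`, which is not in `ACCEPTED_FILE_TYPES`, and `sign_artifacts` skips it with nothing but a print — real release artifacts would leave the pipeline unsigned and unverified. Matching on the end of the name handles `.tar.gz` as well: `return not file_name.endswith(tuple(Signer.ACCEPTED_FILE_TYPES))`. Because a silent skip is a signing gap rather than an error, I would also have `sign_artifacts` collect or log the skipped names at a level the workflow can fail on, instead of relying on stdout. Separately, the `$` in `f'Skipping signing of file ${artifact}'` is not f-string syntax and is printed literally; drop it.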
diff --git a/bundle-workflow/tests/signing_workflow/test_sign.py b/bundle-workflow/tests/signing_workflow/test_sign.py
new file mode 100644
index 0000000000..96050c1530
--- /dev/null
+++ b/bundle-workflow/tests/signing_workflow/test_sign.py
@@ -0,0 +1,33 @@
+import unittest
+from unittest.mock import MagicMock, call, patch
+
+from src.signing_workflow.signer import Signer
+
+
+class TestSigner(unittest.TestCase):
+
+    @patch('src.signing_workflow.signer.GitRepository')
+    def test_accepted_file_types(self, git_repo):
+
+        artifacts = [
+            'bad-xml.xml',
+            'the-jar.jar',
+            'the-zip.zip',
+            'the-war.war',
+            'the-pom.pom',
+            'the-module.module',
+            'the-tar.tar.gz',
+            'random-file.txt',
+        ]
+        expected = [
+            call('/path/the-jar.jar'),
+            call('/path/the-zip.zip'),
+            call('/path/the-war.war'),
+            call('/path/the-pom.pom'),
+            call('/path/the-module.module'),
+            call('/path/the-tar.tar.gz'),
+        ]
+        signer = Signer()
+        signer.sign = MagicMock()
+        signer.sign_artifacts(artifacts, '/path')
+        self.assertEqual(signer.sign.call_args_list, expected)
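Review bot: Every name in `artifacts` has a single dotted extension, so the test cannot catch how `is_invalid_file_type` treats the version-numbered names a real bundle contains; add entries such as `'opensearch-1.0.0.tar.gz'` and `'plugin-1.0.jar'` to `artifacts` and the matching `call('/path/…')` entries to `expected`. Only `signer.sign` is replaced with a `MagicMock`, so `signer.verify` presumably runs its real body against the patched `GitRepository` and is never asserted; setting `signer.verify = MagicMock()` and checking `signer.verify.call_args_list` against the `.asc` paths would pin that every signed file is also verified. The new file also lacks the SPDX header that the two sibling `__init__.py` files in this commit carry.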