Update sign.py to only sign specific file types (#303)

Signed-off-by: Marc Handalian <handalm@amazon.com>

bundle-workflow/src/sign.py

@@ -24,7 +24,6 @@
 basepath = os.path.dirname(os.path.abspath(args.manifest.name))
 signer = Signer()
 
-signer = Signer()
 for component in manifest.components:
 
     if args.component and args.component != component.name:
@@ -37,10 +36,6 @@
         if args.type and args.type != artifact_type:
             continue
 
-        artifact_list = component.artifacts[artifact_type]
-        for artifact in artifact_list:
-            location = os.path.join(basepath, artifact)
-            signer.sign(location)
-            signer.verify(location + ".asc")
+        signer.sign(component.artifacts[artifact_type])
 
 print("Done.")

bundle-workflow/src/signing_workflow/__init__.py

@@ -0,0 +1,7 @@
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  The OpenSearch Contributors require contributions made to
+#  this file be licensed under the Apache-2.0 license or a
+#  compatible open source license.
+
+# This page intentionally left blank.

bundle-workflow/src/signing_workflow/signer.py

@@ -7,6 +7,7 @@
 # compatible open source license.
 
 import os
+import pathlib
 import sys
 
 from git.git_repository import GitRepository
@@ -20,11 +21,26 @@
 
 
 class Signer:
+
+    ACCEPTED_FILE_TYPES = ['.zip', '.jar', '.war', '.pom', '.module', '.tar.gz']
+
     def __init__(self):
         self.git_repo = GitRepository(self.get_repo_url(), "HEAD")
         self.git_repo.execute("./bootstrap", subdirname="src")
         self.git_repo.execute("rm config.cfg", subdirname="src")
 
+    def sign_artifacts(self, artifacts, basepath):
+        for artifact in artifacts:
+            if self.is_invalid_file_type(artifact):
+                print(f'Skipping signing of file ${artifact}')
+                continue
+            location = os.path.join(basepath, artifact)
+            self.sign(location)
+            self.verify(location + ".asc")
+
+    def is_invalid_file_type(self, file_name):
+        return ''.join(pathlib.Path(file_name).suffixes) not in Signer.ACCEPTED_FILE_TYPES
+
     def get_repo_url(self):
         if "GITHUB_TOKEN" in os.environ:
             return "https://${GITHUB_TOKEN}@github.com/opensearch-project/opensearch-signer-client.git"

bundle-workflow/tests/signing_workflow/__init__.py

@@ -0,0 +1,11 @@
+#  SPDX-License-Identifier: Apache-2.0
+#
+#  The OpenSearch Contributors require contributions made to
+#  this file be licensed under the Apache-2.0 license or a
+#  compatible open source license.
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../.."))
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../../src"))

bundle-workflow/tests/signing_workflow/test_sign.py

@@ -0,0 +1,33 @@
+import unittest
+from unittest.mock import MagicMock, call, patch
+
+from src.signing_workflow.signer import Signer
+
+
+class TestSigner(unittest.TestCase):
+
+    @patch('src.signing_workflow.signer.GitRepository')
+    def test_accepted_file_types(self, git_repo):
+
+        artifacts = [
+            'bad-xml.xml',
+            'the-jar.jar',
+            'the-zip.zip',
+            'the-war.war',
+            'the-pom.pom',
+            'the-module.module',
+            'the-tar.tar.gz',
+            'random-file.txt',
+        ]
+        expected = [
+            call('/path/the-jar.jar'),
+            call('/path/the-zip.zip'),
+            call('/path/the-war.war'),
+            call('/path/the-pom.pom'),
+            call('/path/the-module.module'),
+            call('/path/the-tar.tar.gz'),
+        ]
+        signer = Signer()
+        signer.sign = MagicMock()
+        signer.sign_artifacts(artifacts, '/path')
+        self.assertEqual(signer.sign.call_args_list, expected)