From e0e4a67f3a3d6d851c90933205bdb5b8658779b9 Mon Sep 17 00:00:00 2001 From: Lukas Gravley Date: Mon, 26 Apr 2021 09:00:42 -0500 Subject: [PATCH] Certs (#1470) * adding cert * update readme * typo * make exec * spaces * adding better way * adding example * make shell happy * fix space * adding notes * bad var * duh --- Dockerfile | 1 + README.md | 15 ++++++++ lib/functions/updateSSL.sh | 79 ++++++++++++++++++++++++++++++++++++++ lib/linter.sh | 27 ++++++++----- 4 files changed, 113 insertions(+), 9 deletions(-) create mode 100755 lib/functions/updateSSL.sh diff --git a/Dockerfile b/Dockerfile index 0d156502..02a75471 100644 --- a/Dockerfile +++ b/Dockerfile @@ -337,6 +337,7 @@ RUN wget --tries=5 -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sger && wget --tries=5 -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}.apk \ && apk add --no-cache \ bash \ + ca-certificates \ glibc-${GLIBC_VERSION}.apk \ gnupg \ php7 php7-phar php7-json php7-mbstring php-xmlwriter \ diff --git a/README.md b/README.md index 28ed5db5..d58f4bc5 100644 --- a/README.md +++ b/README.md 
@@ -245,6 +245,7 @@ But if you wish to select or exclude specific linters, we give you full control | **RUBY_CONFIG_FILE** | `.ruby-lint.yml` | Filename for [rubocop configuration](https://docs.rubocop.org/rubocop/configuration.html) (ex: `.ruby-lint.yml`, `.rubocop.yml`) | | **SUPPRESS_POSSUM** | `false` | If set to `true`, will hide the ASCII possum at top of log output. Default is `false` | | **SNAKEMAKE_SNAKEFMT_CONFIG_FILE** | `.snakefmt.toml` | Filename for [Snakemake configuration](https://github.com/snakemake/snakefmt#configuration) (ex: `pyproject.toml`, `.snakefmt.toml`) | +| **SSL_CERT_SECRET** | `none` | SSL cert to add to the **Super-Linter** trust store. This is needed for users on `self-hosted` runners or need to inject the cert for security standards (ex. ${{ secrets.SSL_CERT }}) | | **SQL_CONFIG_FILE** | `.sql-config.json` | Filename for [SQL-Lint configuration](https://sql-lint.readthedocs.io/en/latest/files/configuration.html) (ex: `sql-config.json` , `.config.json`) | | **TYPESCRIPT_ES_CONFIG_FILE** | `.eslintrc.yml` | Filename for [eslint configuration](https://eslint.org/docs/user-guide/configuring#configuration-file-formats) (ex: `.eslintrc.yml`, `.eslintrc.json`) | | **VALIDATE_ALL_CODEBASE** | `true` | Will parse the entire repository and find all files to validate across all types. **NOTE:** When set to `false`, only **new** or **edited** files will be parsed for validation. | 
@@ -367,6 +368,20 @@ You can checkout this repository using [Container Remote Development](https://co We will also support [GitHub Codespaces](https://github.com/features/codespaces/) once it becomes available +### SSL Certs + +If you need to inject a SSL cert into the trust store, you will need to first copy the cert to **GitHub Secrets** +Once you have copied the plain text certificate into **GitHub Secrets**, you can use the variable `SSL_CERT_SECRET` to point the **Super-Linter** to the files contents. +Once found, it will load the certificate contents to a file, and to the trust store. +- Example workflow: +```yml +- name: Lint Code Base + uses: github/super-linter@v3 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SSL_CERT_SECRET: ${{ secrets.ROOT_CA }} +``` + ## Limitations Below are a list of the known limitations for the **GitHub Super-Linter**: diff --git a/lib/functions/updateSSL.sh b/lib/functions/updateSSL.sh new file mode 100755 index 00000000..e43ef3be --- /dev/null +++ b/lib/functions/updateSSL.sh 
@@ -0,0 +1,79 @@ +#!/usr/bin/env bash + +################################################################################ +################################################################################ +########### Super-Linter linting Functions @admiralawkbar ###################### +################################################################################ +################################################################################ +########################## FUNCTION CALLS BELOW ################################ +################################################################################ +################################################################################ +#### Function CheckSSLCert ##################################################### +function CheckSSLCert() { + if [ -z "${SSL_CERT_SECRET}" ]; then + # No cert was passed + debug "User did not provide a SSL secret, moving on..." + else + # User has provided a cert file to upload + debug "User passed SSL secret:[${SSL_CERT_SECRET}]" + InstallSSLCert + fi +} +################################################################################ +#### Function InstallSSLCert ################################################### +function InstallSSLCert() { + ############# + # Base Vars # + ############# + CERT_FILE='/tmp/cert.crt' + CERT_ROOT='/usr/local/share/ca-certificates' + FILE_NAME=$(basename "${CERT_FILE}" 2>&1) + + ######################### + # Echo secret into file # + ######################### + echo "${SSL_CERT_SECRET}" >>"${CERT_FILE}" + + ######################################## + # Put the cert in the correct location # + ######################################## + COPY_CMD=$(mv "${CERT_FILE}" "${CERT_ROOT}/${FILE_NAME}" 2>&1) + + ####################### + # Load the error code # + ####################### + ERROR_CODE=$? + + ############################## + # Check the shell for errors # + ############################## + if [ "${ERROR_CODE}" -ne 0 ]; then + error "ERROR! 
Failed to move cert into location!" + fatal "ERROR:[${COPY_CMD}]" + else + info "Moved cert into location, adding to trust store..." + fi + + ############################################## + # Update ca-certificates to pull in the cert # + ############################################## + UPDATE_CMD=$(update-ca-certificates 2>&1) + + ####################### + # Load the error code # + ####################### + ERROR_CODE=$? + + ############################## + # Check the shell for errors # + ############################## + if [ "${ERROR_CODE}" -ne 0 ]; then + # ERROR + error "ERROR! Failed to add cert to trust store!" + fatal "ERROR:[${UPDATE_CMD}]" + else + # Success + info "Successfully added cert to trust store" + fi +} +################################################################################ diff --git a/lib/linter.sh b/lib/linter.sh index 0b6f4bf0..00c31d72 100755 --- a/lib/linter.sh +++ b/lib/linter.sh 
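Review bot: `debug "User passed SSL secret:[${SSL_CERT_SECRET}]"` in CheckSSLCert writes the entire secret value into the log; the value is pulled from GitHub Secrets and the README asks users to paste certificate text, and nothing in this file stops a bundle that also carries a private key from being pasted and echoed, so log only metadata, e.g. `debug "User passed SSL secret (${#SSL_CERT_SECRET} bytes), installing..."`. In InstallSSLCert, `echo "${SSL_CERT_SECRET}" >>"${CERT_FILE}"` appends to the fixed path `/tmp/cert.crt` instead of truncating it, so any content already there ends up in the trust-store file; `printf '%s\n' "${SSL_CERT_SECRET}" >"${CERT_FILE}"` (or a `mktemp` path) avoids both the stale-content and the predictable-name issues. The value is also never checked to be a PEM certificate before `update-ca-certificates` runs, and if that tool merely warns on an unparsable file (I believe it does, but that is not visible here) a mis-pasted secret would still be reported as "Successfully added cert to trust store"; a guard such as `grep -q -- '-----BEGIN CERTIFICATE-----' "${CERT_FILE}" || fatal "SSL_CERT_SECRET does not look like a PEM certificate"` before the mv would fail the run early instead.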
@@ -44,21 +44,23 @@ export LOG_ERROR # Source Function Files # ######################### # shellcheck source=/dev/null +source /action/lib/functions/buildFileList.sh # Source the function script(s) +# shellcheck source=/dev/null +source /action/lib/functions/detectFiles.sh # Source the function script(s) +# shellcheck source=/dev/null +source /action/lib/functions/linterRules.sh # Source the function script(s) +# shellcheck source=/dev/null +source /action/lib/functions/linterVersions.sh # Source the function script(s) +# shellcheck source=/dev/null source /action/lib/functions/log.sh # Source the function script(s) # shellcheck source=/dev/null -source /action/lib/functions/buildFileList.sh # Source the function script(s) +source /action/lib/functions/tapLibrary.sh # Source the function script(s) +# shellcheck source=/dev/null +source /action/lib/functions/updateSSL.sh # Source the function script(s) # shellcheck source=/dev/null source /action/lib/functions/validation.sh # Source the function script(s) # shellcheck source=/dev/null source /action/lib/functions/worker.sh # Source the function script(s) -# shellcheck source=/dev/null -source /action/lib/functions/tapLibrary.sh # Source the function script(s) -# shellcheck source=/dev/null -source /action/lib/functions/linterRules.sh # Source the function script(s) -# shellcheck source=/dev/null -source /action/lib/functions/detectFiles.sh # Source the function script(s) -# shellcheck source=/dev/null -source /action/lib/functions/linterVersions.sh # Source the function script(s) ########### # GLOBALS # 
@@ -149,6 +151,8 @@ SNAKEMAKE_SNAKEFMT_FILE_NAME="${SNAKEMAKE_SNAKEFMT_CONFIG_FILE:-.snakefmt.toml}" # shellcheck disable=SC2034 # Variable is referenced indirectly SUPPRESS_POSSUM="${SUPPRESS_POSSUM:-false}" # shellcheck disable=SC2034 # Variable is referenced indirectly +SSL_CERT_SECRET="${SSL_CERT_SECRET}" +# shellcheck disable=SC2034 # Variable is referenced indirectly SQL_FILE_NAME="${SQL_CONFIG_FILE:-.sql-config.json}" # shellcheck disable=SC2034 # Variable is referenced indirectly TERRAFORM_FILE_NAME=".tflint.hcl" @@ -859,6 +863,11 @@ for i in "${!LINTER_COMMANDS_ARRAY[@]}"; do done debug "---------------------------------------------" +################################# +# Check for SSL cert and update # +################################# +CheckSSLCert + ########################################### # Build the list of files for each linter # ###########################################
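Review bot: `SSL_CERT_SECRET="${SSL_CERT_SECRET}"` is a no-op reassignment and, unlike the neighbouring `SUPPRESS_POSSUM="${SUPPRESS_POSSUM:-false}"` and `SQL_FILE_NAME="${SQL_CONFIG_FILE:-.sql-config.json}"`, supplies no default, so it would abort under `set -u` if that is ever enabled (whether linter.sh sets it is not visible in this hunk) and it does not make the documented "unset means none" behaviour explicit. Writing it as `SSL_CERT_SECRET="${SSL_CERT_SECRET:-}"` preserves what CheckSSLCert already does with an empty string and matches the surrounding style. A short comment would also help the next reader, since this variable holds certificate text rather than a filename like its neighbours: `# Optional PEM certificate text (may be multi-line) to add to the trust store; empty means none`.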