From ae44da9d01eb75e83bf68e083edb8e5839861ec9 Mon Sep 17 00:00:00 2001
From: Matthew Pirocchi
Date: Tue, 11 Sep 2018 04:27:07 -0400
Subject: [PATCH] feat: Enable creation of strong names for .NET assemblies. (#643)
---
buildspec.yaml | 3 ++
fetch-dotnet-snk.sh | 61 ++++++++++++++++++++++++++++++++++++++
tools/pkglint/lib/rules.ts | 27 +++++++++++++++++
3 files changed, 91 insertions(+)
create mode 100644 fetch-dotnet-snk.sh
diff --git a/buildspec.yaml b/buildspec.yaml
index cbebf7af6a8a5..ecd806c5d47dd 100644
--- a/buildspec.yaml
+++ b/buildspec.yaml
@@ -4,6 +4,9 @@ phases:
 install:
 commands:
 - /bin/bash ./install.sh
+ pre_build:
+ commands:
+ - /bin/bash ./fetch-dotnet-snk.sh
 build:
 commands:
 - /bin/bash ./build.sh
diff --git a/fetch-dotnet-snk.sh b/fetch-dotnet-snk.sh
new file mode 100644
index 0000000000000..4e606db501200
--- /dev/null
+++ b/fetch-dotnet-snk.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script retrieves the .snk file needed to create strong names for .NET assemblies.
+
+function echo_usage() {
+ echo "USAGE: Set the following environment variables, then run ./fetch-dotnet-snk.sh with no arguments."
+ echo -e "\tDOTNET_STRONG_NAME_ENABLED=true"
+ echo -e "\tDOTNET_STRONG_NAME_ROLE_ARN="
+ echo -e "\tDOTNET_STRONG_NAME_SECRET_REGION="
+ echo -e "\tDOTNET_STRONG_NAME_SECRET_ID="
+}
+
+if [ -z ${DOTNET_STRONG_NAME_ENABLED:-} ]; then
+ echo "Environment variable DOTNET_STRONG_NAME_ENABLED is not set. Skipping strong-name signing."
+ exit 0
+fi
+
+echo "Retrieving SNK..."
+
+apt update -y
+apt install jq -y
+
+if [ -z ${DOTNET_STRONG_NAME_ROLE_ARN:-} ]; then
+ echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_ROLE_ARN is not set."
+ echo_usage
+ exit 1
+fi
+
+if [ -z ${DOTNET_STRONG_NAME_SECRET_REGION:-}]; then
+ echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_SECRET_REGION is not set."
+ echo_usage
+ exit 1
+fi
+
+if [ -z ${DOTNET_STRONG_NAME_SECRET_ID:-} ]; then
+ echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_SECRET_ID is not set."
+ echo_usage
+ exit 1
+fi
+
+ROLE=$(aws sts assume-role --region ${DOTNET_STRONG_NAME_SECRET_REGION:-} --role-arn ${DOTNET_STRONG_NAME_ROLE_ARN:-} --role-session-name "jsii-dotnet-snk")
+export AWS_ACCESS_KEY_ID=$(echo $ROLE | jq -r .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo $ROLE | jq -r .Credentials.SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo $ROLE | jq .Credentials.SessionToken)
+
+SNK_SECRET=$(aws secretsmanager get-secret-value --region ${DOTNET_STRONG_NAME_SECRET_REGION:-} --secret-id ${DOTNET_STRONG_NAME_SECRET_ID:-})
+TMP_DIR=$(mktemp -d)
+TMP_KEY="$TMP_DIR/key.snk"
+echo $SNK_SECRET | jq -r .SecretBinary | base64 --decode > $TMP_KEY
+
+for PACKAGE_PATH in packages/@aws-cdk/*; do
+ JSII_PROPERTY=$(cat "$PACKAGE_PATH/package.json" | jq -r .jsii)
+ if [ -z $JSII_PROPERTY ]; then
+ continue
+ fi
+
+ cp $TMP_KEY $PACKAGE_PATH
+done
+
+rm -rf $TMP_DIR
diff --git a/tools/pkglint/lib/rules.ts b/tools/pkglint/lib/rules.ts
index 03c55313e9998..e2ed831af7fc4 100644
--- a/tools/pkglint/lib/rules.ts
+++ b/tools/pkglint/lib/rules.ts
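Review bot: `export AWS_SESSION_TOKEN=$(echo $ROLE | jq .Credentials.SessionToken)` is the one credential extraction without `jq -r`, so the exported token carries literal double quotes and the following `aws secretsmanager get-secret-value` call would most likely fail to authenticate; change it to `export AWS_SESSION_TOKEN=$(echo "$ROLE" | jq -r .Credentials.SessionToken)`. In the package loop, `jq -r .jsii` prints the string `null` when the key is absent, so `[ -z $JSII_PROPERTY ]` never triggers and key.snk is copied into every directory under packages/@aws-cdk (an unquoted multi-line object also makes that test error out); `JSII_PROPERTY=$(jq -r '.jsii // empty' "$PACKAGE_PATH/package.json")` with `[ -z "$JSII_PROPERTY" ]` gives the intended skip. The copied key.snk files remain in the source tree after the build, since `rm -rf $TMP_DIR` only removes the temp copy, so they need to be excluded from git and from the published npm package or deleted once packaging is done, otherwise the private key can ship in a tarball. Minor: `[ -z ${DOTNET_STRONG_NAME_SECRET_REGION:-}]` is missing the space before `]` and only passes by accident; quoting the expansions as `[ -z "${DOTNET_STRONG_NAME_SECRET_REGION:-}" ]` in all four checks makes them robust.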
@@ -256,6 +256,33 @@ export class JSIIDotNetNamespaceIsRequired extends ValidationRule {
 }
 }
 
+/**
+ * Strong-naming all .NET assemblies is required.
+ */
+export class JSIIDotNetStrongNameIsRequired extends ValidationRule {
+ public validate(pkg: PackageJson): void {
+ if (!isJSII(pkg)) { return; }
+
+ const signAssembly = deepGet(pkg.json, ['jsii', 'targets', 'dotnet', 'signAssembly']) as boolean | undefined;
+ const signAssemblyExpected = true;
+ if (signAssembly !== signAssemblyExpected) {
+ pkg.report({
+ message: `.NET packages must have strong-name signing enabled.`,
+ fix: () => deepSet(pkg.json, ['jsii', 'targets', 'dotnet', 'signAssembly'], signAssemblyExpected)
+ });
+ }
+
+ const assemblyOriginatorKeyFile = deepGet(pkg.json, ['jsii', 'targets', 'dotnet', 'assemblyOriginatorKeyFile']) as string | undefined;
+ const assemblyOriginatorKeyFileExpected = "../../key.snk";
+ if (assemblyOriginatorKeyFile !== assemblyOriginatorKeyFileExpected) {
+ pkg.report({
+ message: `.NET packages must use the strong name key fetched by fetch-dotnet-snk.sh`,
+ fix: () => deepSet(pkg.json, ['jsii', 'targets', 'dotnet', 'assemblyOriginatorKeyFile'], assemblyOriginatorKeyFileExpected)
+ });
+ }
+ }
+}
+
 /**
 * The package must depend on cdk-build-tools
 */
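Review bot: The expected value `"../../key.snk"` in JSIIDotNetStrongNameIsRequired.validate is a bare constant, while fetch-dotnet-snk.sh in this same patch copies key.snk into the package root, so a reader cannot tell which directory the `../../` is relative to; add a comment such as `// Resolved relative to the generated .csproj, not package.json; fetch-dotnet-snk.sh drops key.snk in the package root, so keep this in sync with the pacmak output layout` (the actual base directory is not visible here, so confirm it before committing the wording). The `as boolean | undefined` and `as string | undefined` casts on deepGet are assertions rather than checks; since each value is only compared with `!==` against its expected constant, the casts can be dropped and the comparison done on the raw result. The second report message lacks the trailing period the first one has, and both are template literals with no interpolation; plain strings plus a shared `const dotnetTarget = ['jsii', 'targets', 'dotnet'];` prefix would remove the four repeated path arrays. It is also worth confirming that a build where DOTNET_STRONG_NAME_ENABLED is unset, in which the script exits 0 without fetching a key, still succeeds with `signAssembly: true` and no key.snk present.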