osbs: optionally check GPG signatures

If gpgkey option is defined in config, set gpgcheck=1 and set gpgkey=<value> in variant repo files. Fixes: #487 Signed-off-by: Qixiang Wan <qwan@redhat.com>
2017-01-17 12:54:41 +08:00 · 2017-01-17 12:54:41 +08:00 · a9b275f13b
commit a9b275f13b
parent 5d241d316a
4 changed files with 35 additions and 5 deletions
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@ -1253,7 +1253,8 @@ they are not scratch builds).
    A value for ``yum_repourls`` will be created automatically and point at a
    repository in the current compose. You can add extra repositories with
    ``repo`` key having a list of urls pointing to ``.repo`` files or
-    ``repo_from`` as a list of variants in current compose.
+    ``repo_from`` as a list of variants in current compose. ``gpgkey`` can be
+    specified to enable gpgcheck in repo files for variants.


 Example config
@ -1273,6 +1274,7 @@ Example config
            "repo_from": ["Everything"],
            # This will result in three repo urls being passed to the task.
            # They will be in this order: Server, Everything, example.com/
+            "gpgkey": 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
        }
    }

--- a/pungi/checks.py
+++ b/pungi/checks.py
@ -831,6 +831,7 @@ def _make_schema():
                            "priority": {"type": "number"},
                            "repo": {"$ref": "#/definitions/strings"},
                            "repo_from": {"$ref": "#/definitions/strings"},
+                            "gpgkey": {"type": "string"},
                        },
                        "required": ["url", "target"]
                    }
--- a/pungi/phases/osbs.py
+++ b/pungi/phases/osbs.py
@ -55,7 +55,8 @@ class OSBSThread(WorkerThread):
        target = config.pop('target')
        priority = config.pop('priority', None)
        repos = shortcuts.force_list(config.pop('repo', []))
-        compose_repos = [self._get_repo(compose, v)
+        gpgkey = config.pop('gpgkey', None)
+        compose_repos = [self._get_repo(compose, v, gpgkey=gpgkey)
                         for v in [variant.uid] + shortcuts.force_list(
                             config.pop('repo_from', []))]

@ -107,7 +108,7 @@ class OSBSThread(WorkerThread):
            self.pool.metadata.setdefault(
                variant.uid, {}).setdefault(arch, []).append(data)

-    def _get_repo(self, compose, variant_uid):
+    def _get_repo(self, compose, variant_uid, gpgkey=None):
        """
        Write a .repo file pointing to current variant and return URL to the
        file.
@ -123,11 +124,14 @@ class OSBSThread(WorkerThread):
        repo_file = os.path.join(compose.paths.work.tmp_dir(None, variant),
                                 'compose-rpms-%s.repo' % self.num)

+        gpgcheck = 1 if gpgkey else 0
        with open(repo_file, 'w') as f:
            f.write('[%s]\n' % compose.compose_id)
            f.write('name=Compose %s (RPMs)\n' % compose.compose_id)
            f.write('baseurl=%s\n' % translate_path(compose, os_tree))
            f.write('enabled=1\n')
-            f.write('gpgcheck=0\n')
+            f.write('gpgcheck=%s\n' % gpgcheck)
+            if gpgcheck:
+                f.write('gpgkey=%s\n' % gpgkey)

        return translate_path(compose, repo_file)
--- a/tests/test_osbs_phase.py
+++ b/tests/test_osbs_phase.py
@ -194,12 +194,15 @@ class OSBSThreadTest(helpers.PungiTestCase):
                mock.call.koji_proxy.getBuild(54321),
                mock.call.koji_proxy.listArchives(54321)])

-    def _assertRepoFile(self, variants=None):
+    def _assertRepoFile(self, variants=None, gpgkey=None):
        variants = variants or ['Server']
        for variant in variants:
            with open(self.topdir + '/work/global/tmp-%s/compose-rpms-1.repo' % variant) as f:
                lines = f.read().split('\n')
                self.assertIn('baseurl=http://root/compose/%s/$basearch/os' % variant, lines)
+                if gpgkey:
+                    self.assertIn('gpgcheck=1', lines)
+                    self.assertIn('gpgkey=%s' % gpgkey, lines)

    def _assertConfigCorrect(self, cfg):
        config = copy.deepcopy(self.compose.conf)
@ -327,6 +330,26 @@ class OSBSThreadTest(helpers.PungiTestCase):
        self._assertCorrectMetadata()
        self._assertRepoFile(['Server', 'Everything', 'Client'])

+    @mock.patch('pungi.util.resolve_git_url')
+    @mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
+    def test_run_with_gpgkey_enabled(self, KojiWrapper, resolve_git_url):
+        gpgkey = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
+        cfg = {
+            'url': 'git://example.com/repo?#HEAD',
+            'target': 'f24-docker-candidate',
+            'name': 'my-name',
+            'version': '1.0',
+            'repo': ['http://pkgs.example.com/my.repo'],
+            'repo_from': ['Everything', 'Client'],
+            'gpgkey': gpgkey,
+        }
+        self._assertConfigCorrect(cfg)
+        self._setupMock(KojiWrapper, resolve_git_url)
+
+        self.t.process((self.compose, self.compose.variants['Server'], cfg), 1)
+
+        self._assertRepoFile(['Server', 'Everything', 'Client'], gpgkey=gpgkey)
+
    @mock.patch('pungi.util.resolve_git_url')
    @mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
    def test_run_with_extra_repos_missing_variant(self, KojiWrapper, resolve_git_url):