osbs: optionally check GPG signatures

If gpgkey option is defined in config, set gpgcheck=1 and set
gpgkey=<value> in variant repo files.

Fixes: #487
Signed-off-by: Qixiang Wan <qwan@redhat.com>
Qixiang Wan 2017-01-17 12:54:41 +08:00
parent 5d241d316a
commit a9b275f13b
4 changed files with 35 additions and 5 deletions


@ -1253,7 +1253,8 @@ they are not scratch builds).
A value for ``yum_repourls`` will be created automatically and point at a
repository in the current compose. You can add extra repositories with
``repo`` key having a list of urls pointing to ``.repo`` files or
``repo_from`` as a list of variants in current compose.
``repo_from`` as a list of variants in current compose. ``gpgkey`` can be
specified to enable gpgcheck in repo files for variants.
Example config
@ -1273,6 +1274,7 @@ Example config
"repo_from": ["Everything"],
# This will result in three repo urls being passed to the task.
# They will be in this order: Server, Everything, example.com/
"gpgkey": 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release',
}
}


@ -831,6 +831,7 @@ def _make_schema():
"priority": {"type": "number"},
"repo": {"$ref": "#/definitions/strings"},
"repo_from": {"$ref": "#/definitions/strings"},
"gpgkey": {"type": "string"},
},
"required": ["url", "target"]
}
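Review bot: `"gpgkey": {"type": "string"}` accepts the empty string, and the OSBS phase in this same commit derives the check flag from the value's truthiness (`gpgcheck = 1 if gpgkey else 0`), so a config with `gpgkey: ''` passes validation and silently produces a repo file with `gpgcheck=0` — the opposite of what an operator setting the option intends. If the validator is JSON Schema, as the `$ref` entries suggest, `"gpgkey": {"type": "string", "minLength": 1}` turns that into a configuration error at check time instead of a quiet downgrade. The `_make_schema` function starts and ends outside this hunk.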


@ -55,7 +55,8 @@ class OSBSThread(WorkerThread):
target = config.pop('target')
priority = config.pop('priority', None)
repos = shortcuts.force_list(config.pop('repo', []))
compose_repos = [self._get_repo(compose, v)
gpgkey = config.pop('gpgkey', None)
compose_repos = [self._get_repo(compose, v, gpgkey=gpgkey)
for v in [variant.uid] + shortcuts.force_list(
config.pop('repo_from', []))]
@ -107,7 +108,7 @@ class OSBSThread(WorkerThread):
self.pool.metadata.setdefault(
variant.uid, {}).setdefault(arch, []).append(data)
def _get_repo(self, compose, variant_uid):
def _get_repo(self, compose, variant_uid, gpgkey=None):
"""
Write a .repo file pointing to current variant and return URL to the
file.
@ -123,11 +124,14 @@ class OSBSThread(WorkerThread):
repo_file = os.path.join(compose.paths.work.tmp_dir(None, variant),
'compose-rpms-%s.repo' % self.num)
gpgcheck = 1 if gpgkey else 0
with open(repo_file, 'w') as f:
f.write('[%s]\n' % compose.compose_id)
f.write('name=Compose %s (RPMs)\n' % compose.compose_id)
f.write('baseurl=%s\n' % translate_path(compose, os_tree))
f.write('enabled=1\n')
f.write('gpgcheck=0\n')
f.write('gpgcheck=%s\n' % gpgcheck)
if gpgcheck:
f.write('gpgkey=%s\n' % gpgkey)
return translate_path(compose, repo_file)
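Review bot: The configured key is interpolated into the INI file unvalidated at `f.write('gpgkey=%s\n' % gpgkey)`, so a value containing a newline would add arbitrary extra directives to the repo file (a later `gpgcheck=0` line would presumably take precedence over the one written two lines earlier); the schema added by this commit only checks that it is a string. The value comes from the compose config and is operator-controlled, so this is hardening rather than an exposure, but a guard before the file is opened, `if gpgkey is not None and '\n' in gpgkey: raise ValueError('gpgkey must not contain newlines')`, makes the failure explicit. Note also that without a configured key the file still says `gpgcheck=0`, so signature verification of the compose repository remains opt-in; the docstring of `_get_repo` (whose signature is in the earlier hunk, outside this one) should document the parameter, e.g. `gpgkey: URL of the RPM signing key; when given, gpgcheck=1 is written, otherwise gpgcheck=0.`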


@ -194,12 +194,15 @@ class OSBSThreadTest(helpers.PungiTestCase):
mock.call.koji_proxy.getBuild(54321),
mock.call.koji_proxy.listArchives(54321)])
def _assertRepoFile(self, variants=None):
def _assertRepoFile(self, variants=None, gpgkey=None):
variants = variants or ['Server']
for variant in variants:
with open(self.topdir + '/work/global/tmp-%s/compose-rpms-1.repo' % variant) as f:
lines = f.read().split('\n')
self.assertIn('baseurl=http://root/compose/%s/$basearch/os' % variant, lines)
if gpgkey:
self.assertIn('gpgcheck=1', lines)
self.assertIn('gpgkey=%s' % gpgkey, lines)
def _assertConfigCorrect(self, cfg):
config = copy.deepcopy(self.compose.conf)
@ -327,6 +330,26 @@ class OSBSThreadTest(helpers.PungiTestCase):
self._assertCorrectMetadata()
self._assertRepoFile(['Server', 'Everything', 'Client'])
@mock.patch('pungi.util.resolve_git_url')
@mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
def test_run_with_gpgkey_enabled(self, KojiWrapper, resolve_git_url):
gpgkey = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
cfg = {
'url': 'git://example.com/repo?#HEAD',
'target': 'f24-docker-candidate',
'name': 'my-name',
'version': '1.0',
'repo': ['http://pkgs.example.com/my.repo'],
'repo_from': ['Everything', 'Client'],
'gpgkey': gpgkey,
}
self._assertConfigCorrect(cfg)
self._setupMock(KojiWrapper, resolve_git_url)
self.t.process((self.compose, self.compose.variants['Server'], cfg), 1)
self._assertRepoFile(['Server', 'Everything', 'Client'], gpgkey=gpgkey)
@mock.patch('pungi.util.resolve_git_url')
@mock.patch('pungi.phases.osbs.kojiwrapper.KojiWrapper')
def test_run_with_extra_repos_missing_variant(self, KojiWrapper, resolve_git_url):