createiso: Block reuse if unsigned packages are allowed

We can have a compose with unsigned packages.

By the time the next compose is generated, the packages could have been
signed. However, the new compose would still reuse the ISO with unsigned
copies.

Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
(cherry picked from commit d546a49299)
This commit is contained in:
Lubomír Sedlář 2024-05-02 15:09:43 +02:00 committed by Stepan Oksanichenko
parent be4fd75a7a
commit ce2c222dc2
Signed by: soksanichenko
GPG Key ID: AB9983172AB1E45B
4 changed files with 98 additions and 12 deletions

View File

@ -189,6 +189,14 @@ class CreateisoPhase(PhaseLoggerMixin, PhaseBase):
if not old_config: if not old_config:
self.logger.info("%s - no config for old compose", log_msg) self.logger.info("%s - no config for old compose", log_msg)
return False return False
# Disable reuse if unsigned packages are allowed. The older compose
# could have unsigned packages, and those may have been signed since
# then. We want to regenerate the ISO to have signatures.
if None in self.compose.conf["sigkeys"]:
self.logger.info("%s - unsigned packages are allowed", log_msg)
return False
# Convert current configuration to JSON and back to encode it similarly # Convert current configuration to JSON and back to encode it similarly
# to the old one # to the old one
config = json.loads(json.dumps(self.compose.conf)) config = json.loads(json.dumps(self.compose.conf))

View File

@ -205,6 +205,14 @@ class ExtraIsosThread(WorkerThread):
if not old_config: if not old_config:
self.pool.log_info("%s - no config for old compose", log_msg) self.pool.log_info("%s - no config for old compose", log_msg)
return False return False
# Disable reuse if unsigned packages are allowed. The older compose
# could have unsigned packages, and those may have been signed since
# then. We want to regenerate the ISO to have signatures.
if None in compose.conf["sigkeys"]:
self.pool.log_info("%s - unsigned packages are allowed", log_msg)
return False
# Convert current configuration to JSON and back to encode it similarly # Convert current configuration to JSON and back to encode it similarly
# to the old one # to the old one
config = json.loads(json.dumps(compose.conf)) config = json.loads(json.dumps(compose.conf))

View File

@ -1386,7 +1386,9 @@ class CreateisoTryReusePhaseTest(helpers.PungiTestCase):
) )
def test_old_config_changed(self): def test_old_config_changed(self):
compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"createiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
old_config = compose.conf.copy() old_config = compose.conf.copy()
old_config["release_version"] = "2" old_config["release_version"] = "2"
compose.load_old_compose_config.return_value = old_config compose.load_old_compose_config.return_value = old_config
@ -1399,12 +1401,30 @@ class CreateisoTryReusePhaseTest(helpers.PungiTestCase):
phase.try_reuse(cmd, compose.variants["Server"], "x86_64", opts) phase.try_reuse(cmd, compose.variants["Server"], "x86_64", opts)
) )
def test_no_old_metadata(self): @mock.patch("pungi.phases.createiso.read_json_file")
def test_unsigned_packages_allowed(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True}) compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True})
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
phase = createiso.CreateisoPhase(compose, mock.Mock()) phase = createiso.CreateisoPhase(compose, mock.Mock())
phase.logger = self.logger phase.logger = self.logger
cmd = {"disc_num": 1, "disc_count": 1} cmd = {"disc_num": 1, "disc_count": 1}
opts = CreateIsoOpts(volid="new-volid")
read_json_file.return_value = {"opts": {"volid": "old-volid"}}
self.assertFalse(
phase.try_reuse(cmd, compose.variants["Server"], "x86_64", opts)
)
def test_no_old_metadata(self):
compose = helpers.DummyCompose(
self.topdir, {"createiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy()
phase = createiso.CreateisoPhase(compose, mock.Mock())
phase.logger = self.logger
cmd = {"disc_num": 1, "disc_count": 1}
opts = CreateIsoOpts() opts = CreateIsoOpts()
self.assertFalse( self.assertFalse(
@ -1413,7 +1433,9 @@ class CreateisoTryReusePhaseTest(helpers.PungiTestCase):
@mock.patch("pungi.phases.createiso.read_json_file") @mock.patch("pungi.phases.createiso.read_json_file")
def test_volume_id_differs(self, read_json_file): def test_volume_id_differs(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"createiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
phase = createiso.CreateisoPhase(compose, mock.Mock()) phase = createiso.CreateisoPhase(compose, mock.Mock())
phase.logger = self.logger phase.logger = self.logger
@ -1429,7 +1451,9 @@ class CreateisoTryReusePhaseTest(helpers.PungiTestCase):
@mock.patch("pungi.phases.createiso.read_json_file") @mock.patch("pungi.phases.createiso.read_json_file")
def test_packages_differ(self, read_json_file): def test_packages_differ(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"createiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
phase = createiso.CreateisoPhase(compose, mock.Mock()) phase = createiso.CreateisoPhase(compose, mock.Mock())
phase.logger = self.logger phase.logger = self.logger
@ -1451,7 +1475,9 @@ class CreateisoTryReusePhaseTest(helpers.PungiTestCase):
@mock.patch("pungi.phases.createiso.read_json_file") @mock.patch("pungi.phases.createiso.read_json_file")
def test_runs_perform_reuse(self, read_json_file): def test_runs_perform_reuse(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"createiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"createiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
phase = createiso.CreateisoPhase(compose, mock.Mock()) phase = createiso.CreateisoPhase(compose, mock.Mock())
phase.logger = self.logger phase.logger = self.logger

View File

@ -1156,7 +1156,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
) )
def test_buildinstall_changed(self): def test_buildinstall_changed(self):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger thread.logger = self.logger
thread.bi = mock.Mock() thread.bi = mock.Mock()
@ -1170,7 +1172,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
) )
def test_no_old_config(self): def test_no_old_config(self):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger thread.logger = self.logger
opts = CreateIsoOpts() opts = CreateIsoOpts()
@ -1182,7 +1186,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
) )
def test_old_config_changed(self): def test_old_config_changed(self):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
old_config = compose.conf.copy() old_config = compose.conf.copy()
old_config["release_version"] = "2" old_config["release_version"] = "2"
compose.load_old_compose_config.return_value = old_config compose.load_old_compose_config.return_value = old_config
@ -1197,7 +1203,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
) )
def test_no_old_metadata(self): def test_no_old_metadata(self):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger thread.logger = self.logger
@ -1211,7 +1219,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
@mock.patch("pungi.phases.extra_isos.read_json_file") @mock.patch("pungi.phases.extra_isos.read_json_file")
def test_volume_id_differs(self, read_json_file): def test_volume_id_differs(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger thread.logger = self.logger
@ -1228,7 +1238,9 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
@mock.patch("pungi.phases.extra_isos.read_json_file") @mock.patch("pungi.phases.extra_isos.read_json_file")
def test_packages_differ(self, read_json_file): def test_packages_differ(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger thread.logger = self.logger
@ -1250,7 +1262,7 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
) )
@mock.patch("pungi.phases.extra_isos.read_json_file") @mock.patch("pungi.phases.extra_isos.read_json_file")
def test_runs_perform_reuse(self, read_json_file): def test_unsigned_packages(self, read_json_file):
compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True}) compose = helpers.DummyCompose(self.topdir, {"extraiso_allow_reuse": True})
compose.load_old_compose_config.return_value = compose.conf.copy() compose.load_old_compose_config.return_value = compose.conf.copy()
thread = extra_isos.ExtraIsosThread(compose, mock.Mock()) thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
@ -1273,6 +1285,38 @@ class ExtraisoTryReusePhaseTest(helpers.PungiTestCase):
}, },
} }
self.assertFalse(
thread.try_reuse(
compose, compose.variants["Server"], "x86_64", "abcdef", opts
)
)
@mock.patch("pungi.phases.extra_isos.read_json_file")
def test_runs_perform_reuse(self, read_json_file):
compose = helpers.DummyCompose(
self.topdir, {"extraiso_allow_reuse": True, "sigkeys": ["abcdef"]}
)
compose.load_old_compose_config.return_value = compose.conf.copy()
thread = extra_isos.ExtraIsosThread(compose, mock.Mock())
thread.logger = self.logger
thread.perform_reuse = mock.Mock()
new_graft_points = os.path.join(self.topdir, "new_graft_points")
helpers.touch(new_graft_points)
opts = CreateIsoOpts(graft_points=new_graft_points, volid="volid")
old_graft_points = os.path.join(self.topdir, "old_graft_points")
helpers.touch(old_graft_points)
dummy_iso_path = "dummy-iso-path/dummy.iso"
read_json_file.return_value = {
"opts": {
"graft_points": old_graft_points,
"volid": "volid",
"output_dir": os.path.dirname(dummy_iso_path),
"iso_name": os.path.basename(dummy_iso_path),
},
}
self.assertTrue( self.assertTrue(
thread.try_reuse( thread.try_reuse(
compose, compose.variants["Server"], "x86_64", "abcdef", opts compose, compose.variants["Server"], "x86_64", "abcdef", opts