tests/api: custom repository tests

- remove `custom-repos.sh` integratoin test - add custom repositories check to `api` tests for supported images - verify custom repositores are added to /etc/yum.repos.d - verify gpg key is saved to /etc/pki/rpm-gpg (for inline keys)
2023-02-28 18:08:49 +00:00 · 2023-02-28 18:08:49 +00:00 · 1c25d2792c
commit 1c25d2792c
parent fb63d7ad9a
8 changed files with 68 additions and 212 deletions
--- a/test/cases/api.sh
+++ b/test/cases/api.sh
@ -367,6 +367,33 @@ EOF
 esac
 export DIR_FILES_CUSTOMIZATION_BLOCK

+# Define the customizations for the images here to not have to repeat them
+# in every image-type specific file.
+case "${IMAGE_TYPE}" in
+  # The Directories and Files customization is not supported for this image type.
+  "$IMAGE_TYPE_EDGE_INSTALLER")
+    CUSTOM_GPG_KEY=
+    REPOSITORY_CUSTOMIZATION_BLOCK=
+    ;;
+  *)
+    CUSTOM_GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBGRBSJURBACzCoe9UNfxOUiFLq9b60weSBFdr39mLViscecDWATNvXtgRoK/\nxl/4qpayzALRCQ2Ek/pMrbKPF/3ngECuBv7S+rI4n/rIia4FNcqzYeZAz4DE4NP/\neUGvz49tWhmH17hX/rmF9kz5kLq2bDZI4GDgZW/oMDdt2ivj092Ljm9jRwCgyQy3\nWEK6RJvIcSEh9vbdwVdMPOcD/iHqNejTMFwGyZfCWB0eIOoxUOUn/ZZpELTL2UpW\nGduCf3txb5SkK7M+WDbb0S5IvNXoi0tc13STiD6Oxg2O9PkSvvYb+8zxlhNoSTwy\n54j7Rf5FlnQ3TAFfjtQ5LCx56LKK73j4RjvKW//ktm5n54exsgo9Ry/e12T46dRg\n7tIlA/91rzLm57Qyc73A7zjgIzef9O6V5ZzowC+pp/jfb5pS9hXgROekLkMgX0vg\niA5rM5OpqK4bArVP1lRWnLyvghwO+TW763RVuXlS0scfzMy4g0NgrG6j7TIOKEqz\n4xQxOuwkudqiQr/kOqKuLxQBXa+5MJkyhfPmqYw5wpqyCwFa/7Q4b3NidWlsZCB0\nZXN0IChvc2J1aWxkIHRlc3QgZ3Bna2V5KSA8b3NidWlsZEBleGFtcGxlLmNvbT6I\newQTEQIAOxYhBGB8woiEPRKBO8Cr31lulpQgMejzBQJkQUiVAhsjBQsJCAcCAiIC\nBhUKCQgLAgQWAgMBAh4HAheAAAoJEFlulpQgMejzapMAoLmUg1mNDTRUaCrN/fzm\nHYLHL6jkAJ9pEKkJQiHB6SfD0fkiD2GkELYLubkBDQRkQUiVEAQAlAAXrQ572vuw\nxI3W8GSZmOQiAYOQmOKRloLEy6VZ3NSOb9y2TXj33QTkJBPOM17AzB7E+YjZrpUt\ngl6LlXmfjMcJAcXhFaUBCilAcMwMlLl7DtnSkLnLIXYmHiN0v83BH/H0EPutOc5l\n0QIyugutifp9SJz2+EWpC4bjA7GFkQ8AAwUD/1tLEGqCJ37O8gfzYt2PWkqBEoOY\n0Z3zwVS6PWW/IIkak9dAJ0iX5NMeFWpzFNfviDPHqhEdUR55zsxyUZIZlCX5jwmA\nt7qm3cbH4HNU1Ogq3Q9hykbTPWPZVkpvNm/TO8TA2brhkz3nuS8Hbmh+rjXFOSZj\nDQBUxItuuj2hhpQEiGAEGBECACAWIQRgfMKIhD0SgTvAq99ZbpaUIDHo8wUCZEFI\nlQIbDAAKCRBZbpaUIDHo83fQAKDHgFIaggaNsvDQkj7vMX0fecHRhACfS9Bvxn2W\nWSb6T+gChmYBseZwk/k=\n=DQ3i\n-----END PGP PUBLIC KEY BLOCK-----"
+    REPOSITORY_CUSTOMIZATION_BLOCK=$(cat <<EOF
+,
+    "custom_repositories": [{
+        "id": "example",
+        "name": "Example repo",
+        "baseurl": [ "http://example.com" ],
+        "gpgkey": [ "$CUSTOM_GPG_KEY" ],
+        "check_gpg": true,
+        "enabled": true
+    }]
+EOF
+)
+    ;;
+esac
+export CUSTOM_GPG_KEY
+export REPOSITORY_CUSTOMIZATION_BLOCK
+
 # generate a temp key for user tests
 ssh-keygen -t rsa-sha2-512 -f "${WORKDIR}/usertest" -C "usertest" -N ""

--- a/test/cases/api/aws.sh
+++ b/test/cases/api/aws.sh
@ -63,7 +63,7 @@ function createReqFile() {
        "name": "user2",
        "key": "$(cat "${WORKDIR}/usertest.pub")"
      }
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
  },
  "image_request": {
      "architecture": "$ARCH",
--- a/test/cases/api/azure.sh
+++ b/test/cases/api/azure.sh
@ -84,7 +84,7 @@ function createReqFile() {
    "packages": [
      "postgresql",
      "dummy"
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
  },
  "image_request": {
    "architecture": "$ARCH",
--- a/test/cases/api/common/common.sh
+++ b/test/cases/api/common/common.sh
@ -46,6 +46,8 @@ function _instanceCheck() {

  # Verify that directories and files customization worked as expected
  verify_dirs_files_customization "$_ssh"
+
+  verify_repository_customization "$_ssh"
 }

 WORKER_REFRESH_TOKEN_PATH="/etc/osbuild-worker/token"
@ -129,3 +131,38 @@ function verify_dirs_files_customization {
    exit 1
  fi
 }
+
+# Verify that repository customizations worked as expected
+function verify_repository_customization {
+  echo "✔️ Checking custom repositories"
+  local _ssh="$1"
+  local _error=0
+
+  local _custom_repo_file="/etc/yum.repos.d/example.repo"
+  local _key_file_path="/etc/pki/rpm-gpg/RPM-GPG-KEY-example-0"
+
+  # verify that `/etc/yum.repos.d/example.repo` exists
+  # and contains path to gpg key file
+  local cust_repo_contains_key_path
+  cust_repo_contains_key_path=$($_ssh cat "$_custom_repo_file" | grep -c "${_key_file_path}")
+  if [[ "$cust_repo_contains_key_path" -le 0 ]]; then
+    echo "File $_custom_repo_file does not contain ${_key_file_path}}"
+    _error=1
+  fi
+
+  # verify that gpg key file has been saved to image
+  # and the contents match the expected gpg key
+  local local_key remote_key key_diff
+  local_key=$(echo -e "$CUSTOM_GPG_KEY")
+  remote_key=$($_ssh cat "${_key_file_path}")
+  key_diff=$(diff <(echo "$local_key") <(echo "$remote_key") | wc -l)
+  if [[ "$key_diff" -gt 0 ]]; then
+    echo "File $_key_file_path has wrong content"
+    _error=1
+  fi
+
+  if [[ "$_error" == "1" ]]; then
+    echo "Testing of custom repositories failed."
+    exit 1
+  fi
+}
--- a/test/cases/api/common/s3.sh
+++ b/test/cases/api/common/s3.sh
@ -78,7 +78,7 @@ function createReqFileGuest() {
        "name": "user2",
        "key": "$(cat "${WORKDIR}/usertest.pub")"
      }
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
  },
  "image_request": {
    "architecture": "$ARCH",
--- a/test/cases/api/gcp.sh
+++ b/test/cases/api/gcp.sh
@ -71,7 +71,7 @@ function createReqFile() {
    "packages": [
      "postgresql",
      "dummy"
-    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}
+    ]${SUBSCRIPTION_BLOCK}${DIR_FILES_CUSTOMIZATION_BLOCK}${REPOSITORY_CUSTOMIZATION_BLOCK}
  },
  "image_request": {
    "architecture": "$ARCH",
--- a/test/cases/custom-repos.sh
+++ b/test/cases/custom-repos.sh
@ -1,203 +0,0 @@
-#!/usr/bin/bash
-
-#
-# Test the ability to specify custom repositories
-#
-set -euo pipefail
-
-source /etc/os-release
-
-# Provision the software under test.
-/usr/libexec/osbuild-composer-test/provision.sh none
-
-source /usr/libexec/osbuild-composer-test/set-env-variables.sh
-source /usr/libexec/tests/osbuild-composer/shared_lib.sh
-
-if ! nvrGreaterOrEqual "osbuild-composer" "81"; then
-    echo "SKIP: test not supported on osbuild-composer < 81"
-    exit 0
-fi
-
-# Set up variables.
-case "${ID}-${VERSION_ID}" in
-    fedora*)
-        ;;
-    rhel-*)
-        ;;
-    centos-*)
-        ;;
-    *)
-        echo "unsupported distro: ${ID}-${VERSION_ID}"
-        exit 1;;
-esac
-
-TEST_UUID=$(uuidgen)
-IMAGE_KEY="osbuild-composer-test-${TEST_UUID}"
-ARTIFACTS="ci-artifacts"
-mkdir -p "${ARTIFACTS}"
-
-# Set up temporary files.
-TEMPDIR=$(mktemp -d)
-BLUEPRINT_FILE=${TEMPDIR}/blueprint.toml
-COMPOSE_START=${TEMPDIR}/compose-start-${IMAGE_KEY}.json
-COMPOSE_INFO=${TEMPDIR}/compose-info-${IMAGE_KEY}.json
-
-# Workaround the problem that 'image-info' can not read SELinux labels unknown to the host from the image
-OSBUILD_LABEL=$(matchpathcon -n "$(which osbuild)")
-sudo chcon "$OSBUILD_LABEL" /usr/libexec/osbuild-composer-test/image-info
-
-# Get the compose log.
-get_compose_log () {
-    COMPOSE_ID=$1
-    LOG_FILE=${ARTIFACTS}/osbuild-${ID}-${VERSION_ID}-${COMPOSE_ID}.log
-
-    # Download the logs.
-    sudo composer-cli compose log "${COMPOSE_ID}" | tee "${LOG_FILE}" > /dev/null
-}
-
-# Get the compose metadata.
-get_compose_metadata () {
-    COMPOSE_ID=$1
-    METADATA_FILE=${ARTIFACTS}/osbuild-${ID}-${VERSION_ID}-${COMPOSE_ID}.json
-
-    # Download the metadata.
-    sudo composer-cli compose metadata "${COMPOSE_ID}" > /dev/null
-
-    # Find the tarball and extract it.
-    TARBALL=$(basename "$(find . -maxdepth 1 -type f -name "*-metadata.tar")")
-    sudo tar -xf "${TARBALL}" -C "${TEMPDIR}"
-    sudo rm -f "${TARBALL}"
-
-    # Move the JSON file into place.
-    sudo cat "${TEMPDIR}"/"${COMPOSE_ID}".json | jq -M '.' | tee "${METADATA_FILE}" > /dev/null
-}
-
-# Build ostree image.
-build_image() {
-    blueprint_name=$1
-    image_type=$2
-
-    # Get worker unit file so we can watch the journal.
-    WORKER_UNIT=$(sudo systemctl list-units | grep -o -E "osbuild.*worker.*\.service")
-    sudo journalctl -af -n 1 -u "${WORKER_UNIT}" &
-    WORKER_JOURNAL_PID=$!
-    # Stop watching the worker journal when exiting.
-    trap 'sudo pkill -P ${WORKER_JOURNAL_PID}' EXIT
-
-    # Start the compose.
-    greenprint "🚀 Starting compose"
-    sudo composer-cli --json compose start "${blueprint_name}" "${image_type}" | tee "${COMPOSE_START}"
-    COMPOSE_ID=$(get_build_info ".build_id" "${COMPOSE_START}")
-
-    # Wait for the compose to finish.
-    greenprint "⏱ Waiting for compose to finish: ${COMPOSE_ID}"
-    while true; do
-        sudo composer-cli --json compose info "${COMPOSE_ID}" | tee "${COMPOSE_INFO}" > /dev/null
-        COMPOSE_STATUS=$(get_build_info ".queue_status" "${COMPOSE_INFO}")
-
-        # Is the compose finished?
-        if [[ ${COMPOSE_STATUS} != RUNNING ]] && [[ ${COMPOSE_STATUS} != WAITING ]]; then
-            break
-        fi
-
-        # Wait 30 seconds and try again.
-        sleep 5
-    done
-
-    # Capture the compose logs from osbuild.
-    greenprint "💬 Getting compose log and metadata"
-    get_compose_log "${COMPOSE_ID}"
-    get_compose_metadata "${COMPOSE_ID}"
-
-    # Kill the journal monitor immediately and remove the trap
-    sudo pkill -P "${WORKER_JOURNAL_PID}"
-    trap - EXIT
-
-    # Did the compose finish with success?
-    if [[ ${COMPOSE_STATUS} != FINISHED ]]; then
-        echo "Something went wrong with the compose. 😢"
-        exit 1
-    fi
-}
-
-greenprint "🚀 Checking custom repositories"
-
-REPO_ID="example"
-REPO_NAME="Example repo"
-REPO_FILENAME="custom.repo"
-REPO_BASEURL="https://example.com/download/yum"
-REPO_GPGKEY_URL="https://example.com/example-key.asc"
-REPO_GPGKEY="-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQGiBGRBSJURBACzCoe9UNfxOUiFLq9b60weSBFdr39mLViscecDWATNvXtgRoK/\nxl/4qpayzALRCQ2Ek/pMrbKPF/3ngECuBv7S+rI4n/rIia4FNcqzYeZAz4DE4NP/\neUGvz49tWhmH17hX/rmF9kz5kLq2bDZI4GDgZW/oMDdt2ivj092Ljm9jRwCgyQy3\nWEK6RJvIcSEh9vbdwVdMPOcD/iHqNejTMFwGyZfCWB0eIOoxUOUn/ZZpELTL2UpW\nGduCf3txb5SkK7M+WDbb0S5IvNXoi0tc13STiD6Oxg2O9PkSvvYb+8zxlhNoSTwy\n54j7Rf5FlnQ3TAFfjtQ5LCx56LKK73j4RjvKW//ktm5n54exsgo9Ry/e12T46dRg\n7tIlA/91rzLm57Qyc73A7zjgIzef9O6V5ZzowC+pp/jfb5pS9hXgROekLkMgX0vg\niA5rM5OpqK4bArVP1lRWnLyvghwO+TW763RVuXlS0scfzMy4g0NgrG6j7TIOKEqz\n4xQxOuwkudqiQr/kOqKuLxQBXa+5MJkyhfPmqYw5wpqyCwFa/7Q4b3NidWlsZCB0\nZXN0IChvc2J1aWxkIHRlc3QgZ3Bna2V5KSA8b3NidWlsZEBleGFtcGxlLmNvbT6I\newQTEQIAOxYhBGB8woiEPRKBO8Cr31lulpQgMejzBQJkQUiVAhsjBQsJCAcCAiIC\nBhUKCQgLAgQWAgMBAh4HAheAAAoJEFlulpQgMejzapMAoLmUg1mNDTRUaCrN/fzm\nHYLHL6jkAJ9pEKkJQiHB6SfD0fkiD2GkELYLubkBDQRkQUiVEAQAlAAXrQ572vuw\nxI3W8GSZmOQiAYOQmOKRloLEy6VZ3NSOb9y2TXj33QTkJBPOM17AzB7E+YjZrpUt\ngl6LlXmfjMcJAcXhFaUBCilAcMwMlLl7DtnSkLnLIXYmHiN0v83BH/H0EPutOc5l\n0QIyugutifp9SJz2+EWpC4bjA7GFkQ8AAwUD/1tLEGqCJ37O8gfzYt2PWkqBEoOY\n0Z3zwVS6PWW/IIkak9dAJ0iX5NMeFWpzFNfviDPHqhEdUR55zsxyUZIZlCX5jwmA\nt7qm3cbH4HNU1Ogq3Q9hykbTPWPZVkpvNm/TO8TA2brhkz3nuS8Hbmh+rjXFOSZj\nDQBUxItuuj2hhpQEiGAEGBECACAWIQRgfMKIhD0SgTvAq99ZbpaUIDHo8wUCZEFI\nlQIbDAAKCRBZbpaUIDHo83fQAKDHgFIaggaNsvDQkj7vMX0fecHRhACfS9Bvxn2W\nWSb6T+gChmYBseZwk/k=\n=DQ3i\n-----END PGP PUBLIC KEY BLOCK-----\n"
-REPO_GPGCHECK="true"
-REPO_ENABLED="true"
-
-# Write a basic blueprint for our image.
-tee "$BLUEPRINT_FILE" > /dev/null << EOF
-name = "custom-repo"
-description = "A base system with custom repositories enabled"
-version = "0.0.1"
-
-[[customizations.repositories]]
-id="${REPO_ID}"
-name="${REPO_NAME}"
-filename="${REPO_FILENAME}"
-baseurls=[ "${REPO_BASEURL}" ]
-gpgkeys=[ "${REPO_GPGKEY}", "${REPO_GPGKEY_URL}" ]
-gpgcheck=${REPO_GPGCHECK}
-enabled=${REPO_ENABLED}
-EOF
-
-# Prepare the blueprint for the compose.
-greenprint "📋 Preparing custom-repo blueprint"
-sudo composer-cli blueprints push "${BLUEPRINT_FILE}"
-sudo composer-cli blueprints depsolve custom-repo
-
-build_image custom-repo qcow2
-
-# Download the image
-greenprint "📥 Downloading the image"
-sudo composer-cli compose image "${COMPOSE_ID}" > /dev/null
-IMAGE_FILENAME="${COMPOSE_ID}-disk.qcow2"
-
-greenprint "💬 Getting image info"
-INFO="$(sudo /usr/libexec/osbuild-composer-test/image-info "${IMAGE_FILENAME}")"
-
-# Clean compose and blueprints.
-greenprint "🧼 Clean up osbuild-composer"
-sudo composer-cli compose delete "${COMPOSE_ID}" > /dev/null
-sudo composer-cli blueprints delete custom-repo > /dev/null
-
-greenprint "📗 Checking results"
-CUSTOM_REPO_EXISTS=$(jq --arg r "custom.repo" 'any(.yum_repos[] | keys | .[] == $r; .)' <<< "${INFO}")
-echo "CUSTOM_REPO_EXISTS: ${CUSTOM_REPO_EXISTS}"
-if "${CUSTOM_REPO_EXISTS}"; then
-    greenprint "✅ Custom image-builder repo file has been created"
-else
-    echo "❌ Custom repo has not been created"
-    exit 1
-fi
-
-REPO_CONTAINS_PATH_TO_KEY=$(jq --arg r "$REPO_ID" --arg k "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$REPO_ID-0" \
-  '.yum_repos[]."custom.repo" | to_entries | map(select(.key == $r) | .value) | any(.[] | .gpgkey | contains($k); .)' \
-  <<< "${INFO}")
-echo "REPO_CONTAINS_PATH_TO_KEY ${REPO_CONTAINS_PATH_TO_KEY}"
-if "${REPO_CONTAINS_PATH_TO_KEY}"; then
-    greenprint "✅ Custom image-builder repo file contains gpgkey file location"
-else
-    echo "❌ Custom repo does not contain gpgkey file location"
-    exit 1
-fi
-
-REPO_CONTAINS_KEY_URL=$(jq --arg r "$REPO_ID" --arg k "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-$REPO_ID-0" \
-  '.yum_repos[]."custom.repo" | to_entries | map(select(.key == $r) | .value) | any(.[] | .gpgkey | contains($k); .)' \
-  <<< "${INFO}")
-echo "REPO_CONTAINS_KEY_URL: ${REPO_CONTAINS_KEY_URL}"
-if "${REPO_CONTAINS_KEY_URL}"; then
-    greenprint "✅ Custom image-builder repo file contains gpgkey url"
-else
-    echo "❌ Custom repo does not contain gpgkey url"
-    exit 1
-fi
-
-echo "🎉 All tests passed."
-exit 0