From 359100e1a12256a71881f9ea3d3edd4d8366deed Mon Sep 17 00:00:00 2001 From: Achilleas Koutsou Date: Wed, 21 Jul 2021 21:19:09 +0200 Subject: [PATCH] test/api.sh: more robust edge commit validation Instead of inspecting the tarball directly, extract it and use ostree to verify the ref and commit ID. Adds some data to the CI artifacts directory: - Build manifest - Tarball file list for s3 edge commit with s3 upload - Build metadata --- test/cases/api.sh | 48 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/test/cases/api.sh b/test/cases/api.sh index 764bc02ee..7ccc9524f 100755 --- a/test/cases/api.sh +++ b/test/cases/api.sh @@ -14,6 +14,9 @@ set -euxo pipefail +ARTIFACTS=ci-artifacts +mkdir -p "${ARTIFACTS}" + source /etc/os-release DISTRO_CODE="${DISTRO_CODE:-${ID}_${VERSION_ID//./}}" @@ -409,6 +412,11 @@ function createReqFileAWS() { EOF } +# +# Global var for ostree ref (only used in aws.s3 now) +# +OSTREE_REF="test/rhel/8/edge" + function createReqFileAWSS3() { cat > "$REQUEST_FILE" << EOF { @@ -424,7 +432,7 @@ function createReqFileAWSS3() { "image_type": "rhel-edge-commit", "repositories": $(jq ".\"$ARCH\"" /usr/share/tests/osbuild-composer/repositories/"$DISTRO".json), "ostree": { - "ref": "test/rhel/8/edge" + "ref": "${OSTREE_REF}" }, "upload_request": { "type": "aws.s3", @@ -625,6 +633,12 @@ test "$UPLOAD_STATUS" = "success" test "$UPLOAD_TYPE" = "$CLOUD_PROVIDER" test $((INIT_COMPOSES+1)) = "$SUBS_COMPOSES" +# +# Save the Manifest from the osbuild-composer store +# NOTE: The rest of the job data can contain sensitive information +# +sudo jq -rM .args.manifest /var/lib/osbuild-composer/jobs/"${COMPOSE_ID}".json > "${ARTIFACTS}/manifest.json" + # # Verify the Cloud-provider specific upload_status options # @@ -794,8 +808,20 @@ function verifyInAWSS3() { # Download the commit using the Presigned URL curl "${S3_URL}" --output "${WORKDIR}/edge-commit.tar" + # extract tarball and save file list to artifacts directroy + local COMMIT_DIR + COMMIT_DIR="${WORKDIR}/edge-commit" + mkdir -p "${COMMIT_DIR}" + tar xvf "${WORKDIR}/edge-commit.tar" -C "${COMMIT_DIR}" > "${ARTIFACTS}/edge-commit-filelist.txt" + # Verify that the commit contains the ref we defined in the request - tar tvf "${WORKDIR}/edge-commit.tar" "repo/refs/heads/test/rhel/8/edge" + sudo dnf install -y ostree + local COMMIT_REF + COMMIT_REF=$(ostree refs --repo "${COMMIT_DIR}/repo") + if [[ "${COMMIT_REF}" != "${OSTREE_REF}" ]]; then + echo "Commit ref in archive does not match request 😠" + exit 1 + fi # verify that the commit hash matches the metadata local API_COMMIT_ID @@ -807,8 +833,9 @@ function verifyInAWSS3() { --cert /etc/osbuild-composer/client-crt.pem \ https://localhost/api/composer/v1/compose/"$COMPOSE_ID"/metadata | jq -r '.ostree_commit') + local TAR_COMMIT_ID - TAR_COMMIT_ID=$(tar xf "${WORKDIR}/edge-commit.tar" "repo/refs/heads/test/rhel/8/edge" -O) + TAR_COMMIT_ID=$(ostree rev-parse --repo "${COMMIT_DIR}/repo" "${OSTREE_REF}") if [[ "${API_COMMIT_ID}" != "${TAR_COMMIT_ID}" ]]; then echo "Commit ID returned from API does not match Commit ID in archive 😠" @@ -923,14 +950,15 @@ esac # Verify selected package (postgresql) is included in package list function verifyPackageList() { + # Save build metadata to artifacts directory for troubleshooting + curl --silent \ + --show-error \ + --cacert /etc/osbuild-composer/ca-crt.pem \ + --key /etc/osbuild-composer/client-key.pem \ + --cert /etc/osbuild-composer/client-crt.pem \ + https://localhost/api/composer/v1/compose/"$COMPOSE_ID"/metadata --output "${ARTIFACTS}/metadata.json" local PACKAGENAMES - PACKAGENAMES=$(curl \ - --silent \ - --show-error \ - --cacert /etc/osbuild-composer/ca-crt.pem \ - --key /etc/osbuild-composer/client-key.pem \ - --cert /etc/osbuild-composer/client-crt.pem \ - https://localhost/api/composer/v1/compose/"$COMPOSE_ID"/metadata | jq -r '.packages[].name') + PACKAGENAMES=$(jq -rM '.packages[].name' "${ARTIFACTS}/metadata.json") if ! grep -q postgresql <<< "${PACKAGENAMES}"; then echo "'postgresql' not found in compose package list 😠"