cloudapi: require gpgkey if check_gpg is set

If a user requires that packages from a certain repository are checked using a GPG key, they should specify it. Now, this is enforced to catch this issue earlier than in osbuild. Signed-off-by: Ondřej Budai <ondrej@budai.cz>
2022-03-25 09:21:09 +01:00 · 2022-03-25 09:21:09 +01:00 · 7a194bfcb5
commit 7a194bfcb5
parent af44202b1c
3 changed files with 45 additions and 12 deletions
--- a/internal/cloudapi/v2/errors.go
+++ b/internal/cloudapi/v2/errors.go
@ -42,6 +42,7 @@ const (
 	ErrorInvalidJobType               ServiceErrorCode = 26
 	ErrorInvalidOSTreeParams          ServiceErrorCode = 27
 	ErrorTenantNotFound               ServiceErrorCode = 28
+	ErrorNoGPGKey                     ServiceErrorCode = 29

 	// Internal errors, these are bugs
 	ErrorFailedToInitializeBlueprint              ServiceErrorCode = 1000
@ -107,6 +108,7 @@ func getServiceErrors() serviceErrors {
 		serviceError{ErrorInvalidNumberOfImageBuilds, http.StatusBadRequest, "Compose request has unsupported number of image builds"},
 		serviceError{ErrorInvalidOSTreeParams, http.StatusBadRequest, "Invalid OSTree parameters or parameter combination"},
 		serviceError{ErrorTenantNotFound, http.StatusBadRequest, "Tenant not found in JWT claims"},
+		serviceError{ErrorNoGPGKey, http.StatusBadRequest, "Invalid repository, when check_gpg is set, gpgkey must be specified"},

 		serviceError{ErrorFailedToInitializeBlueprint, http.StatusInternalServerError, "Failed to initialize blueprint"},
 		serviceError{ErrorFailedToGenerateManifestSeed, http.StatusInternalServerError, "Failed to generate manifest seed"},
--- a/internal/cloudapi/v2/v2.go
+++ b/internal/cloudapi/v2/v2.go
@ -1272,5 +1272,9 @@ func genRepoConfig(repo Repository) (*rpmmd.RepoConfig, error) {
 		repoConfig.IgnoreSSL = *repo.IgnoreSsl
 	}

+	if repoConfig.CheckGPG && repoConfig.GPGKey == "" {
+		return nil, HTTPError(ErrorNoGPGKey)
+	}
+
 	return repoConfig, nil
 }
--- a/internal/cloudapi/v2/v2_internal_test.go
+++ b/internal/cloudapi/v2/v2_internal_test.go
@ -230,17 +230,44 @@ func TestRepoConfigConversion(t *testing.T) {
 		assert.Equal(rc, &tc.repoConfig, "mismatch in test case %d", idx)
 	}

-	// test error
-	noURL := Repository{
-		Baseurl:     nil,
-		CheckGpg:    nil,
-		Gpgkey:      nil,
-		IgnoreSsl:   nil,
-		Metalink:    nil,
-		Mirrorlist:  nil,
-		Rhsm:        true,
-		PackageSets: nil,
+	errorTestCases := []struct {
+		repo Repository
+		err  string
+	}{
+		// invalid repo
+		{
+			repo: Repository{
+				Baseurl:     nil,
+				CheckGpg:    nil,
+				Gpgkey:      nil,
+				IgnoreSsl:   nil,
+				Metalink:    nil,
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorInvalidRepository).Error(),
+		},
+
+		// check gpg required but no gpgkey given
+		{
+			repo: Repository{
+				Baseurl:     nil,
+				CheckGpg:    common.BoolToPtr(true),
+				Gpgkey:      nil,
+				IgnoreSsl:   common.BoolToPtr(true),
+				Metalink:    common.StringToPtr("http://example.org/metalink"),
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorNoGPGKey).Error(),
+		},
+	}
+
+	for _, tc := range errorTestCases {
+		rc, err := genRepoConfig(tc.repo)
+		assert.Nil(rc)
+		assert.EqualError(err, tc.err)
 	}
-	_, err := genRepoConfig(noURL)
-	assert.EqualError(err, HTTPError(ErrorInvalidRepository).Error())
 }