cloudapi: require gpgkey if check_gpg is set

If a user requires that packages from a certain repository are checked using
a GPG key, they should specify it. Now, this is enforced to catch this issue
earlier than in osbuild.

Signed-off-by: Ondřej Budai <ondrej@budai.cz>

internal/cloudapi/v2/errors.go

@@ -42,6 +42,7 @@ const (
 	ErrorInvalidJobType               ServiceErrorCode = 26
 	ErrorInvalidOSTreeParams          ServiceErrorCode = 27
 	ErrorTenantNotFound               ServiceErrorCode = 28
+	ErrorNoGPGKey                     ServiceErrorCode = 29
 
 	// Internal errors, these are bugs
 	ErrorFailedToInitializeBlueprint              ServiceErrorCode = 1000
@@ -107,6 +108,7 @@ func getServiceErrors() serviceErrors {
 		serviceError{ErrorInvalidNumberOfImageBuilds, http.StatusBadRequest, "Compose request has unsupported number of image builds"},
 		serviceError{ErrorInvalidOSTreeParams, http.StatusBadRequest, "Invalid OSTree parameters or parameter combination"},
 		serviceError{ErrorTenantNotFound, http.StatusBadRequest, "Tenant not found in JWT claims"},
+		serviceError{ErrorNoGPGKey, http.StatusBadRequest, "Invalid repository, when check_gpg is set, gpgkey must be specified"},
 
 		serviceError{ErrorFailedToInitializeBlueprint, http.StatusInternalServerError, "Failed to initialize blueprint"},
 		serviceError{ErrorFailedToGenerateManifestSeed, http.StatusInternalServerError, "Failed to generate manifest seed"},

internal/cloudapi/v2/v2.go

@@ -1272,5 +1272,9 @@ func genRepoConfig(repo Repository) (*rpmmd.RepoConfig, error) {
 		repoConfig.IgnoreSSL = *repo.IgnoreSsl
 	}
 
+	if repoConfig.CheckGPG && repoConfig.GPGKey == "" {
+		return nil, HTTPError(ErrorNoGPGKey)
+	}
+
 	return repoConfig, nil
 }

internal/cloudapi/v2/v2_internal_test.go

@@ -230,17 +230,44 @@ func TestRepoConfigConversion(t *testing.T) {
 		assert.Equal(rc, &tc.repoConfig, "mismatch in test case %d", idx)
 	}
 
-	// test error
+	errorTestCases := []struct {
-	noURL := Repository{
+		repo Repository
-		Baseurl:     nil,
+		err  string
-		CheckGpg:    nil,
+	}{
-		Gpgkey:      nil,
+		// invalid repo
-		IgnoreSsl:   nil,
+		{
-		Metalink:    nil,
+			repo: Repository{
-		Mirrorlist:  nil,
+				Baseurl:     nil,
-		Rhsm:        true,
+				CheckGpg:    nil,
-		PackageSets: nil,
+				Gpgkey:      nil,
+				IgnoreSsl:   nil,
+				Metalink:    nil,
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorInvalidRepository).Error(),
+		},
+
+		// check gpg required but no gpgkey given
+		{
+			repo: Repository{
+				Baseurl:     nil,
+				CheckGpg:    common.BoolToPtr(true),
+				Gpgkey:      nil,
+				IgnoreSsl:   common.BoolToPtr(true),
+				Metalink:    common.StringToPtr("http://example.org/metalink"),
+				Mirrorlist:  nil,
+				Rhsm:        true,
+				PackageSets: nil,
+			},
+			err: HTTPError(ErrorNoGPGKey).Error(),
+		},
+	}
+
+	for _, tc := range errorTestCases {
+		rc, err := genRepoConfig(tc.repo)
+		assert.Nil(rc)
+		assert.EqualError(err, tc.err)
 	}
-	_, err := genRepoConfig(noURL)
-	assert.EqualError(err, HTTPError(ErrorInvalidRepository).Error())
 }