blueprint: add gpgkey validation

Add custom repo gpg keys validation checks to
make sure that a gpg key is either a valid key
or a valid url.
Gianluca Zuccarelli 2023-04-24 12:25:48 +01:00 committed by Gianluca Zuccarelli
parent 72d33c8651
commit f59e248bc8
2 changed files with 52 additions and 14 deletions


@ -3,6 +3,7 @@ package blueprint
import (
"fmt"
"net/url"
"strings"
"github.com/osbuild/osbuild-composer/internal/fsnode"
"github.com/osbuild/osbuild-composer/internal/rpmmd"
@ -35,6 +36,23 @@ func validateCustomRepository(repo *RepositoryCustomization) error {
if repo.GPGCheck != nil && *repo.GPGCheck && len(repo.GPGKeys) == 0 {
return fmt.Errorf("Repository gpg check is set to true but no gpg keys are provided")
}
for _, key := range repo.GPGKeys {
// check for a valid GPG key prefix & contains GPG suffix
keyIsGPGKey := strings.HasPrefix(key, "-----BEGIN PGP PUBLIC KEY BLOCK-----") && strings.Contains(key, "-----END PGP PUBLIC KEY BLOCK-----")
// check for a valid URL
keyIsURL := false
_, err := url.ParseRequestURI(key)
if err == nil {
keyIsURL = true
}
if !keyIsGPGKey && !keyIsURL {
return fmt.Errorf("Repository gpg key is not a valid URL or a valid gpg key")
}
}
return nil
}
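Review bot: The URL branch of the new loop in validateCustomRepository accepts much more than a fetchable key location, because `url.ParseRequestURI` succeeds for any absolute path and for any scheme, so a value such as `/invalid` counts as a "valid URL". These keys appear to end up as the trust anchor for package signature checks, so the check should keep the parsed value and compare its scheme with what the key-fetching code supports, e.g. `u, err := url.ParseRequestURI(key)` then `keyIsURL := err == nil && (u.Scheme == "https" || u.Scheme == "http" || u.Scheme == "file")`; the exact scheme list is an assumption to confirm against the consumer. The inline-key branch only looks for the armor header and footer markers, so its comment should say so: `// shape check only: does not verify that the armored block decodes to an OpenPGP key`. The function's start lies outside the hunk.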


@ -65,6 +65,20 @@ func TestGetCustomRepositories(t *testing.T) {
},
wantErr: fmt.Errorf("Repository gpg check is set to true but no gpg keys are provided"),
},
{
name: "Test invalid GPG keys error",
expectedCustomizations: Customizations{
Repositories: []RepositoryCustomization{
{
Id: "example-1",
BaseURLs: []string{"http://example-1.com"},
GPGKeys: []string{"invalid"},
GPGCheck: common.ToPtr(true),
},
},
},
wantErr: fmt.Errorf("Repository gpg key is not a valid URL or a valid gpg key"),
},
}
for _, tt := range testCases {
@ -245,14 +259,14 @@ func TestCustomRepoToRepoConfigAndGPGKeys(t *testing.T) {
{
Id: "example-1",
BaseURLs: []string{"http://example-1.com"},
GPGKeys: []string{"fake-gpg-key-1"},
GPGKeys: []string{"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n"},
GPGCheck: common.ToPtr(true),
SSLVerify: true,
},
{
Id: "example-2",
BaseURLs: []string{"http://example-2.com"},
GPGKeys: []string{"fake-gpg-key-2"},
GPGKeys: []string{"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-2-----END PGP PUBLIC KEY BLOCK-----\n"},
GPGCheck: common.ToPtr(true),
SSLVerify: true,
},
@ -276,24 +290,30 @@ func TestCustomRepoToRepoConfigAndGPGKeys(t *testing.T) {
},
},
WantGPGKeys: []*fsnode.File{
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-0", nil, nil, nil, []byte("fake-gpg-key-1"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-0", nil, nil, nil, []byte("fake-gpg-key-1"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-0", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-0", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n"))),
},
},
{
Name: "Test multiple inline gpgkeys",
Repos: []RepositoryCustomization{
{
Id: "example-1",
BaseURLs: []string{"http://example-1.com"},
GPGKeys: []string{"fake-gpg-key-1", "fake-gpg-key-2"},
Id: "example-1",
BaseURLs: []string{"http://example-1.com"},
GPGKeys: []string{
"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n",
"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-2-----END PGP PUBLIC KEY BLOCK-----\n",
},
GPGCheck: common.ToPtr(true),
SSLVerify: true,
},
{
Id: "example-2",
BaseURLs: []string{"http://example-2.com"},
GPGKeys: []string{"fake-gpg-key-1", "fake-gpg-key-2"},
Id: "example-2",
BaseURLs: []string{"http://example-2.com"},
GPGKeys: []string{
"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n",
"-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-2-----END PGP PUBLIC KEY BLOCK-----\n",
},
GPGCheck: common.ToPtr(true),
SSLVerify: true,
},
@ -317,10 +337,10 @@ func TestCustomRepoToRepoConfigAndGPGKeys(t *testing.T) {
},
},
WantGPGKeys: []*fsnode.File{
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-0", nil, nil, nil, []byte("fake-gpg-key-1"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-1", nil, nil, nil, []byte("fake-gpg-key-2"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-0", nil, nil, nil, []byte("fake-gpg-key-1"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-1", nil, nil, nil, []byte("fake-gpg-key-2"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-0", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-1-1", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-2-----END PGP PUBLIC KEY BLOCK-----\n"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-0", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-1-----END PGP PUBLIC KEY BLOCK-----\n"))),
ensureFileCreation(fsnode.NewFile("/etc/pki/rpm-gpg/RPM-GPG-KEY-example-2-1", nil, nil, nil, []byte("-----BEGIN PGP PUBLIC KEY BLOCK-----fake-gpg-key-2-----END PGP PUBLIC KEY BLOCK-----\n"))),
},
},
}
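Review bot: The case added to TestGetCustomRepositories covers only the plain string `invalid`, so the boundaries of the new validation are untested. Worth adding are a key with the BEGIN marker but no END marker, which should be rejected (constructed example: `GPGKeys: []string{"-----BEGIN PGP PUBLIC KEY BLOCK-----truncated"}`), and a URL key, which should be accepted. A path-like value such as `"/invalid"` would also pin down whether absolute paths are meant to pass as URLs, which the current tests leave undecided.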