29f66a251f
Version 5.22 introduced a new option to /etc/containers/policy.json called
keyPaths, see
https://github.com/containers/image/pull/1609
EL9 immediately took advantage of this new feature and started using it, see
04645c4a84
This quickly became an issue in our code: The go library (containers/image)
parses the configuration file very strictly and refuses to create a client
when policy.json with an unknown key is present on the filesystem. As we
used 5.21.1 that doesn't know the new key, our unit tests started to
failing when containers-common was present.
Reproducer:
podman run --pull=always --rm -it centos:stream9
dnf install -y dnf-plugins-core
dnf config-manager --set-enabled crb
dnf install -y gpgme-devel libassuan-devel krb5-devel golang git-core
git clone https://github.com/osbuild/osbuild-composer
cd osbuild-composer
# install the new containers-common and run the test
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/44.el9/x86_64/containers-common-1-44.el9.x86_64.rpm
go test -count 1 ./...
# this returns:
--- FAIL: TestClientResolve (0.00s)
client_test.go:31:
Error Trace: client_test.go:31
Error: Received unexpected error:
Unknown key "keyPaths"
invalid policy in "/etc/containers/policy.json"
github.com/containers/image/v5/signature.NewPolicyFromFile
/osbuild-composer/vendor/github.com/containers/image/v5/signature/policy_config.go:88
github.com/osbuild/osbuild-composer/internal/container.NewClient
/osbuild-composer/internal/container/client.go:123
github.com/osbuild/osbuild-composer/internal/container_test.TestClientResolve
/osbuild-composer/internal/container/client_test.go:29
testing.tRunner
/usr/lib/golang/src/testing/testing.go:1439
runtime.goexit
/usr/lib/golang/src/runtime/asm_amd64.s:1571
Test: TestClientResolve
client_test.go:32:
Error Trace: client_test.go:32
Error: Expected value not to be nil.
Test: TestClientResolve
When run with an older containers-common, it succeeds:
dnf install -y https://kojihub.stream.centos.org/kojifiles/packages/containers-common/1/40.el9/x86_64/containers-common-1-40.el9.x86_64.rpm
go test -count 1 ./...
PASS
To sum it up, I had to upgrade github.com/containers/image/v5 to v5.22.0.
Unfortunately, this wasn't so simple, see
go get github.com/containers/image/v5@latest
go: github.com/containers/image/v5@v5.22.0 requires
github.com/letsencrypt/boulder@v0.0.0-20220331220046-b23ab962616e requires
github.com/honeycombio/beeline-go@v1.1.1 requires
github.com/gobuffalo/pop/v5@v5.3.1 requires
github.com/mattn/go-sqlite3@v2.0.3+incompatible: reading github.com/mattn/go-sqlite3/go.mod at revision v2.0.3: unknown revision v2.0.3
It turns out that github.com/mattn/go-sqlite3@v2.0.3+incompatible has been
recently retracted https://github.com/mattn/go-sqlite3/pull/998 and this
broke a ton of packages depending on it. I was able to fix it by adding
exclude github.com/mattn/go-sqlite3 v2.0.3+incompatible
to our go.mod, see
https://github.com/mattn/go-sqlite3/issues/975#issuecomment-955661657
After adding it,
go get github.com/containers/image/v5@latest
succeeded and tools/prepare-source.sh took care of the rest.
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
74 lines
2.4 KiB
Go
74 lines
2.4 KiB
Go
package revocation
|
|
|
|
import (
|
|
"fmt"
|
|
"sort"
|
|
"strings"
|
|
|
|
"golang.org/x/crypto/ocsp"
|
|
)
|
|
|
|
// Reason is used to specify a certificate revocation reason
|
|
type Reason int
|
|
|
|
// ReasonToString provides a map from reason code to string
|
|
var ReasonToString = map[Reason]string{
|
|
ocsp.Unspecified: "unspecified",
|
|
ocsp.KeyCompromise: "keyCompromise",
|
|
ocsp.CACompromise: "cACompromise",
|
|
ocsp.AffiliationChanged: "affiliationChanged",
|
|
ocsp.Superseded: "superseded",
|
|
ocsp.CessationOfOperation: "cessationOfOperation",
|
|
ocsp.CertificateHold: "certificateHold",
|
|
// 7 is unused
|
|
ocsp.RemoveFromCRL: "removeFromCRL",
|
|
ocsp.PrivilegeWithdrawn: "privilegeWithdrawn",
|
|
ocsp.AACompromise: "aAcompromise",
|
|
}
|
|
|
|
// UserAllowedReasons contains the subset of Reasons which users are
|
|
// allowed to use
|
|
var UserAllowedReasons = map[Reason]struct{}{
|
|
ocsp.Unspecified: {},
|
|
ocsp.KeyCompromise: {},
|
|
ocsp.AffiliationChanged: {},
|
|
ocsp.Superseded: {},
|
|
ocsp.CessationOfOperation: {},
|
|
}
|
|
|
|
// AdminAllowedReasons contains the subset of Reasons which admins are allowed
|
|
// to use. Reasons not found here will soon be forbidden from appearing in CRLs
|
|
// or OCSP responses by root programs.
|
|
var AdminAllowedReasons = map[Reason]struct{}{
|
|
ocsp.Unspecified: {},
|
|
ocsp.KeyCompromise: {},
|
|
ocsp.AffiliationChanged: {},
|
|
ocsp.Superseded: {},
|
|
ocsp.CessationOfOperation: {},
|
|
ocsp.PrivilegeWithdrawn: {},
|
|
}
|
|
|
|
// UserAllowedReasonsMessage contains a string describing a list of user allowed
|
|
// revocation reasons. This is useful when a revocation is rejected because it
|
|
// is not a valid user supplied reason and the allowed values must be
|
|
// communicated. This variable is populated during package initialization.
|
|
var UserAllowedReasonsMessage = ""
|
|
|
|
func init() {
|
|
// Build a slice of ints from the allowed reason codes.
|
|
// We want a slice because iterating `UserAllowedReasons` will change order
|
|
// and make the message unpredictable and cumbersome for unit testing.
|
|
// We use []ints instead of []Reason to use `sort.Ints` without fuss.
|
|
var allowed []int
|
|
for reason := range UserAllowedReasons {
|
|
allowed = append(allowed, int(reason))
|
|
}
|
|
sort.Ints(allowed)
|
|
|
|
var reasonStrings []string
|
|
for _, reason := range allowed {
|
|
reasonStrings = append(reasonStrings, fmt.Sprintf("%s (%d)",
|
|
ReasonToString[Reason(reason)], reason))
|
|
}
|
|
UserAllowedReasonsMessage = strings.Join(reasonStrings, ", ")
|
|
}
|