sources: MTLS and proxy support for ostree

2024-09-19 15:40:38 +02:00 · 2024-09-19 15:40:38 +02:00 · ef24311f77
commit ef24311f77
parent dd16c2b769
12 changed files with 472 additions and 15 deletions
--- a/sources/test/test_curl_source.py
+++ b/sources/test/test_curl_source.py
@ -11,7 +11,7 @@ from unittest.mock import patch
 import pytest

 import osbuild.testutil
-from osbuild.testutil.net import http_serve_directory, https_serve_directory
+from osbuild.testutil.net import http_serve_directory, https_serve_directory, https_serve_directory_mtls

 SOURCES_NAME = "org.osbuild.curl"

@ -106,7 +106,7 @@ def test_curl_download_many_fail(curl_parallel):
    assert 'http://localhost:9876/random-not-exists: error code 7' in str(exp.value)


-def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert=""):
+def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert="", secret_name=""):
    """
    Create test sources for n_file. All files have the names
    0,1,2...
@ -127,6 +127,8 @@ def make_test_sources(fake_httpd_root, port, n_files, start_n=0, cacert=""):
        }
        if cacert:
            val["secrets"] = {}
+            if secret_name != "":
+                val["secrets"]["name"] = secret_name
            val["secrets"]["ssl_ca_cert"] = cacert
        sources[key] = val
        (fake_httpd_root / name).write_text(name, encoding="utf8")
@ -401,3 +403,33 @@ def test_curl_download_many_mixed_certs(tmp_path, monkeypatch, sources_module, c

            assert httpds.reqs.count == 2
            assert httpds2.reqs.count == 2
+
+
+def test_curl_download_mtls(tmp_path, monkeypatch, sources_service):
+    fake_httpd_root = tmp_path / "fake-httpd-root"
+    cert_dir = pathlib.Path(__file__).parent.parent.parent / "test/data/certs"
+    cacert = cert_dir / "test-ca.crt"
+    assert cacert.exists()
+    servercert = cert_dir / "localhost-server.crt"
+    assert servercert.exists()
+    serverkey = cert_dir / "localhost-server.key"
+    assert serverkey.exists()
+    clientcert = cert_dir / "client1-client.crt"
+    assert clientcert.exists()
+    clientkey = cert_dir / "client1-client.key"
+    assert clientkey.exists()
+
+    monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CA_CERT", cacert.as_posix())
+    monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CLIENT_CERT", clientcert.as_posix())
+    monkeypatch.setenv("OSBUILD_SOURCES_CURL_SSL_CLIENT_KEY", clientkey.as_posix())
+
+    with https_serve_directory_mtls(fake_httpd_root, ca_cert=cacert,
+                                    server_cert=servercert, server_key=serverkey) as httpds:
+        test_sources = make_test_sources(
+            fake_httpd_root, httpds.server_port, 1, cacert=cacert, secret_name="org.osbuild.mtls")
+
+        sources_service.cache = tmp_path / "curl-download-dir"
+        sources_service.cache.mkdir()
+        sources_service.fetch_all(test_sources)
+
+        assert httpds.reqs.count == 1
--- a/sources/test/test_ostree_source.py
+++ b/sources/test/test_ostree_source.py
@ -0,0 +1,70 @@
+#!/usr/bin/python3
+
+import pathlib
+
+from osbuild.testutil.net import http_serve_directory, https_serve_directory
+from osbuild.util import ostree
+
+SOURCES_NAME = "org.osbuild.ostree"
+
+
+def test_ostree_source_not_exists(tmp_path, sources_service):
+    checksum = "sha256:1111111111111111111111111111111111111111111111111111111111111111"
+    sources_service.setup({"cache": tmp_path, "options": {}})
+    assert not sources_service.exists(checksum, None)
+
+
+def test_ostree_source_exists(tmp_path, sources_service):
+    sources_service.setup({"cache": tmp_path, "options": {}})
+    repo = tmp_path / "org.osbuild.ostree" / "repo"
+    commit = ostree.cli("commit", f"--repo={repo}", "--orphan", "/var/empty")
+    assert sources_service.exists("sha256:" + commit.stdout, None)
+
+
+def make_test_sources(proto, port, fake_commit, **secrets):
+    sources = {
+        fake_commit: {
+            "remote": {
+                "url": f"{proto}://localhost:{port}",
+            }
+        }
+    }
+    if secrets:
+        sources[fake_commit]["remote"]["secrets"] = secrets
+    return sources
+
+
+def make_repo(root):
+    ostree.cli("init", f"--repo={root}")
+    return ostree.cli("commit", f"--repo={root}", "--orphan", "/var/empty").stdout.rstrip()
+
+
+def test_ostree_pull_plain(tmp_path, sources_service):
+    fake_httpd_root = tmp_path / "fake-httpd-root"
+    fake_httpd_root.mkdir(exist_ok=True)
+    fake_commit = make_repo(fake_httpd_root)
+
+    with http_serve_directory(fake_httpd_root) as httpd:
+        test_sources = make_test_sources("http", httpd.server_port, fake_commit)
+        sources_service.setup({"cache": tmp_path, "options": {}})
+        sources_service.fetch_all(test_sources)
+        assert sources_service.exists("sha256:" + fake_commit, None)
+
+
+def test_ostree_pull_plain_mtls(tmp_path, sources_service, monkeypatch):
+    fake_httpd_root = tmp_path / "fake-httpd-root"
+    fake_httpd_root.mkdir(exist_ok=True)
+    fake_commit = make_repo(fake_httpd_root)
+
+    cert_dir = pathlib.Path(__file__).parent.parent.parent / "test" / "data" / "certs"
+    cert1 = cert_dir / "cert1.pem"
+    assert cert1.exists()
+    key1 = cert_dir / "key1.pem"
+    assert key1.exists()
+
+    with https_serve_directory(fake_httpd_root, cert1, key1) as httpd:
+        monkeypatch.setenv("OSBUILD_SOURCES_OSTREE_INSECURE", "1")
+        test_sources = make_test_sources("https", httpd.server_port, fake_commit, name="org.osbuild.mtls")
+        sources_service.setup({"cache": tmp_path, "options": {}})
+        sources_service.fetch_all(test_sources)
+        assert sources_service.exists("sha256:" + fake_commit, None)