This is right when PR-952 landed, which is what we are updating
from. This will use SSL certification and also re-enable auto
kerberos authorization via config files for composer.
Instead of manually copying credentials around, use the new
copy-creds.sh script. Also don't manually initialize kerberos,
because that is now done automatically by the worker and the
builder.
This script is intended to be called between "run-koji-container"
and "run-builder". It will copy the kerberos keytabs out of the
temporary directory generated by "run-koji-container" as well as
copying the SSL/TLS certificates from host to the share dir so
that the plugin can use it to authenticate itself to composer.
This will create a certificate authority (CA) and then create
a cert for composer and another one for the worker. The worker
one can also be used by the koji plugin.
The configuration file is needed to get subjectAltName working.
Add support for client side certificates via a new configuration
option: "ssl_cert", which should be a path to the certificate or
a comma separated list of paths to certificates.
Additionally, the "ssl_verify" option controls how the server
certificate is validated. This can either be a boolean ("True",
"False") or a path to a CA file.
NB: The url for the composer host must contain "https" for the
ssl/tls engine to kick in.
When used as a stand-alone koji API client, two new command
line options are provided, --cert and --ca. See their help
text for a description.
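An added example, not code from the plugin itself: one way the "ssl_cert" and "ssl_verify" option strings could be turned into the cert/verify values a requests session takes. Function names, the sample URL and the paths are hypothetical, and reading a two-item "ssl_cert" list as (certificate, key) is an assumption. It shows why "False" must be parsed explicitly: as a plain string it would be treated as a CA file path instead of switching verification off.

```python
# Added example; all names here are hypothetical, not the plugin's own code.
from urllib.parse import urlparse


def parse_ssl_cert(value):
    """Map the "ssl_cert" string to the `cert` value requests accepts."""
    paths = [p.strip() for p in value.split(",") if p.strip()]
    if not paths:
        return None                   # no client certificate configured
    if len(paths) == 1:
        return paths[0]               # one file holding cert and key
    if len(paths) == 2:
        return (paths[0], paths[1])   # assumed order: certificate, key
    raise ValueError("ssl_cert: expected one or two paths")


def parse_ssl_verify(value):
    """Map the "ssl_verify" string to a bool or a CA file path."""
    text = value.strip()
    if not text:
        raise ValueError("ssl_verify: empty value")
    if text.lower() == "true":
        return True
    if text.lower() == "false":
        return False                  # a real bool, not the string "False"
    return text                       # anything else is a CA file path


def session_tls_options(url, ssl_cert="", ssl_verify="True"):
    """Return the cert/verify pair to set on a requests session."""
    if urlparse(url).scheme != "https":
        # Without https the TLS options are never used; refuse rather
        # than silently sending requests without the client certificate.
        if ssl_cert.strip():
            raise ValueError("ssl_cert is set but the URL is not https")
        return {"cert": None, "verify": True}
    return {"cert": parse_ssl_cert(ssl_cert),
            "verify": parse_ssl_verify(ssl_verify)}


if __name__ == "__main__":
    # Constructed sample values.
    print(session_tls_options("https://composer.example.test",
                              "/share/worker-crt.pem, /share/worker-key.pem",
                              "/share/ca-crt.pem"))
```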
Use the standard session and options mock object together with the
new composer mock object to simulate a successful compose:
the mock composer will accept the request and also status calls
for it, which will immediately return with success. The plugin
should then return and indicate a successful compose.
Use httpretty to mock composer responses. Create a helper method
to configure a session object that should result in a valid
compose request. Simulate a bad request by asking for an arch
that the mock composer will refuse and check the correct exception
is thrown in the builder plugin.
Use the requests python package, which is more convenient to use,
and also supports sessions, where global options, like TLS certs
can be set.
Adapt the container and the spec file to install and require
the python package.
Add the requests and httpretty packages to the test environment.
The former will be used in the builder plugin and the latter for
mocking http requests.
Create a new plugintest.PluginTest class that shares the plugin
loading code that is common to all plugin testing. Adapt the
existing (hub, builder) tests.
Also correct the name for test_builder.TestHubPlugin to
TestBuilderPlugin.
Create a github action that accepts any command with args and runs
it in a container that is prepared with all the dependencies for
koji (hub, builder, command line), so all tests, like pylint or
unit tests can run in it.
Instead of creating a compose from integration.sh, use the new
python based integration tests. The integration.sh script will
thus just set up the environment and the actual tests are all
found in test/integration/
The 'koji' parameter for the compose request is called that way to
follow the OpenAPI spec, so silence the "redefined-outer-name"
warning.
The handler function needs to have the actual task arguments and thus
on purpose deviates from the argument list of the base class'
handler method. So silence that.