
Add Collection Signing Feature - Standalone Mode #1145

Merged (7 commits, Mar 24, 2022)

Conversation

rochacbruno
Member

@rochacbruno rochacbruno commented Feb 25, 2022

Description 🛠

  • Sets access policies for signing
  • Surface sign permissions on _ui/me
  • Add /sign/collection/ endpoint for on-demand signing
  • Add signed_only field to the remote serializer
  • Surface signatures on v3/content/collections
  • Surface signature data on _ui/collection* endpoints
  • Add sign state annotations to the _ui/ endpoints
  • Add sign state filtering to the _ui/ endpoints
  • Add signing tasks
  • Call sign_and_move when AUTO_SIGN is configured on /move/ endpoint
    (when dest repo is golden)
  • Changed move tasks to move signatures with collections
  • Added logging for signatures
  • Added integration tests

Functionalities

Accessing signatures (for CLI and Sync)

GET /api/automation-hub/content/published/v3/collections/namespace/collection/versions/1.0.0/
...
"signatures": [
        {
            "signature": "-----BEGIN PGP SIGNATURE-----\n\niQHIBAABCAAyFiEE6+0XDoyUgOIqHQWbFSUOnsCmJXcFAmHhg0EUHGdhbGF4eTNA\nYW5zaWJsZS5jb20ACgkQFSUOnsCmJXeKmgv/ed8eSOLr4SMbjP+cJILG5749UqfT\nmUz3+3eDfpe2YJpNGfWavWuMbuYAiujWDXsN46qhOdAFwvdkWxRj2GDK/V+1qB+P\nixtQQZ7Drpc8eEOVYYjFIH8+NoXmoeJCKL9ifOmIgtpapzBt09H1qVTIWuzPhmb0\nSt98nGLcEQeXHxzfebSx06NlKEt0n607hur9nZ+Lwy5I7jZtiEgcyezejQAzoQFv\nwcA52IgOnruyMLP6QdjVPJg/ZzqrvrlLe33zSIGr5271TW4YVgOHzV7aOcUVWpKr\nR4m2GXFEQ+fcEeZf65bprb4ndxFlNlpc4yXiDP3vTvBwKoxzYKdtUzlZmO2zN32A\nozRBClFiw0W++NUL/6zl/cUNGuA0CUBGzsRFF8uOijCFVTZ3pvnF+2hk4RpzUkcc\n52VGddFiFvcPhdMVLNitk2J3qhybGHETi0CP4opDUTHXkZC0hsIOLfRlqg7KxtXl\nl99SrE5bsWnpaVAFRinSGcopRWsd28iQbXvJ\n=8dHK\n-----END PGP SIGNATURE-----\n",
            "pubkey_fingerprint": "EBED170E8C9480E22A1D059B15250E9EC0A62577",
            "signing_service": "ansible-default",
            "pulp_created": "2022-01-14T14:05:53.835605Z"
        }
    ],
...

Signing on-demand via API

curl -X POST \
  'http://0.0.0.0:8002/api/automation-hub/v3/sign/collections/' \
  -H 'Accept: */*' \
  -H 'Authorization: Token a64a0ab93948c92febf2c0611dc1b189f9f37cdd' \
  -H 'Content-Type: application/json' \
  -d '{
    "signing_service": "ansible-default",
    "repository": "published",
    "namespace": "bla",
    "collection": "zaz",
    "version": "1.5.0",
    "content_units": ["*"]
}'

Accessing signatures and sign states via _ui/

GET http://0.0.0.0:5001/api/automation-hub/_ui/v1/collection-versions/?limit=2

...
 "signatures": []
      },
      "contents": [],
      "sign_state": "unsigned",
...
"all_versions": [
    {
      "version": "4.0.0",
      "created": "2022-01-24 17:04:33.344202+00:00",
      "sign_state": "unsigned"
    },
    {
      "version": "3.0.0",
      "created": "2022-01-24 17:04:32.851448+00:00",
      "sign_state": "unsigned"
    },

http://0.0.0.0:5001/api/automation-hub/_ui/v1/repo/staging/?deprecated=false

  "sign_state": "unsigned",
      "total_versions": 1,
      "signed_versions": 0,
      "unsigned_versions": 1

How to determine if the system has signing enabled?

/api/automation-hub/_ui/v1/feature-flags/

{
  "collection_auto_sign": true,    # this system signs during approval
  "collection_signing": true,    # there is a signing service and keys for collections
  "execution_environments": true
}

Or by checking on:

/api/automation-hub/_ui/v1/settings/

"GALAXY_COLLECTION_SIGNING_SERVICE": "ansible-default",
"GALAXY_AUTO_SIGN_COLLECTIONS": true

Filtering by sign state

/api/automation-hub/_ui/v1/repo/staging/?deprecated=false&sign_state=unsigned,partial
# options are [signed, unsigned, partial]

This endpoint accepts other filters such as namespace, name, version

Permissions on http://0.0.0.0:5001/api/automation-hub/_ui/v1/me/

"model_permissions": {
    "sign_collections_on_namespace": true,
    "sign_collections_on_repository": true,

On the approval dashboard the permission is "move_collection": true, since if the user can move, the sign is automatic.

NOTE: CRC mode and the upload process will be implemented in a separate PR.

Issue: AAH-312
Replaces #1076

Reviewer Checklists 👀

Developer reviewer:

  • Code looks sound, good architectural decisions, no code smells
  • There is a Jira issue associated (note that "No-Issue" should be rarely used)
  • Tests are included in galaxy_ng/tests/integration or galaxy_ng/tests/functional, and they fully cover necessary test scenarios… or tests not needed

QE reviewer (exceptions):

  • Tests are included in galaxy_ng/tests/integration or galaxy_ng/tests/functional, and they fully cover necessary test scenarios… or tests not needed
  • PR meets applicable Acceptance Criteria for associated Jira issue

Note: when merging, include the Jira issue link in the squashed commit
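The PR description above shows what the server returns (a `signatures` list with a `pubkey_fingerprint` and `signing_service`, a per-collection `sign_state`, the `signed_versions`/`unsigned_versions` summary, the `sign_state` filter values and the feature flags) but not how a consumer should act on it. The following is an added example, not galaxy_ng code: a client-side policy check that treats a version as signed only when a signature comes from a fingerprint the client trusts, and derives the same `sign_state` vocabulary over the versions of a collection. The classification rule (all versions signed is `signed`, none is `unsigned`, anything else is `partial`) and the sample payload are assumptions; the trusted fingerprint is the one shown in the PR text.

```python
"""Added example (not galaxy_ng code): consumer-side handling of the signature
data returned by the v3 / _ui endpoints described in the PR.

Assumptions not stated in the PR: a version counts as signed only when at
least one of its signatures was made by a trusted fingerprint; a collection is
"signed" when every version is signed, "unsigned" when none is, "partial"
otherwise.
"""

# Filter values listed in the PR description for ?sign_state=
SIGN_STATES = ("signed", "unsigned", "partial")

# Fingerprint of the "ansible-default" signing service, copied from the PR text.
TRUSTED_FINGERPRINTS = {"EBED170E8C9480E22A1D059B15250E9EC0A62577"}

# Constructed sample merging the v3 "signatures" shape with the _ui
# "all_versions" shape. The PGP blocks are placeholders, not real signatures.
SAMPLE_VERSIONS = [
    {
        "version": "1.5.0",
        "signatures": [{
            "signature": "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n",
            "pubkey_fingerprint": "EBED170E8C9480E22A1D059B15250E9EC0A62577",
            "signing_service": "ansible-default",
            "pulp_created": "2022-01-14T14:05:53.835605Z",
        }],
    },
    {
        # Signed, but by a key this client does not trust (constructed fingerprint).
        "version": "1.4.0",
        "signatures": [{
            "signature": "-----BEGIN PGP SIGNATURE-----\n...\n-----END PGP SIGNATURE-----\n",
            "pubkey_fingerprint": "0000000000000000000000000000000000000000",
            "signing_service": "someone-else",
            "pulp_created": "2022-01-10T09:00:00.000000Z",
        }],
    },
    {"version": "1.0.0", "signatures": []},  # never signed
]


def _normalize_fingerprint(fpr):
    """Compare fingerprints case- and whitespace-insensitively."""
    return "".join(fpr.split()).upper()


def version_is_signed(version, trusted_fingerprints):
    """True when any signature on the version comes from a trusted key.

    The server only reports that a signature exists; whether the signing key
    is acceptable is the client's decision, so unknown keys count as absent.
    """
    trusted = {_normalize_fingerprint(f) for f in trusted_fingerprints}
    return any(
        _normalize_fingerprint(sig.get("pubkey_fingerprint", "")) in trusted
        and sig.get("signature", "").startswith("-----BEGIN PGP SIGNATURE-----")
        for sig in version.get("signatures", [])
    )


def collection_sign_state(versions, trusted_fingerprints):
    """Derive signed / unsigned / partial across all versions of a collection."""
    if not versions:
        return "unsigned"
    flags = [version_is_signed(v, trusted_fingerprints) for v in versions]
    if all(flags):
        return "signed"
    if not any(flags):
        return "unsigned"
    return "partial"


def summarize(versions, trusted_fingerprints):
    """Counts in the shape used by the _ui/v1/repo/<repo>/ summary."""
    signed = sum(version_is_signed(v, trusted_fingerprints) for v in versions)
    return {
        "total_versions": len(versions),
        "signed_versions": signed,
        "unsigned_versions": len(versions) - signed,
    }


def parse_sign_state_filter(raw):
    """Validate a comma-separated ?sign_state= value against the allowed set."""
    states = [s.strip() for s in raw.split(",") if s.strip()]
    unknown = [s for s in states if s not in SIGN_STATES]
    if unknown:
        raise ValueError(f"unknown sign_state value(s) {unknown}; allowed: {list(SIGN_STATES)}")
    return states


def signing_enabled(feature_flags):
    """Mirror the _ui/v1/feature-flags/ check: only expect signatures when a
    signing service and keys exist ("collection_signing")."""
    return feature_flags.get("collection_signing") is True


if __name__ == "__main__":
    print("sign_state:", collection_sign_state(SAMPLE_VERSIONS, TRUSTED_FINGERPRINTS))
    print("summary:", summarize(SAMPLE_VERSIONS, TRUSTED_FINGERPRINTS))
    print("filter:", parse_sign_state_filter("unsigned,partial"))
```

Note that version 1.4.0 carries a signature but is still counted as unsigned, because the fingerprint is not in the trusted set; a client that only checked `len(signatures) > 0` would accept content signed with any key the server happens to have, which is the wrong trust boundary. The `sign_state` the server computes does not know the client's trust set, so the two may legitimately differ.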

@rochacbruno
Member Author

rochacbruno commented Feb 25, 2022

/retest

10:04:13 /var/lib/jenkins/workspace/ansible-galaxy_ng-pr-check/bonfire/cicd/_common_deploy_logic.sh: line 75: bonfire: command not found

@rochacbruno
Member Author

/retest

@rochacbruno
Member Author

/retest

@rochacbruno rochacbruno force-pushed the AAH-312 branch 2 times, most recently from 0e9c457 to 6cda05a on March 1, 2022 17:54

@rochacbruno
Member Author

/retest

Contributor

@brumik brumik left a comment


From the UI perspective all the required features are implemented and work as the UI expects.

Review comments (resolved) on:
- docker/etc/settings.py
- galaxy_ng/app/api/v3/viewsets/collection.py (6 comments, outdated)
@rochacbruno
Member Author

rochacbruno commented Mar 15, 2022

@brum @newswangerd last commit changes:

Signing URL

Base URL: _ui/v1/collection_signing/
(the above replaces v3/sign/collections and works in the same way)

Optional URLs:
- _ui/v1/collection_signing/<repository>/
- _ui/v1/collection_signing/<repository>/<namespace>/
- _ui/v1/collection_signing/<repository>/<namespace>/<collection>/
- _ui/v1/collection_signing/<repository>/<namespace>/<collection>/<version>/

Permission

Permission now requires repo + namespace.

@rochacbruno
Member Author

/retest

Member

@newswangerd newswangerd left a comment


Two small changes, but other than that LGTM.

Review comments (resolved) on:
- galaxy_ng/app/api/ui/serializers/user.py (outdated)
- galaxy_ng/app/api/ui/views/signing.py (outdated)
@netlify

netlify bot commented Mar 24, 2022

Deploy Preview for galaxyng ready!

Latest commit: 4b00084
Latest deploy log: https://app.netlify.com/sites/galaxyng/deploys/623c89bf9d958000095d8e5e
Deploy Preview: https://deploy-preview-1145--galaxyng.netlify.app

Commit message:

- Sets access policies for signing
- Surface sign permissions on _ui/me
- Add /sign/collection/ endpoint for on-demand signing
- Add `signed_only` field to the remote serializer
- Surface `signatures` on v3/content/collections
- Surface signature data on _ui/collection* endpoints
- Add sign state annotations to the _ui/ endpoints
- Add sign state filtering to the _ui/ endpoints
- Add signing tasks
- Call sign_and_move when AUTO_SIGN is configured on /move/ endpoint
  (when dest repo is golden)

Issue: AAH-312
@rochacbruno rochacbruno force-pushed the AAH-312 branch 4 times, most recently from 02bbc39 to 13f80f8 on March 24, 2022 14:48
5 participants