Merge pull request #12111 from mlschroe/master

[backend] Support "allowrootforbuild" as build flag, support a rekorserver in the registry config
openSUSE · Jan 19, 2022 · b50a3b6 · b50a3b6
2 parents 64cb80b + 20052a5
commit b50a3b6
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 21 deletions.
diff --git a/src/backend/BSPublisher/Container.pm b/src/backend/BSPublisher/Container.pm
@@ -226,7 +226,7 @@ sub upload_all_containers {
 	  undef $gun unless defined $pubkey;
 	}
 	$have_some_trust = 1 if $gun;
-	do_local_uploads($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags);
+	do_local_uploads($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags, $registry->{'rekorserver'});
 	my $pullserver = $registry->{'server'};
 	undef $pullserver if $pullserver && $pullserver eq 'local:';
 	if ($pullserver) {
@@ -267,7 +267,7 @@ sub upload_all_containers {
     for my $repository (@{$old_container_repositories->{$regname} || []}) {
       next if $uploads{$repository};
       if ($registryserver eq 'local:') {
-        do_local_uploads($extrep, $projid, $repoid, $repository, undef, $containers, $pubkey, $signargs, $multicontainer, {});
+        do_local_uploads($extrep, $projid, $repoid, $repository, undef, $containers, $pubkey, $signargs, $multicontainer, {}, $registry->{'rekorserver'});
 	next;
       }
       my $containerdigests = '';
@@ -415,6 +415,7 @@ sub upload_to_registry {
     unlink($pubkeyfile);
     writestr($pubkeyfile, undef, $pubkey);
     push @opts, '--cosign', '-p', $pubkeyfile, '-G', $gun, @signargs;
+    push @opts, '--rekor', $registry->{'rekorserver'} if $registry->{'rekorserver'};
   }
   my @cmd = ("$INC[0]/bs_regpush", '--dest-creds', '-', @opts, '-F', $containerdigestfile, $registryserver, $repository, @uploadfiles);
   print "Uploading to registry: @cmd\n";
@@ -554,7 +555,7 @@ sub delete_container_repositories {
 }
 
 sub do_local_uploads {
-  my ($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags) = @_;
+  my ($extrep, $projid, $repoid, $repository, $gun, $containers, $pubkey, $signargs, $multicontainer, $uptags, $rekorserver) = @_;
 
   my %todo;
   my @tempfiles;
@@ -579,7 +580,7 @@ sub do_local_uploads {
     }
   }
   eval {
-    BSPublisher::Registry::push_containers("$projid/$repoid", $repository, $gun, $multicontainer, \%todo, $pubkey, $signargs);
+    BSPublisher::Registry::push_containers("$projid/$repoid", $repository, $gun, $multicontainer, \%todo, $pubkey, $signargs, $rekorserver);
   };
   unlink($_) for @tempfiles;
   die($@) if $@;

diff --git a/src/backend/BSTUF.pm b/src/backend/BSTUF.pm
@@ -24,21 +24,14 @@ package BSTUF;
 
 use JSON::XS ();
 use MIME::Base64 ();
-use Digest::SHA;
+use Digest::SHA ();
 
 use BSUtil;
 use BSASN1;
 use BSX509;
 
 use strict;
 
-sub keydata2asn1 {
-  my ($keydata) = @_;
-  die("need an rsa pubkey\n") unless ($keydata->{'algo'} || '') eq 'rsa';
-  my $pubkey = BSASN1::pack_sequence(BSASN1::pack_integer_mpi($keydata->{'mpis'}->[0]->{'data'}), BSASN1::pack_integer_mpi($keydata->{'mpis'}->[1]->{'data'}));
-  return BSASN1::pack_sequence(BSASN1::pack_sequence($BSX509::oid_rsaencryption, BSASN1::pack_null()), BSASN1::pack_bytes($pubkey));
-}
-
 sub rfc3339time {
   my ($t) = @_;
   my @gt = gmtime($t || time());
@@ -58,7 +51,7 @@ sub mktbscert {
   my ($cn, $not_before, $not_after, $subjectkeyinfo) = @_;
   my $certversion = BSASN1::pack_tagged(0, BSASN1::pack_integer(2));
   my $certserial = BSX509::pack_random_serial();
-  my $sigalgo = BSASN1::pack_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::pack_null());
+  my $sigalgo = BSX509::pack_sigalgo('rsa', 'sha256');
   my $issuer = BSX509::pack_distinguished_name([ $BSX509::oid_common_name, $cn ]);
   my $validity = BSX509::pack_validity($not_before, $not_after);
   my $basic_constraints = BSASN1::pack_sequence();
@@ -75,7 +68,7 @@ sub mktbscert {
 sub mkcert {
   my ($tbscert, $signfunc) = @_;
   my $signature = $signfunc->($tbscert);
-  my $sigalgo = BSASN1::pack_sequence($BSX509::oid_sha256withrsaencryption, BSASN1::pack_null());
+  my $sigalgo = BSX509::pack_sigalgo('rsa', 'sha256');
   my $cert = BSASN1::pack_sequence($tbscert, $sigalgo, BSASN1::pack_bytes($signature));
   return BSASN1::der2pem($cert, 'CERTIFICATE');
 }

diff --git a/src/backend/bs_getbinariesproxy b/src/backend/bs_getbinariesproxy
@@ -52,8 +52,8 @@ my $gettimeout = 3600;
 
 my $port = 5254;        
 my $proto = 'http';        
-$port = $1 if $BSConfig::getbinariesproxyserver =~ /:(\d+)$/;
-$proto = $1 if $BSConfig::getbinariesproxyserver =~ /^(https):/;
+$port = $1 if $BSConfig::getbinariesproxyserver && $BSConfig::getbinariesproxyserver =~ /:(\d+)$/;
+$proto = $1 if $BSConfig::getbinariesproxyserver && $BSConfig::getbinariesproxyserver =~ /^(https):/;
 
 
 my $cachedir = "$BSConfig::bsdir/getbinariesproxycache";
@@ -76,7 +76,7 @@ sub set_maxopen() {
   }
   POSIX::close($_) for @fd;
   $maxopen = @fd;
-  print "could open $maxopen file descriptors\n";
+  print "file descriptor limit is $maxopen\n";
 }
 
 sub move_entry_into_cache {
@@ -439,6 +439,12 @@ sub hello {
   return "<hello name=\"Getbinaries Proxy Server\" />\n";
 }
 
+sub run {
+  my ($conf) = @_;
+  set_maxopen();
+  BSServer::server($conf);
+}
+
 my $dispatches = [
   '/' => \&hello,
   '/getbinaries $project $repository $arch binaries: nometa:bool? metaonly:bool? module* workerid? now:num? server:' => \&getbinaries,
@@ -451,11 +457,10 @@ my $conf = {
   'dispatches' => $dispatches,
   'setkeepalive' => 1,
   'maxchild' => 40,
+  'run' => \&run,
 };
 
 $conf->{'maxchild'} = $BSConfig::getbinariesproxyserver_maxchild if $BSConfig::getbinariesproxyserver_maxchild;
 
-set_maxopen() unless @ARGV && ($ARGV[0] eq '--test' || $ARGV[0] eq '--stop' || $ARGV[0] eq '--exit');
-
 BSStdServer::server('bs_getbinariesproxy', \@ARGV, $conf);
 
diff --git a/src/backend/bs_notar b/src/backend/bs_notar
@@ -39,6 +39,7 @@ use BSUtil;
 use BSPGP;
 use BSBearer;
 use BSTUF;
+use BSX509;
 
 use strict;
 
@@ -266,7 +267,7 @@ my $pubkey_data = BSPGP::pk2keydata($gpgpubkey) || {};
 die("need an rsa pubkey for container signing\n") unless ($pubkey_data->{'algo'} || '') eq 'rsa';
 my $pubkey_times = BSPGP::pk2times($gpgpubkey) || {};
 # generate pub key and cert from pgp key data
-my $pub_bin = BSTUF::keydata2asn1($pubkey_data);
+my $pub_bin = BSX509::keydata2pubkey($pubkey_data);
 
 # create new to-be-signed cert
 my $root_expire = $pubkey_times->{'key_expire'} + $root_extra_expire;

diff --git a/src/backend/bs_worker b/src/backend/bs_worker
@@ -3478,7 +3478,7 @@ sub dobuild {
   push @args, '--clean';
   push @args, '--changelog';
   push @args, '--oldpackages', $oldpkgdir if $oldpkgdir && -d $oldpkgdir;
-  push @args, '--norootforbuild' unless $buildinfo->{'rootforbuild'} || ($BSConfig::norootexceptions && grep {"$projid/$packid" =~ /^$_$/} keys %$BSConfig::norootexceptions);
+  push @args, '--norootforbuild' unless !$BSConfig::norootexceptions || $bconf->{'buildflags:allowrootforbuild'} || $buildinfo->{'rootforbuild'} || grep {"$projid/$packid" =~ /^$_$/} keys %$BSConfig::norootexceptions;
   push @args, '--baselibs-internal';
   push @args, '--dist', "$buildroot/.build.config";
   push @args, '--rpmlist', "$buildroot/.build.rpmlist";