Fix signing service using deprecated functionality

closes: #8608 https://pulp.plan.io/issues/8608 closes: #7891 https://pulp.plan.io/issues/7891
pulp · Jul 21, 2021 · 5aa0a6c · 5aa0a6c
1 parent 1e0e453
commit 5aa0a6c
Show file tree

Hide file tree

Showing 14 changed files with 52 additions and 52 deletions.
diff --git a/.github/workflows/scripts/post_before_script.sh b/.github/workflows/scripts/post_before_script.sh
@@ -3,18 +3,16 @@
 set -euv
 
 cmd_stdin_prefix bash -c "cat > /root/sign-metadata.sh" < "$GITHUB_WORKSPACE"/pulp_rpm/tests/functional/sign-metadata.sh
-cmd_stdin_prefix bash -c "cat > /root/sign.py" < "$PWD"/.github/workflows/scripts/sign.py
 
 cmd_prefix bash -c "curl -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-PRIVATE-KEY-pulp-qe | gpg --import"
-cmd_prefix bash -c "curl -O https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-KEY-pulp-qe"
-cmd_prefix chmod a+x /root/sign-metadata.sh /root/sign.py
+cmd_prefix bash -c "curl -O -L https://github.com/pulp/pulp-fixtures/raw/master/common/GPG-KEY-pulp-qe"
+cmd_prefix chmod a+x /root/sign-metadata.sh
 
-# If KEY_FINGERPRINT changes, change it in sign.py as well.
 KEY_FINGERPRINT="6EDF301256480B9B801EBA3D05A5E6DA269D9D98"
 TRUST_LEVEL="6"
 echo "$KEY_FINGERPRINT:$TRUST_LEVEL:" | cmd_stdin_prefix gpg --import-ownertrust
 
-cmd_prefix bash -c "django-admin shell < /root/sign.py"
+cmd_prefix bash -c "pulpcore-manager add-signing-service sign-metadata /root/sign-metadata.sh \"Pulp QE\""
 
 echo "machine pulp
 login admin

diff --git a/.github/workflows/scripts/sign.py b/.github/workflows/scripts/sign.py
diff --git a/CHANGES/7891.misc b/CHANGES/7891.misc
@@ -0,0 +1 @@
+Unskip ConsumeSignedRepomdTestCase tests.
diff --git a/CHANGES/8608.bugfix b/CHANGES/8608.bugfix
@@ -0,0 +1 @@
+Updated the signing service code to be compatible with pulpcore 3.10+.
diff --git a/docs/_scripts/install_from_signed_repository.sh b/docs/_scripts/install_from_signed_repository.sh
@@ -2,7 +2,7 @@
 
 BASE_URL=$(http "$BASE_ADDR""$DISTRIBUTION_HREF" | jq -r '.base_url')
 BASE_PATH=$(http "$BASE_ADDR""$DISTRIBUTION_HREF" | jq -r '.base_path')
-PUBLIC_KEY_URL="$BASE_URL"/repodata/public.key
+PUBLIC_KEY_URL="$BASE_URL"/repodata/repomd.xml.key
 
 echo "Setting up a YUM repository."
 sudo dnf config-manager --add-repo "$BASE_URL"

diff --git a/docs/workflows/metadata_signing.rst b/docs/workflows/metadata_signing.rst
@@ -26,9 +26,6 @@ The publication will automatically contain a detached ascii-armored signature an
 Both, the detached signature and the public key, are used by package managers during the process of
 verification.
 
-.. note::
-  The public key **must** be stored as public.key to prevent any path issues.
-
 Installing Packages
 -------------------
 

diff --git a/pulp_rpm/app/models/repository.py b/pulp_rpm/app/models/repository.py
@@ -1,4 +1,3 @@
-import urllib.parse
 import textwrap
 
 from gettext import gettext as _
@@ -438,7 +437,7 @@ class RpmDistribution(Distribution):
     repository_config_file_name = "config.repo"
 
     def content_handler(self, path):
-        """Serve config.repo and public.key."""
+        """Serve config.repo and repomd.xml.key."""
         if path == self.repository_config_file_name:
             base_url = f"{settings.CONTENT_ORIGIN}{settings.CONTENT_PATH_PREFIX}{self.base_path}/"
             publication = self.publication.cast()
@@ -457,11 +456,11 @@ def content_handler(self, path):
             signing_service = repository.metadata_signing_service
             if signing_service:
                 gpgkey_path = urlpath_sanitize(
-                    settings.CONTENT_ORIGIN, settings.CONTENT_PATH_PREFIX
+                    settings.CONTENT_ORIGIN,
+                    settings.CONTENT_PATH_PREFIX,
+                    self.base_path,
+                    "/repodata/repomd.xml.key",
                 )
-                gpgkey_path = urllib.parse.urljoin(gpgkey_path, self.base_path, True)
-                gpgkey_path += "/repodata/public.key"
-
                 val += f"gpgkey={gpgkey_path}\n"
 
             return Response(body=val)

diff --git a/pulp_rpm/app/tasks/publishing.py b/pulp_rpm/app/tasks/publishing.py
@@ -288,6 +288,11 @@ def publish(
     repository = repository_version.repository.cast()
     checksum_types = checksum_types or {}
 
+    if metadata_signing_service:
+        metadata_signing_service = AsciiArmoredDetachedSigningService.objects.get(
+            pk=metadata_signing_service
+        )
+
     checksum_types["original"] = repository.original_checksum_types
 
     log.info(
@@ -592,7 +597,7 @@ def generate_repo_metadata(
 
     if metadata_signing_service:
         signing_service = AsciiArmoredDetachedSigningService.objects.get(
-            pk=metadata_signing_service.pk
+            pk=metadata_signing_service
         )
         sign_results = signing_service.sign(repomd_path)
 
@@ -611,11 +616,15 @@ def generate_repo_metadata(
         )
 
         # publish a public key required for further verification
-        PublishedMetadata.create_from_file(
-            relative_path=os.path.join(repodata_path, os.path.basename(sign_results["key"])),
-            publication=publication,
-            file=File(open(sign_results["key"], "rb")),
-        )
+        pubkey_name = "repomd.xml.key"
+        with open(pubkey_name, "wb+") as f:
+            f.write(signing_service.public_key.encode("utf-8"))
+            f.flush()
+            PublishedMetadata.create_from_file(
+                relative_path=os.path.join(repodata_path, pubkey_name),
+                publication=publication,
+                file=File(f),
+            )
     else:
         PublishedMetadata.create_from_file(
             relative_path=os.path.join(repodata_path, os.path.basename(repomd_path)),

diff --git a/pulp_rpm/app/viewsets.py b/pulp_rpm/app/viewsets.py
@@ -250,12 +250,17 @@ def create(self, request):
             "sqlite_metadata", repository.sqlite_metadata
         )
 
+        if repository.metadata_signing_service:
+            signing_service_pk = repository.metadata_signing_service.pk
+        else:
+            signing_service_pk = None
+
         result = dispatch(
             tasks.publish,
             [repository_version.repository],
             kwargs={
-                "repository_version_pk": str(repository_version.pk),
-                "metadata_signing_service": repository.metadata_signing_service,
+                "repository_version_pk": repository_version.pk,
+                "metadata_signing_service": signing_service_pk,
                 "checksum_types": checksum_types,
                 "gpgcheck_options": gpgcheck_options,
                 "sqlite_metadata": sqlite_metadata,

diff --git a/pulp_rpm/tests/functional/api/test_consume_content.py b/pulp_rpm/tests/functional/api/test_consume_content.py
@@ -106,7 +106,6 @@ def do_test(self, policy):
         self.assertEqual(rpm_name, rpm[0])
 
 
-@unittest.skip("Temporarily broken due to GHA migration")
 class ConsumeSignedRepomdTestCase(PulpTestCase):
     """A test case that verifies the publishing of a signed repository."""
 
@@ -121,6 +120,11 @@ def setUpClass(cls):
         signing_services = cls.api_client.using_handler(api.page_handler).get(
             "pulp/api/v3/signing-services/", params={"name": "sign-metadata"}
         )
+        # NOTE: This is not used by the CI, only by local tests. The CI uses a separate
+        # environment for API tests and Pulp, so the API tests don't have direct access
+        # to run terminal commands. And cli.Client has issues with it as well.
+        #
+        # In the event of issues go look at post_before_script.sh.
         if not signing_services:
             init_signed_repo_configuration()
 
@@ -171,7 +175,7 @@ def check_config_dot_repo_options(self, gpgcheck=0, repo_gpgcheck=0, has_signing
 
         if has_signing_service:
             self.assertIn(
-                bytes(f'gpgkey={distribution["base_url"]}repodata/public.key', "utf-8"),
+                bytes(f'gpgkey={distribution["base_url"]}repodata/repomd.xml.key', "utf-8"),
                 response.content,
                 options,
             )
@@ -219,7 +223,7 @@ def init_repository_config(self, distribution):
             ("sudo", "dnf", "config-manager", "--add-repo", distribution["base_url"])
         )
         repo_id = "*{}_".format(distribution["base_path"])
-        public_key_url = f"{distribution['base_url']}repodata/public.key"
+        public_key_url = f"{distribution['base_url']}repodata/repomd.xml.key"
         self.cli_client.run(
             (
                 "sudo",

diff --git a/pulp_rpm/tests/functional/constants.py b/pulp_rpm/tests/functional/constants.py
@@ -373,6 +373,7 @@
 ]
 
 PULP_FIXTURES_COMMON_URL = "https://github.com/pulp/pulp-fixtures/raw/master/common/"
+PUBLIC_GPG_KEY_URL = urljoin(PULP_FIXTURES_COMMON_URL, "GPG-KEY-pulp-qe")
 PRIVATE_GPG_KEY_URL = urljoin(PULP_FIXTURES_COMMON_URL, "GPG-PRIVATE-KEY-pulp-qe")
 
 RPM_CUSTOM_REPO_METADATA_FIXTURE_URL = urljoin(PULP_FIXTURES_BASE_URL, "rpm-repo-metadata/")

diff --git a/pulp_rpm/tests/functional/content_handler/test_config_repo.py b/pulp_rpm/tests/functional/content_handler/test_config_repo.py
@@ -59,7 +59,7 @@ def testConfigRepoInListingUnsigned(self):
 
         self.assertEqual(resp.status_code, 200)
         self.assertIn(b"config.repo", resp.content)
-        self.assertNotIn(b"public.key", resp.content)
+        self.assertNotIn(b"repomd.xml.key", resp.content)
 
     def testConfigRepoUnsigned(self):
         """Whether config.repo can be downloaded and has the right content."""

diff --git a/pulp_rpm/tests/functional/sign-metadata.sh b/pulp_rpm/tests/functional/sign-metadata.sh
@@ -3,21 +3,16 @@
 FILE_PATH=$1
 SIGNATURE_PATH="$1.asc"
 
-PUBLIC_KEY_PATH="$(cd "$(dirname $1)" && pwd)/public.key"
 GPG_KEY_ID="Pulp QE"
 
-# Export a public key
-gpg --armor --export "${GPG_KEY_ID}" > ${PUBLIC_KEY_PATH}
-
 # Create a detached signature
 gpg --quiet --batch --homedir ~/.gnupg/ --detach-sign --local-user "${GPG_KEY_ID}" \
    --armor --output ${SIGNATURE_PATH} ${FILE_PATH}
 
 # Check the exit status
 STATUS=$?
 if [[ ${STATUS} -eq 0 ]]; then
-   echo {\"file\": \"${FILE_PATH}\", \"signature\": \"${SIGNATURE_PATH}\", \
-       \"key\": \"${PUBLIC_KEY_PATH}\"}
+   echo {\"file\": \"${FILE_PATH}\", \"signature\": \"${SIGNATURE_PATH}\"}
 else
    exit ${STATUS}
 fi
diff --git a/pulp_rpm/tests/functional/utils.py b/pulp_rpm/tests/functional/utils.py
@@ -192,11 +192,11 @@ def init_signed_repo_configuration():
     commands. Then, it creates a new signing service on the fly.
     """
     # download the private key
-    completed_process = subprocess.run(
+    priv_key = subprocess.run(
         ("wget", "-q", "-O", "-", PRIVATE_GPG_KEY_URL), stdout=subprocess.PIPE
-    )
+    ).stdout
     # import the downloaded private key
-    subprocess.run(("gpg", "--import"), input=completed_process.stdout)
+    subprocess.run(("gpg", "--import"), input=priv_key)
 
     # set the imported key to the maximum trust level
     key_fingerprint = "6EDF301256480B9B801EBA3D05A5E6DA269D9D98"
@@ -206,14 +206,14 @@ def init_signed_repo_configuration():
     # create a new signing service
     utils_dir_path = os.path.dirname(os.path.realpath(__file__))
     signing_script_path = os.path.join(utils_dir_path, "sign-metadata.sh")
+
     subprocess.run(
         (
-            "django-admin",
-            "shell",
-            "-c",
-            "from pulpcore.app.models.content import AsciiArmoredDetachedSigningService;"
-            "AsciiArmoredDetachedSigningService.objects.create(name='sign-metadata',"
-            f"script='{signing_script_path}')",
+            "pulpcore-manager",
+            "add-signing-service",
+            "sign-metadata",
+            f"{signing_script_path}",
+            "Pulp QE",
         )
     )