- signature for RPM and verify signature for associate process

release-engineering · May 13, 2015 · f31f90d · f31f90d
1 parent b22937c
commit f31f90d
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 1 deletion.
diff --git a/plugins/pulp_rpm/plugins/db/models.py b/plugins/pulp_rpm/plugins/db/models.py
@@ -188,13 +188,20 @@ def relative_path(self):
         unit_key = self.unit_key
         return os.path.join(
             unit_key['name'], unit_key['version'], unit_key['release'],
-            unit_key['arch'], unit_key['checksum'], self.metadata['filename']
+            self.signature, unit_key['arch'], unit_key['checksum'],
+            self.metadata['filename']
         )
 
     @property
     def download_path(self):
         return self.metadata['relativepath']
 
+    @property
+    def signature(self):
+        if self.metadata.get("signature"):
+            return self.metadata.get("signature").lower()
+        return 'none'
+
 
 class SRPM(RPM):
     TYPE = ids.TYPE_ID_SRPM

diff --git a/plugins/pulp_rpm/plugins/importers/yum/associate.py b/plugins/pulp_rpm/plugins/importers/yum/associate.py
@@ -4,12 +4,14 @@
 import shutil
 
 from pulp.server.db.model.criteria import UnitAssociationCriteria
+from pulp.server.managers import factory as manager_factory
 
 from pulp_rpm.common import constants
 from pulp_rpm.plugins.db import models
 from pulp_rpm.plugins.importers.yum import depsolve
 from pulp_rpm.plugins.importers.yum import existing
 
+class VerifySigException(Exception):pass
 
 _LOGGER = logging.getLogger(__name__)
 
@@ -39,6 +41,12 @@ def associate(source_repo, dest_repo, import_conduit, config, units=None):
         # TODO: so we should probably do something about that
         units = import_conduit.get_source_units()
 
+    if not config.get("allow_unsigned", False):
+        try:
+            _verify_signature(dest_repo, units)
+        except VerifySigException as e:
+            raise AssociateException("Associating Units exception while verifing signature.\n%s" % e)
+
     # get config items that we care about
     recursive = config.get(constants.CONFIG_RECURSIVE)
     if recursive is None:
@@ -358,3 +366,54 @@ def _safe_copy_unit_without_file(unit):
         if key.startswith('_'):
             del new_unit.metadata[key]
     return new_unit
+
+
+def _verify_signature(repo, units):
+    """
+    Make sure that all the units have the valid signature, otherwise
+    block this assciation.
+
+    :param repo:    dest repo
+    :tyep  repo:    pulp.plugins.model.Repository
+    :param units:           iterable of Unit objects to copy
+    :type  units:           iterable
+    """
+
+    repo_importer_manager = manager_factory.repo_importer_manager()
+    repo_importer = repo_importer_manager.get_importer(repo.id)
+    config = repo_importer.get("config", {}) or {}
+    allowed_keys = config.get('allowed_keys', None)
+
+    # the rules is:
+    # repo without allowed_keys: allow all RPMs
+    # repo with allowed_keys:    only allow RPMs with signatures from
+    #                            that key list
+    if not allowed_keys:
+        return
+
+    for unit in units:
+        if unit.type_id in (models.RPM.TYPE, models.SRPM.TYPE):
+            signature = unit.metadata.get("signature", None)
+            if not signature:
+                _LOGGER.error("No signature metadata found for Package: %s" % unit.metadata['filename'])
+                raise VerifySigException(
+                    "No signature metadata found for Package: %s" % unit.metadata['filename']
+                )
+            if signature in ('', 'none'):
+                _LOGGER.exception("Invalid Package(%s) without signature." % unit.metadata['filename'])
+                raise VerifySigException(
+                    "No signature found for Package: %s" % unit.metadata['filename']
+                )
+            else:
+                verified = False
+                for key in allowed_keys:
+                    if key.lower() == signature.lower():
+                        verified = True
+                        break
+                if not verified:
+                    _LOGGER.exception("Invalid signature: %s" % signature)
+                    raise VerifySigException(
+                        "Invalid signature(%s) found for Package: %s. Allowed Signatures %s" % (signature,
+                                                                                                unit.metadata['filename'],
+                                                                                                allowed_keys)
+                    )
diff --git a/plugins/pulp_rpm/plugins/importers/yum/upload.py b/plugins/pulp_rpm/plugins/importers/yum/upload.py
@@ -413,6 +413,8 @@ def _generate_rpm_data(type_id, rpm_filename, user_metadata=None):
     # rpm_parse.get_package_xml(..)
     file_stat = os.stat(rpm_filename)
     metadata['time'] = file_stat[stat.ST_MTIME]
+    metadata['signature_details'] = headers.sprintf("%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{none}|}|}|}|")
+    metadata['signature'] = metadata['signature_details'].split()[-1][-8:].lower()
 
     return unit_key, metadata