Skip to content

Commit

Permalink
Merge pull request #229 from cgwalters/no-sigverify-prep
Browse files Browse the repository at this point in the history
Add a helper for generating sigpolicy
  • Loading branch information
cgwalters authored Dec 15, 2023
2 parents 2ee270f + 9138153 commit 5463470
Show file tree
Hide file tree
Showing 3 changed files with 45 additions and 16 deletions.
13 changes: 5 additions & 8 deletions lib/src/cli.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ use fn_error_context::context;
use ostree::gio;
use ostree_container::store::PrepareResult;
use ostree_ext::container as ostree_container;
use ostree_ext::container::SignatureSource;
use ostree_ext::keyfileext::KeyFileExt;
use ostree_ext::ostree;
use std::ffi::OsString;
Expand All @@ -20,6 +19,7 @@ use std::process::Command;
use crate::deploy::RequiredHostSpec;
use crate::spec::Host;
use crate::spec::ImageReference;
use crate::utils::sigpolicy_from_opts;

/// Perform an upgrade operation
#[derive(Debug, Parser)]
Expand Down Expand Up @@ -363,13 +363,10 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
transport,
name: opts.target.to_string(),
};
let sigverify = if opts.no_signature_verification {
SignatureSource::ContainerPolicyAllowInsecure
} else if let Some(remote) = opts.ostree_remote.as_ref() {
SignatureSource::OstreeRemote(remote.to_string())
} else {
SignatureSource::ContainerPolicy
};
let sigverify = sigpolicy_from_opts(
opts.no_signature_verification,
opts.ostree_remote.as_deref(),
);
let target = ostree_container::OstreeImageReference { sigverify, imgref };
let target = ImageReference::from(target);

Expand Down
13 changes: 5 additions & 8 deletions lib/src/install.rs
Original file line number Diff line number Diff line change
Expand Up @@ -32,14 +32,14 @@ use rustix::fs::MetadataExt;
use fn_error_context::context;
use ostree::gio;
use ostree_ext::container as ostree_container;
use ostree_ext::container::SignatureSource;
use ostree_ext::ostree;
use ostree_ext::prelude::Cast;
use serde::{Deserialize, Serialize};

use self::baseline::InstallBlockDeviceOpts;
use crate::containerenv::ContainerExecutionInfo;
use crate::task::Task;
use crate::utils::sigpolicy_from_opts;

/// The default "stateroot" or "osname"; see https://github.com/ostreedev/ostree/issues/2794
const STATEROOT_DEFAULT: &str = "default";
Expand Down Expand Up @@ -917,13 +917,10 @@ async fn prepare_install(

// Parse the target CLI image reference options and create the *target* image
// reference, which defaults to pulling from a registry.
let target_sigverify = if target_opts.target_no_signature_verification {
SignatureSource::ContainerPolicyAllowInsecure
} else if let Some(remote) = target_opts.target_ostree_remote.as_deref() {
SignatureSource::OstreeRemote(remote.to_string())
} else {
SignatureSource::ContainerPolicy
};
let target_sigverify = sigpolicy_from_opts(
target_opts.target_no_signature_verification,
target_opts.target_ostree_remote.as_deref(),
);
let target_imgname = target_opts
.target_imgref
.as_deref()
Expand Down
35 changes: 35 additions & 0 deletions lib/src/utils.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ use std::process::Command;

use anyhow::{Context, Result};
use ostree::glib;
use ostree_ext::container::SignatureSource;
use ostree_ext::ostree;

/// Try to look for keys injected by e.g. rpm-ostree requesting machine-local
Expand Down Expand Up @@ -52,6 +53,20 @@ pub(crate) fn spawn_editor(tmpf: &tempfile::NamedTempFile) -> Result<()> {
Ok(())
}

/// Convert a combination of values (likely from CLI parsing) into a signature source
pub(crate) fn sigpolicy_from_opts(
disable_verification: bool,
ostree_remote: Option<&str>,
) -> SignatureSource {
if disable_verification {
SignatureSource::ContainerPolicyAllowInsecure
} else if let Some(remote) = ostree_remote {
SignatureSource::OstreeRemote(remote.to_owned())
} else {
SignatureSource::ContainerPolicy
}
}

/// Output a warning message
pub(crate) fn warning(s: &str) {
anstream::eprintln!(
Expand Down Expand Up @@ -94,3 +109,23 @@ fn test_find_mount_option() {
assert_eq!(find_mount_option(V1, "rw"), None);
assert_eq!(find_mount_option(V1, "somethingelse"), None);
}

#[test]
fn test_sigpolicy_from_opts() {
assert_eq!(
sigpolicy_from_opts(false, None),
SignatureSource::ContainerPolicy
);
assert_eq!(
sigpolicy_from_opts(true, None),
SignatureSource::ContainerPolicyAllowInsecure
);
assert_eq!(
sigpolicy_from_opts(false, Some("foo")),
SignatureSource::OstreeRemote("foo".to_owned())
);
assert_eq!(
sigpolicy_from_opts(true, Some("foo")),
SignatureSource::ContainerPolicyAllowInsecure
);
}

0 comments on commit 5463470

Please sign in to comment.