From 913815311cf10a9ade2f69778b79d7ead2202ac5 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 15 Dec 2023 15:55:23 -0500
Subject: [PATCH] Add a helper for generating sigpolicy

Prep for further refactoring, targeting
https://github.com/containers/bootc/issues/218
This will help us find the places we're synthesizing a policy.

No functional changes intended.

Signed-off-by: Colin Walters <walters@verbum.org>
---
 lib/src/cli.rs     | 13 +++++--------
 lib/src/install.rs | 13 +++++--------
 lib/src/utils.rs   | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 16 deletions(-)

diff --git a/lib/src/cli.rs b/lib/src/cli.rs
index 215feef06..020ce3e63 100644
--- a/lib/src/cli.rs
+++ b/lib/src/cli.rs
@@ -9,7 +9,6 @@ use fn_error_context::context;
 use ostree::gio;
 use ostree_container::store::PrepareResult;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container::SignatureSource;
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use std::ffi::OsString;
@@ -20,6 +19,7 @@ use std::process::Command;
 use crate::deploy::RequiredHostSpec;
 use crate::spec::Host;
 use crate::spec::ImageReference;
+use crate::utils::sigpolicy_from_opts;
 
 /// Perform an upgrade operation
 #[derive(Debug, Parser)]
@@ -362,13 +362,10 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
         transport,
         name: opts.target.to_string(),
     };
-    let sigverify = if opts.no_signature_verification {
-        SignatureSource::ContainerPolicyAllowInsecure
-    } else if let Some(remote) = opts.ostree_remote.as_ref() {
-        SignatureSource::OstreeRemote(remote.to_string())
-    } else {
-        SignatureSource::ContainerPolicy
-    };
+    let sigverify = sigpolicy_from_opts(
+        opts.no_signature_verification,
+        opts.ostree_remote.as_deref(),
+    );
     let target = ostree_container::OstreeImageReference { sigverify, imgref };
     let target = ImageReference::from(target);
 
diff --git a/lib/src/install.rs b/lib/src/install.rs
index f43a99043..621eca150 100644
--- a/lib/src/install.rs
+++ b/lib/src/install.rs
@@ -32,7 +32,6 @@ use rustix::fs::MetadataExt;
 use fn_error_context::context;
 use ostree::gio;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container::SignatureSource;
 use ostree_ext::ostree;
 use ostree_ext::prelude::Cast;
 use serde::{Deserialize, Serialize};
@@ -40,6 +39,7 @@ use serde::{Deserialize, Serialize};
 use self::baseline::InstallBlockDeviceOpts;
 use crate::containerenv::ContainerExecutionInfo;
 use crate::task::Task;
+use crate::utils::sigpolicy_from_opts;
 
 /// The default "stateroot" or "osname"; see https://github.com/ostreedev/ostree/issues/2794
 const STATEROOT_DEFAULT: &str = "default";
@@ -916,13 +916,10 @@ async fn prepare_install(
 
     // Parse the target CLI image reference options and create the *target* image
     // reference, which defaults to pulling from a registry.
-    let target_sigverify = if target_opts.target_no_signature_verification {
-        SignatureSource::ContainerPolicyAllowInsecure
-    } else if let Some(remote) = target_opts.target_ostree_remote.as_deref() {
-        SignatureSource::OstreeRemote(remote.to_string())
-    } else {
-        SignatureSource::ContainerPolicy
-    };
+    let target_sigverify = sigpolicy_from_opts(
+        target_opts.target_no_signature_verification,
+        target_opts.target_ostree_remote.as_deref(),
+    );
     let target_imgname = target_opts
         .target_imgref
         .as_deref()
diff --git a/lib/src/utils.rs b/lib/src/utils.rs
index d7e959eb0..9b37a4337 100644
--- a/lib/src/utils.rs
+++ b/lib/src/utils.rs
@@ -3,6 +3,7 @@ use std::process::Command;
 
 use anyhow::{Context, Result};
 use ostree::glib;
+use ostree_ext::container::SignatureSource;
 use ostree_ext::ostree;
 
 /// Try to look for keys injected by e.g. rpm-ostree requesting machine-local
@@ -52,6 +53,20 @@ pub(crate) fn spawn_editor(tmpf: &tempfile::NamedTempFile) -> Result<()> {
     Ok(())
 }
 
+/// Convert a combination of values (likely from CLI parsing) into a signature source
+pub(crate) fn sigpolicy_from_opts(
+    disable_verification: bool,
+    ostree_remote: Option<&str>,
+) -> SignatureSource {
+    if disable_verification {
+        SignatureSource::ContainerPolicyAllowInsecure
+    } else if let Some(remote) = ostree_remote {
+        SignatureSource::OstreeRemote(remote.to_owned())
+    } else {
+        SignatureSource::ContainerPolicy
+    }
+}
+
 /// Output a warning message
 pub(crate) fn warning(s: &str) {
     anstream::eprintln!(
@@ -94,3 +109,23 @@ fn test_find_mount_option() {
     assert_eq!(find_mount_option(V1, "rw"), None);
     assert_eq!(find_mount_option(V1, "somethingelse"), None);
 }
+
+#[test]
+fn test_sigpolicy_from_opts() {
+    assert_eq!(
+        sigpolicy_from_opts(false, None),
+        SignatureSource::ContainerPolicy
+    );
+    assert_eq!(
+        sigpolicy_from_opts(true, None),
+        SignatureSource::ContainerPolicyAllowInsecure
+    );
+    assert_eq!(
+        sigpolicy_from_opts(false, Some("foo")),
+        SignatureSource::OstreeRemote("foo".to_owned())
+    );
+    assert_eq!(
+        sigpolicy_from_opts(true, Some("foo")),
+        SignatureSource::ContainerPolicyAllowInsecure
+    );
+}