Merge ~jugmac00/lpci:add-support-for-trusted-value into lpci:main

Proposed by Jürgen Gmach
Status: Merged
Merge reported by: Jürgen Gmach
Merged at revision: d2b07f45d7dd10eaa296dfa2db125957465e7023
Proposed branch: ~jugmac00/lpci:add-support-for-trusted-value
Merge into: lpci:main
Diff against target: 153 lines (+67/-6)
4 files modified
NEWS.rst (+4/-3)
docs/configuration.rst (+6/-0)
lpcraft/config.py (+11/-2)
lpcraft/tests/test_config.py (+46/-1)
Reviewer Review Type Date Requested Status
Colin Watson (community) Approve
Review via email: mp+426416@code.launchpad.net

Commit message

Allow overriding APT's security checks

Jürgen Gmach (jugmac00) :
Colin Watson (cjwatson) :
review: Approve
Colin Watson (cjwatson) :
review: Approve
Jürgen Gmach (jugmac00) :
Colin Watson (cjwatson) :
review: Approve

Preview Diff

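--- a/NEWS.rst
+++ b/NEWS.rst
@@ -5,7 +5,10 @@ Version history
 0.0.19 (unreleased)
 ===================
 
-- nothing yet
+- Add new CLI option to provide secrets via a YAML-based configuration file.
+
+- Allow overriding APT's security checks via `PackageRepository.trusted`
+
 
 0.0.18 (2022-07-04)
 ===================
@@ -19,8 +22,6 @@ Version history
 - Rebuild the Snap package to include updated system packages.
 See https://ubuntu.com/security/notices/USN-5495-1/.
 
-- Add new CLI option to provide secrets via a YAML-based configuration file.
-
 0.0.17 (2022-06-17)
 ===================
 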
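--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@@ -172,3 +172,9 @@ More properties can be implemented on demand.
 The URL is rendered using `Jinja2 <https://pypi.org/project/Jinja2/>`_.
 This can be used to supply authentication details via the *secrets*
 command line option.
+
+``trusted`` (optional)
+ Set this to ``true`` to override APT's security checks, ie accept sources
+ which do not pass authentication checks. ``false`` does the opposite.
+ By default APT decides whether a source is considered trusted. This third
+ option cannot be set explicitly.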
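--- a/lpcraft/config.py
+++ b/lpcraft/config.py
@@ -8,7 +8,7 @@ from pathlib import Path
 from typing import Any, Dict, Iterator, List, Optional, Type, Union
 
 import pydantic
-from pydantic import AnyHttpUrl, StrictStr
+from pydantic import AnyHttpUrl, StrictStr, validator
 
 from lpcraft.errors import ConfigurationError
 from lpcraft.plugins import PLUGINS
@@ -123,6 +123,12 @@ class PackageRepository(ModelConfigDefaults):
 components: List[PackageComponent] # e.g. `[main, universe]`
 suites: List[PackageSuite] # e.g. `[bionic, focal]`
 url: AnyHttpUrl
+ trusted: Optional[bool]
+
+ @validator("trusted")
+ def convert_trusted(cls, v: bool) -> str:
+ # trusted is True or False, but we need `yes` or `no`
+ return v and "yes" or "no"
 
 def sources_list_lines(self) -> Iterator[str]:
 """Yield repository lines as strings.
@@ -131,7 +137,10 @@ class PackageRepository(ModelConfigDefaults):
 """ # noqa: E501
 for format in self.formats:
 for suite in self.suites:
- yield f"{format} {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
+ if self.trusted:
+ yield f"{format} [trusted={self.trusted}] {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
+ else:
+ yield f"{format} {self.url!s} {suite} {' '.join(self.components)}" # noqa: E501
 
 
 class Job(ModelConfigDefaults):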
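Review bot: `convert_trusted` replaces the declared `Optional[bool]` with the strings `yes`/`no`, so the later `if self.trusted:` in `sources_list_lines` is true for `trusted: false` as well, and any future caller that tests `repo.trusted` to learn whether signature checks were overridden will get the wrong answer. I would keep the field a bool and render it at output, e.g. `opts = "" if self.trusted is None else f" [trusted={'yes' if self.trusted else 'no'}]"` followed by a single `yield f"{format}{opts} {self.url!s} {suite} {' '.join(self.components)}"`; that also retires the `v and "yes" or "no"` idiom. Separately, `url` is `AnyHttpUrl`, so `trusted: true` can be paired with a plain `http://` source, which leaves packages from that source with neither signature verification nor transport integrity; a validator that rejects or at least logs that combination would be worth adding. The class body begins outside these hunks, so anything inherited from `ModelConfigDefaults` is not visible here.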
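--- a/lpcraft/tests/test_config.py
+++ b/lpcraft/tests/test_config.py
@@ -422,6 +422,12 @@ class TestConfig(TestCase):
 components: [main]
 suites: [focal]
 url: https://canonical.example.org/artifactory/jammy-golang-backport
+ - type: apt
+ formats: [deb]
+ components: [main]
+ suites: [focal]
+ url: https://canonical.example.org/artifactory/jammy-golang-backport
+ trusted: false
 """ # noqa: E501
 )
 )
@@ -443,7 +449,22 @@ class TestConfig(TestCase):
 host_type="domain",
 path="/artifactory/jammy-golang-backport",
 ),
- )
+ ),
+ PackageRepository(
+ type="apt",
+ formats=["deb"],
+ components=["main"],
+ suites=["focal"],
+ url=AnyHttpUrl(
+ "https://canonical.example.org/artifactory/jammy-golang-backport", # noqa: E501
+ scheme="https",
+ host="canonical.example.org",
+ tld="org",
+ host_type="domain",
+ path="/artifactory/jammy-golang-backport",
+ ),
+ trusted=False,
+ ),
 ],
 config.jobs["test"][0].package_repositories,
 )
@@ -466,6 +487,18 @@ class TestConfig(TestCase):
 components: [main]
 suites: [focal, bionic]
 url: https://canonical.example.org/artifactory/jammy-golang-backport
+ - type: apt
+ formats: [deb]
+ components: [main]
+ suites: [focal]
+ url: https://canonical.example.org/artifactory/jammy-golang-backport
+ trusted: true
+ - type: apt
+ formats: [deb]
+ components: [main]
+ suites: [focal]
+ url: https://canonical.example.org/artifactory/jammy-golang-backport
+ trusted: false
 """ # noqa: E501
 )
 )
@@ -481,3 +514,15 @@ class TestConfig(TestCase):
 self.assertEqual(
 expected, (list(repositories[0].sources_list_lines()))
 )
+ self.assertEqual(
+ [
+ "deb [trusted=yes] https://canonical.example.org/artifactory/jammy-golang-backport focal main" # noqa: E501
+ ], # noqa: E501
+ list(repositories[1].sources_list_lines()),
+ )
+ self.assertEqual(
+ [
+ "deb [trusted=no] https://canonical.example.org/artifactory/jammy-golang-backport focal main" # noqa: E501
+ ], # noqa: E501
+ list(repositories[2].sources_list_lines()),
+ )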
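Review bot: The added cases pin only the `true`/`false` happy path; nothing asserts that a non-boolean `trusted` value is rejected, which matters because this key switches off APT's signature checking for the source. Depending on the pydantic version in use, a non-strict `bool` field may coerce strings such as `"on"` or `"1"` to `True`, so a negative test (for example `trusted: maybe` raising a validation error) would pin exactly which inputs can produce `[trusted=yes]`. An assertion for an explicit `trusted: null` would also be useful; presumably it should render the same line as the omitted case. The test methods start outside these hunks.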
