otk: add mtls into resolve ostree command
lzap committed Dec 13, 2024
1 parent 994201a commit 8da1e8d
Showing 3 changed files with 92 additions and 4 deletions.
24 changes: 21 additions & 3 deletions cmd/otk/osbuild-resolve-ostree-commit/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,16 @@ type Input struct {

// Whether to use RHSM secrets when resolving and fetching the commit.
RHSM bool `json:"rhsm,omitempty"`

// MTLS information. Will be ignored if RHSM is set.
MTLS *struct {
CA string `json:"ca"`
ClientCert string `json:"client_cert"`
ClientKey string `json:"client_key"`
} `json:"mtls,omitempty"`

// HTTP proxy to use when fetching the ref.
Proxy string `json:"proxy,omitempty"`
}

// Output contains everything needed to write a manifest that requires pulling
Expand All @@ -50,9 +60,17 @@ func run(r io.Reader, w io.Writer) error {
}

sourceSpec := ostree.SourceSpec{
URL: inputTree.Tree.URL,
Ref: inputTree.Tree.Ref,
RHSM: inputTree.Tree.RHSM,
URL: inputTree.Tree.URL,
Ref: inputTree.Tree.Ref,
RHSM: inputTree.Tree.RHSM,
Proxy: inputTree.Tree.Proxy,
}

if inputTree.Tree.MTLS != nil {
sourceSpec.MTLS = &ostree.MTLS{}
sourceSpec.MTLS.CA = inputTree.Tree.MTLS.CA
sourceSpec.MTLS.ClientCert = inputTree.Tree.MTLS.ClientCert
sourceSpec.MTLS.ClientKey = inputTree.Tree.MTLS.ClientKey
}

var commitSpec ostree.CommitSpec
Expand Down
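Review bot: The precedence stated in the new field comment, `// MTLS information. Will be ignored if RHSM is set.`, is not enforced in run(): the block at the end of the second hunk copies the three paths into sourceSpec regardless of inputTree.Tree.RHSM, so whether MTLS is really ignored depends on how ostree.SourceSpec consumes both fields, which is outside this diff. If the ostree package does not implement that precedence, guarding the block with `if inputTree.Tree.MTLS != nil && !inputTree.Tree.RHSM {` (or returning an error when both are set) would make the documented behaviour true. The block also passes a partially filled object straight through — a client_cert with an empty client_key, or a missing ca, only surfaces later as a TLS handshake failure; checking that all three fields are non-empty and returning an error that names the missing one fails earlier and more clearly. Stylistically the four assignments collapse to one composite literal, `sourceSpec.MTLS = &ostree.MTLS{CA: m.CA, ClientCert: m.ClientCert, ClientKey: m.ClientKey}` after `m := inputTree.Tree.MTLS`. run() starts before this hunk and continues after it.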
68 changes: 67 additions & 1 deletion cmd/otk/osbuild-resolve-ostree-commit/main_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"testing"

resolver "github.com/osbuild/images/cmd/otk/osbuild-resolve-ostree-commit"
"github.com/osbuild/images/pkg/ostree/test_mtls_server"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
Expand All @@ -22,9 +23,30 @@ var commitMap = map[string]string{
"test/ref/one": "7433e1b49fb136d61dcca49ebe34e713fdbb8e29bf328fe90819628f71b86105",
}

const TestCertDir = "../../../pkg/ostree/test_mtls_server"

// Create a test server that responds with the commit ID that corresponds to
// the ref.
func createTestServer(refIDs map[string]string) *httptest.Server {
handler := createTestHandler(refIDs)

return httptest.NewServer(handler)
}

// Create a test server that responds with the commit ID that corresponds to
// the ref. MTLS variant.
func createMTLSTestServer(refIDs map[string]string) *httptest.Server {
handler := createTestHandler(refIDs)

mtlss, err := test_mtls_server.NewMTLSServerInPath(handler, TestCertDir)
if err != nil {
panic(err)
}

return mtlss.Server
}

func createTestHandler(refIDs map[string]string) *http.ServeMux {
handler := http.NewServeMux()
handler.HandleFunc("/refs/heads/", func(w http.ResponseWriter, r *http.Request) {
reqRef := strings.TrimPrefix(r.URL.Path, "/refs/heads/")
Expand All @@ -36,7 +58,7 @@ func createTestServer(refIDs map[string]string) *httptest.Server {
fmt.Fprint(w, id)
})

return httptest.NewServer(handler)
return handler
}

func TestResolver(t *testing.T) {
Expand Down Expand Up @@ -77,6 +99,50 @@ func TestResolver(t *testing.T) {
}
}

func TestResolverMTLS(t *testing.T) {
require := require.New(t)
assert := assert.New(t)

repoServer := createMTLSTestServer(commitMap)
defer repoServer.Close()

url := repoServer.URL
for ref, id := range commitMap {
inputReq, err := json.Marshal(map[string]interface{}{
"tree": map[string]interface{}{
"url": url,
"ref": ref,
"mtls": map[string]string{
"ca": fmt.Sprintf("%s/ca.crt", TestCertDir),
"client_cert": fmt.Sprintf("%s/client.crt", TestCertDir),
"client_key": fmt.Sprintf("%s/client.key", TestCertDir),
},
},
})
require.NoError(err)

inpBuf := bytes.NewBuffer(inputReq)
outBuf := &bytes.Buffer{}

assert.NoError(resolver.Run(inpBuf, outBuf))

var output map[string]map[string]map[string]string
require.NoError(json.Unmarshal(outBuf.Bytes(), &output))

expOutput := map[string]map[string]map[string]string{
"tree": {
"const": {
"url": url,
"ref": ref,
"checksum": id,
"secrets": "org.osbuild.mtls",
},
},
}
assert.Equal(expOutput, output)
}
}

func TestResolverByID(t *testing.T) {
require := require.New(t)
assert := assert.New(t)
Expand Down
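Review bot: TestResolverMTLS exercises only the accepting path, so it would still pass if the server from createMTLSTestServer accepted clients that present no certificate; a companion case that sends the same request without the `mtls` object (or with a certificate not signed by the test CA) and asserts that resolver.Run returns an error is what actually demonstrates the client certificate is required and used. In the earlier hunk of this file, createMTLSTestServer panics when NewMTLSServerInPath fails, which drops the test name from the failure report; taking a `testing.TB` and calling `t.Fatal(err)` keeps it attributable. The three paths are built with fmt.Sprintf("%s/…") while the server side joins with filepath.Join; `filepath.Join(TestCertDir, "ca.crt")` keeps both halves consistent, with path/filepath added to the imports if it is not already there. `TestCertDir` is exported from a _test file with no external consumer, so `testCertDir` matches the lowercase helpers around it. TestResolverMTLS lies wholly inside the hunk; TestResolverByID begins at its end and continues outside.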
4 changes: 4 additions & 0 deletions pkg/ostree/test_mtls_server/http_mtls_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ func NewMTLSServer(handler http.Handler) (*MTLSServer, error) {
return nil, err
}

return NewMTLSServerInPath(handler, certsPath)
}

func NewMTLSServerInPath(handler http.Handler, certsPath string) (*MTLSServer, error) {
caPath := filepath.Join(certsPath, "ca.crt")
serverKeyPath := filepath.Join(certsPath, "server.key")
serverCrtPath := filepath.Join(certsPath, "server.crt")
Expand Down
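Review bot: NewMTLSServerInPath is a new exported function with no doc comment, and what it expects under certsPath is only visible from the filepath.Join calls below its signature; a comment such as `// NewMTLSServerInPath builds an MTLS test server from ca.crt, server.crt and server.key located in certsPath.` would state the contract, and NewMTLSServer's own comment (outside this hunk) could mention that it now delegates here with the default certificate directory. Since the function takes an arbitrary directory, its comment should also say whether it is meant for tests only, as the package name suggests — I am inferring that from the name, so confirm before writing it. The function body continues past the end of the hunk, and NewMTLSServer begins before it.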
