reverted to old key_setup, add handling for private keys, refactored tests

Author: grodzki-lanl

stackinator/mirror.py

@@ -39,8 +39,7 @@ def __init__(
         self._check_mirrors()
 
         # Will hold a list of all the gpg keys (public and private)
-        # self._keys: Optional[List[pathlib.Path]] = []
-        self._keys = self._key_init()
+        self._keys: Optional[List[pathlib.Path]] = []
 
     def _load_mirrors(self, cmdline_cache: Optional[pathlib.Path]) -> Dict[str, Dict]:
         """Load the mirrors file, if one exists."""
@@ -156,12 +155,14 @@ def _check_mirrors(self):
                         f"Check the url listed in mirrors.yaml in system config. \n{err}"
                     )
 
-    def key_files(self, config_root: pathlib.Path):
+    @property
+    def keys(self):
         """Return the list of public and private key file paths."""
+
         if self._keys is None:
             raise RuntimeError("The mirror.keys method was accessed before setup_configs() was called.")
-        key_dir = config_root / self.KEY_STORE_DIR
-        return [key_dir / info["path"] for info in self._keys]
+
+        return self._keys
 
     def setup_configs(self, config_root: pathlib.Path):
         """Setup all mirror configs in the given config_root."""
@@ -230,67 +231,64 @@ def _create_bootstrap_configs(self, config_root: pathlib.Path):
         with (config_root / "bootstrap.yaml").open("w") as file:
             yaml.dump(bootstrap_yaml, file, default_flow_style=False)
 
-    def _key_init(self):
-        key_info = {}
-        
-        key = self.mirrors["buildcache"].get("private_key")
+    def _load_key(self, key: str, dest: pathlib.Path, name: str):
+        """Validate mirror keys, relocate to key_store, and update mirror config with new key paths."""
 
-        if key is None:
-            return
+        # key will be saved under key_store/mirror_name.[pub/priv].gpg
 
         # if path, check if abs path, if not, append sys config path in front and check again
         path = pathlib.Path(os.path.expandvars(key))
-
         if not path.is_absolute():
             # try prepending system config path
             path = self._system_config_root / path
 
         if path.is_file():
-            # use the user-provided file
-            key_info = {"path": pathlib.Path(f"buildcache.pgp"), "source": path}
+            with open(path, "rb") as reader:
+                binary_key = reader.read()
+
+        # convert base64 key to binary
         else:
-            # convert base64 key to binary
             try:
-                binary_key = base64.b64decode(key, validate=True)
-                print(binary_key)
+                binary_key = base64.b64decode(key)
             except ValueError:
                 raise MirrorError(
-                    f"Key for mirror 'buildcache' is not valid. \n"
+                    f"Key for mirror '{name}' is not valid: '{path}'. \n"
                     f"Must be a path to a GPG public key or a base64 encoded GPG public key. \n"
                     f"Check the key listed in mirrors.yaml in system config."
                 )
 
-            file_type = magic.from_buffer(binary_key, mime=True)
-            if file_type not in ("application/x-gnupg-keyring", "application/pgp-keys"):
-                raise MirrorError(
-                    f"Key for mirror 'buildcache' is not a valid GPG key. \n"
-                    f"The file (or base64) was readable, but the data itself was not a PGP key.\n"
-                    f"Check the key listed in mirrors.yaml in system config."
-                )
-
-            key_info = {"path": pathlib.Path("buildcache.pgp"), "source": binary_key}
+        # private keys will evaluate as "application/octet-stream"
+        file_type = magic.from_buffer(binary_key, mime=True)
+        if file_type not in ("application/x-gnupg-keyring", "application/pgp-keys", "application/octet-stream"):
+            raise MirrorError(
+                f"Key for mirror {name} is not a valid GPG key. \n"
+                f"The file (or base64) was readable, but the data itself was not a PGP key.\n"
+                f"Check the key listed in mirrors.yaml in system config."
+            )
 
-        return key_info
+        # copy key to new destination in key store
+        with open(dest, "wb") as writer:
+            writer.write(binary_key)
 
+        self._keys.append(dest)
+    
+    
     def _key_setup(self, key_store: pathlib.Path):
-        """Validate mirror keys, relocate to key_store, and update mirror config with new key paths."""
+        """Iterate through mirror keys and load + relocate each one to key_store"""
 
+        self._keys = []
         key_store.mkdir(exist_ok=True)
 
-        #for key_info in self._keys:
-
-        #path = key_store / key_info["path"]
-        path = key_store / self._keys["path"]
-        #source = key_info["source"]
-        source = self._keys["source"]
-
-        match source:
-            case pathlib.Path():
-                # copy source -> path
-                shutil.copy2(source, path)
-            case bytes():
-                # open path and copy in bytes
-                with open(path, "wb") as writer:
-                    writer.write(source)
-            case _:
-                raise TypeError(f"Expected Path or bytes, got {type(source).__name__}")
+        for name, mirror in self.mirrors.items():
+            if name == "buildcache":
+                if mirror.get("private_key"):
+                    key = mirror["private_key"]
+                    dest = pathlib.Path(key_store / f"{name}.priv.gpg")
+                    self._load_key(key, dest, name)
+
+            if mirror.get("public_key") is None:
+                continue
+
+            key = mirror["public_key"]
+            dest = pathlib.Path(key_store / f"{name}.pub.gpg")
+            self._load_key(key, dest, name)

stackinator/schema/mirror.json

@@ -10,7 +10,8 @@
                 "enabled": {
                     "type": "boolean",
                     "default": true
-                }
+                },
+                "public_key": {"type": "string"}
             },
             "additionalProperties": false,
             "required": ["url"]
@@ -48,7 +49,8 @@
                     "enabled": {
                         "type": "boolean",
                         "default": true
-                    }
+                    },
+                    "public_key": {"type": "string"}
                 },
                 "additionalProperties": false,
                 "required": ["url"]

unittests/data/systems/mirror-ok-raw-key/mirrors.yaml

@@ -4,13 +4,55 @@ bootstrap:
 buildcache:
   url: https://mirror.spack.io
   enabled: true
+  public_key: "\
+    mQINBGm4GvsBEACTyzQFPfRUgo1Wmb9/KgrSr/EFVobRX3LlrcAMemo4nFRdS88aCcEhRWzYQ8ML\
+    eGvcxFbzbAoEZACpThMspYOwFsVzIUc3lYQT7g9M/KNEPHztqaTWCqESYmzDFtaLYys6AQP52KMB\
+    2x0ya8NNd9whd2a9Vc3yD3u9qW8iqkqxDjNYtTc9Lo7T8DHlhJ79TKm8f3w0QZowTxPYh5NA8GiF\
+    kBN6J8hmg39LekC1kAWi2BwjDzRll19zVQtYfv+b4i/ripqmMNp4zcU93Ox1ReUFOmO3eiIq3GSK\
+    IbXw7h/NGLAImIeuMzce5cqz65iVk7+iyKeXtx5dSUGskiLR2voX8xVOGVhNtxfiolviyUAhT4kb\
+    WcWK6ipZ9h/nEyeZ9GYtoDkKMguet2a4bJCBsQmo4FR9Pf5c7qqs79obxLXzZe9zDnj1sbxAabJh\
+    jLUdwJqIPKvdPNy3F3nOBeKY8Jf1D+Y3szxzJX8gwqrNSyCbZUeXsaQhMZWUVoztxUXW+qfC8jlA\
+    TfoUQuQPC9Zr+8wU/3uUlKtChQo0prgwHAEHezwNpyEhZZc884RIt55DNKllH9UeqNwUWKpZYHG3\
+    qVxV+oi7MenLeKvfsg6nVCL0CETtB88dOen7BFfBZj9NRszRqIlVudDFf+5gqKQ0f1H241w/n4nH\
+    KEAzm7kma4cV8QARAQABtBtUZXN0IEtleSA8bm9wZUBub3doZXJlLmNvbT6JAlEEEwEKADsWIQSe\
+    CE84hgwq8uroW+w4Qgxu0DsXiAUCabga+wIbAwULCQgHAgIiAgYVCgkICwIEFgIDAQIeBwIXgAAK\
+    CRA4Qgxu0DsXiBbaD/4w7MlAf5SuOxrbH3fruN7k8NPxjwsvocB3VGo5AxzIy18C78IOYm5F2EQ+\
+    LpjsK05t1ZPsHFsBaLduo0CODcF8m1gJLI8S0uMmVUywnDGJjMKYiZNeIqXDlohVciD2KPIxWL+i\
+    qgho1BhFKlnQkXgEaxotUXFwHiKqcBwFcq21nu3PRVqsobMTk/UgeJhoSZf7ZIj5SyVHa6YVCoMr\
+    HB0TqRz3xIW/TDl+oxyfEdhMZ8iU6IdohfMkCP+ayZEpdx1SS37S47SRxbgNblbfJ9PfJD/dQzx1\
+    WnGVXxinSPjTTxIwNCyiEIrxqvLnk+O8fUHeEIrSqn9P0bZrCv02gAPUIfl7l4gN4boSgWEsfS5i\
+    /KL8ZUDGZCb9Fux64zaM17lHfwGWCAKbi1KjYRL4W7zaVmps6MfdLOcJdQSdpQufs9vRbMhiDW1x\
+    glsvz8JzPYiF2xRqJsx2odiufx4Mrrq5yxER07sDjKzUZYF6xD8qC5BAh6/xDUE+p8EOqc0HsqTE\
+    PhqBLdqGLf8GaXj3I9F6ZCH5dtSmehB6Q77KJ1hWTm9OzDdYm2apExbMIB9Z2H5c8FLZfIb4lnpW\
+    lhtP97eAix9JnBzoTe8QeaV5hcvQoqypTu5rD3ne2kQHlavmSeq5KVVWrIKGsfnZNRqDg7vKg/fw\
+    kx1f2T8qMLVfGxogJrkCDQRpuBr7ARAA08MhBUQkj4nVaLmW+Xa5e+nTnE8nYoKPYJIpbIDYP2Pe\
+    mD9Yca9HGWHnzUgsH4KEvdETrT/Uj9i3o+6xNZJ1Xz0GQkKW+2Vttl5ZBKwipHsn2iP+e78wAhwm\
+    HqYZi/ymgLJDEXmrgyXNr+cKaAI2cEWOb+Vomgu+WFF4ENG/UiIJH6zP5JY0TcSC1Ao47y4qL6bH\
+    Mfzz2zi3JpbvOi1/uY2TvMgitaL45tsukuEYMFfEEnd4Vyl0LSCFYv3zQx5JRSbu5ujlRdHnopS0\
+    UeWZMV+iEXYZ6wKVFtQ6nvxxDpjMf8k3Q5Ss+z0F9oTRwdlaJhdhXZx8PleBu0Ah1Wxd9+V6tYgF\
+    zrjsJB9eaXKIEeioZi8xNFB6RYUuNgjIfTtgtps685LeiGCy5q55MkC2FuKVAdv+YZcuJNdy/3gx\
+    Kg5bLz/aVQRfxakDQHI7kp9fl3bDK5jbWeY8EKvtTI8x7fxthPZP6Az2g4zp+ZojgEUdUXveuw0Y\
+    3MVaMu0ehG81nUHNU1tu7ELuhDWM6VkigokS1zptBsPbKojfp/oZJn6DGD1LZ+QyIdSUkjyfcs9H\
+    sfuyAbrgzVCmbcNY42x3IOZZZjIfQ66bJZpGht6kHEfO896oB2d+a7KS25ZWa5G+SsWntv5nnclr\
+    6DYFz3ThuYVmjQDLh8jN78/f45Jd6N8AEQEAAYkCNgQYAQoAIBYhBJ4ITziGDCry6uhb7DhCDG7Q\
+    OxeIBQJpuBr7AhsMAAoJEDhCDG7QOxeIVx8P/1wxrmmYWhIMDObXIpCM3vxq8dO+84nTuBQbomKR\
+    NURKOiCwgndEL3N38pf0gAToSIatrTF2VdkJsksyMEIzUaNmsYiHA9xYqhmCJ2pIqWeh2ONsNdmw\
+    Fg/M5mwZpvwl28Z2MpJP+NY6u52a3jxkxpGY1Q4+KxgMRhqXe6faXQtYwwUiYVGPSznQPudYLZ2Z\
+    +b8rGrz0AUVvvSWt3bVbUwZIMVSK0RVIWxG/sW7dWhkhtev+04fUlaxHnQ2b8G3h6AjONmLcIlpx\
+    7p1dVvolEqV0YQUgosl47J3tLnzacsqNzIS1Dya0ukLrXAYmeQzQWvwhLpLqjMh3cqLl5SkjatB7\
+    xU9Qu4IXENnvWSnqCRZzz6CbU/81FopTGgJfxbYok2v78O5qTdkbeszSHN8uCuvhpPKruHZgsFc6\
+    lw+hYhtB8YXbB8lT2f1Fp0DeEnPM+OzRgjeRYl3gmE8/1PtKGuTCOJzTxTtLWorFYtV0DXiOq4Vd\
+    eYkR+m3vNiYVkdALN5uIL8goYrPvs/fvq1wI49iyKw6B3pE5xIQSEjgPpwJ/7hvQUhenJTtrNRs8\
+    eKXSnjHZjhJbgIReoXSQwG44RqNtiV8dJsdPu98P27keSigBB5kguB0gCWeFVHkLfpBR3aRxSacG\
+    gllMF++N8+7T4/ehkA/hs2udYRkSCANLQ3I3"
   private_key: ../../test-gpg-priv.asc
   mount_specific: false
   cmdline: false
 sourcecache:
   mirror1:
     url: https://github.com
     enabled: true
+    public_key: ../../test-gpg-pub.asc
   mirror2:
     url: https://github.com/spack
     enabled: true

unittests/data/systems/mirror-ok/mirrors.yaml

@@ -35,16 +35,17 @@ def test_mirror_init(systems_path):
         "mirror1": {
             "url": "https://github.com",
             "enabled": True,
+            "public_key": "../../test-gpg-pub.asc"
         },
         "mirror2": {
             "url": "https://github.com/spack",
             "enabled": True,
         }
     }
 
-    # with (systems_path / "../test-gpg-pub.asc").open("rb") as pub_key_file:
-    #     key = base64.b64encode(pub_key_file.read()).decode()
-    #     valid_mirrors["buildcache"]["public_key"] = key
+    with (systems_path / "../test-gpg-pub.asc").open("rb") as pub_key_file:
+        key = base64.b64encode(pub_key_file.read()).decode()
+        valid_mirrors["buildcache"]["public_key"] = key
 
     assert mirrors_obj.mirrors == valid_mirrors
 
@@ -149,8 +150,7 @@ def test_create_bootstrap_configs(tmp_path, systems_path):
 
     with (tmp_path / "bootstrap.yaml").open() as f:
         bs_data = yaml.safe_load(f)
-    print(bs_data)
-    print(valid_yaml)
+
     assert bs_data == valid_yaml
 
     with (tmp_path / "bootstrap/bootstrap-mirror/metadata.yaml").open() as f:
@@ -161,26 +161,19 @@ def test_create_bootstrap_configs(tmp_path, systems_path):
 def test_key_setup(systems_path, tmp_path):
     """Check that public keys are set up properly."""
 
-    mirrors_key_file = mirror.Mirrors(systems_path / "mirror-ok")
-    key_dir = tmp_path / "key_dir"
-    mirrors_raw_key = mirror.Mirrors(systems_path / "mirror-ok-raw-key")
-    raw_dir = tmp_path / "raw_dir"
-
-    mirrors_key_file._key_setup(key_dir)
-    mirrors_raw_key._key_setup(raw_dir)
+    mirrors = mirror.Mirrors(systems_path / "mirror-ok")
 
-    key_file, = (p for p in key_dir.iterdir() if p.is_file())
-    assert key_file.name == "buildcache.pgp"
+    mirrors._key_setup(tmp_path)
 
-    raw_key_file, = (p for p in key_dir.iterdir() if p.is_file())
-    assert raw_key_file.name == "buildcache.pgp"
+    pub_files = sorted(f for f in tmp_path.iterdir() if f.name.endswith(".pub.gpg"))
+    assert {pub_file.name for pub_file in pub_files} == {"buildcache.pub.gpg", "mirror1.pub.gpg"}
 
     # The two files should be identical in content
-    with key_file.open("rb") as file:
-        key_file_data = file.read()
-    with raw_key_file.open("rb") as file:
-        raw_key_file_data = file.read()
-    assert key_file_data == raw_key_file_data
+    pub_file_data = []
+    for pub_file in pub_files:
+        with pub_file.open("rb") as file:
+            pub_file_data.append(file.read())
+    assert pub_file_data[0] == pub_file_data[1]
 
 
 @pytest.mark.parametrize(
@@ -193,5 +186,6 @@ def test_key_setup(systems_path, tmp_path):
 def test_key_setup_bad_key(tmp_path, systems_path, system_name):
     """Check that MirrorError is raised for bad keys"""
 
+    mirrors = mirror.Mirrors(systems_path / system_name)
     with pytest.raises(mirror.MirrorError):
-        mirrors = mirror.Mirrors(systems_path / system_name)
+        mirrors._key_setup(tmp_path)