Fix flatpak TLS by updating system CA trust in container

gerrod3 · gerrod3 · commit 188aaa1451b9 · 2026-04-27T16:02:28.000-04:00
Made-with: Cursor
diff --git a/pulp_container/tests/functional/api/test_flatpak.py b/pulp_container/tests/functional/api/test_flatpak.py
@@ -1,14 +1,45 @@
 """Tests that verify Flatpak support"""
 
 import os
-import pytest
 import subprocess
-from urllib.parse import urlparse
+
+import pytest
 
 from pulp_container.tests.functional.constants import REGISTRY_V2
 
+PULP_CA_CERT = "/etc/pulp/certs/pulp_webserver.crt"
+
+
+def _ensure_system_trust():
+    """Add the Pulp CA cert to the system trust store so flatpak can verify TLS.
+
+    On RHEL 9, both flatpak (via GLib/libsoup) and Python's OpenSSL resolve trust
+    through p11-kit.  The only reliable way to make flatpak accept the self-signed
+    Pulp webserver cert is to register it as a trust anchor.  This is safe to call
+    after the certifi patching in script.sh because `trust anchor` only *adds* to
+    the trust store.
+    """
+    anchor = "/etc/pki/ca-trust/source/anchors/pulp_webserver.crt"
+    if os.path.exists(PULP_CA_CERT) and not os.path.exists(anchor):
+        subprocess.check_call(["cp", PULP_CA_CERT, anchor])
+        subprocess.check_call(["update-ca-trust"])
+        # Re-patch certifi in case update-ca-trust regenerated the bundle it points to.
+        result = subprocess.run(
+            ["python3", "-c", "import certifi; print(certifi.where())"],
+            capture_output=True,
+            text=True,
+        )
+        if result.returncode == 0:
+            certifi_path = result.stdout.strip()
+            subprocess.run(
+                ["bash", "-c", f"cat {PULP_CA_CERT} >> '{certifi_path}'"],
+                check=False,
+            )
+
 
 def run_flatpak_commands(host):
+    _ensure_system_trust()
+
     # Remove any leftover remote from a previous failed run before starting.
     subprocess.run(["flatpak", "--user", "remote-delete", "--force", "pulptest"], check=False)
 
@@ -22,27 +53,6 @@ def run_flatpak_commands(host):
         ]
     )
 
-    # OSTree (used by flatpak) verifies TLS against the system CA store, not certifi.
-    # For CI environments using a self-signed cert, configure the remote to trust
-    # the Pulp CA directly rather than relying on system-wide CA trust, which would
-    # interfere with the Python bindings trust setup in script.sh.
-    if urlparse(host).scheme == "https":
-        flatpak_user_repo = os.path.expanduser("~/.local/share/flatpak/repo")
-        ca_cert = "/etc/pulp/certs/pulp_webserver.crt"
-        tls_option = f"tls-ca-path={ca_cert}" if os.path.exists(ca_cert) else "tls-permissive=true"
-        config_path = os.path.join(flatpak_user_repo, "config")
-        try:
-            with open(config_path) as f:
-                content = f.read()
-            content = content.replace(
-                '[remote "pulptest"]',
-                f'[remote "pulptest"]\n{tls_option}',
-            )
-            with open(config_path, "w") as f:
-                f.write(content)
-        except OSError:
-            pass
-
     try:
         # See <https://pagure.io/fedora-lorax-templates/c/cc1155372046baa58f9d2cc27a9e5473bf05a3fb>
         # "lorax-embed-flatpaks.tmpl: Run the flatpak-install under dbus-run-session" for the need
@@ -67,7 +77,7 @@ def run_flatpak_commands(host):
                 "uninstall",
                 "--noninteractive",
                 "net.fishsoup.Hello",
-            ]
+            ],
         )
         subprocess.run(
             [
@@ -76,7 +86,7 @@ def run_flatpak_commands(host):
                 "uninstall",
                 "--noninteractive",
                 "net.fishsoup.BusyBoxPlatform",
-            ]
+            ],
         )
         subprocess.run(["flatpak", "--user", "remote-delete", "pulptest"])
 
