11"""Tests that verify Flatpak support"""
22
33import os
4+ import tempfile
5+
46import pytest
57import subprocess
6- from urllib .parse import urlparse
78
89from pulp_container .tests .functional .constants import REGISTRY_V2
910
11+ PULP_CA_CERT = "/etc/pulp/certs/pulp_webserver.crt"
12+ SYSTEM_CA_BUNDLE = "/etc/pki/tls/cert.pem"
13+
14+
15+ def _build_flatpak_env ():
16+ """Build an env with SSL_CERT_FILE pointing to a CA bundle that includes the Pulp cert.
17+
18+ Flatpak uses GLib's OpenSSL TLS backend (on RHEL 9) which honours SSL_CERT_FILE.
19+ This lets flatpak trust the self-signed Pulp cert without modifying the system
20+ trust store (which would break the certifi-based Python bindings).
21+ """
22+ if not os .path .exists (PULP_CA_CERT ):
23+ return None
24+
25+ bundle = tempfile .NamedTemporaryFile (
26+ mode = "w" , prefix = "flatpak-ca-" , suffix = ".pem" , delete = False
27+ )
28+ try :
29+ if os .path .exists (SYSTEM_CA_BUNDLE ):
30+ with open (SYSTEM_CA_BUNDLE ) as sys_ca :
31+ bundle .write (sys_ca .read ())
32+ bundle .write ("\n " )
33+ with open (PULP_CA_CERT ) as pulp_ca :
34+ bundle .write (pulp_ca .read ())
35+ finally :
36+ bundle .close ()
37+
38+ env = os .environ .copy ()
39+ env ["SSL_CERT_FILE" ] = bundle .name
40+ return env
41+
1042
1143def run_flatpak_commands (host ):
44+ env = _build_flatpak_env ()
45+
1246 # Remove any leftover remote from a previous failed run before starting.
13- subprocess .run (["flatpak" , "--user" , "remote-delete" , "--force" , "pulptest" ], check = False )
47+ subprocess .run (
48+ ["flatpak" , "--user" , "remote-delete" , "--force" , "pulptest" ],
49+ check = False ,
50+ env = env ,
51+ )
1452
1553 subprocess .check_call (
1654 [
@@ -19,30 +57,10 @@ def run_flatpak_commands(host):
1957 "remote-add" ,
2058 "pulptest" ,
2159 "oci+" + host ,
22- ]
60+ ],
61+ env = env ,
2362 )
2463
25- # OSTree (used by flatpak) verifies TLS against the system CA store, not certifi.
26- # For CI environments using a self-signed cert, configure the remote to trust
27- # the Pulp CA directly rather than relying on system-wide CA trust, which would
28- # interfere with the Python bindings trust setup in script.sh.
29- if urlparse (host ).scheme == "https" :
30- flatpak_user_repo = os .path .expanduser ("~/.local/share/flatpak/repo" )
31- ca_cert = "/etc/pulp/certs/pulp_webserver.crt"
32- tls_option = f"tls-ca-path={ ca_cert } " if os .path .exists (ca_cert ) else "tls-permissive=true"
33- config_path = os .path .join (flatpak_user_repo , "config" )
34- try :
35- with open (config_path ) as f :
36- content = f .read ()
37- content = content .replace (
38- '[remote "pulptest"]' ,
39- f'[remote "pulptest"]\n { tls_option } ' ,
40- )
41- with open (config_path , "w" ) as f :
42- f .write (content )
43- except OSError :
44- pass
45-
4664 try :
4765 # See <https://pagure.io/fedora-lorax-templates/c/cc1155372046baa58f9d2cc27a9e5473bf05a3fb>
4866 # "lorax-embed-flatpaks.tmpl: Run the flatpak-install under dbus-run-session" for the need
@@ -56,7 +74,8 @@ def run_flatpak_commands(host):
5674 "--noninteractive" ,
5775 "pulptest" ,
5876 "net.fishsoup.Hello" ,
59- ]
77+ ],
78+ env = env ,
6079 )
6180 finally :
6281 # Clean up flatpak — runs even if install fails so the next test starts clean.
@@ -67,7 +86,7 @@ def run_flatpak_commands(host):
6786 "uninstall" ,
6887 "--noninteractive" ,
6988 "net.fishsoup.Hello" ,
70- ]
89+ ],
7190 )
7291 subprocess .run (
7392 [
@@ -76,9 +95,11 @@ def run_flatpak_commands(host):
7695 "uninstall" ,
7796 "--noninteractive" ,
7897 "net.fishsoup.BusyBoxPlatform" ,
79- ]
98+ ],
8099 )
81100 subprocess .run (["flatpak" , "--user" , "remote-delete" , "pulptest" ])
101+ if env and "SSL_CERT_FILE" in env :
102+ os .unlink (env ["SSL_CERT_FILE" ])
82103
83104
84105def test_flatpak_install (
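Review bot: The CA bundle that `_build_flatpak_env()` creates with `delete=False` is unlinked only by the last statement of the `finally` block in `run_flatpak_commands`, so it is left on disk whenever something fails earlier. The first `remote-delete` and the `remote-add` `check_call` both run before the `try:`, so a non-zero exit from `remote-add` skips the cleanup. Inside the helper, an error while copying either certificate closes the file but never removes it. I would open the `try:` immediately after `env = _build_flatpak_env()` so the existing `os.unlink(env["SSL_CERT_FILE"])` covers every flatpak call, and add `except BaseException:` / `os.unlink(bundle.name)` / `raise` ahead of the helper's `finally:`. Parts of `run_flatpak_commands` fall between the visible hunks, so confirm that nothing there returns or raises before the `finally` is reached.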