testing flatpak tls setup

Author: gerrod3

.github/workflows/scripts/post_before_script.sh

@@ -2,4 +2,6 @@ SCENARIOS=("pulp" "performance" "azure" "gcp" "s3" "generate-bindings" "lowerbou
 if [[ " ${SCENARIOS[*]} " =~ " ${TEST} " ]]; then
   # Needed by pulp_container/tests/functional/api/test_flatpak.py:
   cmd_prefix dnf install -yq dbus-daemon flatpak
+
+  cmd_prefix cp /etc/pulp/certs/pulp_webserver.crt /etc/pki/ca-trust/source/anchors/pulp_webserver.crt
 fi

.github/workflows/scripts/script.sh

@@ -138,8 +138,9 @@ else
     cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m parallel -n 8 --nightly"
     cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m 'not parallel' --nightly"
   else
-    cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m parallel -n 8"
-    cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m 'not parallel'"
+    # cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m parallel -n 8"
+    # cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -m 'not parallel'"
+    cmd_user_prefix bash -c "pytest -v --timeout=300 -r sx --color=yes --suppress-no-test-exit-code --durations=20 --pyargs pulp_container.tests.functional -k 'test_flatpak'"
   fi
 fi
 pushd ../pulp-cli

pulp_container/tests/functional/api/test_flatpak.py

@@ -1,48 +1,14 @@
 """Tests that verify Flatpak support"""
 
-import os
 import subprocess
 
 import pytest
 
 from pulp_container.tests.functional.constants import REGISTRY_V2
 
-PULP_CA_CERT = "/etc/pulp/certs/pulp_webserver.crt"
-
-
-def _ensure_system_trust():
-    """Add the Pulp CA cert to the system trust store so flatpak can verify TLS.
-
-    On RHEL 9, both flatpak (via GLib/libsoup) and Python's OpenSSL resolve trust
-    through p11-kit.  The only reliable way to make flatpak accept the self-signed
-    Pulp webserver cert is to register it as a trust anchor.  This is safe to call
-    after the certifi patching in script.sh because `trust anchor` only *adds* to
-    the trust store.
-    """
-    anchor = "/etc/pki/ca-trust/source/anchors/pulp_webserver.crt"
-    if os.path.exists(PULP_CA_CERT) and not os.path.exists(anchor):
-        subprocess.check_call(["cp", PULP_CA_CERT, anchor])
-        subprocess.check_call(["update-ca-trust"])
-        # Re-patch certifi in case update-ca-trust regenerated the bundle it points to.
-        result = subprocess.run(
-            ["python3", "-c", "import certifi; print(certifi.where())"],
-            capture_output=True,
-            text=True,
-        )
-        if result.returncode == 0:
-            certifi_path = result.stdout.strip()
-            subprocess.run(
-                ["bash", "-c", f"cat {PULP_CA_CERT} >> '{certifi_path}'"],
-                check=False,
-            )
-
 
 def run_flatpak_commands(host):
-    _ensure_system_trust()
-
-    # Remove any leftover remote from a previous failed run before starting.
-    subprocess.run(["flatpak", "--user", "remote-delete", "--force", "pulptest"], check=False)
-
+    # Install flatpak:
     subprocess.check_call(
         [
             "flatpak",
@@ -52,43 +18,41 @@ def run_flatpak_commands(host):
             "oci+" + host,
         ]
     )
+    # See <https://pagure.io/fedora-lorax-templates/c/cc1155372046baa58f9d2cc27a9e5473bf05a3fb>
+    # "lorax-embed-flatpaks.tmpl: Run the flatpak-install under dbus-run-session" for the need for
+    # dbus-run-session to avoid "error: Cannot autolaunch D-Bus without X11 $DISPLAY":
+    subprocess.check_call(
+        [
+            "dbus-run-session",
+            "flatpak",
+            "--user",
+            "install",
+            "--noninteractive",
+            "pulptest",
+            "net.fishsoup.Hello",
+        ]
+    )
 
-    try:
-        # See <https://pagure.io/fedora-lorax-templates/c/cc1155372046baa58f9d2cc27a9e5473bf05a3fb>
-        # "lorax-embed-flatpaks.tmpl: Run the flatpak-install under dbus-run-session" for the need
-        # for dbus-run-session to avoid "error: Cannot autolaunch D-Bus without X11 $DISPLAY":
-        subprocess.check_call(
-            [
-                "dbus-run-session",
-                "flatpak",
-                "--user",
-                "install",
-                "--noninteractive",
-                "pulptest",
-                "net.fishsoup.Hello",
-            ]
-        )
-    finally:
-        # Clean up flatpak — runs even if install fails so the next test starts clean.
-        subprocess.run(
-            [
-                "flatpak",
-                "--user",
-                "uninstall",
-                "--noninteractive",
-                "net.fishsoup.Hello",
-            ],
-        )
-        subprocess.run(
-            [
-                "flatpak",
-                "--user",
-                "uninstall",
-                "--noninteractive",
-                "net.fishsoup.BusyBoxPlatform",
-            ],
-        )
-        subprocess.run(["flatpak", "--user", "remote-delete", "pulptest"])
+    # Clean up flatpak:
+    subprocess.run(
+        [
+            "flatpak",
+            "--user",
+            "uninstall",
+            "--noninteractive",
+            "net.fishsoup.Hello",
+        ]
+    )
+    subprocess.run(
+        [
+            "flatpak",
+            "--user",
+            "uninstall",
+            "--noninteractive",
+            "net.fishsoup.BusyBoxPlatform",
+        ]
+    )
+    subprocess.run(["flatpak", "--user", "remote-delete", "pulptest"])
 
 
 def test_flatpak_install(