From 0f9a77c0e3d3188a897f68eedf73745347364036 Mon Sep 17 00:00:00 2001
From: Brendan Reilly <breilly@redhat.com>
Date: Jun 17 2021 13:46:11 +0000
Subject: Add noverifyssl option to oz image builds


---

diff --git a/builder/kojid b/builder/kojid
index 04d5c4e..1e07556 100755
--- a/builder/kojid
+++ b/builder/kojid
@@ -3763,6 +3763,10 @@ class OzImageTask(BaseTaskHandler):
         # repo associated with the target passed in initially.
         ks.handler.repo.repoList = []  # delete whatever the ks file told us
         repo_class = kscontrol.dataMap[ks.version]['RepoData']
+        # only use noverifyssl if allowed in kojid.conf
+        if self.opts.get('noverifyssl') and not self.options.allow_noverifyssl:
+            raise koji.BuildError("noverifyssl option is not enabled")
+        noverifyssl = self.options.allow_noverifyssl and self.opts.get('noverifyssl')
         # TODO: sensibly use "url" and "repo" commands in kickstart
         if self.opts.get('repo'):
             # the user used --repo at least once
@@ -3771,7 +3775,8 @@ class OzImageTask(BaseTaskHandler):
             for user_repo in user_repos:
                 repo_url = user_repo.replace('$arch', self.arch)
                 ks.handler.repo.repoList.append(repo_class(
-                    baseurl=repo_url, name='koji-override-%i' % index))
+                    baseurl=repo_url, name='koji-override-%i' % index,
+                    noverifyssl=noverifyssl))
                 index += 1
         else:
             # --repo was not given, so we use the target's build repo
@@ -3781,9 +3786,10 @@ class OzImageTask(BaseTaskHandler):
             baseurl = '%s/%s' % (repopath, self.arch)
             self.logger.debug('BASEURL: %s' % baseurl)
             ks.handler.repo.repoList.append(repo_class(
-                baseurl=baseurl, name='koji-override-0'))
+                baseurl=baseurl, name='koji-override-0',
+                noverifyssl=noverifyssl))
         # inject the URL of the install tree into the kickstart
-        ks.handler.url(url=install_tree)
+        ks.handler.url(url=install_tree, noverifyssl=noverifyssl)
         return ks
 
     def writeKickstart(self, ksobj, ksname):
@@ -6362,7 +6368,8 @@ def get_options():
                 'xz_options': '-z6T0',
                 'task_avail_delay': 300,
                 'cert': None,
-                'serverca': None}
+                'serverca': None,
+                'allow_noverifyssl': False}
     if config.has_section('kojid'):
         for name, value in config.items('kojid'):
             if name in ['sleeptime', 'maxjobs', 'minspace', 'retry_interval',
@@ -6376,7 +6383,8 @@ def get_options():
                     quit("value for %s option must be a valid integer" % name)
             elif name in ['offline_retry', 'use_createrepo_c', 'createrepo_skip_stat',
                           'createrepo_update', 'use_fast_upload', 'support_rpm_source_layout',
-                          'build_arch_can_fail', 'no_ssl_verify', 'log_timestamps']:
+                          'build_arch_can_fail', 'no_ssl_verify', 'log_timestamps',
+                          'allow_noverifyssl']:
                 defaults[name] = config.getboolean('kojid', name)
             elif name in ['plugin', 'plugins']:
                 defaults['plugin'] = value.split()
diff --git a/builder/kojid.conf b/builder/kojid.conf
index 1ce0f18..4dc2a87 100644
--- a/builder/kojid.conf
+++ b/builder/kojid.conf
@@ -138,3 +138,6 @@ from_addr=Koji Build System <buildsys@example.com>
 
 ;path where builder plugins are located, there could be multiple paths delimited by :
 ;pluginpath = /usr/lib/koji-builder-plugins
+
+;allow passing noverifyssl option to anaconda for image builds
+;allow_noverifyssl = False
diff --git a/cli/koji_cli/commands.py b/cli/koji_cli/commands.py
index 0fa1f06..fffb920 100644
--- a/cli/koji_cli/commands.py
+++ b/cli/koji_cli/commands.py
@@ -6040,6 +6040,9 @@ def handle_image_build(options, session, args):
                       help=_("The syntax version used in the kickstart file"))
     parser.add_option("--noprogress", action="store_true",
                       help=_("Do not display progress of the upload"))
+    parser.add_option("--noverifyssl", action="store_true",
+                      help=_("Use the noverifyssl option for the install tree and all repos. "
+                             "This option is only allowed if enabled on the builder."))
     parser.add_option("--nowait", action="store_false", dest="wait",
                       help=_("Don't wait on image creation"))
     parser.add_option("--ova-option", action="append",
diff --git a/tests/test_cli/test_image_build.py b/tests/test_cli/test_image_build.py
index 5067e50..313e679 100644
--- a/tests/test_cli/test_image_build.py
+++ b/tests/test_cli/test_image_build.py
@@ -33,6 +33,7 @@ TASK_OPTIONS = {
     "ksurl": "git://git.fedorahosted.org/git/spin-kickstarts.git?fedora26#68c40eb7",
     "ksversion": "DEVEL",
     "noprogress": None,
+    "noverifyssl": None,
     "optional_arches": [
         "ppc",
         "arm64"
@@ -356,6 +357,9 @@ Options:
   --ksurl=SCMURL        The URL to the SCM containing the kickstart file
   --ksversion=VERSION   The syntax version used in the kickstart file
   --noprogress          Do not display progress of the upload
+  --noverifyssl         Use the noverifyssl option for the install tree and
+                        all repos. This option is only allowed if enabled on
+                        the builder.
   --nowait              Don't wait on image creation
   --ova-option=OVA_OPTION
                         Override a value in the OVA description XML. Provide a