#60 Add a configuration option to define who can import RPM builds into koji
Opened 6 months ago by bstinson. Modified 6 months ago
bstinson/robosignatory fix/59  into  master

file modified
+2
@@ -94,6 +94,8 @@ 

          [consumer_config.koji_instances.primary]

          url = 'http://koji.fedoraproject.org/kojihub'

          mbs_user = 'mbs/mbs.example.com'

+         # Users that are allowed to import builds into your koji instance

+         build_import_users = ['my-import-user', 'kojiadmin']

  

              [consumer_config.koji_instances.primary.options]

              # Only ssl and kerberos are supported at the moment

file modified
+7 -2
@@ -43,6 +43,10 @@ 

                              'tags': {}}

              if 'mbs_user' in instance_info:

                  instance_obj['mbs_user'] = instance_info['mbs_user']

+             if 'build_import_users' in instance_info:

+                 instance_obj['build_import_users'] = instance_info['build_import_users']

+             else:

+                 instance_obj['build_import_users'] = []

              for tag in instance_info['tags']:

                  if tag['from'] in instance_obj['tags']:

                      raise Exception('From detected twice: %s' % tag['from'])
@@ -258,9 +262,10 @@ 

          log.info('Content tag: %s', content_koji_tag)

          log.info('Signing all module content')

          for build in instance['client'].listTagged(content_koji_tag):

-             if build['owner_name'] != instance['mbs_user']:

+             if build['owner_name'] != instance['mbs_user'] and \

+                 build['owner_name'] not in instance['build_import_users']:

                  log.error(

-                     'Build {build_id} has owner {owner_name}, which is NOT mbs_user!'.format(

+                     'Build {build_id} has owner {owner_name}, which is NOT mbs_user and is not in build_import_users!'.format(

                          **build

                      )

                  )

file modified
+2 -1
@@ -16,6 +16,7 @@ 

          'test': {

              'url': 'https://koji.example.com',

              'mbs_user': 'mbs_user',

+             'build_import_users': ['kojiadmin',],

              'options': {

                  'authmethod': 'kerberos',

                  'principal': 'test@EXAMPLE.COM',
@@ -322,7 +323,7 @@ 

  

          if error == 'non-mbs-owner':

              expected_log_msgs.append(

-                 f"Build {build_id} has owner {build_owner}, which is NOT mbs_user!")

+                 f"Build {build_id} has owner {build_owner}, which is NOT mbs_user and is not in build_import_users!")

              expected_exc_ctx = raises(Exception,

                                        match="Modular content tag contains invalid owned build")

          elif error == 'untrusted-tagger':

This allows us to expand an ownership check when signing modular content
tags to allow signing imported RPMs. This configuration option is
additive, any robosignatory sites out there without the config option it
defaults to the empty list.

Fixes: #59

Signed-off-by: Brian Stinson bstinson@redhat.com