pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads


Tests for repository importer signature checks.

As of Pulp 2.10, it’s possible to configure an RPM repository importer to perform checks on all synced-in and uploaded packages. Two new importer options are available:

require_signature
A boolean. If true, imported packages must be signed with a key listed in allowed_keys.
allowed_keys
A list of 32-bit key IDs, as hex characters (e.g. ["deadbeef"]). An empty list is treated as the list of all possible key IDs.

Beware that if a package has a signature, the key ID of that signature must be listed in allowed_keys, even when require_signature is false. The only importer configuration that allows all packages is {'require_signature': False, 'allowed_keys': []}.

To test this feature, importers with at least the following options should be created:

{'require_signature': False, 'allowed_keys': ['invalid key id']}
{'require_signature': False, 'allowed_keys': ['valid key id']}
{'require_signature': False, 'allowed_keys': []}
{'require_signature': True, 'allowed_keys': ['invalid key id']}
{'require_signature': True, 'allowed_keys': ['valid key id']}
{'require_signature': True, 'allowed_keys': []}

In addition, at least the following types of packages should be imported:

* Signed DRPMs
* Signed RPMs
* Signed SRPMs
* Unsigned DRPMs
* Unsigned RPMs
* Unsigned SRPMs

Finally, importer options may be changed in some circumstances, and Pulp should gracefully handle those changes.

For more information, see Pulp #1991 and Pulp Smash #347.
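The accept/reject behaviour the test cases below expect can be written as one small decision function. This is an added model of the documented behaviour, not Pulp's or Pulp Smash's own code. The names validate_config, import_allowed, decision_matrix, SIGNER and OTHER are hypothetical, the key IDs are constructed, and case-insensitive comparison is an assumption.

```python
import re

# 32 bits = exactly 8 hex characters, per the allowed_keys description.
KEY_ID_RE = re.compile(r"[0-9a-fA-F]{8}")

# Constructed key IDs: packages in this model are signed with SIGNER.
SIGNER, OTHER = "deadbeef", "0badc0de"


def validate_config(config):
    """Refuse importer configs whose key IDs are not 32 bits of hex."""
    for key_id in config["allowed_keys"]:
        if not KEY_ID_RE.fullmatch(key_id):
            raise ValueError("key ID must be 8 hex characters: %r" % (key_id,))
    return config


def import_allowed(config, signing_key_id):
    """Decide one import; signing_key_id is None for an unsigned package."""
    if signing_key_id is None:
        return not config["require_signature"]
    # Assumption: key IDs compare case-insensitively.
    allowed = {key_id.lower() for key_id in config["allowed_keys"]}
    # An empty list stands for every possible key ID. A signed package is
    # checked against the list even when require_signature is false.
    return not allowed or signing_key_id.lower() in allowed


def decision_matrix():
    """Map (require_signature, allowed_keys) -> (signed_ok, unsigned_ok)."""
    matrix = {}
    for require in (False, True):
        for keys in ((OTHER,), (SIGNER,), ()):
            config = validate_config(
                {"require_signature": require, "allowed_keys": list(keys)}
            )
            matrix[(require, keys)] = (
                import_allowed(config, SIGNER),
                import_allowed(config, None),
            )
    return matrix


if __name__ == "__main__":
    for (require, keys), (signed_ok, unsigned_ok) in decision_matrix().items():
        print(require, list(keys), "signed:", signed_ok, "unsigned:", unsigned_ok)
```

Each row of the matrix corresponds to one of the six importer configurations listed above, with "invalid key id" modelled as a well-formed key ID that did not sign the package.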

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.AllowAnyKeyTestCase(methodName='runTest')

Use an importer that allows unsigned packages and has no key IDs.

The importer should have the following pseudocode configuration:

{"require_signature": false, "allowed_keys": []}

classmethod setUpClass()

Create a repository with an importer.

test_all_packages()

Import signed and unsigned DRPM, RPM & SRPM packages into the repo.

Verify that each import succeeds.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.AllowInvalidKeyTestCase(methodName='runTest')

Use an importer that allows unsigned packages and has an invalid key ID.

The importer should have the following pseudocode configuration:

{"require_signature": false, "allowed_keys": ["invalid key id"]}

classmethod setUpClass()

Create a repository with an importer.

test_signed_packages()

Import signed DRPM, RPM and SRPM packages into the repository.

Verify that each import fails.

test_unsigned_packages()

Import unsigned DRPM, RPM and SRPM packages into the repository.

Verify that each import succeeds.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.AllowValidKeyTestCase(methodName='runTest')

Use an importer that allows unsigned packages and has a valid key ID.

The importer should have the following pseudocode configuration:

{"require_signature": false, "allowed_keys": ["valid key id"]}

classmethod setUpClass()

Create a repository with an importer.

test_all_packages()

Import signed and unsigned DRPM, RPM & SRPM packages into the repo.

Verify that each import succeeds.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.KeyLengthTestCase(methodName='runTest')

Verify Pulp rejects key IDs that are not 32 bits long.

An OpenPGP-compatible key ID (key fingerprint) is traditionally a 32-bit value. Newer OpenPGP key handling software allows for longer key IDs, and this is recommended, as it’s extremely easy to find colliding key IDs. [1] However, Pulp allows only the short key IDs.

[1] https://evil32.com/

test_key_ids()

Create importers with key IDs shorter and longer than 32 bits.

Pulp should prevent the importers from being created.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.RequireAnyKeyTestCase(methodName='runTest')

Use an importer that requires signatures and has no key IDs.

The importer should have the following pseudocode configuration:

{"require_signature": true, "allowed_keys": []}

classmethod setUpClass()

Create a repository with an importer.

test_signed_packages()

Import signed DRPM, RPM and SRPM packages into the repo.

Verify that each import succeeds.

test_unsigned_packages()

Import unsigned DRPM, RPM and SRPM packages into the repo.

Verify that each import fails.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.RequireInvalidKeyTestCase(methodName='runTest')

Use an importer that requires signatures and has an invalid key ID.

The importer should have the following pseudocode configuration:

{"require_signature": true, "allowed_keys": ["invalid key id"]}

classmethod setUpClass()

Create a repository with an importer.

test_all_packages()

Import signed and unsigned DRPM, RPM & SRPM packages into the repo.

Verify that each import fails.

class pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.RequireValidKeyTestCase(methodName='runTest')

Use an importer that requires signatures and has a valid key ID.

The importer should have the following pseudocode configuration:

{"require_signature": true, "allowed_keys": ["valid key id"]}

classmethod setUpClass()

Create a repository with an importer.

test_signed_packages()

Import signed DRPM, RPM and SRPM packages into the repository.

Verify that each import succeeds.

test_unsigned_packages()

Import unsigned DRPM, RPM and SRPM packages into the repository.

Verify that each import fails.

pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.setUpModule()

Conditionally skip tests. Cache packages to be uploaded to repos.

Skip the tests in this module if:

  • The RPM plugin is unsupported.
  • Pulp #1991 is untestable for the version of Pulp under test.

pulp_smash.tests.rpm.api_v2.test_signatures_checked_for_uploads.tearDownModule()

Delete the cached set of packages to be uploaded to repos.