Add Keys, Script and Signing Service to dev environment

This PR adds: - secret and public keys on dev/common/ - imports and trusts keys on container build time - add make docker/add-signing-service TODO: - [ ] Route URL to spawn sign task (subclass pulp_ansible#754 serializer) - [ ] Surface the signature on collectionversion serializer - [ ] Add test to sign a collection Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0 env:PULP_CONTAINER_REVISION=39b3000150960c554d2124ab3654e3e7b4c54352 env:PULPCORE_REVISION=f8306ac5d3af1cf9936d39abb0568e86d18cd55f env:GALAXY_IMPORTER_REVISION=7091519f38acb8e10b85baffe7c6074b02309598
ansible · Dec 9, 2021 · d3f1de7 · d3f1de7
1 parent c2eb855
commit d3f1de7
Show file tree

Hide file tree

Showing 9 changed files with 81 additions and 5 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -5,4 +5,3 @@ venv/
 pip-wheel-metadata/
 **/__pycache__/
 .git/
-dev/
diff --git a/CHANGES/1181.misc b/CHANGES/1181.misc
@@ -0,0 +1 @@
+Add keys, script and signing service to dev env
diff --git a/Makefile b/Makefile
@@ -7,13 +7,13 @@ DJ_MANAGER = $(shell if [ "$(RUNNING)" == "" ]; then echo manage; else echo djan
 
 define exec_or_run
 	# Tries to run on existing container if it exists, otherwise starts a new one.
-	@echo $(1)$(2)$(3)$(4)$(5)
+	@echo $(1)$(2)$(3)$(4)$(5)$(6)
 	@if [ "$(RUNNING)" != "" ]; then \
 		echo "Running on existing container $(RUNNING)" 1>&2; \
-		./compose exec $(1) $(2) $(3) $(4) $(5); \
+		./compose exec $(1) $(2) $(3) $(4) $(5) $(6); \
 	else \
 		echo "Starting new container" 1>&2; \
-		./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5); \
+		./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5) $(6); \
 	fi
 endef
 
@@ -92,6 +92,10 @@ docker/makemigrations:   ## Run django migrations
 docker/migrate:   ## Run django migrations
 	$(call exec_or_run, api, $(DJ_MANAGER), migrate)
 
+.PHONY: docker/add-signing-service
+docker/add-signing-service:    ## Add a Signing service using default GPG key
+	$(call exec_or_run, worker, $(DJ_MANAGER), add-signing-service, ansible-default, /var/lib/pulp/scripts/collection_sign.sh, [email protected])
+
 .PHONY: docker/resetdb
 docker/resetdb:   ## Cleans database
 	# Databases must be stopped to be able to reset them.
@@ -109,6 +113,7 @@ docker/all: 	                                ## Build, migrate, loaddata, transl
 	make docker/migrate
 	make docker/loaddata
 	make docker/translations
+	make docker/add-signing-service
 
 # Application management and debugging
 

diff --git a/dev/Dockerfile.base b/dev/Dockerfile.base
@@ -38,6 +38,7 @@ RUN set -ex; \
         python38-devel \
         libpq \
         libpq-devel \
+        pinentry \
     && dnf clean all \
     && rm -rf /var/cache/dnf/ \
     && rm -f /var/lib/rpm/__db.* \
@@ -54,6 +55,7 @@ ENV PATH="/venv/bin:${PATH}" \
     VIRTUAL_ENV="/venv"
 
 COPY ./requirements/requirements.common.txt /tmp/requirements.txt
+COPY ./dev/common/ansible-sign.key /tmp/ansible-sign.key
 
 RUN set -ex; \
     pip install --no-cache-dir --upgrade pip \
@@ -83,9 +85,11 @@ RUN set -ex; \
     && mkdir --mode=2775 -p \
              /var/lib/pulp/artifact \
              /var/lib/pulp/tmp \
+             /var/lib/pulp/scripts \
              /tmp/ansible \
     && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/artifact \
     && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/tmp \
+    && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/scripts \
     && chown ${USER_NAME}:${USER_GROUP} \
         /tmp/ansible \
         /etc/ansible \
@@ -98,7 +102,9 @@ RUN set -ex; \
     && chmod 0644 /var/log/galaxy_api_access.log \
     && chown galaxy:galaxy /var/log/galaxy_api_access.log \
     && mkdir -p /etc/pulp/certs/ \
-    && echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key
+    && echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key \
+    && gpg --batch --import /tmp/ansible-sign.key &>/dev/null \
+    && (echo trust &echo 5 &echo y &echo quit &echo save) | gpg --batch --command-fd 0 --edit-key galaxy3 &>/dev/null
 
 # This symmetric.key is for dev only and should not be used in production
 # DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=

diff --git a/dev/common/ansible-sign-pub.gpg b/dev/common/ansible-sign-pub.gpg
diff --git a/dev/common/ansible-sign-pub.txt b/dev/common/ansible-sign-pub.txt
@@ -0,0 +1,41 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBGGyPsgBDACpWO2BexH3orSI2ksseqLjQ9h6Eq2HaBQdJLLQZZvkiWB/e3Gy
+8gvO3wgP7XxcIH09kddvmEFa4BXheXNd74qKTdoKh5UX2oFnw1rDwrQjcMKxJnjm
+Yku6br68kMfaNkwyQrSY7wwZ3XG/UfoWtdMehZKDZWD1YwTuaSJ5kxhsmQVxlN+U
+pTMG3uEC7aykogyzIH2PWvMoaP+XDvUb7XXJs0Z54tPzF9ngYpNiwTlMrm7+Q2FG
+1qognKlzEfKJ9FVSE9cO7MGCYOYCUrKcPahEMMnNDRnY5FwCEVTZhH/LgXg0pY7x
+pyKAvCFi+j2QSlYlvhGKJWgZG2v9qH6DPRla5mf8+f6/gviEGum9DwwjlJ2bFWrw
+fVGH7Ij9L1D3qjxFuMJkumEF9qpdfG8NZYingDsbgwjdKn6VXqmdVkUXNDwnk3gG
+tPQ9wd46qrUPzjwJ+66c28XKnjOJbJ7HU1bth9q7uvnoOqgNJGJVJhX+1+CXhSIA
+UnPsTOq5ivx/2DUAEQEAAbQiR2FsYXh5IERldiAzIDxnYWxheHkzQGFuc2libGUu
+Y29tPokB1AQTAQgAPhYhBOvtFw6MlIDiKh0FmxUlDp7ApiV3BQJhsj7IAhsDBQkD
+wmcABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEBUlDp7ApiV3i0UL/1mjlc08
+IHJDA64xIqifN96s7TEpuSw1DNkCrvBpZkbcZjEpLYW8QiTatTUbf2NgEFlOl6Xi
+H1Q9+oU03BAF1e8ymTRFuCkPdhqcjbkORke5/1PuemGG39SfRVsjVNrceXh9kWs0
+eOfnOvDt4RpNUO2lHf34NmQuxRqiALSb4gK5xrS2K2Y2hySEZldy6RcGURdm+pmf
+o4XQIZuzlGo7bV1vEmfZ/81kkOS5FlmOZt+Qm+YB8B7VjGY1RLtH7kY0y75j9Xea
+XMeraK+g3Om5TkCsqryR5EMs+xlX2B20rmVJ4NIxkq8o+llr3Yac/+T261XMjHGr
+2Sg/mVHVKTqtLlRwNDfg+iAQsr9AuUe4azp1EFAZL7zVQaFGlDRo1FX4EyTiVi7j
+nSNWl5j3Jm2+n7ddG7qi1v8OYxMFwtJoGeqLI3QFCu7la/hQVg8M7bifeMx4O9/G
+w4Q2EemGGMhSuC3p8Wig0sUIxu84xTHBGttFdwGimNS+pEd5LjTgwbulcrkBjQRh
+sj7IAQwArHLjcJTMfDuxOLF6cVprf7eidcC5YMKf5zIp2kRHLJdLGC2IbvLPcegM
+s9qh/GAfpO+3MbdUycoTJF7QrFxXqilJPbSEgQQN7J+SKjQ2UE95GxjSAijZ7moo
+a87crV/wvk+qth0XZCF3flKGJ2KQHIWN/9R6hRiPRjSy8KAHpxgjpEIjdhz4emPr
+aRzyK9zOqXWymcnTO2LcEP5NdBK8QIEXg7XYO2k7i08okhMzA+u0+Ke2ZDT/pI1e
+wd+xnBwpGoycQvVNSJg8bG5rPhWD9ADiR0SB+r12fLmReQBF/wVG9rB7pW3F3KqU
+m7CjgC3mP9EuqbDA2G4ruH1+T4Ff1zbaXmB5BzRu+VgRoQ50m6j84IJvq1kKAn5E
+UbRn6583ltgNPid9dzmslCN7upuzzq2fV7PRWCKcd0aT/wJ94UBO4ufjo8hIFwxa
+RbSAruBRJfWsS9rDwYs32QwfmSLrDXYlGpjG1HUZ3J5LLjHipvZeZlmNt5rUvni/
+ajQcyiP5ABEBAAGJAbwEGAEIACYWIQTr7RcOjJSA4iodBZsVJQ6ewKYldwUCYbI+
+yAIbDAUJA8JnAAAKCRAVJQ6ewKYldz/uC/9JiVlWge5sswUYUiV+TcXtATN3UKRE
+BEKtQYNgBW6geLwMyIsxSTBfpSoioezSZrriFirnQAtvrygUqTeX/uq4TD5qY502
+EejE+onF7bHpUEfJ/biyXQuFDBqNGBsWYnXxPbhXBY+mGhY5un5mg6TEGL2SMdSj
+5uhTBcaQ3BkGaqNng1nVC710nwQcMm8f9qs4uOogqy7Ndl1xtoRQZa9/Vbi3vIDC
+P9GYGUdAPu1OuXvl9wFYIKlWy95CS+L25o/59JbqT+XLLiyAnEmyMvWF+JUScm6H
+6wAjDoZOenmBSzgKs/7POb7z3ktZrEWvTcNHWCuH7hwYOP/zAWrble9RdUsRZF/K
+dcWrMZmkDSqOch6Qbp+vc8n/Z1rFiNvyfbiAkQ/Z9BW3+iHolEGHwq4i/O9Xx5bq
+NWuRMs3XgtmQpAxFi2C8nGo5E8eDUw4qKHXYNkcuOraay0wBNpoffISO4+d24GB4
+I6KUd9Bv1wf+etJ50jZ0dzt+T1Qs2wKbtf0=
+=PHJy
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/dev/common/ansible-sign.key b/dev/common/ansible-sign.key
diff --git a/dev/common/collection_sign.sh b/dev/common/collection_sign.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+FILE_PATH=$1
+SIGNATURE_PATH="$1.asc"
+
+ADMIN_ID="[email protected]"
+PASSWORD="Galaxy2022"
+
+# Create a detached signature
+gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
+   $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
+   --armor --output $SIGNATURE_PATH $FILE_PATH
+
+# Check the exit status
+STATUS=$?
+if [ $STATUS -eq 0 ]; then
+   echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
+else
+   exit $STATUS
+fi
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
@@ -21,6 +21,7 @@ services:
     entrypoint: "/bin/true"
     tmpfs:
       - "/var/lib/pulp/artifact"
+      - "/var/lib/pulp/scripts"
       - "/var/lib/pulp/tmp"
       - "/tmp/ansible"
 
@@ -44,6 +45,7 @@ services:
       - './common/galaxy_ng.env'
     volumes:
       - "./common/settings.py:/etc/pulp/settings.py:z"
+      - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
       - "${COMPOSE_CONTEXT}/..:/src:z"
       - "pulp:/var/lib/pulp"
     tmpfs:
@@ -65,6 +67,7 @@ services:
       - './common/galaxy_ng.env'
     volumes:
       - "./common/settings.py:/etc/pulp/settings.py:z"
+      - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
       - "${COMPOSE_CONTEXT}/..:/src:z"
       - "pulp:/var/lib/pulp"
     tmpfs:
@@ -88,6 +91,7 @@ services:
       - './common/galaxy_ng.env'
     volumes:
       - "./common/settings.py:/etc/pulp/settings.py:z"
+      - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
       - "${COMPOSE_CONTEXT}/..:/src:z"
       - "pulp:/var/lib/pulp"
     tmpfs:
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,4 +5,3 @@ venv/ @@
     pip-wheel-metadata/
     **/__pycache__/
     .git/
-    dev/
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Add keys, script and signing service to dev env