From d3f1de7b18e87d55dcac8c6d984c2e20d13146af Mon Sep 17 00:00:00 2001
From: Bruno Rocha
Date: Thu, 9 Dec 2021 18:53:32 +0000
Subject: [PATCH] Add Keys, Script and Signing Service to dev environment
This PR adds:
- secret and public keys on dev/common/
- imports and trusts keys on container build time
- add make docker/add-signing-service
TODO:
- [ ] Route URL to spawn sign task (subclass pulp_ansible#754 serializer)
- [ ] Surface the signature on collectionversion serializer
- [ ] Add test to sign a collection
Issue: AAH-1181
Required PR: https://github.com/pulp/pulp_ansible/pull/754
env:LOCK_REQUIREMENTS=0
env:PULP_CONTAINER_REVISION=39b3000150960c554d2124ab3654e3e7b4c54352
env:PULPCORE_REVISION=f8306ac5d3af1cf9936d39abb0568e86d18cd55f
env:GALAXY_IMPORTER_REVISION=7091519f38acb8e10b85baffe7c6074b02309598
---
 .dockerignore | 1 -
 CHANGES/1181.misc | 1 +
 Makefile | 11 ++++++---
 dev/Dockerfile.base | 8 ++++++-
 dev/common/ansible-sign-pub.gpg | Bin 0 -> 1754 bytes
 dev/common/ansible-sign-pub.txt | 41 ++++++++++++++++++++++++++++++++
 dev/common/ansible-sign.key | Bin 0 -> 3787 bytes
 dev/common/collection_sign.sh | 20 ++++++++++++++++
 dev/docker-compose.yml | 4 ++++
 9 files changed, 81 insertions(+), 5 deletions(-)
 create mode 100644 CHANGES/1181.misc
 create mode 100644 dev/common/ansible-sign-pub.gpg
 create mode 100644 dev/common/ansible-sign-pub.txt
 create mode 100644 dev/common/ansible-sign.key
 create mode 100755 dev/common/collection_sign.sh
diff --git a/.dockerignore b/.dockerignore
index 23fe409eb7..d3c7eaf69c 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,4 +5,3 @@ venv/
 pip-wheel-metadata/
 **/__pycache__/
 .git/
-dev/
diff --git a/CHANGES/1181.misc b/CHANGES/1181.misc
new file mode 100644
index 0000000000..fa7693aa6a
--- /dev/null
+++ b/CHANGES/1181.misc
@@ -0,0 +1 @@
+Add keys, script and signing service to dev env
diff --git a/Makefile b/Makefile
index 50bed3844a..d80bb3890c 100644
--- a/Makefile
+++ b/Makefile
@@ -7,13 +7,13 @@ DJ_MANAGER = $(shell if [ "$(RUNNING)" == "" ]; then echo manage; else echo djan
 define exec_or_run
 # Tries to run on existing container if it exists, otherwise starts a new one.
- @echo $(1)$(2)$(3)$(4)$(5)
+ @echo $(1)$(2)$(3)$(4)$(5)$(6)
 @if [ "$(RUNNING)" != "" ]; then \
 echo "Running on existing container $(RUNNING)" 1>&2; \
- ./compose exec $(1) $(2) $(3) $(4) $(5); \
+ ./compose exec $(1) $(2) $(3) $(4) $(5) $(6); \
 else \
 echo "Starting new container" 1>&2; \
- ./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5); \
+ ./compose run --use-aliases --service-ports --rm $(1) $(2) $(3) $(4) $(5) $(6); \
 fi
 endef
@@ -92,6 +92,10 @@ docker/makemigrations: ## Run django migrations
 docker/migrate: ## Run django migrations
 $(call exec_or_run, api, $(DJ_MANAGER), migrate)
+.PHONY: docker/add-signing-service
+docker/add-signing-service: ## Add a Signing service using default GPG key
+ $(call exec_or_run, worker, $(DJ_MANAGER), add-signing-service, ansible-default, /var/lib/pulp/scripts/collection_sign.sh, galaxy3@ansible.com)
+
 .PHONY: docker/resetdb
 docker/resetdb: ## Cleans database
 # Databases must be stopped to be able to reset them.
@@ -109,6 +113,7 @@ docker/all: ## Build, migrate, loaddata, transl
 make docker/migrate
 make docker/loaddata
 make docker/translations
+ make docker/add-signing-service
 # Application management and debugging
diff --git a/dev/Dockerfile.base b/dev/Dockerfile.base
index 1b497bbce1..ef2595e6b3 100644
--- a/dev/Dockerfile.base
+++ b/dev/Dockerfile.base
@@ -38,6 +38,7 @@ RUN set -ex; \
 python38-devel \
 libpq \
 libpq-devel \
+ pinentry \
 && dnf clean all \
 && rm -rf /var/cache/dnf/ \
 && rm -f /var/lib/rpm/__db.* \
@@ -54,6 +55,7 @@ ENV PATH="/venv/bin:${PATH}" \
 VIRTUAL_ENV="/venv"
 COPY ./requirements/requirements.common.txt /tmp/requirements.txt
+COPY ./dev/common/ansible-sign.key /tmp/ansible-sign.key
 RUN set -ex; \
 pip install --no-cache-dir --upgrade pip \
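Review bot: The new `docker/add-signing-service` recipe hard-codes the service name `ansible-default`, the script path `/var/lib/pulp/scripts/collection_sign.sh` and the key id `galaxy3@ansible.com`, and the same key id is repeated in dev/Dockerfile.base (`--edit-key galaxy3`) and in dev/common/collection_sign.sh (`ADMIN_ID`), so rotating the dev key means editing three files in step. Lifting the values into overridable variables near the top of the Makefile, for example `SIGNING_KEY_ID ?= galaxy3@ansible.com` and `SIGNING_SCRIPT ?= /var/lib/pulp/scripts/collection_sign.sh` (names are suggestions), and passing `$(SIGNING_KEY_ID)` and `$(SIGNING_SCRIPT)` in the `$(call …)` would make the Makefile the one place to change and lets `make SIGNING_KEY_ID=… docker/add-signing-service` register a different key. The `## Add a Signing service using default GPG key` help text could also name which key "default" means, since that is not obvious from the target alone.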
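Review bot: The added `make docker/add-signing-service` line in `docker/all` invokes a bare `make`; the neighbouring lines do the same, but the jobserver under `-j` and dry-run (`-n`) handling only reach a sub-make started through `$(MAKE)`, so the new line would be better as `$(MAKE) docker/add-signing-service`. `docker/all` now registers the signing service on every run, and whether `add-signing-service` tolerates a name that is already registered is not visible in this patch, so a `## …` comment stating that `docker/all` is meant for a fresh database (or a guard in the recipe) would spare the next person a confusing failure on a second run.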
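Review bot: `COPY ./dev/common/ansible-sign.key /tmp/ansible-sign.key` places the private signing key in its own image layer, so it remains retrievable from the image history even if a later `RUN` removes `/tmp/ansible-sign.key`; the later hunk that imports it with `gpg --batch --import` does not remove it either. That is tolerable only because this is a committed dev-only key, which should be stated next to the COPY the way the symmetric key is annotated further down, e.g. `# Dev-only signing key (checked in under dev/common); never reuse outside the dev compose environment`. If the build runs under BuildKit, importing the key inside a single `RUN --mount=type=secret,…` step would keep it out of the layers entirely, but whether BuildKit is used here is not visible. Note also that this patch drops `dev/` from .dockerignore, so the whole dev tree, key included, now enters the build context of every Dockerfile built from the repository root.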
@@ -83,9 +85,11 @@ RUN set -ex; \
 && mkdir --mode=2775 -p \
 /var/lib/pulp/artifact \
 /var/lib/pulp/tmp \
+ /var/lib/pulp/scripts \
 /tmp/ansible \
 && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/artifact \
 && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/tmp \
+ && chown ${USER_NAME}:${USER_GROUP} /var/lib/pulp/scripts \
 && chown ${USER_NAME}:${USER_GROUP} \
 /tmp/ansible \
 /etc/ansible \
@@ -98,7 +102,9 @@ RUN set -ex; \
 && chmod 0644 /var/log/galaxy_api_access.log \
 && chown galaxy:galaxy /var/log/galaxy_api_access.log \
 && mkdir -p /etc/pulp/certs/ \
- && echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key
+ && echo "DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=" > /etc/pulp/certs/database_fields.symmetric.key \
+ && gpg --batch --import /tmp/ansible-sign.key &>/dev/null \
+ && (echo trust &echo 5 &echo y &echo quit &echo save) | gpg --batch --command-fd 0 --edit-key galaxy3 &>/dev/null
 # This symmetric.key is for dev only and should not be used in production
 # DNmNdwgyZugTax9S64J0FITTr9IHPxbuoF1F1CGPr68=
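Review bot: The trust step `(echo trust &echo 5 &echo y &echo quit &echo save)` launches each `echo` as a background job with `&`, so the order in which the five answers reach `gpg --command-fd 0` is not guaranteed; the separators should be `;`, i.e. `(echo trust; echo 5; echo y; echo quit; echo save) | gpg --batch --command-fd 0 --edit-key galaxy3`. `&>/dev/null` on both new lines is a bash-only redirection: if the image's `/bin/sh` is not bash it parses as `cmd &` followed by a redirect-only command, which backgrounds the import and hides its exit status from the `set -e` of this `RUN`. `>/dev/null 2>&1` is portable, and leaving stderr visible (`>/dev/null` alone) would let an import or trust failure show up in the build log instead of surfacing later as a signing error in the worker. The `RUN set -ex; \` block these lines belong to starts before the hunk.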
diff --git a/dev/common/ansible-sign-pub.gpg b/dev/common/ansible-sign-pub.gpg new file mode 100644 index 0000000000000000000000000000000000000000..000057af24cb053e5cba74817c5bb9148eea86c4 GIT binary patch literal 1754 zcmV<01||8K0gVJ!+JR@oTEoJ$BXGj8CV1vz zOS*2pypYG*HcT=?w3zP<8QpQeQTi6O(;kJAgJod#V+8JLB6*V-Y?%ddl;4!4GX~z_ z0`07%q71VjeUDo6C}{te4)q)Db;+|vdE(Ra7un!qlVZU+Os;PJLt#eNsvw-Ha}n~1 z^i@(5*ADE#f?(zXQnH*qs6;Ty%?%mY(Ml z5sD>f85?W;sD6Vz8CvFN{Q3UBg7}0Q>AepOBb1$+6>9K(QHSh^{V!1Wsys!w!eqK( z1@@|4d~Xe9h^K%%8-oblDt?t-shw6u7c@L4lXwQS^gY4eI;yn~&O8bGuAJM&%APZc zY@WwcR_%w{ySn-4I;agKVpS#;{@37_g(3h_bL>p&xr+RM*fjtV0RRECB1d6tVR(5U zL}hj$Gax)?VQgV|c{4y^ZgXj3Y-KKEZ*4w_0n`K&0SEv-79j-d?H3M=lz`$Y9R-^e zB@UjzrX_a;0%5W~$O0P!1qlPfX8;8Y2?z%Q1{Dek2nzxP76JnS0v-VZ7k~f?2@n+} z4xYfKC3lNO3;$W8mCZaLazg{IF(Rm+H{Pu6F)6t$H4NDTuJCDQM%-pGDJ_M(LL}O? zH5-3pU=UeOm!;w#R6Y8IG~5sc)$cNyG)1^64|W=yjkyj+N4ft~?s{Q{-_)N)TO(B3 z+!7FmvF-;kT;0q`ExjAk`NyGQOuG|RqY^>>v(dH{kjp5VF5OxktEbI&~0G885umL7_&JG-%XS_!A`JRxab6BUYD~_a<$= zpSN8bx}w(q4r3Dq!qR9N>Wd?E1q$xvYxq!B4-D{(gG;i?rJD&&fKkE@V-x~wjCE_A$NXKh9_c>9EFYl z)Ov*&k47}I@Sq2$7$c-YBX%74dSmNp9P%sN&Z%{>naR^TV%!k^O>`2xK!F#7wb(mp zJBv>!k`prn>$Lc%wq!K_q>Wy|-?5w=DH@ENLiJ5Zm^^H5Yd#f&^Z?>VM1lIfc6_;! 
zc>qQK1xEI;d!=o~+^UqDu%m!2=0DLcsj$GGL zsQlo9Z>w1f0)9kMv}fy|H0oOec({{nsCKu+T4 zY+fZ{401)CKm4xYfKC3gh^VX{8R z0vikk2?N4s000UJ5EUg3p1`IhcR%h6|4E5iR)OwpvjrGZC4NoC?Ey1)P^3fzLajlA zUv7#kL1b@4s8R|Suz8WuUaerAKD#2CGjG1Q~x=u-v8klYytYNKa^ zS=9@@be{wqGH)ODt2nsoAgeCTc3p9{givL#e^t1*ynw<#(U=)WKtAnGxqIdJ0azfZ zR?FT(OXBwCkNNbL>QCj%E-ZkYNwPBah4_^ca&Cv~03!~DPI`HPOE?O%{?9qS^WIBY ztVOR)!$(*vhwdC0IREnjYTK3XQFTiZWM9g4#j7!yqzx*LavqRwpRaSt|7Tjoh}-gg zxPXxl+4L2+`XT6)L5ISwBK+@H$Cm0fYmqX|*MixQqzpxiV7#1aITOc&Qw}O9b=WpX wE;_cF%S-__njd_Gj^pQc;9z(oqLg>gZ`TL@deV8)HgtD8eos^^+X9=l{jbqZ8E0kh&N(AFoRD!@nb|rgBq0(>gfl~A zoV~++zrWw_@%cTz|9$^_|MB|w{mdapkU2N23<5wT)z*ZBD8|#$)?~cFy~xrPjp<0H zw@9y>+=9(x?ggtUPH|Cz%?Grji&PARXnVdG<;*GnJT==TmR}LU4!fzTMtB-z4jVqf z^ONnT-d2Ht-lp5(Yc2*IuY?TF1DZ7#DpzSf7#g7iPp{eo8O>)Bx*1c2yuh43S5>iaWw7m<=jHkJhi7Mr92;E>AOUny0gLxuj45(E z`RYFOv_?s*z1OY7nf#>2A=;nLJ-ISokrPfeFB+TUSY2eP#RgHjlO0acdZheuL7}FN zVN{9wZ++ox|CeH^6yM^{k1PpD{QHjcKMGZJf-V-fS+1v+auNI_X2IKro4C}=xM^t; zMgR%mnvxW#e>+=nfholEH2Kg`C2c@8X3vo7AdA+~=HslNUuW5#(b@lL?*Ts?wdfXH~C#5;m9(^%(k=(lN_{;k!o*=((VaaMy zB$J5o**jAPB;S)DC?l3~Y|zx`R9gF**afQcu7R3_#aE@oCDXmW^Yk=RU{(X;eqrtu0lUjnCjIU^E3n+-Rw+~3KbO{qdpAO z&(L0usUN-7SMul%f~n5RKda#P-cY&uw?JR(x^G&zWoiSSlTIk;<;tMnKM|Gwov``o zt9k9{SLhZ6VAUk}F3yC%+R$i9#qX7>UdS%@Zl+;%%>?<0V3nQ1gERYb3QXVJ2JeF; z!=x6sTiLx2bvrMlhd}JeqpnxMmPEQ|>$%0jvvP6*nG@qi zf9;E0_^q0^KRzPeTqL~QPZz0_$*y@lUGMTxb?8pn%JC-!jdyGm9;fWMjHu|J|23DQG2^iB(BAm9@}p$Q*rcWiIZ}O;eao`q{n56r zkrT*kw_y-zt@u;f;IdiGy~lDztRO-}(4Ek|!q44ecAyL$b8)K**VYfch;Ib~8k*=B-S(VIe;A8YWy@|W&1uWWyrqc}2{Dk30Go(K% z1%VOCoH{GI*~C2i+tG*$U~eV#9IAO6>ndW0bYMA;`n97c{tl4rz`P;rKB>ZkrI&rB zMG@e28`}crsmUK4Uhx+UT4shqQZKMY>U7~{~R5^EXqw@z#>Fn-19~#j2!qsPY&cH zC8s9s^&}yurKX|;Qn1iaQ_%v+Sb?MfAP)e@7EeM$edC`bO^cRjQ;CyynUm2*}(G^2uGv ze27-N2tz1GVLFapTL(vcv=ix^v^as$vJ)`J&qajCWconD*Vh&H2){Utpo9wUt1}rl z@qUg{lGcJ{Aa0=b-CYkEq+p_lRnP_-g(;iIMLwnsF?Oq<1?{cq=itxeIYS(AL#^Ui zZC-dRq6*dkdpwiRJ)||?>+EPlhPz#l!(Q2cuJvkoJ-2}~R;{b)%v{yD_ZMt6&D~n> 
zuD3KUk<}o4VdFEOR7hMs*|PZhJg{~~_+h^3q=>>>aq|F(?9v6_jph%kIGuJMg^(Li z@cqt7wGwSK#B0Lhj9GBmQhcRIz%n=Q^tN9&2J67tQTmfe@5)TxJMIPEOcQuYPP6md z=L~Ae03x(w!oP+qE)IN3lwsURVjnbX7u(qPdOhAxHLxq!FY%FMRx1opnm5s1t`i{+ zS^D_CBB+Qw=^ujYf>r|1U!xV9yI3;p;9KAy zPz%1~(uucx7b}4^ANs;9=r~qqZ&f3rr`(#DKt{KX$r6RgKusbz*~fvxGdteGKBIGQ zAMbUW)V$+nbGsE5YnF7!1;vF(Cr(5n*fX>t&3msYE7=9g)dfPi&LUm6o^T!9og1wV zY0e+|q3AMqSVI8@z2=@rh!ZiEtLP6zNv$S>-!72(dif@#A7sA(sfp^FsAw zBi%eDUzm>y3;c*=Sw}PBqAN5Sml;8#MI_fgX^g7y>z}JZ7c`c|i>*EUE?(W(GYz}j z9usSl@OVlF@8}dk34xtkGnUXlEvUL&dgfniLj#P}G;Q_V!pOdyrc=2S6DD7W7KrL7 zXc>Krv1<8l&0iR%olOMB{8BYuUSBC2)MW$NYPH7KFPRD**BRhHeN2;`0rBSZZ_$Mc zapVn5gn;LY4a6mu-<&vl*ra1$O>~EU@P=@G5jg*Uf^}&oW1fM*8mEaKG--0qum;#C zLzUC69fsvBMQlhClRDNm-f!Yiu48V{Bw^1~yD?dh#V+`GFIpxjg^GW)9K%Kz7MfY) za4c%>SAh|$(G3|4AJ#23Kan=xpxgL>WGid73qTyiCBEqb1St(9YRufpl(o%A8oL_5 z9!d2LhWJl2y>pY@&IdHqT|ZqLh>F>-Id_>nxC|lJb#2v|&a2N~58dt+2}9?U#JWAU zpf_8Q?nffB#F)>2&G$!F^cWJLy*?K2t1`VrOa1uYFY_20GwvMB*d+zRQg{c_``uY5 zY~EYOHC)XN=B{fgF~>!6|Jd}U`Np1Pin~xObkI;8wn+o1Qni8!k_oXwn+~WE%6OV5 z(io|uaIxOd`gB5Ka~D-CT)`R*LbQ~;!S!XwHjiqqX5RnVjFT6WKI-YJm55Wq%87ij z;$fq%-bY*aBTluyJyG<2X?I)A*J0-9GN`2@q+Is2(PiN97wf>vM1E^$KwvVW1VZP% z()L+jmYwWxG0@^){lMhcvQ??up^~V3uu)wqguHDRZsSHM9l?GCP>l`(BeGR-*Rli$bhyd z(7P^Ji5>Mzu7&petC1mf4Q)YZPl1~hh$6W8kc8sGl8&I)_2F7mBk#|HMP>ntiTT>= zKA+eKmQF_yCtd2r;O~sv8s9|SMUR^dB)M{hjKaIci!sXrP7jRSGGUVVK4*`yHgk(* z!AUffFv1zq6oS-wLV7r#mKKw1xm&L5N_al|xHF1f-$|QNd1FxX9-heaYh~St#vD>% zL@IQywJf#!u%KbXulQ=2uYOyU4>eIj>9KH`+aTmE=7hJb>F)b1t4Zb9GZUN;X!k|4 z_NBtj*~XxZziQo&NZ=XA24&_%N2y$1a)Fda-ynSlEJ5&{F zRI~?LxmV4koxcNc44@{Qo!o3Zu#I>F=9lGLv6!NhNc>Q#fEKO)hId{q2*A|hmtoWE zo_F-Ynvh7Fao@6en+)!cF|0$L@3@M6{N4oJF*andO01{9=%_FD(6s-z*$j&Jv- z1*Y5>O96C}vH#oG+yBK^(Es`RpN>A+nv{V48&9gU1!3{3YAt9v#c9qU)-({td!6t7UVqH`@(Wyj_cA82|KLr1TS- zHlR8~SMALXvnVneOVXeBq*ktdldo2MB-A1BT_V)IAWEn^hwA1E^>#9U5`FK+!ot08;q`7d{^KEK?Q_Q{kSnR+&ZDhFw$Idv9#%QJt5KcW{E4w;tG z5m$KkYS<7U^NKe*@x{t|=#o>oKq)$G%zujVI&wT>T;^$*Vyubzy;)#E+tt4SGqyZU literal 0 HcmV?d00001 
diff --git a/dev/common/collection_sign.sh b/dev/common/collection_sign.sh
new file mode 100755
index 0000000000..f180672f47
--- /dev/null
+++ b/dev/common/collection_sign.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+FILE_PATH=$1
+SIGNATURE_PATH="$1.asc"
+
+ADMIN_ID="galaxy3@ansible.com"
+PASSWORD="Galaxy2022"
+
+# Create a detached signature
+gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
+ $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
+ --armor --output $SIGNATURE_PATH $FILE_PATH
+
+# Check the exit status
+STATUS=$?
+if [ $STATUS -eq 0 ]; then
+ echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
+else
+ exit $STATUS
+fi
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index ad0184a7b5..7441740dfe 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -21,6 +21,7 @@ services:
 entrypoint: "/bin/true"
 tmpfs:
 - "/var/lib/pulp/artifact"
+ - "/var/lib/pulp/scripts"
 - "/var/lib/pulp/tmp"
 - "/tmp/ansible"
@@ -44,6 +45,7 @@ services:
 - './common/galaxy_ng.env'
 volumes:
 - "./common/settings.py:/etc/pulp/settings.py:z"
+ - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
 - "${COMPOSE_CONTEXT}/..:/src:z"
 - "pulp:/var/lib/pulp"
 tmpfs:
@@ -65,6 +67,7 @@ services:
 - './common/galaxy_ng.env'
 volumes:
 - "./common/settings.py:/etc/pulp/settings.py:z"
+ - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
 - "${COMPOSE_CONTEXT}/..:/src:z"
 - "pulp:/var/lib/pulp"
 tmpfs:
@@ -88,6 +91,7 @@ services:
 - './common/galaxy_ng.env'
 volumes:
 - "./common/settings.py:/etc/pulp/settings.py:z"
+ - "./common/collection_sign.sh:/var/lib/pulp/scripts/collection_sign.sh:z"
 - "${COMPOSE_CONTEXT}/..:/src:z"
 - "pulp:/var/lib/pulp"
 tmpfs:
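Review bot: The passphrase is handed to gpg as a command-line argument (`--passphrase \` continued by `$PASSWORD`), which makes it readable in the process listing of the worker container for the duration of each signing run, and `$FILE_PATH`, `$SIGNATURE_PATH` and `$ADMIN_ID` are unquoted, so a collection path containing whitespace is split into several arguments. Even for a checked-in dev-only key, supplying the passphrase on stdin with `--passphrase-fd 0` and quoting the expansions costs nothing and keeps the script safe to copy into a non-dev setup; the rewritten invocation is below. `--homedir ~/.gnupg/` means the key must have been imported for the user the worker runs as, while the import in dev/Dockerfile.base happens at build time under whichever user is active there, which this patch does not show, so a comment stating that assumption (e.g. `# Expects the dev key to be present in this user's ~/.gnupg (imported in dev/Dockerfile.base)`) would help. The exit-status check and the JSON `echo` still read gpg's status because gpg stays the last command of the pipeline.
```shell
FILE_PATH="$1"
SIGNATURE_PATH="$1.asc"

# … unchanged: ADMIN_ID and PASSWORD assignments …

# Create a detached signature; the passphrase is read from stdin rather than argv
printf '%s' "$PASSWORD" | gpg --quiet --batch --pinentry-mode loopback --yes \
    --passphrase-fd 0 --homedir ~/.gnupg/ --detach-sign --default-key "$ADMIN_ID" \
    --armor --output "$SIGNATURE_PATH" "$FILE_PATH"

# … unchanged: exit-status check and JSON output …
```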
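Review bot: The new `./common/collection_sign.sh` bind mount in the `@@ -44,6 +45,7 @@` hunk, and the identical ones in `@@ -65,6 +67,7 @@` and `@@ -88,6 +91,7 @@`, is mounted read-write; nothing in the container needs to modify the signing script, so `:ro,z` would stop a misbehaving container process from rewriting a file that lives in the host checkout. The first hunk adds `/var/lib/pulp/scripts` as a tmpfs only on the `entrypoint: "/bin/true"` service, while the three services below get the file bind-mounted over the `pulp:/var/lib/pulp` volume; that works, but a one-line YAML comment noting that the directory is created in dev/Dockerfile.base and populated by this mount would save the next reader the cross-reference.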