Add Keys, Script and Signing Service to dev environment #1076
Signing gpg --batch --import /tmp/ansible-sign.key &>/dev/null django-admin shell_plus ss = AsciiArmoredDetachedSigningService.objects.filter(name="ansible-default").first()
repo = AnsibleRepository.objects.filter(name="published").first()
from pulp_ansible.app.tasks.signature import sign
from pulpcore.plugin.tasking import dispatch
task = dispatch(
sign,
exclusive_resources=[repo],
kwargs=dict(
repository_href=repo.pk,
content_hrefs=["*"],
signing_service_href=ss.pk
)
) Accessing signatures: Collection Version
GET /api/automation-hub/content/published/v3/collections/tosigntest/tosignf/versions/1.0.0/
HTTP 200 OK
Allow: GET, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept {
"version": "1.0.0",
"href": "/api/automation-hub/content/published/v3/collections/tosigntest/tosignf/versions/1.0.0/",
"created_at": "2021-12-16T18:43:21.748529Z",
"updated_at": "2021-12-16T18:43:21.748551Z",
"requires_ansible": ">=2",
"artifact": {
"filename": "tosigntest-tosignf-1.0.0.tar.gz",
"sha256": "cd5eb8b5c089dbfff708b37b2bbbe60741fa0cedcb65a5a32ba9674306a74ac3",
"size": 1574
},
"collection": {
"id": "044ef4c9-7df4-4465-aedb-36c82d97095f",
"name": "tosignf",
"href": "/api/automation-hub/content/published/v3/collections/tosigntest/tosignf/"
},
"download_url": "http://localhost:5001/api/automation-hub/v3/artifacts/collections/published/tosigntest-tosignf-1.0.0.tar.gz",
"name": "tosignf",
"namespace": {
"name": "tosigntest"
},
"signatures": [
{
"signature": "-----BEGIN PGP SIGNATURE-----\n\niQHIBAABCAAyFiEE6+0XDoyUgOIqHQWbFSUOnsCmJXcFAmHhg0EUHGdhbGF4eTNA\nYW5zaWJsZS5jb20ACgkQFSUOnsCmJXeKmgv/ed8eSOLr4SMbjP+cJILG5749UqfT\nmUz3+3eDfpe2YJpNGfWavWuMbuYAiujWDXsN46qhOdAFwvdkWxRj2GDK/V+1qB+P\nixtQQZ7Drpc8eEOVYYjFIH8+NoXmoeJCKL9ifOmIgtpapzBt09H1qVTIWuzPhmb0\nSt98nGLcEQeXHxzfebSx06NlKEt0n607hur9nZ+Lwy5I7jZtiEgcyezejQAzoQFv\nwcA52IgOnruyMLP6QdjVPJg/ZzqrvrlLe33zSIGr5271TW4YVgOHzV7aOcUVWpKr\nR4m2GXFEQ+fcEeZf65bprb4ndxFlNlpc4yXiDP3vTvBwKoxzYKdtUzlZmO2zN32A\nozRBClFiw0W++NUL/6zl/cUNGuA0CUBGzsRFF8uOijCFVTZ3pvnF+2hk4RpzUkcc\n52VGddFiFvcPhdMVLNitk2J3qhybGHETi0CP4opDUTHXkZC0hsIOLfRlqg7KxtXl\nl99SrE5bsWnpaVAFRinSGcopRWsd28iQbXvJ\n=8dHK\n-----END PGP SIGNATURE-----\n",
"pubkey_fingerprint": "EBED170E8C9480E22A1D059B15250E9EC0A62577",
"signing_service": "ansible-default",
"pulp_created": "2022-01-14T14:05:53.835605Z"
}
],
"metadata": {
"authors": [
"Orion User 1"
],
"contents": [],
"dependencies": {
"tosigntest.tosignh": "<=3.0.0"
},
"description": "a collection with some deps on other collections",
"documentation": "",
"homepage": "",
"issues": "",
"license": [
"GPL-3.0-or-later"
],
"repository": "http://github.example.com/orionuser1/skeleton",
"tags": [
"collectiontest"
]
},
"manifest": {},
"files": {}
} |
URL to sign collection on demand curl -X POST \
'http://0.0.0.0:8002/api/automation-hub/v3/sign/collections/' \
-H 'Accept: */*' \
-H 'Authorization: Token a64a0ab93948c92febf2c0611dc1b189f9f37cdd' \
-H 'Content-Type: application/json' \
-d '{
"signing_service": "ansible-default",
"repository": "published",
"namespace": "bla",
"collection": "zaz",
"version": "1.5.0",
"content_units": ["*"]
}' URL (POST ONLY) http://0.0.0.0:8002/api/automation-hub/v3/sign/collections/ Payloads Required {
"signing_service": "ansible-default",
"repository": "published",
} Either {
"signing_service": "ansible-default",
"repository": "published",
"content_units": ["*"]
} OR sign all {
"signing_service": "ansible-default",
"repository": "published",
"namespace": "bla",
} sign all versions under a specific collection {
"signing_service": "ansible-default",
"repository": "published",
"namespace": "bla",
"collection": "zaz",
} Sign specific by version specifier {
"signing_service": "ansible-default",
"repository": "published",
"namespace": "bla",
"collection": "zaz",
"version": "1.2.3"
} |
Added to http://0.0.0.0:5001/api/automation-hub/_ui/v1/collection-versions/?limit=2 Signed collection versions gets a "data": [
{
"namespace": "test",
"name": "a",
"version": "1.0.0",
"requires_ansible": ">=2",
"created_at": "2022-01-14T14:04:02.157731Z",
"metadata": {
"dependencies": {
"test.b": "*"
},
"contents": [],
"documentation": "",
"homepage": "",
"issues": "",
"repository": "http://github.example.com/orionuser1/skeleton",
"description": "a collection with some deps on other collections",
"authors": [
"Orion User 1"
],
"license": [
"GPL-3.0-or-later"
],
"tags": [
"collectiontest"
],
"signatures": [
"EBED170E8C9480E22A1D059B15250E9EC0A62577"
]
},
"contents": [],
"repository_list": [
"published"
]
} There are now 2 fields, the same "data": [
{
"id": "5e094530-4439-4188-9f83-6c278583d981",
"namespace": {
"id": 1,
"name": "test",
"company": "",
"email": "",
"avatar_url": "",
"description": "",
"groups": [
{
"id": 1,
"name": "system:partner-engineers",
"object_permissions": [
"upload_to_namespace",
"change_namespace",
"delete_namespace"
]
}
]
},
"name": "a",
"download_count": 0,
"latest_version": {
"namespace": "test",
"name": "a",
"version": "1.0.0",
"requires_ansible": ">=2",
"created_at": "2022-01-14T14:04:02.157731Z",
"metadata": {
"dependencies": {
"test.b": "*"
},
"contents": [],
"documentation": "",
"homepage": "",
"issues": "",
"repository": "http://github.example.com/orionuser1/skeleton",
"description": "a collection with some deps on other collections",
"authors": [
"Orion User 1"
],
"license": [
"GPL-3.0-or-later"
],
"tags": [
"collectiontest"
],
"signatures": [
"EBED170E8C9480E22A1D059B15250E9EC0A62577"
]
},
"contents": []
},
"deprecated": false,
"sign_state": "signed"
} Values are:
c/c @himdel |
Hey, checking the necessary endpoints, I think we're possibly missing a couple of changes:
I'm not sure what you mean, is that the hash in the signatures array?
Is this also a part of this? That's a UI change as well, right?
❓ some new permissions seem to be involved, should we also let admin assign these to groups in the UI? (or is this the other kind?) |
This PR adds: - secret and public keys on dev/common/ - imports and trusts keys at container build time - adds make docker/add-signing-service TODO: - [ ] Route URL to spawn sign task (subclass pulp_ansible#754 serializer) - [ ] Surface the signature on collectionversion serializer - [ ] Add test to sign a collection Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0 env:PULP_CONTAINER_REVISION=39b3000150960c554d2124ab3654e3e7b4c54352 env:PULPCORE_REVISION=f8306ac5d3af1cf9936d39abb0568e86d18cd55f env:GALAXY_IMPORTER_REVISION=7091519f38acb8e10b85baffe7c6074b02309598
Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0
Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0 env:PULP_CONTAINER_REVISION=39b3000150960c554d2124ab3654e3e7b4c54352 env:PULPCORE_REVISION=f8306ac5d3af1cf9936d39abb0568e86d18cd55f env:GALAXY_IMPORTER_REVISION=7091519f38acb8e10b85baffe7c6074b02309598
Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0 env:PULP_CONTAINER_REVISION=39b3000150960c554d2124ab3654e3e7b4c54352 env:PULPCORE_REVISION=f8306ac5d3af1cf9936d39abb0568e86d18cd55f env:GALAXY_IMPORTER_REVISION=7091519f38acb8e10b85baffe7c6074b02309598
Tasks on promotion, e.g. copy + remove, must run in the same task (or task group), in sequence and using the same locks. Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0
- Added tests taken from pulp_ansible PR - Added Permissions - Auto-sign only when moving to published (avoids signing rejected content) - Added permissions to /me/ endpoint - Configs to run tests on CI Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0
Issue: AAH-1181 Required PR: pulp/pulp_ansible#754 env:LOCK_REQUIREMENTS=0
Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=master
{
"id": "f006b2b0-e044-4e0f-b167-8c169f0a6d4d",
"namespace": {
"id": 5,
"name": "vittest",
"company": "",
"email": "",
"avatar_url": "",
"description": "",
"groups": [
{
"id": 1,
"name": "system:partner-engineers",
"object_permissions": [
"upload_to_namespace",
"change_namespace",
"delete_namespace"
]
}
]
},
"name": "vith",
"download_count": 0,
"latest_version": {
"namespace": "vittest",
"name": "vith",
"version": "4.0.0",
"requires_ansible": ">=2",
"created_at": "2022-01-24T17:04:33.344202Z",
"metadata": {
"dependencies": {},
"contents": [],
"documentation": "",
"homepage": "",
"issues": "",
"repository": "http://github.example.com/orionuser1/skeleton",
"description": "a collection with some deps on other collections",
"authors": [
"Orion User 1"
],
"license": [
"GPL-3.0-or-later"
],
"tags": [
"collectiontest"
],
"signatures": []
},
"contents": [],
"version_sign_state": "unsigned",
"docs_blob": {
"contents": [],
"collection_readme": {
"html": "<p>This is collection_reqs_test collection</p>",
"name": "README.md"
},
"documentation_files": []
}
},
"all_versions": [
{
"version": "4.0.0",
"created": "2022-01-24 17:04:33.344202+00:00",
"version_sign_state": "unsigned"
},
{
"version": "3.0.0",
"created": "2022-01-24 17:04:32.851448+00:00",
"version_sign_state": "unsigned"
},
{
"version": "2.0.0",
"created": "2022-01-24 17:04:32.366363+00:00",
"version_sign_state": "unsigned"
},
{
"version": "1.0.0",
"created": "2022-01-24 17:04:31.887908+00:00",
"version_sign_state": "signed"
}
],
"sign_state": "partial",
"total_versions": 4,
"signed_versions": 1,
"unsigned_versions": 3
} and {
"id": "bd1f6b5c-cf75-4752-af08-c37ec166d38d",
"namespace": {
"id": 5,
"name": "vittest",
"company": "",
"email": "",
"avatar_url": "",
"description": "",
"groups": [
{
"id": 1,
"name": "system:partner-engineers",
"object_permissions": [
"upload_to_namespace",
"change_namespace",
"delete_namespace"
]
}
]
},
"name": "vith",
"download_count": 0,
"latest_version": {
"namespace": "vittest",
"name": "vith",
"version": "5.0.0",
"requires_ansible": ">=2",
"created_at": "2022-01-24T17:04:33.904249Z",
"metadata": {
"dependencies": {},
"contents": [],
"documentation": "",
"homepage": "",
"issues": "",
"repository": "http://github.example.com/orionuser1/skeleton",
"description": "a collection with some deps on other collections",
"authors": [
"Orion User 1"
],
"license": [
"GPL-3.0-or-later"
],
"tags": [
"collectiontest"
],
"signatures": [
{
"signature": "-----BEGIN PGP SIGNATURE-----\n\niQHIBAABCAAyFiEE6+0XDoyUgOIqHQWbFSUOnsCmJXcFAmHu3C8UHGdhbGF4eTNA\nYW5zaWJsZS5jb20ACgkQFSUOnsCmJXeCBwv+KRukj6gRuNxfx+buJvqztzFkNdQz\nm9M/nrAKrLZngOgYBE1oAw4wH9vrcayDay/WvOF3ESgZLBdP1pMTWam403zXHESL\nEzOK3SkikHw2kh2tnBO+3yimLf0EhPNBYbp9CGw4zQ0BhloKqwRODAIr5iOT3L0y\nB1dp6l7MvS068dbtLnHYaEpm7XYcnVH+mewHcmpcTwli6DPoTU7ff82fbunMRT1W\n3KiRjMeEbRqgMC9QazXTU9MREYQ5CSxBR8uCekKJRKw6bij5bX5LHj4KFy2HA2PI\nRDFdy+ir6cqaJgfmr2tfAN4c6dzUnxLDMmZvuywrbw3qnYaGjOUGHZbl3DFaG9Zp\no60dnseIhPjFaHeFfydV6IyaehGml5Http1gdv60e7qbBsto1CbEKigI5BNfqJTu\nRp9Cz34lbZLpSNZnq/XUMqsuqNcCP1mze4g5Xq6AvT98TG27jN3zPyMb+0dmkN+A\n21GAOPFzAjnFhoQp0LwrheTLYbMeRrg9qkPz\n=ZQbE\n-----END PGP SIGNATURE-----\n",
"pubkey_fingerprint": "EBED170E8C9480E22A1D059B15250E9EC0A62577",
"signing_service": "ansible-default"
}
]
},
"contents": [],
"version_sign_state": "signed",
"docs_blob": {
"contents": [],
"collection_readme": {
"html": "<p>This is collection_reqs_test collection</p>",
"name": "README.md"
},
"documentation_files": []
}
},
"all_versions": [
{
"version": "5.0.0",
"created": "2022-01-24 17:04:33.904249+00:00",
"version_sign_state": "signed"
}
],
"sign_state": "signed",
"total_versions": 1,
"signed_versions": 1,
"unsigned_versions": 0
} |
How to determine if the system has signing enabled? /api/automation-hub/_ui/v1/feature-flags/ {
"collection_auto_sign": true, # this system signs during approval
"collection_signing": true, # there is a signing service and keys for collections
"execution_environments": true
} Or by checking on: /api/automation-hub/_ui/v1/settings/ "GALAXY_COLLECTION_SIGNING_SERVICE": "ansible-default",
"GALAXY_AUTO_SIGN_COLLECTIONS": true |
Filtering by sign state /api/automation-hub/_ui/v1/repo/staging/?deprecated=false&sign_state=unsigned,partial
# options are [signed, unsigned, partial] This endpoint accepts other filters such as |
Permissions on http://0.0.0.0:5001/api/automation-hub/_ui/v1/me/ "model_permissions": {
"sign_collections_on_namespace": true,
"sign_collections_on_repository": true, on approval dashboard the permission is |
Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=main
Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=main
/retest |
…AH-1181 Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=main
/retest |
Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=main
Issue: AAH-1181 env:LOCK_REQUIREMENTS=0 env:PULP_ANSIBLE_REVISION=main
This PR adds the following features
signed_only
content field on Remote configuration metadata
Issue: AAH-1181
env:LOCK_REQUIREMENTS=0
env:PULP_ANSIBLE_REVISION=main