blueprint: fix cacerts name for TOML

osbuild · Dec 6, 2024 · e82349a · e82349a
1 parent 4c9b590
commit e82349a
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 14 deletions.
diff --git a/cmd/otk/osbuild-resolve-ostree-commit/main_test.go b/cmd/otk/osbuild-resolve-ostree-commit/main_test.go
@@ -202,7 +202,13 @@ func TestMockResolve(t *testing.T) {
 {
   "tree": {
     "ref": "otk/ostree/test",
-    "url": "https://ostree.example.org/repo"
+    "url": "https://ostree.example.org/repo",
+    "mtls": {
+        "ca": "ca.crt",
+        "client_cert": "client.crt",
+        "client_key": "client.key"
+    },
+    "proxy": "proxy.example.com:8080"
   }
 }
 `

diff --git a/pkg/blueprint/ca_customizations.go b/pkg/blueprint/ca_customizations.go
diff --git a/pkg/blueprint/customizations.go b/pkg/blueprint/customizations.go
@@ -33,7 +33,7 @@ type Customizations struct {
 	Installer          *InstallerCustomization        `json:"installer,omitempty" toml:"installer,omitempty"`
 	RPM                *RPMCustomization              `json:"rpm,omitempty" toml:"rpm,omitempty"`
 	RHSM               *RHSMCustomization             `json:"rhsm,omitempty" toml:"rhsm,omitempty"`
-	CACerts            *CACustomization               `json:"cacerts,omitempty" toml:"ca,omitempty"`
+	CACerts            *CACustomization               `json:"cacerts,omitempty" toml:"cacerts,omitempty"`
 }
 
 type IgnitionCustomization struct {
@@ -144,6 +144,10 @@ type ContainerStorageCustomization struct {
 	StoragePath *string `json:"destination-path,omitempty" toml:"destination-path,omitempty"`
 }
 
+type CACustomization struct {
+	PEMCerts []string `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"`
+}
+
 type CustomizationError struct {
 	Message string
 }
@@ -441,16 +445,14 @@ func (c *Customizations) GetRHSM() *RHSMCustomization {
 }
 
 func (c *Customizations) checkCACerts() error {
-	if c == nil {
+	if c == nil || c.CACerts == nil {
 		return nil
 	}
 
-	if c.CACerts != nil {
-		for _, bundle := range c.CACerts.PEMCerts {
-			_, err := cert.ParseCerts(bundle)
-			if err != nil {
-				return err
-			}
+	for _, bundle := range c.CACerts.PEMCerts {
+		_, err := cert.ParseCerts(bundle)
+		if err != nil {
+			return err
 		}
 	}
 

diff --git a/test/scripts/base-host-check.sh b/test/scripts/base-host-check.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# vim: sw=4:et
 set -euo pipefail
 
 running_wait() {
@@ -78,6 +79,22 @@ get_oscap_score() {
     fi
 }
 
+check_ca_cert() {
+    serial=$(jq -r '.blueprint.customizations.cacerts.pem_certs[0]' "${config}" | openssl x509 -noout -serial | cut -d= -f 2-)
+
+    echo "📗 Checking CA cert anchor file"
+    if ! [ -e "/etc/pki/ca-trust/source/anchors/${serial}.pem" ]; then
+        echo "Anchor CA file does not exist"
+        exit 1
+    fi
+
+    echo "📗 Checking extracted CA cert file"
+    if ! [ -e "/etc/pki/ca-trust/source/extracted/pem/directory-hash/Test_CA_for_osbuild.pem.pem" ]; then
+        echo "Extracted CA file does not exist"
+        exit 1
+    fi
+}
+
 echo "❓ Checking system status"
 if ! running_wait; then
 
@@ -114,4 +131,8 @@ if (( $# > 0 )); then
     if jq -e .blueprint.customizations.openscap "${config}"; then
         get_oscap_score "${config}"
     fi
+
+    if jq -e '.blueprint.customizations.cacerts.pem_certs[0]' "${config}"; then
+        check_ca_cert "${config}"
+    fi
 fi