Add a helper for generating sigpolicy

Prep for further refactoring, targeting #218 This will help us find the places we're synthesizing a policy. No functional changes intended. Signed-off-by: Colin Walters <[email protected]>
containers · Dec 15, 2023 · 9138153 · 9138153
1 parent 1a36314
commit 9138153
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 16 deletions.
diff --git a/lib/src/cli.rs b/lib/src/cli.rs
@@ -9,7 +9,6 @@ use fn_error_context::context;
 use ostree::gio;
 use ostree_container::store::PrepareResult;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container::SignatureSource;
 use ostree_ext::keyfileext::KeyFileExt;
 use ostree_ext::ostree;
 use std::ffi::OsString;
@@ -20,6 +19,7 @@ use std::process::Command;
 use crate::deploy::RequiredHostSpec;
 use crate::spec::Host;
 use crate::spec::ImageReference;
+use crate::utils::sigpolicy_from_opts;
 
 /// Perform an upgrade operation
 #[derive(Debug, Parser)]
@@ -362,13 +362,10 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
         transport,
         name: opts.target.to_string(),
     };
-    let sigverify = if opts.no_signature_verification {
-        SignatureSource::ContainerPolicyAllowInsecure
-    } else if let Some(remote) = opts.ostree_remote.as_ref() {
-        SignatureSource::OstreeRemote(remote.to_string())
-    } else {
-        SignatureSource::ContainerPolicy
-    };
+    let sigverify = sigpolicy_from_opts(
+        opts.no_signature_verification,
+        opts.ostree_remote.as_deref(),
+    );
     let target = ostree_container::OstreeImageReference { sigverify, imgref };
     let target = ImageReference::from(target);
 

diff --git a/lib/src/install.rs b/lib/src/install.rs
@@ -32,14 +32,14 @@ use rustix::fs::MetadataExt;
 use fn_error_context::context;
 use ostree::gio;
 use ostree_ext::container as ostree_container;
-use ostree_ext::container::SignatureSource;
 use ostree_ext::ostree;
 use ostree_ext::prelude::Cast;
 use serde::{Deserialize, Serialize};
 
 use self::baseline::InstallBlockDeviceOpts;
 use crate::containerenv::ContainerExecutionInfo;
 use crate::task::Task;
+use crate::utils::sigpolicy_from_opts;
 
 /// The default "stateroot" or "osname"; see https://github.com/ostreedev/ostree/issues/2794
 const STATEROOT_DEFAULT: &str = "default";
@@ -916,13 +916,10 @@ async fn prepare_install(
 
     // Parse the target CLI image reference options and create the *target* image
     // reference, which defaults to pulling from a registry.
-    let target_sigverify = if target_opts.target_no_signature_verification {
-        SignatureSource::ContainerPolicyAllowInsecure
-    } else if let Some(remote) = target_opts.target_ostree_remote.as_deref() {
-        SignatureSource::OstreeRemote(remote.to_string())
-    } else {
-        SignatureSource::ContainerPolicy
-    };
+    let target_sigverify = sigpolicy_from_opts(
+        target_opts.target_no_signature_verification,
+        target_opts.target_ostree_remote.as_deref(),
+    );
     let target_imgname = target_opts
         .target_imgref
         .as_deref()

diff --git a/lib/src/utils.rs b/lib/src/utils.rs
@@ -3,6 +3,7 @@ use std::process::Command;
 
 use anyhow::{Context, Result};
 use ostree::glib;
+use ostree_ext::container::SignatureSource;
 use ostree_ext::ostree;
 
 /// Try to look for keys injected by e.g. rpm-ostree requesting machine-local
@@ -52,6 +53,20 @@ pub(crate) fn spawn_editor(tmpf: &tempfile::NamedTempFile) -> Result<()> {
     Ok(())
 }
 
+/// Convert a combination of values (likely from CLI parsing) into a signature source
+pub(crate) fn sigpolicy_from_opts(
+    disable_verification: bool,
+    ostree_remote: Option<&str>,
+) -> SignatureSource {
+    if disable_verification {
+        SignatureSource::ContainerPolicyAllowInsecure
+    } else if let Some(remote) = ostree_remote {
+        SignatureSource::OstreeRemote(remote.to_owned())
+    } else {
+        SignatureSource::ContainerPolicy
+    }
+}
+
 /// Output a warning message
 pub(crate) fn warning(s: &str) {
     anstream::eprintln!(
@@ -94,3 +109,23 @@ fn test_find_mount_option() {
     assert_eq!(find_mount_option(V1, "rw"), None);
     assert_eq!(find_mount_option(V1, "somethingelse"), None);
 }
+
+#[test]
+fn test_sigpolicy_from_opts() {
+    assert_eq!(
+        sigpolicy_from_opts(false, None),
+        SignatureSource::ContainerPolicy
+    );
+    assert_eq!(
+        sigpolicy_from_opts(true, None),
+        SignatureSource::ContainerPolicyAllowInsecure
+    );
+    assert_eq!(
+        sigpolicy_from_opts(false, Some("foo")),
+        SignatureSource::OstreeRemote("foo".to_owned())
+    );
+    assert_eq!(
+        sigpolicy_from_opts(true, Some("foo")),
+        SignatureSource::ContainerPolicyAllowInsecure
+    );
+}