ostree: drop RHSM for MTLS over ENV

osbuild · Oct 10, 2024 · a61432d · a61432d
1 parent 3a705cb
commit a61432d
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 35 deletions.
diff --git a/.gitignore b/.gitignore
@@ -10,5 +10,7 @@ __pycache__
 /test/data/manifests
 /tools/appsre-ansible/inventory
 dictionary.dic
+/cmd/ostree-resolve/*.crt
+/cmd/ostree-resolve/*.key
 
 *~
diff --git a/cmd/ostree-resolve/main.go b/cmd/ostree-resolve/main.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/osbuild/images/pkg/ostree"
+)
+
+func main() {
+	fmt.Println("Resolving ostree source, configuration:")
+	fmt.Printf("CA: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CA"))
+	fmt.Printf("Client cert: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_CERT"))
+	fmt.Printf("Client key: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_KEY"))
+
+	spec := ostree.SourceSpec{
+		URL: "https://builder.home.lan/ccb2194f-9876-4e76-9e64-a338a32df230/",
+		Ref: "fedora/40/x86_64/iot",
+	}
+	cs, err := ostree.Resolve(spec)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Printf("Resolved checksum: %s", cs.Checksum)
+}
diff --git a/pkg/ostree/ostree.go b/pkg/ostree/ostree.go
@@ -13,8 +13,6 @@ import (
 	"regexp"
 	"strings"
 	"time"
-
-	"github.com/osbuild/images/pkg/rhsm"
 )
 
 var (
@@ -25,9 +23,8 @@ var (
 // SourceSpec serves as input for ResolveParams, and contains all necessary
 // variables to resolve a ref, which can then be turned into a CommitSpec.
 type SourceSpec struct {
-	URL  string
-	Ref  string
-	RHSM bool
+	URL string
+	Ref string
 }
 
 // CommitSpec specifies an ostree commit using any combination of Ref (branch), URL (source), and Checksum (commit ID).
@@ -141,48 +138,40 @@ func verifyChecksum(commit string) bool {
 // ResolveRef resolves the URL path specified by the location and ref
 // (location+"refs/heads/"+ref) and returns the commit ID for the named ref. If
 // there is an error, it will be of type ResolveRefError.
-func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions, ca *string) (string, error) {
+func ResolveRef(location, ref string) (string, error) {
 	u, err := url.Parse(location)
 	if err != nil {
 		return "", NewResolveRefError("error parsing ostree repository location: %v", err)
 	}
 	u.Path = path.Join(u.Path, "refs/heads/", ref)
 
 	var client *http.Client
-	if consumerCerts {
-		if subs == nil {
-			subs, err = rhsm.LoadSystemSubscriptions()
+	if u.Scheme == "https" {
+		tlsConf := &tls.Config{}
+
+		// If CA is set, load the CA certificate and add it to the TLS configuration. Otherwise, use the system CA.
+		if caFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CA"); caFilename != "" {
+			caCertPEM, err := os.ReadFile(caFilename)
 			if err != nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
+				return "", NewResolveRefError("error adding ca certificate when resolving ref: %s", err)
 			}
-			if subs.Consumer == nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+			tlsConf.RootCAs = x509.NewCertPool()
+			if ok := tlsConf.RootCAs.AppendCertsFromPEM(caCertPEM); !ok {
+				return "", NewResolveRefError("error adding ca certificate when resolving ref")
 			}
 		}
 
-		tlsConf := &tls.Config{
-			MinVersion: tls.VersionTLS12,
-		}
+		certFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_CERT")
+		keyFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_KEY")
 
-		if ca != nil {
-			caCertPEM, err := os.ReadFile(*ca)
+		if certFilename != "" && keyFilename != "" {
+			cert, err := tls.LoadX509KeyPair(certFilename, keyFilename)
 			if err != nil {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
-			}
-			roots := x509.NewCertPool()
-			ok := roots.AppendCertsFromPEM(caCertPEM)
-			if !ok {
-				return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+				return "", NewResolveRefError("error adding client certificate when resolving ref: %s", err)
 			}
-			tlsConf.RootCAs = roots
+			tlsConf.Certificates = []tls.Certificate{cert}
 		}
 
-		cert, err := tls.LoadX509KeyPair(subs.Consumer.ConsumerCert, subs.Consumer.ConsumerKey)
-		if err != nil {
-			return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
-		}
-		tlsConf.Certificates = []tls.Certificate{cert}
-
 		client = &http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: tlsConf,
@@ -234,10 +223,6 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 		URL: source.URL,
 	}
 
-	if source.RHSM {
-		commit.Secrets = "org.osbuild.rhsm.consumer"
-	}
-
 	if verifyChecksum(source.Ref) {
 		// the ref is a commit: return as is
 		commit.Checksum = source.Ref
@@ -252,7 +237,7 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 	// URL set: Resolve checksum
 	if source.URL != "" {
 		// If a URL is specified, we need to fetch the commit at the URL.
-		checksum, err := ResolveRef(source.URL, source.Ref, source.RHSM, nil, nil)
+		checksum, err := ResolveRef(source.URL, source.Ref)
 		if err != nil {
 			return CommitSpec{}, err // ResolveRefError
 		}