diff --git a/.gitignore b/.gitignore
index 17ad19e97e..30a912a21a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,5 +10,7 @@ __pycache__
 /test/data/manifests
 /tools/appsre-ansible/inventory
 dictionary.dic
+/cmd/ostree-resolve/*.crt
+/cmd/ostree-resolve/*.key
 *~
diff --git a/cmd/ostree-resolve/main.go b/cmd/ostree-resolve/main.go
new file mode 100644
index 0000000000..8a8f9f9225
--- /dev/null
+++ b/cmd/ostree-resolve/main.go
@@ -0,0 +1,25 @@
+package main
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/osbuild/images/pkg/ostree"
+)
+
+func main() {
+ fmt.Println("Resolving ostree source, configuration:")
+ fmt.Printf("CA: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CA"))
+ fmt.Printf("Client cert: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_CERT"))
+ fmt.Printf("Client key: %s\n", os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_KEY"))
+
+ spec := ostree.SourceSpec{
+ URL: "https://builder.home.lan/ccb2194f-9876-4e76-9e64-a338a32df230/",
+ Ref: "fedora/40/x86_64/iot",
+ }
+ cs, err := ostree.Resolve(spec)
+ if err != nil {
+ panic(err)
+ }
+ fmt.Printf("Resolved checksum: %s", cs.Checksum)
+}
diff --git a/pkg/ostree/ostree.go b/pkg/ostree/ostree.go
index 8898f33702..6d01134ca9 100644
--- a/pkg/ostree/ostree.go
+++ b/pkg/ostree/ostree.go
@@ -13,8 +13,6 @@ import (
 "regexp"
 "strings"
 "time"
-
- "github.com/osbuild/images/pkg/rhsm"
 )
 var (
@@ -25,9 +23,8 @@ var (
 // SourceSpec serves as input for ResolveParams, and contains all necessary
 // variables to resolve a ref, which can then be turned into a CommitSpec.
 type SourceSpec struct {
- URL string
- Ref string
- RHSM bool
+ URL string
+ Ref string
 }
 // CommitSpec specifies an ostree commit using any combination of Ref (branch), URL (source), and Checksum (commit ID).
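Review bot: The `spec` literal in the new cmd/ostree-resolve/main.go hard-codes a developer-specific host (`builder.home.lan/...`) and ref, so the tool is unusable for anyone else and will silently point at the wrong repository when copied; take URL and ref from `os.Args` and print a usage line when they are missing. The `panic(err)` on a resolve failure dumps a stack trace for what is an ordinary user-facing error, and the final `fmt.Printf("Resolved checksum: %s", ...)` leaves the shell prompt on the same line; write the error to stderr with a non-zero exit and add the `\n`. A one-line doc comment stating that this is a manual helper for exercising `ostree.Resolve` against the `OSBUILD_COMPOSER_OSTREE_*` settings would also help, since the package has none.
```go
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintf(os.Stderr, "usage: %s URL REF\n", os.Args[0])
		os.Exit(1)
	}
	// … unchanged: printing of the OSBUILD_COMPOSER_OSTREE_* settings …
	spec := ostree.SourceSpec{
		URL: os.Args[1],
		Ref: os.Args[2],
	}
	cs, err := ostree.Resolve(spec)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("Resolved checksum: %s\n", cs.Checksum)
}
```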
@@ -141,7 +138,7 @@ func verifyChecksum(commit string) bool {
 // ResolveRef resolves the URL path specified by the location and ref
 // (location+"refs/heads/"+ref) and returns the commit ID for the named ref. If
 // there is an error, it will be of type ResolveRefError.
-func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptions, ca *string) (string, error) {
+func ResolveRef(location, ref string) (string, error) {
 u, err := url.Parse(location)
 if err != nil {
 return "", NewResolveRefError("error parsing ostree repository location: %v", err)
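Review bot: The doc comment above the new `ResolveRef` signature no longer says where the TLS material comes from, although the removed `consumerCerts`, `subs` and `ca` parameters made that explicit at the call site; add a sentence such as `// For https locations the CA bundle and client certificate/key are read from the OSBUILD_COMPOSER_OSTREE_CA, OSBUILD_COMPOSER_OSTREE_CLIENT_CERT and OSBUILD_COMPOSER_OSTREE_CLIENT_KEY environment variables when they are set; otherwise the system trust store is used.` Dropping three parameters from an exported function of pkg/ostree is a breaking API change for any consumer outside this repository, which the commit message should state. The body of ResolveRef continues past the end of this hunk.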
@@ -149,40 +146,32 @@ func ResolveRef(location, ref string, consumerCerts bool, subs *rhsm.Subscriptio
 u.Path = path.Join(u.Path, "refs/heads/", ref)
 var client *http.Client
- if consumerCerts {
- if subs == nil {
- subs, err = rhsm.LoadSystemSubscriptions()
+ if u.Scheme == "https" {
+ tlsConf := &tls.Config{}
+
+ // If CA is set, load the CA certificate and add it to the TLS configuration. Otherwise, use the system CA.
+ if caFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CA"); caFilename != "" {
+ caCertPEM, err := os.ReadFile(caFilename)
 if err != nil {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
+ return "", NewResolveRefError("error adding ca certificate when resolving ref: %s", err)
 }
- if subs.Consumer == nil {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+ tlsConf.RootCAs = x509.NewCertPool()
+ if ok := tlsConf.RootCAs.AppendCertsFromPEM(caCertPEM); !ok {
+ return "", NewResolveRefError("error adding ca certificate when resolving ref")
 }
 }
- tlsConf := &tls.Config{
- MinVersion: tls.VersionTLS12,
- }
+ certFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_CERT")
+ keyFilename := os.Getenv("OSBUILD_COMPOSER_OSTREE_CLIENT_KEY")
- if ca != nil {
- caCertPEM, err := os.ReadFile(*ca)
+ if certFilename != "" && keyFilename != "" {
+ cert, err := tls.LoadX509KeyPair(certFilename, keyFilename)
 if err != nil {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
- }
- roots := x509.NewCertPool()
- ok := roots.AppendCertsFromPEM(caCertPEM)
- if !ok {
- return "", NewResolveRefError("error adding rhsm certificates when resolving ref")
+ return "", NewResolveRefError("error adding client certificate when resolving ref: %s", err)
 }
- tlsConf.RootCAs = roots
+ tlsConf.Certificates = []tls.Certificate{cert}
 }
- cert, err := tls.LoadX509KeyPair(subs.Consumer.ConsumerCert, subs.Consumer.ConsumerKey)
- if err != nil {
- return "",
NewResolveRefError("error adding rhsm certificates when resolving ref: %s", err)
- }
- tlsConf.Certificates = []tls.Certificate{cert}
-
 client = &http.Client{
 Transport: &http.Transport{
 TLSClientConfig: tlsConf,
@@ -234,10 +223,6 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 URL: source.URL,
 }
- if source.RHSM {
- commit.Secrets = "org.osbuild.rhsm.consumer"
- }
-
 if verifyChecksum(source.Ref) {
 // the ref is a commit: return as is
 commit.Checksum = source.Ref
@@ -252,7 +237,7 @@ func Resolve(source SourceSpec) (CommitSpec, error) {
 // URL set: Resolve checksum
 if source.URL != "" {
 // If a URL is specified, we need to fetch the commit at the URL.
- checksum, err := ResolveRef(source.URL, source.Ref, source.RHSM, nil, nil)
+ checksum, err := ResolveRef(source.URL, source.Ref)
 if err != nil {
 return CommitSpec{}, err // ResolveRefError
 }
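Review bot: The new `tlsConf := &tls.Config{}` drops the `MinVersion: tls.VersionTLS12` that the removed block set, and nothing in the commit explains why; recent Go releases default clients to TLS 1.2 anyway, but an explicit floor documents the intent and keeps `go vet`/gosec-style checks quiet, so write `tlsConf := &tls.Config{MinVersion: tls.VersionTLS12}`. When only one of OSBUILD_COMPOSER_OSTREE_CLIENT_CERT and OSBUILD_COMPOSER_OSTREE_CLIENT_KEY is set, the `certFilename != "" && keyFilename != ""` guard silently continues without a client certificate, so a half-configured deployment fails later with an opaque TLS or HTTP error instead of at the point of misconfiguration; add a check before it, `if (certFilename != "") != (keyFilename != "") { return "", NewResolveRefError("error adding client certificate when resolving ref: both cert and key must be set") }`. Reading process-wide environment variables inside a library function also hides the TLS setup from callers and tests, where the old signature made it explicit; carrying these paths in SourceSpec or an options struct would keep that contract. ResolveRef's body runs past the end of this hunk, so what `client` becomes for non-https locations is not visible here.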