Test updates for Travis CI

Travis is running Trusty with GPG 2.0.x, which is much different from 2.1.x. Add tests for default key signing. Add test for gpg1/2 in functional.
aptly-dev · Oct 9, 2018 · 61e00b5 · 61e00b5
1 parent 1b2fccb
commit 61e00b5
Show file tree

Hide file tree

Showing 11 changed files with 212 additions and 40 deletions.
diff --git a/pgp/gnupg_test.go b/pgp/gnupg_test.go
@@ -210,6 +210,8 @@ func (s *Gnupg2SignerSuite) SetUpTest(c *C) {
 
 	c.Assert(s.verifier.InitKeyring(), IsNil)
 
+	s.skipDefaultKey = true
+
 	s.SignerSuite.SetUpTest(c)
 }
 

diff --git a/pgp/sign_test.go b/pgp/sign_test.go
@@ -21,6 +21,8 @@ type SignerSuite struct {
 
 	passwordFile string
 
+	skipDefaultKey bool
+
 	keyringNoPassphrase [2]string
 	keyringPassphrase   [2]string
 
@@ -82,6 +84,16 @@ func (s *SignerSuite) TestSignDetachedNoPassphrase(c *C) {
 	s.testSignDetached(c)
 }
 
+func (s *SignerSuite) TestSignDetachedNoPassphraseDefaultKey(c *C) {
+	if s.skipDefaultKey {
+		c.Skip("test for default key skipped")
+	}
+
+	s.signer.SetKeyRing(s.keyringNoPassphrase[0], s.keyringNoPassphrase[1])
+
+	s.testSignDetached(c)
+}
+
 func (s *SignerSuite) TestSignDetachedPassphrase(c *C) {
 	s.signer.SetKey(string(s.passphraseKey))
 	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])
@@ -90,6 +102,17 @@ func (s *SignerSuite) TestSignDetachedPassphrase(c *C) {
 	s.testSignDetached(c)
 }
 
+func (s *SignerSuite) TestSignDetachedPassphraseDefaultKey(c *C) {
+	if s.skipDefaultKey {
+		c.Skip("test for default key skipped")
+	}
+
+	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])
+	s.signer.SetPassphrase("verysecret", "")
+
+	s.testSignDetached(c)
+}
+
 func (s *SignerSuite) TestSignDetachedPassphraseFile(c *C) {
 	s.signer.SetKey(string(s.passphraseKey))
 	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])
@@ -129,6 +152,16 @@ func (s *SignerSuite) TestClearSignNoPassphrase(c *C) {
 	s.testClearSign(c, s.noPassphraseKey)
 }
 
+func (s *SignerSuite) TestClearSignNoPassphraseDefaultKey(c *C) {
+	if s.skipDefaultKey {
+		c.Skip("test for default key skipped")
+	}
+
+	s.signer.SetKeyRing(s.keyringNoPassphrase[0], s.keyringNoPassphrase[1])
+
+	s.testClearSign(c, s.noPassphraseKey)
+}
+
 func (s *SignerSuite) TestClearSignPassphrase(c *C) {
 	s.signer.SetKey(string(s.passphraseKey))
 	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])
@@ -137,6 +170,17 @@ func (s *SignerSuite) TestClearSignPassphrase(c *C) {
 	s.testClearSign(c, s.passphraseKey)
 }
 
+func (s *SignerSuite) TestClearSignPassphraseDefaultKey(c *C) {
+	if s.skipDefaultKey {
+		c.Skip("test for default key skipped")
+	}
+
+	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])
+	s.signer.SetPassphrase("verysecret", "")
+
+	s.testClearSign(c, s.passphraseKey)
+}
+
 func (s *SignerSuite) TestClearSignPassphraseFile(c *C) {
 	s.signer.SetKey(string(s.passphraseKey))
 	s.signer.SetKeyRing(s.keyringPassphrase[0], s.keyringPassphrase[1])

diff --git a/system/lib.py b/system/lib.py
@@ -50,6 +50,34 @@ def log_message(self, format, *args):
         pass
 
 
+class GPGFinder(object):
+    """
+    GnuPG binary discovery.
+    """
+
+    def __init__(self):
+        self.gpg1 = self.find_gpg(["gpg1", "gpg"], "gpg (GnuPG) 1.")
+        self.gpg2 = self.find_gpg(["gpg2", "gpg"], "gpg (GnuPG) 2.")
+
+        self.gpg = self.gpg1
+        if self.gpg is None:
+            self.gpg = self.gpg2
+
+        if self.gpg is None:
+            raise Exception("GnuPG binary wasn't found")
+
+    def find_gpg(self, executables, expected_version):
+        for executable in executables:
+            try:
+                output = subprocess.check_output([executable, "--version"])
+                if expected_version in output:
+                    return executable
+            except Exception:
+                pass
+
+        return None
+
+
 class BaseTest(object):
     """
     Base class for all tests.
@@ -62,6 +90,8 @@ class BaseTest(object):
     fixtureGpg = False
     fixtureWebServer = False
     requiresFTP = False
+    requiresGPG1 = False
+    requiresGPG2 = False
 
     expectedCode = 0
     configFile = {
@@ -95,6 +125,8 @@ class BaseTest(object):
 
     captureResults = False
 
+    gpgFinder = GPGFinder()
+
     def test(self):
         self.prepare()
         self.run()
@@ -110,6 +142,10 @@ def prepare_remove_all(self):
 
     def prepare_default_config(self):
         cfg = self.configFile.copy()
+        if self.requiresGPG1:
+            cfg["gpgProvider"] = "gpg1"
+        elif self.requiresGPG2:
+            cfg["gpgProvider"] = "gpg2"
         cfg.update(**self.configOverride)
         f = open(os.path.join(os.environ["HOME"], ".aptly.conf"), "w")
         f.write(json.dumps(cfg))
@@ -122,6 +158,10 @@ def fixture_available(self):
             return False
         if self.requiresFTP and os.environ.get('NO_FTP_ACCESS', '') == 'yes':
             return False
+        if self.requiresGPG1 and self.gpgFinder.gpg1 is None:
+            return False
+        if self.requiresGPG2 and self.gpgFinder.gpg2 is None:
+            return False
 
         return True
 
@@ -141,17 +181,13 @@ def prepare_fixture(self):
             self.webServerUrl = self.start_webserver(os.path.join(os.path.dirname(inspect.getsourcefile(self.__class__)),
                                                      self.fixtureWebServer))
 
-        if self.fixtureGpg:
-            # try to find gpg1 as that's what aptly prefers by default to build trusted keys in DB
-            # in lowest supported format
-            gpg = "gpg1"
-            try:
-                subprocess.check_output(["gpg1", "--version"])
-            except Exception:
-                gpg = "gpg"
+        if self.requiresGPG2:
+            self.run_cmd([
+                self.gpgFinder.gpg2, "--import",
+                os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files") + "/aptly.sec"], expected_code=None)
 
-            # TODO: fixme
-            self.run_cmd([gpg, "--no-default-keyring", "--trust-model", "always", "--batch", "--keyring", "aptlytest.gpg", "--import"] +
+        if self.fixtureGpg:
+            self.run_cmd([self.gpgFinder.gpg, "--no-default-keyring", "--trust-model", "always", "--batch", "--keyring", "aptlytest.gpg", "--import"] +
                          [os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", key) for key in self.fixtureGpgKeys])
 
         if hasattr(self, "fixtureCmds"):
@@ -185,8 +221,9 @@ def run_cmd(self, command, expected_code=0):
         try:
             proc = self._start_process(command, stdout=subprocess.PIPE)
             output, _ = proc.communicate()
-            if proc.returncode != expected_code:
-                raise Exception("exit code %d != %d (output: %s)" % (proc.returncode, expected_code, output))
+            if expected_code is not None:
+                if proc.returncode != expected_code:
+                    raise Exception("exit code %d != %d (output: %s)" % (proc.returncode, expected_code, output))
             return output
         except Exception, e:
             raise Exception("Running command %s failed: %s" % (command, str(e)))

diff --git a/system/t04_mirror/CreateMirror32Test_gold b/system/t04_mirror/CreateMirror32Test_gold
@@ -0,0 +1,9 @@
+Downloading http://mirror.yandex.ru/debian/dists/wheezy/InRelease...
+Downloading http://mirror.yandex.ru/debian/dists/wheezy/Release...
+Downloading http://mirror.yandex.ru/debian/dists/wheezy/Release.gpg...
+gpgv: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>"
+gpgv: Good signature from "Debian Archive Automatic Signing Key (8/jessie) <[email protected]>"
+gpgv: Good signature from "Wheezy Stable Release Key <[email protected]>"
+
+Mirror [mirror32]: http://mirror.yandex.ru/debian/ wheezy successfully added.
+You can run 'aptly mirror update mirror32' to download repository contents.
diff --git a/system/t04_mirror/CreateMirror32Test_mirror_show b/system/t04_mirror/CreateMirror32Test_mirror_show
@@ -0,0 +1,20 @@
+Name: mirror32
+Archive Root URL: http://mirror.yandex.ru/debian/
+Distribution: wheezy
+Components: main, contrib, non-free
+Architectures: amd64, armel, armhf, i386, ia64, kfreebsd-amd64, kfreebsd-i386, mips, mipsel, powerpc, s390, s390x, sparc
+Download Sources: no
+Download .udebs: no
+Last update: never
+
+Information from release file:
+Architectures: amd64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel powerpc s390 s390x sparc
+Codename: wheezy
+Components: main contrib non-free
+Date: Sat, 17 Jun 2017 08:55:32 UTC
+Description:  Debian 7.11 Released 04 June 2016
+
+Label: Debian
+Origin: Debian
+Suite: oldoldstable
+Version: 7.11
diff --git a/system/t04_mirror/create.py b/system/t04_mirror/create.py
@@ -59,6 +59,7 @@ class CreateMirror6Test(BaseTest):
     create mirror: missing release
     """
     expectedCode = 1
+    requiresGPG1 = True
 
     runCmd = "aptly mirror create --keyring=aptlytest.gpg mirror6 http://mirror.yandex.ru/debian/ suslik"
 
@@ -92,6 +93,7 @@ class CreateMirror9Test(BaseTest):
     """
     runCmd = "aptly mirror create --keyring=aptlytest.gpg mirror9 http://mirror.yandex.ru/debian/ wheezy-backports"
     fixtureGpg = True
+    requiresGPG1 = True
 
     def outputMatchPrepare(_, s):
         return re.sub(r'Signature made .* using|Warning: using insecure memory!\n', '', s)
@@ -396,3 +398,21 @@ class CreateMirror31Test(BaseTest):
 
     def outputMatchPrepare(_, s):
         return re.sub(r'Signature made .* using', '', s)
+
+
+class CreateMirror32Test(BaseTest):
+    """
+    create mirror: repo with Release + Release.gpg verification (gpg2)
+    """
+    runCmd = "aptly mirror create --keyring=aptlytest.gpg mirror32 http://mirror.yandex.ru/debian/ wheezy"
+    fixtureGpg = True
+    requiresGPG2 = True
+
+    def outputMatchPrepare(_, s):
+        return \
+            re.sub(r'([A-F0-9]{8})[A-F0-9]{8}', r'\1',
+                   re.sub(r'^gpgv: (Signature made .+|.+using RSA key.+)\n', '', s, flags=re.MULTILINE))
+
+    def check(self):
+        self.check_output()
+        self.check_cmd_output("aptly mirror show mirror32", "mirror_show")
diff --git a/system/t06_publish/PublishRepo32Test_gold b/system/t06_publish/PublishRepo32Test_gold
@@ -0,0 +1,14 @@
+Loading packages...
+Generating metadata files and linking package files...
+Finalizing metadata files...
+Signing file 'Release' with gpg, please enter your passphrase when prompted:
+Clearsigning file 'Release' with gpg, please enter your passphrase when prompted:
+
+Local repo local-repo has been successfully published.
+Please setup your webserver to serve directory '${HOME}/.aptly/public' with autoindexing.
+Now you can add following line to apt sources:
+  deb http://your-server/ maverick main
+  deb-src http://your-server/ maverick main
+Don't forget to add your GPG key to apt with apt-key.
+
+You can also use `aptly serve` to publish your repositories over HTTP quickly.
diff --git a/system/t06_publish/repo.py b/system/t06_publish/repo.py
@@ -57,9 +57,9 @@ def check(self):
         self.check_file_contents('public/dists/maverick/Contents-i386.gz', 'contents_i386_legacy', match_prepare=ungzip_if_required)
 
         # verify signatures
-        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
-        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
                       os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
 
@@ -456,9 +456,9 @@ def check(self):
         self.check_file_contents('public/dists/maverick/Release', 'release', match_prepare=strip_processor)
 
         # verify signatures
-        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
-        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
                       os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
 
@@ -637,9 +637,9 @@ def check(self):
         super(PublishRepo26Test, self).check()
 
         # verify signatures
-        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
-        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
                       os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
 
@@ -739,9 +739,9 @@ def check(self):
         super(PublishRepo30Test, self).check()
 
         # verify signatures
-        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
-        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
                       os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
 
@@ -765,8 +765,34 @@ def check(self):
         super(PublishRepo31Test, self).check()
 
         # verify signatures
-        self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
-        self.run_cmd(["gpg", "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+                      "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
+                      os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
+
+
+class PublishRepo32Test(BaseTest):
+    """
+    publish repo: default with gpg2
+    """
+    requiresGPG2 = True
+    fixtureCmds = [
+        "aptly repo create local-repo",
+        "aptly repo add local-repo ${files}",
+    ]
+    runCmd = "aptly publish repo -gpg-key=C5ACD2179B5231DFE842EE6121DBB89C16DB3E6D -keyring=${files}/aptly.pub -distribution=maverick local-repo"
+    gold_processor = BaseTest.expand_environ
+
+    def outputMatchPrepare(_, s):
+        return s.replace("gpg: gpg-agent is not available in this session\n", "")
+
+    def check(self):
+        super(PublishRepo32Test, self).check()
+
+        # verify signatures
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
+                      "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
+        self.run_cmd([self.gpgFinder.gpg, "--no-auto-check-trustdb",  "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly_passphrase.pub"),
                       "--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
                       os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])