Sign packages when modifying repo content

daviddavis · daviddavis · commit a87e82d522f7 · 2025-12-29T20:08:14.000Z
fixes #1300
diff --git a/pulp_deb/app/migrations/0035_add_deb_package_signing_result.py b/pulp_deb/app/migrations/0035_add_deb_package_signing_result.py
@@ -0,0 +1,32 @@
+# Generated by Django 4.2.27 on 2025-12-29 19:23
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django_lifecycle.mixins
+import pulpcore.app.models.base
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0145_domainize_import_export'),
+        ('deb', '0034_package_signing'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='DebPackageSigningResult',
+            fields=[
+                ('pulp_id', models.UUIDField(default=pulpcore.app.models.base.pulp_uuid, editable=False, primary_key=True, serialize=False)),
+                ('pulp_created', models.DateTimeField(auto_now_add=True)),
+                ('pulp_last_updated', models.DateTimeField(auto_now=True, null=True)),
+                ('sha256', models.TextField(max_length=64)),
+                ('package_signing_fingerprint', models.TextField(max_length=40)),
+                ('result', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='core.content')),
+            ],
+            options={
+                'unique_together': {('sha256', 'package_signing_fingerprint')},
+            },
+            bases=(django_lifecycle.mixins.LifecycleModelMixin, models.Model),
+        ),
+    ]
diff --git a/pulp_deb/app/models/signing_service.py b/pulp_deb/app/models/signing_service.py
@@ -7,7 +7,8 @@
 from typing import Optional
 
 import gnupg
-from pulpcore.plugin.models import SigningService
+from django.db import models
+from pulpcore.plugin.models import BaseModel, Content, SigningService
 
 
 def prepare_gpg(temp_directory_name, public_key, pubkey_fingerprint):
@@ -255,3 +256,16 @@ def _validate_deb_package(
                 raise Exception(
                     f"'{deb_package_path}' appears to have been signed using the wrong key!"
                 )
+
+
+class DebPackageSigningResult(BaseModel):
+    """
+    A model used for storing the result of signing an RPM package.
+    """
+
+    sha256 = models.TextField(max_length=64)
+    package_signing_fingerprint = models.TextField(max_length=40)
+    result = models.ForeignKey(Content, on_delete=models.CASCADE)
+
+    class Meta:
+        unique_together = ("sha256", "package_signing_fingerprint")
diff --git a/pulp_deb/app/tasks/__init__.py b/pulp_deb/app/tasks/__init__.py
@@ -2,3 +2,4 @@
 from .publishing import publish, publish_verbatim
 from .synchronizing import synchronize
 from .copy import copy_content
+from .signing import sign_and_create, signed_add_and_remove
diff --git a/pulp_deb/app/tasks/signing.py b/pulp_deb/app/tasks/signing.py
@@ -1,11 +1,19 @@
 from pathlib import Path
 from tempfile import NamedTemporaryFile
 
-from pulpcore.plugin.models import Upload, UploadChunk, Artifact, CreatedResource, PulpTemporaryFile
-from pulpcore.plugin.tasking import general_create
+from pulpcore.plugin.models import (
+    Upload,
+    UploadChunk,
+    Artifact,
+    ContentArtifact,
+    CreatedResource,
+    PulpTemporaryFile,
+)
+from pulpcore.plugin.tasking import add_and_remove, general_create
 from pulpcore.plugin.util import get_url
 
-from pulp_deb.app.models.signing_service import AptPackageSigningService
+from pulp_deb.app.models.signing_service import AptPackageSigningService, DebPackageSigningResult
+from pulp_deb.app.models import AptRepository, Package
 
 
 def _save_file(fileobj, final_package):
@@ -22,6 +30,20 @@ def _save_upload(uploadobj, final_package):
     final_package.flush()
 
 
+def _sign_file(package_file, signing_service, signing_fingerprint):
+    result = signing_service.sign(
+        package_file.name, pubkey_fingerprint=signing_fingerprint
+    )
+    signed_package_path = Path(result["deb_package"])
+    if not signed_package_path.exists():
+        raise Exception(f"Signing script did not create the signed package: {result}")
+    artifact = Artifact.init_and_validate(str(signed_package_path))
+    artifact.save()
+    resource = CreatedResource(content_object=artifact)
+    resource.save()
+    return artifact
+
+
 def sign_and_create(
     app_label,
     serializer_name,
@@ -43,16 +65,7 @@ def sign_and_create(
             uploaded_package = Upload.objects.get(pk=temporary_file_pk)
             _save_upload(uploaded_package, final_package)
 
-        result = package_signing_service.sign(
-            final_package.name, pubkey_fingerprint=signing_fingerprint
-        )
-        signed_package_path = Path(result["deb_package"])
-        if not signed_package_path.exists():
-            raise Exception(f"Signing script did not create the signed package: {result}")
-        artifact = Artifact.init_and_validate(str(signed_package_path))
-        artifact.save()
-        resource = CreatedResource(content_object=artifact)
-        resource.save()
+        artifact = _sign_file(final_package, package_signing_service, signing_fingerprint)
     uploaded_package.delete()
     # Create Package content
     data["artifact"] = get_url(artifact)
@@ -64,3 +77,60 @@ def sign_and_create(
     if "upload" in data:
         del data["upload"]
     general_create(app_label, serializer_name, data=data, context=context, *args, **kwargs)
+
+
+def signed_add_and_remove(
+    repository_pk, add_content_units, remove_content_units, base_version_pk=None
+):
+    repo = AptRepository.objects.get(pk=repository_pk)
+
+    if repo.package_signing_service:
+        # sign each package and replace it in the add_content_units list
+        signed_packages = []
+
+        for package in Package.objects.filter(pk__in=add_content_units):
+            content_artifact = package.contentartifact_set.first()
+            artifact_obj = content_artifact.artifact
+
+            with NamedTemporaryFile(mode="wb", dir=".", delete=False) as final_package:
+                artifact_file = artifact_obj.file
+                _save_file(artifact_file, final_package)
+
+                # TODO: check if the package is already signed with our fingerprint
+
+                # check if the package has been signed in the past with our fingerprint
+                if existing_result := DebPackageSigningResult.objects.filter(
+                    sha256=content_artifact.artifact.sha256,
+                    package_signing_fingerprint=repo.package_signing_fingerprint,
+                ).first():
+                    signed_packages.append(existing_result.result_id)
+                    continue
+
+                # create a new signed version of the package
+                artifact = _sign_file(
+                    final_package, repo.package_signing_service, repo.package_signing_fingerprint
+                )
+                signed_package = package
+                signed_package.pk = None
+                signed_package.pulp_id = None
+                signed_package.pkgId = artifact.sha256
+                signed_package.checksum_type = "sha256"
+                signed_package.save()
+                ContentArtifact.objects.create(
+                    artifact=artifact,
+                    content=signed_package,
+                    relative_path=content_artifact.relative_path,
+                )
+                DebPackageSigningResult.objects.create(
+                    sha256=artifact_obj.sha256,
+                    package_signing_fingerprint=repo.package_signing_fingerprint,
+                    result=signed_package,
+                )
+
+                resource = CreatedResource(content_object=signed_package)
+                resource.save()
+                signed_packages.append(signed_package.pk)
+
+        add_content_units = signed_packages
+
+    return add_and_remove(repository_pk, add_content_units, remove_content_units, base_version_pk)
diff --git a/pulp_deb/app/viewsets/content.py b/pulp_deb/app/viewsets/content.py
@@ -21,7 +21,7 @@
 from drf_spectacular.utils import extend_schema
 
 from pulp_deb.app import models, serializers
-from pulp_deb.app.tasks import signing as deb_sign
+from pulp_deb.app.tasks import sign_and_create
 
 
 class GenericContentFilter(ContentFilter):
@@ -312,7 +312,7 @@ def create(self, request):
             serializer.validated_data.get("repository"),
         ]
         task = dispatch(
-            deb_sign.sign_and_create,
+            sign_and_create,
             exclusive_resources=task_exclusive,
             args=tuple(task_args.values()),
             kwargs={
diff --git a/pulp_deb/app/viewsets/repository.py b/pulp_deb/app/viewsets/repository.py
@@ -8,14 +8,15 @@
 from pulp_deb.app.models.content.content import Package
 from pulp_deb.app.models.content.structure_content import PackageReleaseComponent
 from pulp_deb.app.serializers import AptRepositorySyncURLSerializer
+from pulpcore.app.tasks import signed_add_and_remove
 
 from pulpcore.plugin.util import extract_pk, get_url
 from pulpcore.plugin.actions import ModifyRepositoryActionMixin
 from pulpcore.plugin.serializers import (
     AsyncOperationResponseSerializer,
     RepositoryAddRemoveContentSerializer,
 )
-from pulpcore.plugin.models import RepositoryVersion
+from pulpcore.plugin.models import Repository, ContentArtifact, RepositoryVersion
 from pulpcore.plugin.tasking import dispatch
 from pulpcore.plugin.viewsets import (
     OperationPostponedResponse,
@@ -29,6 +30,8 @@
 
 
 class AptModifyRepositoryActionMixin(ModifyRepositoryActionMixin):
+    modify_task = signed_add_and_remove
+
     @extend_schema(
         description="Trigger an asynchronous task to create a new repository version.",
         summary="Modify Repository Content",
@@ -37,13 +40,25 @@ class AptModifyRepositoryActionMixin(ModifyRepositoryActionMixin):
     @action(detail=True, methods=["post"], serializer_class=RepositoryAddRemoveContentSerializer)
     def modify(self, request, pk):
         remove_content_units = request.data.get("remove_content_units", [])
-        package_hrefs = [href for href in remove_content_units if "/packages/" in href]
+        remove_package_hrefs = [href for href in remove_content_units if "/packages/" in href]
 
-        if package_hrefs:
-            prc_hrefs = self._get_matching_prc_hrefs(package_hrefs)
+        if remove_package_hrefs:
+            prc_hrefs = self._get_matching_prc_hrefs(remove_package_hrefs)
             remove_content_units.extend(prc_hrefs)
             request.data["remove_content_units"] = remove_content_units
 
+        add_content_units = request.data.get("add_content_units", [])
+        add_package_hrefs = [href for href in add_content_units if "/packages/" in href]
+        repository = Repository.objects.get(pk=request.data["repository"])
+        if add_content_units and repository.package_signing_service:
+            ondemand_ca = ContentArtifact.objects.filter(
+                content_id__in=add_package_hrefs, artifact__isnull=True
+            )
+            if ondemand_ca.count() > 0:
+                raise DRFValidationError(
+                    _("Cannot add on-demand content to repo with set package signing service.")
+                )
+
         return super().modify(request, pk)
 
     def _get_matching_prc_hrefs(self, package_hrefs):
