
launchpad-reviewers team mailing list archive

[Merge] ~jugmac00/launchpad-buildd:fetch-service-provision-build-environment into launchpad-buildd:master

 

Jürgen Gmach has proposed merging ~jugmac00/launchpad-buildd:fetch-service-provision-build-environment into launchpad-buildd:master.

Commit message:
Install ca certificate for the fetch service

This is necessary so the fetch service can act as a man-in-the-middle
for all requests when builds are fetching dependencies.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~jugmac00/launchpad-buildd/+git/launchpad-buildd/+merge/462893
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~jugmac00/launchpad-buildd:fetch-service-provision-build-environment into launchpad-buildd:master.
diff --git a/lpbuildd/target/build_snap.py b/lpbuildd/target/build_snap.py
index f613e99..4afbee3 100644
--- a/lpbuildd/target/build_snap.py
+++ b/lpbuildd/target/build_snap.py
@@ -110,10 +110,26 @@ class BuildSnap(
         )
         parser.add_argument(
             "--fetch-service-mitm-certificate",
+            type=str,
             help=("content of the ca certificate"),
         )
         parser.add_argument("name", help="name of snap to build")
 
+    def install_mitm_certificate(self):
+        """Install ca certificate for the fetch service
+
+        This is necessary so the fetch service can man in the middle all
+        requests when fetching dependencies.
+        """
+        with self.backend.open(
+            "/usr/local/share/ca-certificates/local-ca.crt", mode="w"
+        ) as local_ca_cert:
+            local_ca_cert.write(self.args.fetch_service_mitm_certificate)
+        self.backend.run(["update-ca-certificates"])
+        # XXX jugmac00 2024-04-17: We might need to restart snapd
+        # so the new certificate will be used
+        # snapd folks are unsure, so we need to try ourselves
+
     def install_svn_servers(self):
         proxy = urlparse(self.args.proxy_url)
         svn_servers = dedent(
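Review bot: `install_mitm_certificate` writes `self.args.fetch_service_mitm_certificate` into the system trust store as-is, with nothing checking that the value is a PEM certificate. `update-ca-certificates` only picks up PEM-formatted `.crt` files, so a truncated or mangled value would presumably leave the CA untrusted and only surface later as TLS errors during dependency fetching. A cheap check before the write would fail early, for example `if "-----BEGIN CERTIFICATE-----" not in cert: raise ValueError("fetch service CA certificate is not PEM")`. The docstring should also state the trust scope: once installed, this CA is trusted for every TLS connection made inside the build environment, not only for traffic to the fetch service.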
@@ -182,7 +198,12 @@ class BuildSnap(
                 ]
             )
         if self.args.proxy_url:
+            # XXX jugmac00 2024-04-17:reached out to William whether we need to
+            # take this into account for using the fetch service
+            # William is not sure, so we need to try this in staging
             self.install_svn_servers()
+        if self.args.use_fetch_service:
+            self.install_mitm_certificate()
 
     def repo(self):
         """Collect git or bzr branch."""
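Review bot: The new `if self.args.use_fetch_service:` branch calls `install_mitm_certificate()` without checking that `--fetch-service-mitm-certificate` was supplied. The option has no default in the first hunk, so argparse would leave it as `None`, and the `write()` call would presumably raise a `TypeError` with no hint about the missing option. Fail explicitly before the call instead, e.g. `if not self.args.fetch_service_mitm_certificate: raise ValueError("--fetch-service-mitm-certificate is required with --use_fetch_service")`, or enforce the pairing in the argument parser. Silently skipping the install would be worse, because the build would continue without the CA it needs. The enclosing method starts outside this hunk, and the definition of `--use_fetch_service` is not visible here.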
diff --git a/lpbuildd/target/tests/test_build_snap.py b/lpbuildd/target/tests/test_build_snap.py
index 8719e57..4788029 100644
--- a/lpbuildd/target/tests/test_build_snap.py
+++ b/lpbuildd/target/tests/test_build_snap.py
@@ -194,6 +194,65 @@ class TestBuildSnap(TestCase):
             build_snap.backend.backend_fs["/root/.subversion/servers"],
         )
 
+    def test_install_certificate(self):
+        args = [
+            "buildsnap",
+            "--backend=fake",
+            "--series=xenial",
+            "--arch=amd64",
+            "1",
+            "--git-repository",
+            "lp:foo",
+            "--proxy-url",
+            "http://proxy.example:3128/";,
+            "test-snap",
+            "--use_fetch_service",
+            "--fetch-service-mitm-certificate",
+            "content_of_cert",
+        ]
+        build_snap = parse_args(args=args).operation
+        build_snap.bin = "/builderbin"
+        self.useFixture(FakeFilesystem()).add("/builderbin")
+        os.mkdir("/builderbin")
+        with open("/builderbin/lpbuildd-git-proxy", "w") as proxy_script:
+            proxy_script.write("proxy script\n")
+            os.fchmod(proxy_script.fileno(), 0o755)
+        build_snap.install()
+        self.assertThat(
+            build_snap.backend.run.calls,
+            MatchesListwise(
+                [
+                    RanAptGet(
+                        "install", "python3", "socat", "git", "snapcraft"
+                    ),
+                    RanCommand(["mkdir", "-p", "/root/.subversion"]),
+                    RanCommand(["update-ca-certificates"]),
+                ]
+            ),
+        )
+        self.assertEqual(
+            (b"proxy script\n", stat.S_IFREG | 0o755),
+            build_snap.backend.backend_fs["/usr/local/bin/lpbuildd-git-proxy"],
+        )
+        self.assertEqual(
+            (
+                b"[global]\n"
+                b"http-proxy-host = proxy.example\n"
+                b"http-proxy-port = 3128\n",
+                stat.S_IFREG | 0o644,
+            ),
+            build_snap.backend.backend_fs["/root/.subversion/servers"],
+        )
+        self.assertEqual(
+            (
+                b"content_of_cert",
+                stat.S_IFREG | 0o644,
+            ),
+            build_snap.backend.backend_fs[
+                "/usr/local/share/ca-certificates/local-ca.crt"
+            ],
+        )
+
     def test_install_channels(self):
         args = [
             "buildsnap",
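Review bot: `test_install_certificate` passes the single token `content_of_cert`, so it never exercises a value shaped like a real certificate (multi-line, with PEM header and footer). It would not catch newline or encoding damage between the command-line argument and `/usr/local/share/ca-certificates/local-ca.crt`. Using a constructed multi-line PEM-shaped string as the fixture and asserting it byte-for-byte would cover that path. A second test that passes `--use_fetch_service` without `--fetch-service-mitm-certificate` would pin down the intended failure mode. The `TestBuildSnap` class starts outside this hunk.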