tests: Add tests for https OCI remotes

2026-05-16 12:50:01 -04:00 · 2024-12-17 17:47:35 +01:00
parent c75ba1c7e1
commit a2aad56cd7
5 changed files with 101 additions and 20 deletions
--- a/tests/libtest.sh
+++ b/tests/libtest.sh
@@ -332,12 +332,16 @@ make_runtime () {
 }

 httpd () {
-    COMMAND=${1:-web-server.py}
-    DIR=${2:-repos}
+    if [ $# -eq 0 ] ; then
+        set web-server.py repos
+    fi
+
+    COMMAND=$1
+    shift

    rm -f httpd-pipe
    mkfifo httpd-pipe
-    PYTHONUNBUFFERED=1 $(dirname $0)/$COMMAND "$DIR" 3> httpd-pipe 2>&1 | tee -a httpd-log >&2 &
+    PYTHONUNBUFFERED=1 $(dirname $0)/$COMMAND "$@" 3> httpd-pipe 2>&1 | tee -a httpd-log >&2 &
    read < httpd-pipe
 }

@@ -589,10 +593,15 @@ skip_without_libsystemd () {
  fi
 }

+FLATPAK_SYSTEM_CERTS_D=$(pwd)/certs.d
+export FLATPAK_SYSTEM_CERTS_D
+
 sed s#@testdir@#${test_builddir}# ${test_srcdir}/session.conf.in > session.conf
 dbus-daemon --fork --config-file=session.conf --print-address=3 --print-pid=4 \
    3> dbus-session-bus-address 4> dbus-session-bus-pid
-export DBUS_SESSION_BUS_ADDRESS="$(cat dbus-session-bus-address)"
+
+DBUS_SESSION_BUS_ADDRESS="$(cat dbus-session-bus-address)"
+export DBUS_SESSION_BUS_ADDRESS
 DBUS_SESSION_BUS_PID="$(cat dbus-session-bus-pid)"

 if ! /bin/kill -0 "$DBUS_SESSION_BUS_PID"; then
--- a/tests/test-matrix/meson.build
+++ b/tests/test-matrix/meson.build
@@ -17,8 +17,10 @@ wrapped_tests += {'name' : 'test-sideload@system.wrap', 'script' : 'test-sideloa
 wrapped_tests += {'name' : 'test-bundle@user.wrap', 'script' : 'test-bundle.sh'}
 wrapped_tests += {'name' : 'test-bundle@system.wrap', 'script' : 'test-bundle.sh'}
 wrapped_tests += {'name' : 'test-bundle@system-norevokefs.wrap', 'script' : 'test-bundle.sh'}
-wrapped_tests += {'name' : 'test-oci-registry@user.wrap', 'script' : 'test-oci-registry.sh'}
-wrapped_tests += {'name' : 'test-oci-registry@system.wrap', 'script' : 'test-oci-registry.sh'}
+wrapped_tests += {'name' : 'test-oci-registry@user,http.wrap', 'script' : 'test-oci-registry.sh'}
+wrapped_tests += {'name' : 'test-oci-registry@user,https.wrap', 'script' : 'test-oci-registry.sh'}
+wrapped_tests += {'name' : 'test-oci-registry@system,http.wrap', 'script' : 'test-oci-registry.sh'}
+wrapped_tests += {'name' : 'test-oci-registry@system,https.wrap', 'script' : 'test-oci-registry.sh'}
 wrapped_tests += {'name' : 'test-update-remote-configuration@newsummary.wrap', 'script' : 'test-update-remote-configuration.sh'}
 wrapped_tests += {'name' : 'test-update-remote-configuration@oldsummary.wrap', 'script' : 'test-update-remote-configuration.sh'}
 wrapped_tests += {'name' : 'test-update-portal@user.wrap', 'script' : 'test-update-portal.sh'}
--- a/tests/test-oci-registry.sh
+++ b/tests/test-oci-registry.sh
@@ -27,9 +27,73 @@ echo "1..14"

 # Start the fake registry server

-httpd oci-registry-server.py --dir=.
+if [ x${USE_HTTPS} = xyes ] ; then
+    cat > openssl.config <<EOF
+[req]
+distinguished_name=default_dn
+
+[v3_ca]
+basicConstraints=critical,CA:TRUE,pathlen:0
+
+[server_cert]
+basicConstraints=CA:FALSE
+subjectAltName=DNS:registry.example.com,IP:127.0.0.1
+
+[usr_cert]
+subjectAltName=email:copy
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+extendedKeyUsage=clientAuth
+
+[default_dn]
+CN=Unused
+EOF
+
+    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
+        -nodes -keyout example.com.ca.key -out example.com.ca.crt \
+        -subj="/CN=Example CA/O=example.com/emailAddress=nomail@example.com" \
+        -config openssl.config -extensions v3_ca
+
+    openssl req -newkey rsa:4096 -sha256 \
+        -nodes -keyout example.com.key -out example.com.csr \
+	-subj "/CN=registry.example.com"
+
+    openssl x509 -req -in example.com.csr -days 3650 \
+        -CA example.com.ca.crt -CAkey example.com.ca.key -CAcreateserial \
+	-extfile openssl.config -extensions server_cert \
+	-out example.com.crt
+
+    openssl req -newkey rsa:4096 -sha256 \
+        -nodes -keyout client.key -out client.csr \
+        -subj="/CN=User/O=example.com/emailAddress=user@example.com"
+
+    openssl x509 -req -in client.csr -days 3650 \
+	-CA example.com.ca.crt -CAkey example.com.ca.key -CAcreateserial \
+	-extfile openssl.config -extensions usr_cert \
+	-out client.cert
+
+    server_args="--cert=example.com.crt --key=example.com.key --mtls-cacert=example.com.ca.crt"
+else
+    server_args=
+    client_args=
+fi
+
+httpd oci-registry-server.py --dir=. $server_args
 port=$(cat httpd-port)
-client="python3 $test_srcdir/oci-registry-client.py --url=http://127.0.0.1:$port"
+
+if [ x${USE_HTTPS} = xyes ] ; then
+    scheme=https
+    client_args="--cert=client.cert --key=client.key --cacert=example.com.ca.crt"
+
+    hostdir=$FLATPAK_SYSTEM_CERTS_D/127.0.0.1:${port}
+    mkdir -p $hostdir
+    cp example.com.ca.crt client.key client.cert $hostdir
+else
+    scheme=http
+    client_args=
+fi
+
+client="python3 $test_srcdir/oci-registry-client.py $client_args --url=${scheme}://127.0.0.1:${port}"

 setup_repo_no_add oci

@@ -43,7 +107,7 @@ $client add hello latest $(pwd)/oci/app-image

 # Add an OCI remote

-${FLATPAK} remote-add ${U} oci-registry "oci+http://127.0.0.1:${port}" >&2
+${FLATPAK} remote-add ${U} oci-registry "oci+${scheme}://127.0.0.1:${port}" >&2

 # Check that the images we expect are listed

@@ -144,7 +208,7 @@ fi
 assert_has_file $base/oci/oci-registry.index.gz
 assert_has_file $base/oci/oci-registry.summary
 assert_has_dir $base/appstream/oci-registry
-${FLATPAK} remote-modify ${U} --url=http://127.0.0.1:${port} oci-registry >&2
+${FLATPAK} remote-modify ${U} --url=${scheme}://127.0.0.1:${port} oci-registry >&2
 assert_not_has_file $base/oci/oci-registry.index.gz
 assert_not_has_file $base/oci/oci-registry.summary
 assert_not_has_dir $base/appstream/oci-registry
@@ -153,7 +217,7 @@ ok "change remote to non-OCI"

 # Change it back and refetch

-${FLATPAK} remote-modify ${U} --url=oci+http://127.0.0.1:${port} oci-registry >&2
+${FLATPAK} remote-modify ${U} --url=oci+${scheme}://127.0.0.1:${port} oci-registry >&2
 ${FLATPAK} update ${U} --appstream oci-registry >&2

 # Delete the remote, check that everything was removed
@@ -177,7 +241,7 @@ ok "delete remote"
 cat << EOF > runtime-repo.flatpakrepo
 [Flatpak Repo]
 Version=1
-Url=oci+http://localhost:${port}
+Url=oci+${scheme}://localhost:${port}
 Title=The OCI Title
 EOF

@@ -186,7 +250,7 @@ cat << EOF > org.test.Platform.flatpakref
 Title=Test Platform
 Name=org.test.Platform
 Branch=master
-Url=oci+http://127.0.0.1:${port}
+Url=oci+${scheme}://127.0.0.1:${port}
 IsRuntime=true
 RuntimeRepo=file://$(pwd)/runtime-repo.flatpakrepo
 EOF
@@ -214,12 +278,12 @@ ok "prune origin remote"

 # Install from a (non-OCI) bundle, check that the repo-url is respected

-${FLATPAK} build-bundle --runtime --repo-url "oci+http://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Platform.flatpak org.test.Platform >&2
+${FLATPAK} build-bundle --runtime --repo-url "oci+${scheme}://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Platform.flatpak org.test.Platform >&2

 ${FLATPAK} ${U} install -y --bundle org.test.Platform.flatpak >&2

 ${FLATPAK} remotes -d > remotes-list
-assert_file_has_content remotes-list "^platform-origin.*[ 	]oci+http://127\.0\.0\.1:${port}"
+assert_file_has_content remotes-list "^platform-origin.*[ 	]oci+${scheme}://127\.0\.0\.1:${port}"

 assert_has_file $base/oci/platform-origin.index.gz

@@ -227,12 +291,12 @@ ok "install via bundle"

 # Install an app from a bundle

-${FLATPAK} build-bundle --repo-url "oci+http://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Hello.flatpak org.test.Hello >&2
+${FLATPAK} build-bundle --repo-url "oci+${scheme}://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Hello.flatpak org.test.Hello >&2

 ${FLATPAK} ${U} install -y --bundle org.test.Hello.flatpak >&2

 ${FLATPAK} remotes -d > remotes-list
-assert_file_has_content remotes-list "^hello-origin.*[ 	]oci+http://127\.0\.0\.1:${port}"
+assert_file_has_content remotes-list "^hello-origin.*[ 	]oci+${scheme}://127\.0\.0\.1:${port}"

 assert_has_file $base/oci/hello-origin.index.gz

@@ -241,12 +305,12 @@ ok "app install via bundle"
 # Install an updated app bundle with a different origin

 make_updated_app oci
-${FLATPAK} build-bundle --repo-url "http://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Hello.flatpak org.test.Hello >&2
+${FLATPAK} build-bundle --repo-url "${scheme}://127.0.0.1:${port}" $FL_GPGARGS repos/oci org.test.Hello.flatpak org.test.Hello >&2

 ${FLATPAK} ${U} install -y --bundle org.test.Hello.flatpak >&2

 ${FLATPAK} remotes -d > remotes-list
-assert_file_has_content remotes-list "^hello-origin.*[ 	]http://127\.0\.0\.1:${port}"
+assert_file_has_content remotes-list "^hello-origin.*[ 	]${scheme}://127\.0\.0\.1:${port}"

 assert_not_has_file $base/oci/hello-origin.index.gz

--- a/tests/test-wrapper.sh
+++ b/tests/test-wrapper.sh
@@ -30,6 +30,12 @@ for feature in $(echo $1 | sed "s/^.*@\(.*\).wrap/\1/" | tr "," "\n"); do
        annotations)
            export USE_OCI_ANNOTATIONS=yes
            ;;
+        https)
+            export USE_HTTPS=yes
+            ;;
+        http)
+            export USE_HTTPS=no
+            ;;
        *)
            echo unsupported test feature $feature
            exit 1
--- a/tests/update-test-matrix
+++ b/tests/update-test-matrix
@@ -23,7 +23,7 @@ TEST_MATRIX_SOURCE=(
 	'tests/test-extensions.sh' \
 	'tests/test-bundle.sh{user+system+system-norevokefs}' \
 	'tests/test-oci.sh' \
-	'tests/test-oci-registry.sh{user+system}' \
+	'tests/test-oci-registry.sh{{user+system},{http+https}}' \
 	'tests/test-update-remote-configuration.sh{newsummary+oldsummary}' \
 	'tests/test-override.sh' \
 	'tests/test-update-portal.sh{user+system}' \