Move load_pem_public_key to repo_online
This commit is contained in:
parent
64adcf3647
commit
51c0703d71
@ -6,7 +6,6 @@ import urllib.parse
|
|||||||
|
|
||||||
config = configparser.ConfigParser()
|
config = configparser.ConfigParser()
|
||||||
config.read('/etc/spoc/spoc.conf')
|
config.read('/etc/spoc/spoc.conf')
|
||||||
print ('CONFIG LOADED') # TODO: Debug, remove
|
|
||||||
|
|
||||||
def get_repo_auth(config):
|
def get_repo_auth(config):
|
||||||
username = config.get('repo', 'username', fallback='')
|
username = config.get('repo', 'username', fallback='')
|
||||||
@ -15,12 +14,7 @@ def get_repo_auth(config):
|
|||||||
return None
|
return None
|
||||||
return (username, password)
|
return (username, password)
|
||||||
|
|
||||||
def get_repo_pubkey(config):
|
NETWORK_INTERFACE = config.get('general', 'network-interface', fallback='spocbr0')
|
||||||
pubkey = config.get('repo', 'public-key', fallback='')
|
|
||||||
pubkey = f'-----BEGIN PUBLIC KEY-----\n{pubkey}\n-----END PUBLIC KEY-----'
|
|
||||||
return pubkey.encode()
|
|
||||||
|
|
||||||
NETWORK_INTERFACE = config.get('general', 'network-interface', 'spocbr0')
|
|
||||||
|
|
||||||
DATA_DIR = config.get('general', 'data-dir', fallback='/var/lib/spoc')
|
DATA_DIR = config.get('general', 'data-dir', fallback='/var/lib/spoc')
|
||||||
APPS_DIR = os.path.join(DATA_DIR, 'apps')
|
APPS_DIR = os.path.join(DATA_DIR, 'apps')
|
||||||
@ -28,7 +22,7 @@ CONTAINERS_DIR = os.path.join(DATA_DIR, 'containers')
|
|||||||
LAYERS_DIR = os.path.join(DATA_DIR, 'layers')
|
LAYERS_DIR = os.path.join(DATA_DIR, 'layers')
|
||||||
VOLUME_DIR = os.path.join(DATA_DIR, 'volumes')
|
VOLUME_DIR = os.path.join(DATA_DIR, 'volumes')
|
||||||
HOSTS_FILE = os.path.join(DATA_DIR, 'hosts')
|
HOSTS_FILE = os.path.join(DATA_DIR, 'hosts')
|
||||||
REPO_FILE = os.path.join(DATA_DIR, 'packages.json')
|
REPO_FILE = os.path.join(DATA_DIR, 'repository.json')
|
||||||
LOG_DIR = config.get('general', 'log-dir', fallback='/var/log/spoc')
|
LOG_DIR = config.get('general', 'log-dir', fallback='/var/log/spoc')
|
||||||
LOCK_FILE = '/run/lock/spoc.lock'
|
LOCK_FILE = '/run/lock/spoc.lock'
|
||||||
|
|
||||||
@ -43,4 +37,4 @@ REPO_URL = config.get('repo', 'url', fallback='https://localhost')
|
|||||||
REPO_PACKAGES_URL = urllib.parse.urljoin(REPO_URL, 'packages.json')
|
REPO_PACKAGES_URL = urllib.parse.urljoin(REPO_URL, 'packages.json')
|
||||||
REPO_SIG_URL = urllib.parse.urljoin(REPO_URL, 'packages.sig')
|
REPO_SIG_URL = urllib.parse.urljoin(REPO_URL, 'packages.sig')
|
||||||
REPO_AUTH = get_repo_auth(config)
|
REPO_AUTH = get_repo_auth(config)
|
||||||
REPO_PUBKEY = get_repo_pubkey(config)
|
REPO_PUBKEY = config.get('repo', 'public-key', fallback='')
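Review bot: `REPO_PUBKEY = config.get('repo', 'public-key', fallback='')` turns a missing signing key into an empty string, which the new `get_pubkey()` in repo_online then wraps in PEM armor and hands to `load_pem_public_key`, so a misconfigured host fails with a key-parser error at import time instead of a message naming the option. Unlike `get_repo_auth`, where absent credentials legitimately mean "no auth" and the function returns None, the repository public key has no safe default: without it no package or archive signature can be verified. I would drop the fallback so configparser raises `NoOptionError`/`NoSectionError` for the missing option: `REPO_PUBKEY = config.get('repo', 'public-key')`. The repo_online hunk below inherits this empty-value path.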
|
||||||
|
@ -17,7 +17,7 @@ class Image:
|
|||||||
self.name = name
|
self.name = name
|
||||||
self.layer_path = os.path.join(LAYERS_DIR, name)
|
self.layer_path = os.path.join(LAYERS_DIR, name)
|
||||||
self.archive_path = os.path.join(PUB_LAYERS_DIR, f'{name}.tar.xz')
|
self.archive_path = os.path.join(PUB_LAYERS_DIR, f'{name}.tar.xz')
|
||||||
self.online_path = urllib.parse.urljoin(REPO_URL, 'images', f'{image_name}.tar.xz')
|
self.online_path = urllib.parse.urljoin(REPO_URL, 'images', f'{name}.tar.xz')
|
||||||
self.layers = [name]
|
self.layers = [name]
|
||||||
self.env = {}
|
self.env = {}
|
||||||
self.uid = None
|
self.uid = None
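Review bot: `urllib.parse.urljoin(REPO_URL, 'images', f'{name}.tar.xz')` does not build the URL the line intends: urljoin's signature is `(base, url, allow_fragments=True)`, so the third positional argument is consumed as the `allow_fragments` flag and the result is `REPO_URL` joined with just `'images'`, dropping the archive name entirely. The commit only fixes the `image_name` NameError on the removed line; the call shape is unchanged. Use one relative path instead: `self.online_path = urllib.parse.urljoin(REPO_URL, f'images/{name}.tar.xz')`, keeping in mind that urljoin replaces the last path segment of `REPO_URL` unless it ends in a slash. The enclosing `Image.__init__` starts outside the hunk.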
|
||||||
|
@ -17,6 +17,12 @@ from .config import REPO_AUTH, REPO_PUBKEY, REPO_PACKAGES_URL, REPO_SIG_URL
|
|||||||
TYPE_APP = 'apps'
|
TYPE_APP = 'apps'
|
||||||
TYPE_IMAGE = 'images'
|
TYPE_IMAGE = 'images'
|
||||||
|
|
||||||
|
def get_pubkey():
|
||||||
|
pubkey = f'-----BEGIN PUBLIC KEY-----\n{REPO_PUBKEY}\n-----END PUBLIC KEY-----'
|
||||||
|
return load_pem_public_key(pubkey.encode(), default_backend())
|
||||||
|
|
||||||
|
PUBLIC_KEY = get_pubkey()
|
||||||
|
|
||||||
def download_archive(src, dst, expected_hash):
|
def download_archive(src, dst, expected_hash):
|
||||||
# Download archive via http(s), verify hash and decompress
|
# Download archive via http(s), verify hash and decompress
|
||||||
with tempfile.TemporaryFile() as tmp_archive:
|
with tempfile.TemporaryFile() as tmp_archive:
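Review bot: `PUBLIC_KEY = get_pubkey()` runs key parsing as a side effect of importing repo_online, so any problem with the configured key (an empty `public-key`, a value that is not a bare base64 body) surfaces as an exception from the import of this module rather than from the code that needs the key. Consider making the load lazy, e.g. decorating `get_pubkey` with `functools.lru_cache` and calling `get_pubkey().verify(...)` at the two use sites, or at least give the function a docstring such as `"""Load the repository signing key; REPO_PUBKEY holds only the base64 body, the PEM armor is added here."""`. `load_pem_public_key` and `default_backend` must be imported in this module; the import lines sit above the hunk, so I cannot confirm they were added with the move.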
|
||||||
@ -30,7 +36,7 @@ def download_archive(src, dst, expected_hash):
|
|||||||
tmp_archive.write(chunk)
|
tmp_archive.write(chunk)
|
||||||
hasher.update(chunk)
|
hasher.update(chunk)
|
||||||
# Verify hash
|
# Verify hash
|
||||||
REPO_PUBKEY.verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(sha512)))
|
PUBLIC_KEY.verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(sha512)))
|
||||||
# Extract the tar.xz file
|
# Extract the tar.xz file
|
||||||
tmp_archive.seek(0)
|
tmp_archive.seek(0)
|
||||||
with tarfile.open(fileobj=tmp_archive) as tar:
|
with tarfile.open(fileobj=tmp_archive) as tar:
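Review bot: `PUBLIC_KEY.verify(bytes.fromhex(expected_hash), hasher.finalize(), ec.ECDSA(utils.Prehashed(sha512)))` passes `expected_hash` as the ECDSA signature and the freshly computed digest as the signed data, yet the parameter name and the `# Verify hash` comment above it say the caller is handing over a plain hash. Renaming the parameter would touch callers outside this hunk, so I would at least correct the comment: `# Verify the ECDSA signature (hex string, passed as expected_hash) over the archive's SHA-512 digest`. `verify` raises `InvalidSignature` on mismatch; nothing visible in the hunk turns that into an error naming the archive, and `download_archive`'s body continues past the hunk. Whether `sha512` is the `hashes.SHA512()` instance that `Prehashed` expects is not visible here.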
|
||||||
@ -40,7 +46,7 @@ def load():
|
|||||||
with requests.Session(auth=REPO_AUTH) as session:
|
with requests.Session(auth=REPO_AUTH) as session:
|
||||||
packages = session.get(REPO_PACKAGES_URL, timout=5).content
|
packages = session.get(REPO_PACKAGES_URL, timout=5).content
|
||||||
packages_sig = bytes.fromhex(session.get(REPO_SIG_URL, timout=5).content)
|
packages_sig = bytes.fromhex(session.get(REPO_SIG_URL, timout=5).content)
|
||||||
REPO_PUBKEY.verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
|
PUBLIC_KEY.verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))
|
||||||
return json.loads(packages)
|
return json.loads(packages)
|
||||||
|
|
||||||
def get_entries(entry_type):
|
def get_entries(entry_type):
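Review bot: The new `PUBLIC_KEY.verify(packages_sig, packages, ec.ECDSA(hashes.SHA512()))` line is correct, but on the new side of this hunk it is unreachable as written: `requests.Session(auth=REPO_AUTH)` passes an argument to a constructor that takes none, both `session.get` calls spell the keyword `timout` instead of `timeout`, and `bytes.fromhex` is given `.content` (bytes) where it requires a str. Unless `requests` here is a local wrapper, each of these raises TypeError before the signature is checked. The changed lines would be `with requests.Session() as session:` followed by `session.auth = REPO_AUTH`, `session.get(REPO_PACKAGES_URL, timeout=5).content`, and `bytes.fromhex(session.get(REPO_SIG_URL, timeout=5).text)`. The start of `load()` is outside the hunk.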
|
||||||
|