diff options
author | Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com> | 2017-05-12 14:40:21 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-06-06 19:02:43 +0100 |
commit | 157c3be2ca93f076033f725ec1ee912df91f7488 (patch) | |
tree | 8ef896ff7adf78d63b34059cd5b017a4f0a3419a /meta/lib/oeqa/selftest/cases/signing.py | |
parent | 10c512b60d1167122b5fe778b93838dca3def717 (diff) | |
download | poky-157c3be2ca93f076033f725ec1ee912df91f7488.tar.gz |
oeqa/selftest/cases: Migrate test cases into the new oe-qa framework
New framework has different classes/decorators so adapt current test cases to
support these. Changes include changes on base classes and decorators.
Also include paths in selftest/__init__.py isn't needed because the
loader is the standard unittest one.
(From OE-Core rev: ddbbefdd124604d10bd47dd0266b55a764fcc0ab)
Signed-off-by: Leonardo Sandoval <leonardo.sandoval.gonzalez@linux.intel.com>
Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oeqa/selftest/cases/signing.py')
-rw-r--r-- | meta/lib/oeqa/selftest/cases/signing.py | 184 |
1 files changed, 184 insertions, 0 deletions
diff --git a/meta/lib/oeqa/selftest/cases/signing.py b/meta/lib/oeqa/selftest/cases/signing.py new file mode 100644 index 0000000000..edb5f653f2 --- /dev/null +++ b/meta/lib/oeqa/selftest/cases/signing.py | |||
@@ -0,0 +1,184 @@ | |||
1 | from oeqa.selftest.case import OESelftestTestCase | ||
2 | from oeqa.utils.commands import runCmd, bitbake, get_bb_var, get_bb_vars | ||
3 | import os | ||
4 | import glob | ||
5 | import re | ||
6 | import shutil | ||
7 | import tempfile | ||
8 | from oeqa.core.decorator.oeid import OETestID | ||
9 | from oeqa.utils.ftools import write_file | ||
10 | |||
11 | |||
12 | class Signing(OESelftestTestCase): | ||
13 | |||
14 | gpg_dir = "" | ||
15 | pub_key_path = "" | ||
16 | secret_key_path = "" | ||
17 | |||
18 | @classmethod | ||
19 | def setUpClass(cls): | ||
20 | super(Signing, cls).setUpClass() | ||
21 | # Check that we can find the gpg binary and fail early if we can't | ||
22 | if not shutil.which("gpg"): | ||
23 | raise AssertionError("This test needs GnuPG") | ||
24 | |||
25 | cls.gpg_home_dir = tempfile.TemporaryDirectory(prefix="oeqa-signing-") | ||
26 | cls.gpg_dir = cls.gpg_home_dir.name | ||
27 | |||
28 | cls.pub_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.pub") | ||
29 | cls.secret_key_path = os.path.join(cls.testlayer_path, 'files', 'signing', "key.secret") | ||
30 | |||
31 | runCmd('gpg --batch --homedir %s --import %s %s' % (cls.gpg_dir, cls.pub_key_path, cls.secret_key_path)) | ||
32 | |||
33 | @OETestID(1362) | ||
34 | def test_signing_packages(self): | ||
35 | """ | ||
36 | Summary: Test that packages can be signed in the package feed | ||
37 | Expected: Package should be signed with the correct key | ||
38 | Expected: Images can be created from signed packages | ||
39 | Product: oe-core | ||
40 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
41 | Author: Alexander Kanavin <alexander.kanavin@intel.com> | ||
42 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
43 | """ | ||
44 | import oe.packagedata | ||
45 | |||
46 | package_classes = get_bb_var('PACKAGE_CLASSES') | ||
47 | if 'package_rpm' not in package_classes: | ||
48 | self.skipTest('This test requires RPM Packaging.') | ||
49 | |||
50 | test_recipe = 'ed' | ||
51 | |||
52 | feature = 'INHERIT += "sign_rpm"\n' | ||
53 | feature += 'RPM_GPG_PASSPHRASE = "test123"\n' | ||
54 | feature += 'RPM_GPG_NAME = "testuser"\n' | ||
55 | feature += 'GPG_PATH = "%s"\n' % self.gpg_dir | ||
56 | |||
57 | self.write_config(feature) | ||
58 | |||
59 | bitbake('-c clean %s' % test_recipe) | ||
60 | bitbake('-f -c package_write_rpm %s' % test_recipe) | ||
61 | |||
62 | self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe) | ||
63 | |||
64 | needed_vars = ['PKGDATA_DIR', 'DEPLOY_DIR_RPM', 'PACKAGE_ARCH', 'STAGING_BINDIR_NATIVE'] | ||
65 | bb_vars = get_bb_vars(needed_vars, test_recipe) | ||
66 | pkgdatadir = bb_vars['PKGDATA_DIR'] | ||
67 | pkgdata = oe.packagedata.read_pkgdatafile(pkgdatadir + "/runtime/ed") | ||
68 | if 'PKGE' in pkgdata: | ||
69 | pf = pkgdata['PN'] + "-" + pkgdata['PKGE'] + pkgdata['PKGV'] + '-' + pkgdata['PKGR'] | ||
70 | else: | ||
71 | pf = pkgdata['PN'] + "-" + pkgdata['PKGV'] + '-' + pkgdata['PKGR'] | ||
72 | deploy_dir_rpm = bb_vars['DEPLOY_DIR_RPM'] | ||
73 | package_arch = bb_vars['PACKAGE_ARCH'].replace('-', '_') | ||
74 | staging_bindir_native = bb_vars['STAGING_BINDIR_NATIVE'] | ||
75 | |||
76 | pkg_deploy = os.path.join(deploy_dir_rpm, package_arch, '.'.join((pf, package_arch, 'rpm'))) | ||
77 | |||
78 | # Use a temporary rpmdb | ||
79 | rpmdb = tempfile.mkdtemp(prefix='oeqa-rpmdb') | ||
80 | |||
81 | runCmd('%s/rpmkeys --define "_dbpath %s" --import %s' % | ||
82 | (staging_bindir_native, rpmdb, self.pub_key_path)) | ||
83 | |||
84 | ret = runCmd('%s/rpmkeys --define "_dbpath %s" --checksig %s' % | ||
85 | (staging_bindir_native, rpmdb, pkg_deploy)) | ||
86 | # tmp/deploy/rpm/i586/ed-1.9-r0.i586.rpm: rsa sha1 md5 OK | ||
87 | self.assertIn('rsa sha1 (md5) pgp md5 OK', ret.output, 'Package signed incorrectly.') | ||
88 | shutil.rmtree(rpmdb) | ||
89 | |||
90 | #Check that an image can be built from signed packages | ||
91 | self.add_command_to_tearDown('bitbake -c clean core-image-minimal') | ||
92 | bitbake('-c clean core-image-minimal') | ||
93 | bitbake('core-image-minimal') | ||
94 | |||
95 | |||
96 | @OETestID(1382) | ||
97 | def test_signing_sstate_archive(self): | ||
98 | """ | ||
99 | Summary: Test that sstate archives can be signed | ||
100 | Expected: Package should be signed with the correct key | ||
101 | Product: oe-core | ||
102 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
103 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
104 | """ | ||
105 | |||
106 | test_recipe = 'ed' | ||
107 | |||
108 | builddir = os.environ.get('BUILDDIR') | ||
109 | sstatedir = os.path.join(builddir, 'test-sstate') | ||
110 | |||
111 | self.add_command_to_tearDown('bitbake -c clean %s' % test_recipe) | ||
112 | self.add_command_to_tearDown('rm -rf %s' % sstatedir) | ||
113 | |||
114 | feature = 'SSTATE_SIG_KEY ?= "testuser"\n' | ||
115 | feature += 'SSTATE_SIG_PASSPHRASE ?= "test123"\n' | ||
116 | feature += 'SSTATE_VERIFY_SIG ?= "1"\n' | ||
117 | feature += 'GPG_PATH = "%s"\n' % self.gpg_dir | ||
118 | feature += 'SSTATE_DIR = "%s"\n' % sstatedir | ||
119 | # Any mirror might have partial sstate without .sig files, triggering failures | ||
120 | feature += 'SSTATE_MIRRORS_forcevariable = ""\n' | ||
121 | |||
122 | self.write_config(feature) | ||
123 | |||
124 | bitbake('-c clean %s' % test_recipe) | ||
125 | bitbake(test_recipe) | ||
126 | |||
127 | recipe_sig = glob.glob(sstatedir + '/*/*:ed:*_package.tgz.sig') | ||
128 | recipe_tgz = glob.glob(sstatedir + '/*/*:ed:*_package.tgz') | ||
129 | |||
130 | self.assertEqual(len(recipe_sig), 1, 'Failed to find .sig file.') | ||
131 | self.assertEqual(len(recipe_tgz), 1, 'Failed to find .tgz file.') | ||
132 | |||
133 | ret = runCmd('gpg --homedir %s --verify %s %s' % (self.gpg_dir, recipe_sig[0], recipe_tgz[0])) | ||
134 | # gpg: Signature made Thu 22 Oct 2015 01:45:09 PM EEST using RSA key ID 61EEFB30 | ||
135 | # gpg: Good signature from "testuser (nocomment) <testuser@email.com>" | ||
136 | self.assertIn('gpg: Good signature from', ret.output, 'Package signed incorrectly.') | ||
137 | |||
138 | |||
139 | class LockedSignatures(OESelftestTestCase): | ||
140 | |||
141 | @OETestID(1420) | ||
142 | def test_locked_signatures(self): | ||
143 | """ | ||
144 | Summary: Test locked signature mechanism | ||
145 | Expected: Locked signatures will prevent task to run | ||
146 | Product: oe-core | ||
147 | Author: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
148 | AutomatedBy: Daniel Istrate <daniel.alexandrux.istrate@intel.com> | ||
149 | """ | ||
150 | |||
151 | test_recipe = 'ed' | ||
152 | locked_sigs_file = 'locked-sigs.inc' | ||
153 | |||
154 | self.add_command_to_tearDown('rm -f %s' % os.path.join(self.builddir, locked_sigs_file)) | ||
155 | |||
156 | bitbake(test_recipe) | ||
157 | # Generate locked sigs include file | ||
158 | bitbake('-S none %s' % test_recipe) | ||
159 | |||
160 | feature = 'require %s\n' % locked_sigs_file | ||
161 | feature += 'SIGGEN_LOCKEDSIGS_TASKSIG_CHECK = "warn"\n' | ||
162 | self.write_config(feature) | ||
163 | |||
164 | # Build a locked recipe | ||
165 | bitbake(test_recipe) | ||
166 | |||
167 | # Make a change that should cause the locked task signature to change | ||
168 | recipe_append_file = test_recipe + '_' + get_bb_var('PV', test_recipe) + '.bbappend' | ||
169 | recipe_append_path = os.path.join(self.testlayer_path, 'recipes-test', test_recipe, recipe_append_file) | ||
170 | feature = 'SUMMARY += "test locked signature"\n' | ||
171 | |||
172 | os.mkdir(os.path.join(self.testlayer_path, 'recipes-test', test_recipe)) | ||
173 | write_file(recipe_append_path, feature) | ||
174 | |||
175 | self.add_command_to_tearDown('rm -rf %s' % os.path.join(self.testlayer_path, 'recipes-test', test_recipe)) | ||
176 | |||
177 | # Build the recipe again | ||
178 | ret = bitbake(test_recipe) | ||
179 | |||
180 | # Verify you get the warning and that the real task *isn't* run (i.e. the locked signature has worked) | ||
181 | patt = r'WARNING: The %s:do_package sig is computed to be \S+, but the sig is locked to \S+ in SIGGEN_LOCKEDSIGS\S+' % test_recipe | ||
182 | found_warn = re.search(patt, ret.output) | ||
183 | |||
184 | self.assertIsNotNone(found_warn, "Didn't find the expected warning message. Output: %s" % ret.output) | ||