From f53ede67b2e91221ea5bbf25d035245a5945646a Mon Sep 17 00:00:00 2001
From: Lukas Zapletal
Date: Fri, 29 Nov 2024 12:45:43 +0100
Subject: [PATCH] blueprint: fix cacerts name for TOML
---
 pkg/blueprint/ca_customizations.go | 5 -----
 pkg/blueprint/customizations.go | 18 ++++++++++--------
 test/scripts/base-host-check.sh | 21 +++++++++++++++++++++
 3 files changed, 31 insertions(+), 13 deletions(-)
 delete mode 100644 pkg/blueprint/ca_customizations.go
diff --git a/pkg/blueprint/ca_customizations.go b/pkg/blueprint/ca_customizations.go
deleted file mode 100644
index 560bac66fa..0000000000
--- a/pkg/blueprint/ca_customizations.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package blueprint
-
-type CACustomization struct {
- PEMCerts []string `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"`
-}
diff --git a/pkg/blueprint/customizations.go b/pkg/blueprint/customizations.go
index b863e61bd8..bcb1f9899e 100644
--- a/pkg/blueprint/customizations.go
+++ b/pkg/blueprint/customizations.go
@@ -33,7 +33,7 @@ type Customizations struct {
 Installer *InstallerCustomization `json:"installer,omitempty" toml:"installer,omitempty"`
 RPM *RPMCustomization `json:"rpm,omitempty" toml:"rpm,omitempty"`
 RHSM *RHSMCustomization `json:"rhsm,omitempty" toml:"rhsm,omitempty"`
- CACerts *CACustomization `json:"cacerts,omitempty" toml:"ca,omitempty"`
+ CACerts *CACustomization `json:"cacerts,omitempty" toml:"cacerts,omitempty"`
 }
 type IgnitionCustomization struct {
@@ -144,6 +144,10 @@ type ContainerStorageCustomization struct {
 StoragePath *string `json:"destination-path,omitempty" toml:"destination-path,omitempty"`
 }
+type CACustomization struct {
+ PEMCerts []string `json:"pem_certs,omitempty" toml:"pem_certs,omitempty"`
+}
+
 type CustomizationError struct {
 Message string
 }
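Review bot: The renamed toml tag on `CACerts` means a blueprint that still writes the old `[customizations.ca]` table no longer maps to this field; unless the TOML decoder is configured to reject unknown keys (not visible here), those certificates would be silently dropped instead of reported, which for a trust-anchor setting deserves either a rejection of the stale key or a documented migration. The field also has no doc comment, and the tag change is exactly the kind of thing a reader will want stated; proposed: `// CACerts adds CA certificates to the image; the JSON and TOML keys are both "cacerts".` The enclosing Customizations struct starts before this hunk.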
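Review bot: `CACustomization` is re-homed into this file without a doc comment, and `PEMCerts` does not say whether each element is one certificate or a PEM bundle holding several. Since checkCACerts later in this file hands each element to `cert.ParseCerts` and rejects the blueprint on the first parse error, the contract can be stated from what the code does: `// CACustomization adds CA certificates to the image's trust store.` on the type and `// PEMCerts holds PEM-encoded certificate bundles; every entry must parse (see checkCACerts).` on the field.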
@@ -441,16 +445,14 @@ func (c *Customizations) GetRHSM() *RHSMCustomization {
 }
 func (c *Customizations) checkCACerts() error {
- if c == nil {
+ if c == nil || c.CACerts == nil {
 return nil
 }
- if c.CACerts != nil {
- for _, bundle := range c.CACerts.PEMCerts {
- _, err := cert.ParseCerts(bundle)
- if err != nil {
- return err
- }
+ for _, bundle := range c.CACerts.PEMCerts {
+ _, err := cert.ParseCerts(bundle)
+ if err != nil {
+ return err
 }
 }
diff --git a/test/scripts/base-host-check.sh b/test/scripts/base-host-check.sh
index 55a8e041f7..0c3de336c3 100755
--- a/test/scripts/base-host-check.sh
+++ b/test/scripts/base-host-check.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+# vim: sw=4:et
 set -euo pipefail
 running_wait() {
@@ -78,6 +79,22 @@ get_oscap_score() {
 fi
 }
+check_ca_cert() { serial=$(jq -r '.blueprint.customizations.cacerts.pem_certs[0]' "${config}" | openssl x509 -noout -serial | cut -d= -f 2-)
+ echo "📗 Checking CA cert anchor file"
+ if ! [ -e "/etc/pki/ca-trust/source/anchors/${serial}.pem" ]; then
+ echo "Anchor CA file does not exist"
+ exit 1
+ fi
+ echo "📗 Checking extracted CA cert file"
+ if ! [ -e "/etc/pki/ca-trust/source/extracted/pem/directory-hash/Test_CA_for_osbuild.pem.pem" ]; then
+ echo "Extracted CA file does not exist"
+ exit 1
+ fi
+}
+
 echo "❓ Checking system status"
 if ! running_wait; then
@@ -114,4 +131,8 @@ if (( $# > 0 )); then
 if jq -e .blueprint.customizations.openscap "${config}"; then
 get_oscap_score "${config}"
 fi
+
+ if jq -e '.blueprint.customizations.cacerts.pem_certs[0]' "${config}"; then
+ check_ca_cert "${config}"
+ fi
 fi
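Review bot: The parse error is returned bare from the new loop body in checkCACerts, so a blueprint with several bundles reports nothing about which one failed; `for i, bundle := range c.CACerts.PEMCerts {` with `return fmt.Errorf("parsing CA certificate bundle %d: %w", i, err)` names the index while keeping the original error reachable through errors.Is/As (this needs fmt in the file's imports, which the hunk does not show). The parsed certificates are discarded, so this is a parse-only check; a doc comment should say so, e.g. `// checkCACerts verifies that every PEM bundle in CACerts parses; it does not itself inspect the parsed certificates.` The two statements also fold into the idiomatic `if _, err := cert.ParseCerts(bundle); err != nil {`. The function's closing return lies beyond the lines shown.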
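Review bot: Both checks in `check_ca_cert` only test that a file exists: the anchor path is derived from the certificate serial, which is not unique across issuers, and the extracted path is a hard-coded `Test_CA_for_osbuild.pem.pem`, so a stale or unrelated file at either location passes. Comparing the blueprint certificate with what was installed would prove the right anchor landed, e.g. `expected=$(jq -r '.blueprint.customizations.cacerts.pem_certs[0]' "${config}" | openssl x509 -noout -fingerprint -sha256)` against `openssl x509 -noout -fingerprint -sha256 -in "/etc/pki/ca-trust/source/anchors/${serial}.pem"` and failing on mismatch. `serial` should be declared `local`, since it otherwise leaks into the script's global scope. The function also ignores its argument: the `check_ca_cert "${config}"` call in the last hunk passes `${config}` while the body reads the global, so either add `local config="$1"` at the top or drop the argument.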