async def test_private_artifacts(context_function):
    """Round-trip an artifact outside ``public/`` through ``worker.run_tasks``.

    A task is created, a file is written into the artifact directory, the
    worker is run, and the artifact is then downloaded again through the URL
    that ``artifacts.get_artifact_url`` returns for it.
    """
    # NOTE(review): presumably "private" because the name has no ``public/``
    # prefix -- confirm against ``get_artifact_url``.
    artifact_name = 'SampleArtifacts/_/X.txt'
    task_group_id = task_id = slugid.nice()
    # The task script itself only emits an empty line on stderr.
    override = {'task_script': ('bash', '-c', '>&2 echo')}
    async with context_function(override) as context:
        created = await create_task(context, task_id, task_group_id)
        assert created['status']['state'] == 'pending'

        # Stage the artifact by hand; the task script does not produce it.
        path = os.path.join(context.config['artifact_dir'], artifact_name)
        staging_dir = os.path.dirname(path)
        utils.makedirs(staging_dir)
        with open(path, "w") as staged:
            staged.write("bar")

        # Run the worker from the parent of work_dir, restoring cwd afterwards.
        async with remember_cwd():
            os.chdir(os.path.dirname(context.config['work_dir']))
            status = await worker.run_tasks(context)
        assert status == 0

        finished = await task_status(context, task_id)
        assert finished['status']['state'] == 'completed'

        # Fetch the artifact back and compare it with what was staged.
        url = artifacts.get_artifact_url(context, task_id, artifact_name)
        path2 = os.path.join(context.config['work_dir'], 'downloaded_file')
        await utils.download_file(context, url, path2)
        with open(path2, "r") as fetched:
            assert fetched.read().strip() == 'bar'
예제 #2
async def download_cot(chain):
    """Fetch the signed chain of trust artifact of every link in ``chain``.

    Each link's ``public/chainOfTrust.json.asc`` is downloaded into that
    link's ``cot_dir`` and the hash of the downloaded file is logged at debug
    level.  This function itself only downloads; it does not check the
    signature on the artifacts.

    Args:
        chain (ChainOfTrust): the chain of trust to add to.

    Raises:
        DownloadError: on failure.
    """
    def _start_download(link):
        # Restrict the download to this link's own task id.
        link_task_id = link.task_id
        cot_url = get_artifact_url(chain.context, link_task_id,
                                   'public/chainOfTrust.json.asc')
        return asyncio.ensure_future(
            download_artifacts(chain.context, [cot_url],
                               parent_dir=link.cot_dir,
                               valid_artifact_task_ids=[link_task_id]))

    # ``chain.links`` are the previously finished tasks, which already have
    # signed chain of trust artifacts.  ``chain.task`` is the task that is
    # running right now and has no signed artifact yet, so it is left out.
    pending = [_start_download(link) for link in chain.links]
    downloaded = await raise_future_exceptions(pending)
    for paths in downloaded:
        # One URL was requested per link, so only the first path is reported.
        cot_path = paths[0]
        log.debug("{} downloaded; hash is {}".format(cot_path,
                                                     get_hash(cot_path)))
예제 #3
async def test_private_artifacts(context_function):
    """Check that an artifact outside ``public/`` survives a worker run.

    The file is staged in the artifact directory before ``worker.run_tasks``
    is called, then downloaded again via ``artifacts.get_artifact_url`` and
    compared with the staged content.
    """
    # NOTE(review): presumably "private" because the name has no ``public/``
    # prefix -- confirm against ``get_artifact_url``.
    artifact_name = 'SampleArtifacts/_/X.txt'
    task_group_id = task_id = slugid.nice()
    # The task script only writes an empty line to stderr.
    override = {'task_script': ('bash', '-c', '>&2 echo')}
    async with context_function(override) as context:
        queued = await create_task(context, task_id, task_group_id)
        assert queued['status']['state'] == 'pending'

        # The artifact is written by the test, not by the task script.
        path = os.path.join(context.config['artifact_dir'], artifact_name)
        utils.makedirs(os.path.dirname(path))
        with open(path, "w") as out:
            out.write("bar")

        async with remember_cwd():
            # The worker is started from the directory that holds work_dir.
            launch_dir = os.path.dirname(context.config['work_dir'])
            os.chdir(launch_dir)
            status = await worker.run_tasks(context)
        assert status == 0

        done = await task_status(context, task_id)
        assert done['status']['state'] == 'completed'

        url = artifacts.get_artifact_url(context, task_id, artifact_name)
        path2 = os.path.join(context.config['work_dir'], 'downloaded_file')
        await utils.download_file(context, url, path2)
        with open(path2, "r") as downloaded:
            body = downloaded.read()
        assert body.strip() == 'bar'
예제 #4
def test_get_artifact_url(tc03x):
    """``get_artifact_url`` returns the same URL with or without ``buildUrl``.

    When ``tc03x`` is truthy the fake ``buildUrl`` raises ``AttributeError``,
    so the expected URL has to be produced some other way.
    """
    def fake_build_url(*args, **kwargs):
        if not tc03x:
            return "https://netloc/v1/rel/path"
        raise AttributeError("foo")

    def fake_make_route(*args, **kwargs):
        return "rel/path"

    # NOTE(review): presumably the fallback combines ``options['baseUrl']``
    # with ``makeRoute`` -- confirm against ``get_artifact_url``.
    queue = mock.MagicMock()
    queue.options = {'baseUrl': 'https://netloc/'}
    queue.makeRoute = fake_make_route
    queue.buildUrl = fake_build_url
    context = mock.MagicMock()
    context.queue = queue

    url = get_artifact_url(context, "x", "y")
    assert url == "https://netloc/v1/rel/path"
예제 #5
def test_get_artifact_url(path):
    """Pin which URL builder ``get_artifact_url`` uses for ``path``.

    The fake ``buildUrl`` only answers for paths under ``public/`` and the
    fake ``buildSignedUrl`` only for everything else; the other one returns
    ``None``.  The final assertion therefore holds only when the builder that
    matches the path supplies the result.
    """
    expected = "https://netloc/v1/{}".format(path)
    is_public = path.startswith('public/')

    def fake_build_url(*args, **kwargs):
        return expected if is_public else None

    def fake_build_signed_url(*args, **kwargs):
        return None if is_public else expected

    queue = mock.MagicMock()
    queue.options = {'baseUrl': 'https://netloc/'}
    queue.buildUrl = fake_build_url
    queue.buildSignedUrl = fake_build_signed_url
    context = mock.MagicMock()
    context.queue = queue

    assert get_artifact_url(context, "x", path) == expected
예제 #6
def test_get_artifact_url(path):
    """``public/`` paths use ``buildUrl``; other paths use ``buildSignedUrl``.

    Each fake builder returns the expected URL only for its own kind of path
    and ``None`` for the other kind, so a result that equals ``expected``
    shows the matching builder was the one consulted.
    """
    expected = "https://netloc/v1/{}".format(path)

    def unsigned_builder(*args, **kwargs):
        if not path.startswith('public/'):
            return None
        return expected

    def signed_builder(*args, **kwargs):
        if path.startswith('public/'):
            return None
        return expected

    context = mock.MagicMock()
    fake_queue = mock.MagicMock()
    fake_queue.options = {'baseUrl': 'https://netloc/'}
    fake_queue.buildUrl = unsigned_builder
    fake_queue.buildSignedUrl = signed_builder
    context.queue = fake_queue

    actual = get_artifact_url(context, "x", path)
    assert actual == expected
예제 #7
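async def download_cot_artifact(chain, task_id, path):
    """Download an artifact and verify its SHA against the chain of trust.

    The artifact must be listed in the link's chain of trust and must carry
    at least one hash there.  Every listed hash has to use an algorithm from
    ``valid_hash_algorithms`` and has to match the downloaded file.

    Args:
        chain (ChainOfTrust): the chain of trust object
        task_id (str): the task ID to download from
        path (str): the relative path to the artifact to download

    Returns:
        str: the full path of the downloaded artifact

    Raises:
        CoTError: on failure.
    """
    link = chain.get_link(task_id)
    log.debug("Verifying {} is in {} cot artifacts...".format(path, task_id))
    if path not in link.cot['artifacts']:
        raise CoTError("path {} not in {} {} chain of trust artifacts!".format(
            path, link.name, link.task_id))
    expected_hashes = link.cot['artifacts'][path]
    # Fail closed: with no hashes listed, the verification loop below would
    # never run and the file would be returned as if it had been verified.
    if not expected_hashes:
        raise CoTError(
            "path {} has no hashes in {} {} chain of trust artifacts!".format(
                path, link.name, link.task_id))
    url = get_artifact_url(chain.context, task_id, path)
    # NOTE(review): if get_artifact_url returns a signed URL for this path,
    # this info-level line records its query string in the log -- confirm and
    # log a redacted form if so.
    log.info("Downloading Chain of Trust artifact:\n{}".format(url))
    await download_artifacts(chain.context, [url],
                             parent_dir=link.cot_dir,
                             valid_artifact_task_ids=[task_id])
    full_path = link.get_artifact_full_path(path)
    for alg, expected_sha in expected_hashes.items():
        # Only algorithms the config allows count as verification.
        if alg not in chain.context.config['valid_hash_algorithms']:
            raise CoTError("BAD HASH ALGORITHM: {}: {} {}!".format(
                link.name, alg, full_path))
        real_sha = get_hash(full_path, hash_alg=alg)
        if expected_sha != real_sha:
            raise CoTError("BAD HASH: {}: Expected {} {}; got {}!".format(
                link.name, alg, expected_sha, real_sha))
        log.debug("{} matches the expected {} {}".format(
            full_path, alg, expected_sha))
    return full_path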
async def test_private_artifacts(context_function):
    """Upload and re-download an artifact whose name is outside ``public/``.

    The test stages the file itself, runs ``worker.run_tasks``, and then
    fetches the artifact through the URL from ``artifacts.get_artifact_url``
    to confirm that the content is unchanged.
    """
    # NOTE(review): presumably "private" because the name has no ``public/``
    # prefix -- confirm against ``get_artifact_url``.
    artifact_name = "SampleArtifacts/_/X.txt"
    task_group_id = task_id = slugid.nice()
    # The task script only writes an empty line to stderr.
    override = {"task_script": ("bash", "-c", ">&2 echo")}
    async with context_function(override) as context:
        before = await create_task(context, task_id, task_group_id)
        assert before["status"]["state"] == "pending"

        # Stage the artifact before the worker runs.
        path = os.path.join(context.config["artifact_dir"], artifact_name)
        artifact_parent = os.path.dirname(path)
        utils.makedirs(artifact_parent)
        with open(path, "w") as writer:
            writer.write("bar")

        async with remember_cwd():
            os.chdir(os.path.dirname(context.config["work_dir"]))
            status = await worker.run_tasks(context)
        assert status == 0

        after = await task_status(context, task_id)
        assert after["status"]["state"] == "completed"

        # Download through the generated URL and compare the content.
        url = artifacts.get_artifact_url(context, task_id, artifact_name)
        path2 = os.path.join(context.config["work_dir"], "downloaded_file")
        await utils.download_file(context, url, path2)
        with open(path2, "r") as reader:
            text = reader.read().strip()
        assert text == "bar"