diff --git a/api/service_composer.py b/api/service_composer.py index dff548b..818eec5 100644 --- a/api/service_composer.py +++ b/api/service_composer.py @@ -35,9 +35,10 @@ _SAFE_ID_RE = re.compile(r'^[a-z0-9][a-z0-9_-]{0,63}$') _DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$') # Bundled cosign public key — shipped in the repo (config/cosign/cosign.pub) so -# every cell can verify store-service image signatures offline. install.sh keeps -# it at /opt/pic/config/cosign/cosign.pub; in the cell-api container it is -# COPYed to /app/config/cosign/cosign.pub. +# every cell can verify store-service image signatures offline. It is bind-mounted +# into cell-api at /app/config/cosign/cosign.pub (see docker-compose.yml). Because +# `make reinstall`/`uninstall` run `rm -rf config/`, setup_cell.ensure_cosign_pubkey() +# restores it from git on every setup so the mount is never empty. _COSIGN_PUBKEY_PATH = os.environ.get( 'PIC_COSIGN_PUBKEY', '/app/config/cosign/cosign.pub' ) diff --git a/scripts/setup_cell.py b/scripts/setup_cell.py index af07a04..73c4f83 100644 --- a/scripts/setup_cell.py +++ b/scripts/setup_cell.py @@ -62,6 +62,38 @@ def ensure_file(rel): print(f'[EXISTS] {rel}') +def ensure_cosign_pubkey(): + """Restore the tracked cosign public key if a config wipe removed it. + + `config/cosign/cosign.pub` is a git-tracked asset bind-mounted into cell-api + and used to verify store-service image signatures. `make reinstall`/ + `uninstall` run `rm -rf config/`, which deletes it from the working tree, and + nothing else recreates it — leaving every store install broken under the + default enforce mode. Restore it from HEAD here (setup runs on every + install/reinstall). Best-effort: if this is not a git checkout, warn rather + than fail — install.sh surfaces the same warning. + """ + rel = os.path.join('config', 'cosign', 'cosign.pub') + path = os.path.join(ROOT, rel) + if os.path.exists(path) and os.path.getsize(path) > 0: + print(f'[EXISTS] {rel}') + return + os.makedirs(os.path.dirname(path), exist_ok=True) + try: + blob = subprocess.run( + ['git', '-C', ROOT, 'show', 'HEAD:config/cosign/cosign.pub'], + capture_output=True, check=True).stdout + if blob: + with open(path, 'wb') as f: + f.write(blob) + print(f'[RESTORED] {rel} (from git HEAD)') + return + except Exception as e: + print(f'[WARN] could not restore {rel} from git: {e}') + print(f'[WARN] {rel} is missing — store-service image signature ' + 'verification will fail under enforce mode until it is provided') + + def ensure_caddy_ca_cert(): cert_dir = os.path.join(ROOT, 'config', 'caddy', 'certs') ca_key = os.path.join(cert_dir, 'ca.key') @@ -402,6 +434,7 @@ def main(): for f in REQUIRED_FILES: ensure_file(f) + ensure_cosign_pubkey() ensure_caddy_ca_cert() priv, _pub = generate_wg_keys() write_wg0_conf(priv, vpn_address, wg_port) diff --git a/tests/test_setup_cell.py b/tests/test_setup_cell.py new file mode 100644 index 0000000..0a5b23c --- /dev/null +++ b/tests/test_setup_cell.py @@ -0,0 +1,67 @@ +"""Tests for scripts/setup_cell.py setup helpers.""" +import os +import sys +import shutil +import subprocess +import tempfile +import unittest +from pathlib import Path + +sys.path.insert(0, str(Path(__file__).parent.parent / 'scripts')) +import setup_cell # noqa: E402 + + +class TestEnsureCosignPubkey(unittest.TestCase): + """ensure_cosign_pubkey restores the tracked key after a `rm -rf config/`. + + Regression: `make reinstall`/`uninstall` wipe config/, deleting the tracked + config/cosign/cosign.pub; without restore, enforce-mode store installs break. + """ + + KEY_REL = os.path.join('config', 'cosign', 'cosign.pub') + KEY_BODY = '-----BEGIN PUBLIC KEY-----\nTESTKEYDATA\n-----END PUBLIC KEY-----\n' + + def setUp(self): + self.tmp = tempfile.mkdtemp() + env = {**os.environ, 'GIT_CONFIG_GLOBAL': '/dev/null', 'GIT_CONFIG_SYSTEM': '/dev/null'} + subprocess.run(['git', 'init', '-q', self.tmp], check=True, env=env) + subprocess.run(['git', '-C', self.tmp, 'config', 'user.email', 't@t'], check=True) + subprocess.run(['git', '-C', self.tmp, 'config', 'user.name', 't'], check=True) + self.key = os.path.join(self.tmp, self.KEY_REL) + os.makedirs(os.path.dirname(self.key)) + with open(self.key, 'w') as f: + f.write(self.KEY_BODY) + subprocess.run(['git', '-C', self.tmp, 'add', '-A'], check=True) + subprocess.run(['git', '-C', self.tmp, 'commit', '-qm', 'init'], check=True, env=env) + self._root = setup_cell.ROOT + setup_cell.ROOT = self.tmp + + def tearDown(self): + setup_cell.ROOT = self._root + shutil.rmtree(self.tmp, ignore_errors=True) + + def test_restores_key_when_wiped(self): + os.remove(self.key) + shutil.rmtree(os.path.dirname(self.key)) # mimic `rm -rf config/` + self.assertFalse(os.path.exists(self.key)) + setup_cell.ensure_cosign_pubkey() + self.assertTrue(os.path.exists(self.key)) + self.assertEqual(open(self.key).read(), self.KEY_BODY) + + def test_noop_when_key_present(self): + setup_cell.ensure_cosign_pubkey() + self.assertEqual(open(self.key).read(), self.KEY_BODY) + + def test_warns_not_raises_outside_git(self): + # Not a git checkout and key missing → must warn, never raise. + non_git = tempfile.mkdtemp() + setup_cell.ROOT = non_git + try: + setup_cell.ensure_cosign_pubkey() # should not raise + self.assertFalse(os.path.exists(os.path.join(non_git, self.KEY_REL))) + finally: + shutil.rmtree(non_git, ignore_errors=True) + + +if __name__ == '__main__': + unittest.main()