move pgp logic to separate package

canonical · Dec 14, 2023 · c42b8b0 · c42b8b0
1 parent 4c5ef3f
commit c42b8b0
Show file tree

Hide file tree

Showing 7 changed files with 101 additions and 16 deletions.
diff --git a/internal/archive/archive.go b/internal/archive/archive.go
@@ -13,7 +13,7 @@ import (
 	"github.com/canonical/chisel/internal/cache"
 	"github.com/canonical/chisel/internal/control"
 	"github.com/canonical/chisel/internal/deb"
-	"github.com/canonical/chisel/internal/setup"
+	"github.com/canonical/chisel/internal/openpgputil"
 )
 
 type Archive interface {
@@ -201,11 +201,11 @@ func (index *ubuntuIndex) fetchRelease() error {
 	// Unlike gpg --verify which ensures the verification of all signatures,
 	// this is in line with what apt does internally:
 	// https://salsa.debian.org/apt-team/apt/-/blob/4e344a4/methods/gpgv.cc#L553-557
-	sigs, canonicalBody, err := setup.DecodeClearSigned(data)
+	sigs, canonicalBody, err := openpgputil.DecodeClearSigned(data)
 	if err != nil {
 		return fmt.Errorf("cannot decode clearsigned InRelease file: %v", err)
 	}
-	err = setup.VerifyAnySignature(index.archive.publicKeys, sigs, canonicalBody)
+	err = openpgputil.VerifyAnySignature(index.archive.publicKeys, sigs, canonicalBody)
 	if err != nil {
 		return fmt.Errorf("cannot verify signature of the InRelease file")
 	}

diff --git a/internal/openpgputil/log.go b/internal/openpgputil/log.go
@@ -0,0 +1,53 @@
+package openpgputil
+
+import (
+	"fmt"
+	"sync"
+)
+
+// Avoid importing the log type information unnecessarily.  There's a small cost
+// associated with using an interface rather than the type.  Depending on how
+// often the logger is plugged in, it would be worth using the type instead.
+type log_Logger interface {
+	Output(calldepth int, s string) error
+}
+
+var globalLoggerLock sync.Mutex
+var globalLogger log_Logger
+var globalDebug bool
+
+// Specify the *log.Logger object where log messages should be sent to.
+func SetLogger(logger log_Logger) {
+	globalLoggerLock.Lock()
+	globalLogger = logger
+	globalLoggerLock.Unlock()
+}
+
+// Enable the delivery of debug messages to the logger.  Only meaningful
+// if a logger is also set.
+func SetDebug(debug bool) {
+	globalLoggerLock.Lock()
+	globalDebug = debug
+	globalLoggerLock.Unlock()
+}
+
+// logf sends to the logger registered via SetLogger the string resulting
+// from running format and args through Sprintf.
+func logf(format string, args ...interface{}) {
+	globalLoggerLock.Lock()
+	defer globalLoggerLock.Unlock()
+	if globalLogger != nil {
+		globalLogger.Output(2, fmt.Sprintf(format, args...))
+	}
+}
+
+// debugf sends to the logger registered via SetLogger the string resulting
+// from running format and args through Sprintf, but only if debugging was
+// enabled via SetDebug.
+func debugf(format string, args ...interface{}) {
+	globalLoggerLock.Lock()
+	defer globalLoggerLock.Unlock()
+	if globalDebug && globalLogger != nil {
+		globalLogger.Output(2, fmt.Sprintf(format, args...))
+	}
+}
diff --git a/internal/setup/openpgp.go → internal/openpgputil/openpgp.go b/internal/setup/openpgp.go → internal/openpgputil/openpgp.go
@@ -1,4 +1,4 @@
-package setup
+package openpgputil
 
 import (
 	"bytes"

diff --git a/internal/setup/openpgp_test.go → internal/openpgputil/openpgp_test.go b/internal/setup/openpgp_test.go → internal/openpgputil/openpgp_test.go
@@ -1,10 +1,16 @@
-package setup_test
+package openpgputil_test
 
 import (
 	"golang.org/x/crypto/openpgp/packet"
 	. "gopkg.in/check.v1"
 
-	"github.com/canonical/chisel/internal/setup"
+	"github.com/canonical/chisel/internal/openpgputil"
+	"github.com/canonical/chisel/internal/testutil"
+)
+
+var (
+	testKey      = testutil.GetGPGKey("test-key-1")
+	extraTestKey = testutil.GetGPGKey("test-key-2")
 )
 
 type archiveKeyTest struct {
@@ -50,7 +56,7 @@ func (s *S) TestDecodeArchivePubKey(c *C) {
 	for _, test := range archiveKeyTests {
 		c.Logf("Summary: %s", test.summary)
 
-		pubKey, err := setup.DecodePublicKey([]byte(test.armored))
+		pubKey, err := openpgputil.DecodePublicKey([]byte(test.armored))
 		if test.relerror != "" {
 			c.Assert(err, ErrorMatches, test.relerror)
 			continue
@@ -110,9 +116,9 @@ func (s *S) TestVerifySignature(c *C) {
 	for _, test := range verifyClearSignTests {
 		c.Logf("Summary: %s", test.summary)
 
-		sigs, body, err := setup.DecodeClearSigned([]byte(test.clearData))
+		sigs, body, err := openpgputil.DecodeClearSigned([]byte(test.clearData))
 		if err == nil {
-			err = setup.VerifyAnySignature(test.pubKeys, sigs, body)
+			err = openpgputil.VerifyAnySignature(test.pubKeys, sigs, body)
 		}
 		if test.relerror != "" {
 			c.Assert(err, ErrorMatches, test.relerror)

diff --git a/internal/openpgputil/suite_test.go b/internal/openpgputil/suite_test.go
@@ -0,0 +1,25 @@
+package openpgputil_test
+
+import (
+	"testing"
+
+	. "gopkg.in/check.v1"
+
+	"github.com/canonical/chisel/internal/openpgputil"
+)
+
+func Test(t *testing.T) { TestingT(t) }
+
+type S struct{}
+
+var _ = Suite(&S{})
+
+func (s *S) SetUpTest(c *C) {
+	openpgputil.SetDebug(true)
+	openpgputil.SetLogger(c)
+}
+
+func (s *S) TearDownTest(c *C) {
+	openpgputil.SetDebug(false)
+	openpgputil.SetLogger(nil)
+}
diff --git a/internal/setup/setup.go b/internal/setup/setup.go
@@ -13,6 +13,7 @@ import (
 	"gopkg.in/yaml.v3"
 
 	"github.com/canonical/chisel/internal/deb"
+	"github.com/canonical/chisel/internal/openpgputil"
 	"github.com/canonical/chisel/internal/strdist"
 )
 
@@ -426,7 +427,7 @@ func parseRelease(baseDir, filePath string, data []byte) (*Release, error) {
 	// Decode the public keys and match against provided IDs.
 	pubKeys := make(map[string]*packet.PublicKey, len(yamlVar.PublicKeys))
 	for keyName, yamlPubKey := range yamlVar.PublicKeys {
-		key, err := DecodePublicKey([]byte(yamlPubKey.Armor))
+		key, err := openpgputil.DecodePublicKey([]byte(yamlPubKey.Armor))
 		if err != nil {
 			return nil, fmt.Errorf("%s: cannot decode public key %q: %w", fileName, keyName, err)
 		}

diff --git a/internal/testutil/gpgkeys.go → internal/testutil/pgpkeys.go b/internal/testutil/gpgkeys.go → internal/testutil/pgpkeys.go
@@ -5,7 +5,7 @@ import (
 
 	"golang.org/x/crypto/openpgp/packet"
 
-	"github.com/canonical/chisel/internal/setup"
+	"github.com/canonical/chisel/internal/openpgputil"
 )
 
 type Key struct {
@@ -16,7 +16,7 @@ type Key struct {
 	PrivateKey        *packet.PrivateKey
 }
 
-var gpgKeys = map[string]*Key{
+var pgpKeys = map[string]*Key{
 	"ubuntu-archive-key-2018": {
 		ID:               "871920D1991BC93C",
 		ArmoredPublicKey: ubuntuArchiveSignKey2018,
@@ -38,16 +38,16 @@ var gpgKeys = map[string]*Key{
 }
 
 func init() {
-	for name, key := range gpgKeys {
+	for name, key := range pgpKeys {
 		if key.ArmoredPublicKey != "" {
-			pubKeys, privKeys, err := setup.DecodeKeys([]byte(key.ArmoredPublicKey))
+			pubKeys, privKeys, err := openpgputil.DecodeKeys([]byte(key.ArmoredPublicKey))
 			if err != nil || len(privKeys) > 0 || len(pubKeys) != 1 || pubKeys[0].KeyIdString() != key.ID {
 				log.Panicf("invalid public key armored data: %s", name)
 			}
 			key.PublicKey = pubKeys[0]
 		}
 		if key.ArmoredPrivateKey != "" {
-			pubKeys, privKeys, err := setup.DecodeKeys([]byte(key.ArmoredPrivateKey))
+			pubKeys, privKeys, err := openpgputil.DecodeKeys([]byte(key.ArmoredPrivateKey))
 			if err != nil || len(pubKeys) > 0 || len(privKeys) != 1 || privKeys[0].KeyIdString() != key.ID {
 				log.Panicf("invalid private key armored data: %s", name)
 			}
@@ -57,7 +57,7 @@ func init() {
 }
 
 func GetGPGKey(name string) *Key {
-	return gpgKeys[name]
+	return pgpKeys[name]
 }
 
 // Ubuntu Archive Automatic Signing Key (2018) <[email protected]>.