feature(keyringctl): adding ci command to verify newly added certs

Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
2021-10-24 22:08:50 +02:00
parent 9733fbafd8
commit a9e63edfa8
5 changed files with 125 additions and 1 deletions
--- a/libkeyringctl/keyring.py
+++ b/libkeyringctl/keyring.py
@ -57,7 +57,7 @@ def get_cert_paths(paths: Iterable[Path]) -> Set[Path]:

    Returns
    -------
-    The list of paths to certificates
+    A set of paths to certificates
    """

    # depth first search certificate paths
@ -73,6 +73,31 @@ def get_cert_paths(paths: Iterable[Path]) -> Set[Path]:
    return cert_paths


+def get_parent_cert_paths(paths: Iterable[Path]) -> Set[Path]:
+    """Walks a list of paths upwards and resolves all discovered parent certificate paths
+
+    Parameters
+    ----------
+    paths: A list of paths to walk and resolve to certificate paths.
+
+    Returns
+    -------
+    A set of paths to certificates
+    """
+
+    # depth first search certificate paths
+    cert_paths: Set[Path] = set()
+    visit: List[Path] = list(paths)
+    while visit:
+        node = visit.pop().parent
+        # this level contains a certificate, abort depth search
+        if "keyring" == node.parent.parent.parent.name:
+            cert_paths.add(node)
+            continue
+        visit.append(node)
+    return cert_paths
+
+
 def transform_username_to_keyring_path(keyring_dir: Path, paths: List[Path]) -> None:
    """Mutates the input sources by transforming passed usernames to keyring paths