e55042e45b
This moves all verify code to an own module and adds support to check all packet files in the structure for integrity. This is done by parsing assumptions like packet kind, type, issuer and location etc.
35 lines
1.3 KiB
Python
35 lines
1.3 KiB
Python
# SPDX-License-Identifier: GPL-3.0-or-later
|
|
|
|
from os import environ
|
|
from pathlib import Path
|
|
from typing import List
|
|
|
|
from .git import git_changed_files
|
|
from .util import get_parent_cert_paths
|
|
from .verify import verify
|
|
|
|
|
|
def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
|
|
"""Verify certificates against modern expectations using sq-keyring-linter and hokey
|
|
|
|
Currently only newly added certificates will be checked against the expectations as existing
|
|
keys are not all fully compatible with those assumptions.
|
|
New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
|
|
|
|
Parameters
|
|
----------
|
|
working_dir: A directory to use for temporary files
|
|
keyring_root: The keyring root directory to look up username shorthand sources
|
|
project_root: Path to the root of the git repository
|
|
"""
|
|
|
|
ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
|
|
created, deleted, changed = git_changed_files(
|
|
git_path=project_root, base=f"{ci_merge_request_diff_base}", paths=[Path("keyring")]
|
|
)
|
|
|
|
added_certificates: List[Path] = list(get_parent_cert_paths(paths=created))
|
|
|
|
if added_certificates:
|
|
verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)
|