def test_config_priority(tmp_path):
config = tmp_path / 'config1.conf'
+ # config: use pesign and give certdir + certname
config.write_text(textwrap.dedent(
f'''
[UKI]
Stub = some/path4
PCRBanks = sha512,sha1
SigningEngine = engine1
- SignTool = pesign
- SecureBootPrivateKey = some/path5
- SecureBootCertificate = some/path6
- SecureBootCertificateDir = some/path7
+ SecureBootSigningTool = pesign
+ SecureBootCertificateDir = some/path5
SecureBootCertificateName = some/name1
SignKernel = no
Phases = {':'.join(ukify.KNOWN_PHASES)}
'''))
+ # args: use sbsign and give key + cert, should override pesign
opts = ukify.parse_args(
['build',
'--linux=/ARG1',
'--pcr-public-key=PKEY2',
'--pcr-banks=SHA1,SHA256',
'--signing-engine=ENGINE',
- '--signtool=pesign',
+ '--signtool=sbsign',
'--secureboot-private-key=SBKEY',
'--secureboot-certificate=SBCERT',
- '--secureboot-certificate-dir=SBPATH',
- '--secureboot-certificate-name=SBNAME',
'--sign-kernel',
'--no-sign-kernel',
'--tools=TOOLZ///',
pathlib.Path('some/path8')]
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
- assert opts.signtool == 'pesign'
- assert opts.sb_key == 'SBKEY'
- assert opts.sb_cert == 'SBCERT'
- assert opts.sb_certdir == 'SBPATH'
- assert opts.sb_cert_name == 'SBNAME'
+ assert opts.signtool == 'sbsign' # from args
+ assert opts.sb_key == 'SBKEY' # from args
+ assert opts.sb_cert == 'SBCERT' # from args
+ assert opts.sb_certdir == 'some/path5' # from config
+ assert opts.sb_cert_name == 'some/name1' # from config
assert opts.sign_kernel is False
assert opts.tools == [pathlib.Path('TOOLZ/')]
assert opts.output == pathlib.Path('OUTPUT')
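Review bot: After this change the test never sets the same certificate option in both places: `--secureboot-certificate-dir` and `--secureboot-certificate-name` were dropped from the argument list, so `sb_certdir` and `sb_cert_name` are only ever supplied by the config file. The function is called `test_config_priority`, but for these two options it no longer pins which source wins when both are given. I would add a second `parse_args` call that keeps `'--secureboot-certificate-dir=SBPATH'` alongside the config value and asserts the intended winner explicitly, e.g. `assert opts.sb_certdir == 'SBPATH'  # args must win` if command-line precedence is the contract. The argument list and the function body are only partly visible in these hunks.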
if getattr(namespace, dest) is None:
setattr(namespace, dest, value)
+ @staticmethod
+ def config_set(
+ namespace: argparse.Namespace,
+ group: Optional[str],
+ dest: str,
+ value: Any,
+ ) -> None:
+ "Set namespace.<dest> to value only if it was None"
+
+ assert not group
+
+ setattr(namespace, dest, value)
+
@staticmethod
def config_set_group(
namespace: argparse.Namespace,
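Review bot: The docstring on the new `config_set` says "only if it was None", but the body calls `setattr(namespace, dest, value)` unconditionally; the text looks copied from the preceding method, whose `if getattr(namespace, dest) is None:` tail is visible just above. Since the whole point of this helper is that it overwrites, the docstring should say so, e.g. `"Set namespace.<dest> to value, replacing any value already present"`. Separately, `assert not group` disappears under `python -O`; if a grouped key must never reach this setter, `if group: raise ValueError(f'{dest} cannot be set per group')` keeps the check in optimized runs. `config_set_group` starts inside this hunk but its body lies outside it.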
default = '/etc/pki/pesign',
help = 'required by --signtool=pesign. Path to nss certificate database directory for PE signing. Default is /etc/pki/pesign',
config_key = 'UKI/SecureBootCertificateDir',
+ config_push = ConfigItem.config_set
),
ConfigItem(
'--secureboot-certificate-name',
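Review bot: With `config_push = ConfigItem.config_set`, the value of `UKI/SecureBootCertificateDir` from the config file replaces whatever is already in the namespace. If the config is applied after argument parsing (not visible in this hunk), an explicit `--secureboot-certificate-dir=` on the command line would be silently discarded. This option selects the NSS certificate database used for PE signing, so an operator override losing to a config file can mean signing with a certificate from an unintended directory. If the unconditional setter is only needed because the non-None default defeats the "if unset" setter, consider comparing against the default instead of overwriting always, or at least documenting the behaviour with `# NOTE: config value replaces the namespace value, including one given on the command line`. The same applies to `UKI/SecureBootCertificateValidity` in the next hunk; the `ConfigItem(...)` call this line belongs to begins outside the hunk.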
default = 365 * 10,
help = "period of validity (in days) for a certificate created by 'genkey'",
config_key = 'UKI/SecureBootCertificateValidity',
+ config_push = ConfigItem.config_set
),
ConfigItem(