awx
Perform content integrity validation when syncing project
Please confirm the following
- [X] I agree to follow this project's code of conduct.
- [X] I have checked the current issues for duplicates.
- [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
Feature Summary
As a user, I want the project sync to fail when project integrity verification fails? Maybe we display the integrity verification failure without failing the project sync?
Select the relevant components
- [ ] UI
- [X] API
- [ ] Docs
- [ ] Collection
- [X] CLI
- [ ] Other
Acceptance Criteria
- [x] Ensure that all new features in the api are also available in the cli.
  - This might need to be moved to another ticket, this piece has less to do with the actual verification piece.
- [x] Checksum file validation piece
  - [x] Parse existing sha256sum checksum file
  - [x] Calculate hashes on all files tracked in the repository (or in the archive, etc., depending on project source)
  - [x] Fail if a file has been added or removed from the project without the checksum manifest being made aware of it and re-signed
- [x] Checksum file signature verification piece
  - A mismatch here will look like an unknown key, since the temporary gnupg home will only know about the key(s) in the stored credential.
- [x] Provide clear, relevant information to the user on failure and success
  - [x] Standardize on a format for this information
- [x] Modular so that other methods of signature verification beyond GPG can be used later
- [x] Self-contained enough that the verification pieces can be moved out to a separate piece later.
- [x] Coordinate with awx-ee to figure out getting new Python/PyPI dependencies in
  - [x] `ansible-sign` https://github.com/ansible/awx-ee/pull/130
- [x]
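
The checksum-manifest criteria above (parse the sha256sum file, hash every file, fail on added or removed files), as an added example; it is not code from AWX or ansible-sign. The manifest name `sha256sum.txt` and the choice to treat every regular file under the project root as tracked are assumptions, and verifying the manifest's signature is a separate step not shown here.

```python
import hashlib
import os
import re

# GNU sha256sum line: 64 hex digits, a space, ' ' (text) or '*' (binary), then the path.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_manifest(text):
    """Return {relative_path: hex_digest}; reject malformed, escaping or duplicate entries."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"manifest line {n} is not in sha256sum format")
        digest, path = m.group(1).lower(), os.path.normpath(m.group(2))
        if os.path.isabs(path) or path == ".." or path.startswith(".." + os.sep):
            raise ValueError(f"manifest line {n} points outside the project")
        if path in entries:
            raise ValueError(f"manifest line {n} repeats {path}")
        entries[path] = digest
    return entries

def hash_tree(root, skip):
    """SHA-256 every regular file under root, keyed by path relative to root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel in skip:
                continue
            with open(full, "rb") as fh:
                found[rel] = hashlib.sha256(fh.read()).hexdigest()
    return found

def verify_project(root, manifest="sha256sum.txt"):  # manifest name is an assumption
    """Compare the tree against the manifest; any non-empty list is a failure."""
    with open(os.path.join(root, manifest), encoding="utf-8") as fh:
        expected = parse_manifest(fh.read())
    # The manifest cannot list its own hash, so it is excluded from the walk.
    actual = hash_tree(root, skip={os.path.normpath(manifest)})
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "changed": sorted(p for p in expected.keys() & actual.keys()
                          if expected[p] != actual[p]),
    }
```

A sync would fail when any of the three lists is non-empty; files present on disk but absent from the manifest are reported as `added`, which covers the "added without re-signing" criterion.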
Current WIP (not yet PR ready): https://github.com/ansible/awx/compare/feature-project-integrity...relrod:awx:integrity-on-update-first-attempt
https://github.com/ansible/awx/pull/12680 reviewed and merged to the feature branch
@djyasin I believe we can change the description, because now we are supporting all the SCM (not only git).
The following tests are pending:
- The `awxkit` (CLI portion) must be reviewed and tested.
@relrod @djyasin @TheRealHaoLiu @jneedle
> @djyasin I believe we can change the description, because now we are supporting all the SCM (not only git).
Done.
I believe we can close it.