Merge pull request #24 from majamassarini/validate-fedora-ci

Add validation for Fedora CI

Author: majamassarini

Containerfile

@@ -1,6 +1,6 @@
 FROM fedora:latest
 
-RUN dnf install -y python3-ogr python3-copr python3-pip && dnf clean all
+RUN dnf install -y python3-ogr python3-copr python3-koji python3-pip fedpkg krb5-workstation && dnf clean all
 
 RUN pip3 install --upgrade sentry-sdk && pip3 check
 

pyproject.toml

@@ -26,6 +26,7 @@ classifiers = [
 dependencies = [
   "click",
   "copr",
+  "koji",
   "ogr",
   "sentry-sdk",
 ]

src/validation/cli/__init__.py

@@ -10,23 +10,25 @@
 
 from validation.tests.github import GithubTests
 from validation.tests.gitlab import GitlabTests
+from validation.tests.pagure import PagureTests
 
-logging.basicConfig(level=logging.INFO)
+logging.basicConfig(
+    level=logging.DEBUG,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+)
 
 
 @click.group(context_settings={"help_option_names": ["-h", "--help"]}, invoke_without_command=True)
 @click.version_option(prog_name="validation")
 def validation():
-    loop = asyncio.get_event_loop()
-    tasks = set()
+    loop = asyncio.new_event_loop()
+    asyncio.set_event_loop(loop)
+    tasks = []
 
     # GitHub
     if getenv("GITHUB_TOKEN"):
         logging.info("Running validation for GitHub.")
-        task = loop.create_task(GithubTests().run())
-
-        tasks.add(task)
-        task.add_done_callback(tasks.discard)
+        tasks.append(GithubTests().run())
     else:
         logging.info("GITHUB_TOKEN not set, skipping the validation for GitHub.")
 
@@ -51,15 +53,52 @@ def validation():
             continue
 
         logging.info("Running validation for GitLab instance: %s", instance_url)
-        task = loop.create_task(
+        tasks.append(
             GitlabTests(
                 instance_url=instance_url,
                 namespace=namespace,
                 token_name=token,
             ).run(),
         )
 
-        tasks.add(task)
-        task.add_done_callback(tasks.discard)
+    # Pagure
+    pagure_instances = [
+        ("https://src.fedoraproject.org/", "rpms", "PAGURE_TOKEN"),
+    ]
+    for instance_url, namespace, token in pagure_instances:
+        if not getenv(token):
+            logging.info(
+                "%s not set, skipping the validation for Pagure instance: %s",
+                token,
+                instance_url,
+            )
+            continue
+
+        logging.info("Running validation for Pagure instance: %s", instance_url)
+        tasks.append(
+            PagureTests(
+                instance_url=instance_url,
+                namespace=namespace,
+                token_name=token,
+            ).run(),
+        )
+
+    if not tasks:
+        logging.error("No tokens configured, no validation tests to run")
+        raise SystemExit(1)
+
+    logging.info("Running %d validation test suite(s)", len(tasks))
+    try:
+        results = loop.run_until_complete(asyncio.gather(*tasks, return_exceptions=True))
+        logging.info("All validation tests completed")
 
-    loop.run_forever()
+        # Check if any test suite failed
+        failed_count = sum(1 for result in results if isinstance(result, Exception))
+        if failed_count:
+            logging.error("%d test suite(s) failed", failed_count)
+            raise SystemExit(1)
+    except KeyboardInterrupt:
+        logging.info("Validation interrupted by user")
+        raise SystemExit(130) from None
+    finally:
+        loop.close()

src/validation/helpers.py

@@ -2,18 +2,35 @@
 #
 # SPDX-License-Identifier: MIT
 
+import asyncio
 import logging
+import re
+import subprocess
 from functools import lru_cache
 from os import getenv
 
+import koji as koji_module
 from copr.v3 import Client
 
 
+class KerberosError(Exception):
+    """Exception raised for Kerberos-related errors."""
+
+
 @lru_cache
 def copr():
     return Client({"copr_url": "https://copr.fedorainfracloud.org"})
 
 
+@lru_cache
+def koji():
+    """
+    Create and return a Koji session for querying Fedora Koji builds.
+    """
+    koji_url = getenv("KOJI_URL", "https://koji.fedoraproject.org/kojihub")
+    return koji_module.ClientSession(koji_url)
+
+
 @lru_cache
 def sentry_sdk():
     if sentry_secret := getenv("SENTRY_SECRET"):
@@ -32,3 +49,121 @@ def log_failure(message: str):
         return
 
     logging.warning(message)
+
+
+async def extract_principal_from_keytab(keytab_file: str) -> str:
+    """
+    Extract principal from the specified keytab file.
+    Assumes there is a single principal in the keytab.
+
+    Args:
+        keytab_file: Path to a keytab file.
+
+    Returns:
+        Extracted principal name.
+    """
+    proc = await asyncio.create_subprocess_exec(
+        "klist",
+        "-k",
+        "-K",
+        "-e",
+        keytab_file,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+    )
+    stdout, stderr = await proc.communicate()
+    if proc.returncode:
+        logging.error("klist command failed: %s", stderr.decode())
+        msg = "klist command failed"
+        raise KerberosError(msg)
+
+    # Parse klist output to extract principal
+    # Format: "   2 principal@REALM (aes256-cts-hmac-sha1-96) (0x...)"
+    key_pattern = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s+\((\S+)\)$")
+    for line in stdout.decode().splitlines():
+        if match := key_pattern.match(line):
+            # Return the principal associated with the first key
+            return match.group(2)
+
+    msg = "No valid key found in the keytab file"
+    raise KerberosError(msg)
+
+
+async def init_kerberos_ticket(keytab_file: str) -> str:
+    """
+    Initialize Kerberos ticket from keytab file.
+
+    Args:
+        keytab_file: Path to keytab file
+
+    Returns:
+        Principal name for which ticket was initialized
+    """
+    # Extract principal from keytab
+    principal = await extract_principal_from_keytab(keytab_file)
+    logging.debug("Extracted principal from keytab: %s", principal)
+
+    # Check if ticket already exists
+    proc = await asyncio.create_subprocess_exec(
+        "klist",
+        "-l",
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+    )
+    stdout, stderr = await proc.communicate()
+
+    if proc.returncode == 0:
+        # Parse existing principals
+        principals = [
+            parts[0]
+            for line in stdout.decode().splitlines()
+            if "Expired" not in line
+            for parts in (line.split(),)
+            if len(parts) >= 1 and "@" in parts[0]
+        ]
+
+        if principal in principals:
+            logging.info("Using existing Kerberos ticket for %s", principal)
+            return principal
+
+    # Initialize new ticket
+    logging.info("Initializing Kerberos ticket for %s", principal)
+    proc = await asyncio.create_subprocess_exec(
+        "kinit",
+        "-k",
+        "-t",
+        keytab_file,
+        principal,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+    )
+    stdout, stderr = await proc.communicate()
+
+    if proc.returncode:
+        logging.error("kinit failed: %s", stderr.decode())
+        msg = "kinit command failed"
+        raise KerberosError(msg)
+
+    logging.info("Kerberos ticket initialized for %s", principal)
+    return principal
+
+
+async def destroy_kerberos_ticket(principal: str):
+    """
+    Destroy Kerberos ticket for the specified principal.
+
+    Args:
+        principal: Principal name whose ticket should be destroyed
+    """
+    logging.info("Destroying Kerberos ticket for %s", principal)
+    proc = await asyncio.create_subprocess_exec(
+        "kdestroy",
+        "-p",
+        principal,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+    )
+    await proc.communicate()
+
+    if proc.returncode:
+        logging.warning("Failed to destroy Kerberos ticket for %s", principal)