port glcli back from python_gardenlinux_cli

yeoldegrove · yeoldegrove · commit 3da161b85bf3 · 2025-05-13T16:08:21.000+02:00
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,6 +29,7 @@ black = "^24.8.0"
 gl-cname = "python_gardenlinux_lib.cname:main"
 gl-flavors-parse = "python_gardenlinux_lib.flavors.parse_flavors:main"
 flavors-parse = "python_gardenlinux_lib.flavors.parse_flavors:main"
+glcli = "python_gardenlinux_lib.glcli.glcli:main"
 
 [tool.pytest.ini_options]
 pythonpath = [
diff --git a/src/python_gardenlinux_lib/constants.py b/src/python_gardenlinux_lib/constants.py
@@ -2,8 +2,19 @@
 
 # It is important that this list is sorted in descending length of the entries
 GL_MEDIA_TYPES = [
+    "secureboot.aws-efivars",
+    "secureboot.kek.auth",
     "gcpimage.tar.gz.log",
+    "secureboot.pk.auth",
+    "secureboot.kek.crt",
+    "secureboot.kek.der",
+    "secureboot.db.auth",
     "firecracker.tar.gz",
+    "secureboot.pk.crt",
+    "secureboot.pk.der",
+    "secureboot.db.crt",
+    "secureboot.db.der",
+    "secureboot.db.arn",
     "platform.test.log",
     "platform.test.xml",
     "gcpimage.tar.gz",
@@ -12,11 +23,15 @@
     "pxe.tar.gz.log",
     "root.squashfs",
     "manifest.log",
+    "squashfs.log",
     "release.log",
+    "vmlinuz.log",
+    "initrd.log",
     "pxe.tar.gz",
     "qcow2.log",
     "test-log",
     "boot.efi",
+    "squashfs",
     "manifest",
     "vmdk.log",
     "tar.log",
@@ -69,12 +84,27 @@
     "vhd.log": "application/io.gardenlinux.log",
     "ova.log": "application/io.gardenlinux.log",
     "vmlinuz": "application/io.gardenlinux.kernel",
+    "vmlinuz.log": "application/io.gardenlinux.log",
     "initrd": "application/io.gardenlinux.initrd",
+    "initrd.log": "application/io.gardenlinux.log",
     "root.squashfs": "application/io.gardenlinux.squashfs",
+    "squashfs": "application/io.gardenlinux.squashfs",
+    "squashfs.log": "application/io.gardenlinux.log",
     "boot.efi": "application/io.gardenlinux.efi",
     "platform.test.log": "application/io.gardenlinux.io.platform.test.log",
     "platform.test.xml": "application/io.gardenlinux.io.platform.test.xml",
     "chroot.test.log": "application/io.gardenlinux.io.chroot.test.log",
     "chroot.test.xml": "application/io.gardenlinux.io.chroot.test.xml",
     "oci.log": "application/io.gardenlinux.log",
+    "secureboot.pk.crt": "application/io.gardenlinux.cert.secureboot.pk.crt",
+    "secureboot.pk.der": "application/io.gardenlinux.cert.secureboot.pk.der",
+    "secureboot.pk.auth": "application/io.gardenlinux.cert.secureboot.pk.auth",
+    "secureboot.kek.crt": "application/io.gardenlinux.cert.secureboot.kek.crt",
+    "secureboot.kek.der": "application/io.gardenlinux.cert.secureboot.kek.der",
+    "secureboot.kek.auth": "application/io.gardenlinux.cert.secureboot.kek.auth",
+    "secureboot.db.crt": "application/io.gardenlinux.cert.secureboot.db.crt",
+    "secureboot.db.der": "application/io.gardenlinux.cert.secureboot.db.der",
+    "secureboot.db.auth": "application/io.gardenlinux.cert.secureboot.db.auth",
+    "secureboot.db.arn": "application/io.gardenlinux.cert.secureboot.db.arn",
+    "secureboot.aws-efivars": "application/io.gardenlinux.cert.secureboot.aws-efivars",
 }
diff --git a/src/python_gardenlinux_lib/crypto.py b/src/python_gardenlinux_lib/crypto.py
@@ -0,0 +1,16 @@
+import hashlib
+
+
+def verify_sha256(checksum: str, data: bytes):
+    data_checksum = f"sha256:{hashlib.sha256(data).hexdigest()}"
+    if checksum != data_checksum:
+        raise ValueError(f"Invalid checksum. {checksum} != {data_checksum}")
+
+
+def calculate_sha256(file_path: str) -> str:
+    """Calculate the SHA256 checksum of a file."""
+    sha256_hash = hashlib.sha256()
+    with open(file_path, "rb") as f:
+        for byte_block in iter(lambda: f.read(4096), b""):
+            sha256_hash.update(byte_block)
+    return sha256_hash.hexdigest()
diff --git a/src/python_gardenlinux_lib/glcli/glcli.py b/src/python_gardenlinux_lib/glcli/glcli.py
@@ -0,0 +1,111 @@
+#!/usr/bin/env python3
+
+import click
+import os
+
+from pygments.lexer import default
+
+from .registry import GlociRegistry
+
+
+@click.group()
+def cli():
+    pass
+
+
+@cli.command()
+@click.option(
+    "--container",
+    required=True,
+    type=click.Path(),
+    help="Container Name",
+)
+@click.option(
+    "--version",
+    required=True,
+    type=click.Path(),
+    help="Version of image",
+)
+@click.option(
+    "--arch",
+    required=True,
+    type=click.Path(),
+    help="Target Image CPU Architecture",
+)
+@click.option(
+    "--cname", required=True, type=click.Path(), help="Canonical Name of Image"
+)
+@click.option("--dir", "directory", required=True, help="path to the build artifacts")
+@click.option(
+    "--cosign_file",
+    required=False,
+    help="A file where the pushed manifests digests is written to. The content can be used by an external tool (e.g. cosign) to sign the manifests contents",
+)
+@click.option(
+    "--manifest_file",
+    default="manifests/manifest.json",
+    help="A file where the index entry for the pushed manifest is written to.",
+)
+@click.option(
+    "--insecure",
+    default=False,
+    help="Use HTTP to communicate with the registry",
+)
+def push_manifest(
+    container, version, arch, cname, directory, cosign_file, manifest_file, insecure
+):
+    """push artifacts from a dir to a registry, get the index-entry for the manifest in return"""
+    container_name = f"{container}:{version}"
+    registry = GlociRegistry(
+        container_name=container_name,
+        token=os.getenv("GLOCI_REGISTRY_TOKEN"),
+        insecure=insecure,
+    )
+    digest = registry.push_from_dir(arch, version, cname, directory, manifest_file)
+    if cosign_file:
+        print(digest, file=open(cosign_file, "w"))
+
+
+@cli.command()
+@click.option(
+    "--container",
+    "container",
+    required=True,
+    type=click.Path(),
+    help="Container Name",
+)
+@click.option(
+    "--version",
+    "version",
+    required=True,
+    type=click.Path(),
+    help="Version of image",
+)
+@click.option(
+    "--manifest_folder",
+    default="manifests",
+    help="A folder where the index entries are read from.",
+)
+@click.option(
+    "--insecure",
+    default=False,
+    help="Use HTTP to communicate with the registry",
+)
+def update_index(container, version, manifest_folder, insecure):
+    """push a index entry from a list of files to an index"""
+    container_name = f"{container}:{version}"
+    registry = GlociRegistry(
+        container_name=container_name,
+        token=os.getenv("GLOCI_REGISTRY_TOKEN"),
+        insecure=insecure,
+    )
+    registry.update_index(manifest_folder)
+
+
+def main():
+    """Entry point for the glcli command."""
+    cli()
+
+
+if __name__ == "__main__":
+    cli()
diff --git a/src/python_gardenlinux_lib/glcli/registry.py b/src/python_gardenlinux_lib/glcli/registry.py
diff --git a/src/python_gardenlinux_lib/glcli/schemas.py b/src/python_gardenlinux_lib/glcli/schemas.py
