Improve tmp file handling and cleanup in signing and publishing tasks

- Add output path for signing service to control tmp file location. - Ensure proper cleanup of uncompressed files in synchronization tasks. - Modify functional tests to pass output directory for signing. closes #1141
pulp · Oct 22, 2024 · a068a7a · a068a7a
1 parent 86be272
commit a068a7a
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 19 deletions.
diff --git a/pulp_deb/app/models/signing_service.py b/pulp_deb/app/models/signing_service.py
@@ -38,7 +38,7 @@ def validate(self):
                 test_data = b"arbitrary data"
                 test_file.write(test_data)
                 test_file.flush()
-                return_value = self.sign(test_release_path)
+                return_value = self.sign(test_release_path, output_path=temp_directory_name)
 
                 signatures = return_value.get("signatures")
 

diff --git a/pulp_deb/app/tasks/publishing.py b/pulp_deb/app/tasks/publishing.py
@@ -1,6 +1,8 @@
 import asyncio
 import os
 import shutil
+import random
+import string
 from contextlib import suppress
 from pathlib import Path
 
@@ -112,7 +114,7 @@ def publish(
             structured=structured,
         )
     )
-    with tempfile.TemporaryDirectory("."):
+    with tempfile.TemporaryDirectory(".") as temp_dir:
         with AptPublication.create(repo_version, pass_through=False) as publication:
             publication.simple = simple
             publication.structured = structured
@@ -144,6 +146,7 @@ def publish(
                     release=release,
                     components=[component],
                     architectures=architectures,
+                    tmp_dir=temp_dir,
                     signing_service=repository.signing_service,
                 )
 
@@ -239,6 +242,7 @@ def publish(
                         components=components,
                         architectures=architectures,
                         release=release,
+                        tmp_dir=temp_dir,
                         signing_service=signing_service,
                     )
 
@@ -465,9 +469,11 @@ def __init__(
         components,
         architectures,
         release,
+        tmp_dir,
         signing_service=None,
     ):
         self.publication = publication
+        self.tmp_dir = _create_random_directory(tmp_dir)
         self.distribution = distribution = release.distribution
         self.dists_subfolder = distribution.strip("/") if distribution != "/" else "flat-repo"
         if distribution[-1] == "/":
@@ -548,7 +554,9 @@ def save_unsigned_metadata(self):
     async def sign_metadata(self):
         self.signed = {"signatures": {}}
         if self.signing_service:
-            self.signed = await self.signing_service.asign(self.release_path)
+            self.signed = await self.signing_service.asign(
+                self.release_path, output_path=self.tmp_dir
+            )
 
     def save_signed_metadata(self):
         for signature_file in self.signed["signatures"].values():
@@ -586,3 +594,10 @@ def _batch_fetch_artifacts(packages):
     remote_artifact_dict = {artifact.sha256: artifact for artifact in remote_artifacts}
 
     return artifact_dict, remote_artifact_dict
+
+
+def _create_random_directory(path):
+    dir_name = "".join(random.choices(string.ascii_letters + string.digits, k=10))
+    dir_path = path + "/" + dir_name
+    os.makedirs(dir_path, exist_ok=True)
+    return dir_path
diff --git a/pulp_deb/app/tasks/synchronizing.py b/pulp_deb/app/tasks/synchronizing.py
@@ -502,16 +502,22 @@ async def run(self):
                         # No main_artifact found, uncompress one
                         relative_dir = os.path.dirname(d_content.content.relative_path)
                         filename = _uncompress_artifact(d_content.d_artifacts, relative_dir)
-                        da = DeclarativeArtifact(
-                            artifact=Artifact.init_and_validate(
-                                filename, expected_digests={"sha256": content.sha256}
-                            ),
-                            url=filename,
-                            relative_path=content.relative_path,
-                            remote=d_content.d_artifacts[0].remote,
-                        )
-                        d_content.d_artifacts.append(da)
-                        await _save_artifact_blocking(da)
+
+                        try:
+                            da = DeclarativeArtifact(
+                                artifact=Artifact.init_and_validate(
+                                    filename, expected_digests={"sha256": content.sha256}
+                                ),
+                                url=filename,
+                                relative_path=content.relative_path,
+                                remote=d_content.d_artifacts[0].remote,
+                            )
+                            d_content.d_artifacts.append(da)
+                            await _save_artifact_blocking(da)
+                        finally:
+                            # Ensure the uncompressed file is deleted after usage
+                            if os.path.exists(filename):
+                                os.remove(filename)
                     content.artifact_set_sha256 = _get_artifact_set_sha256(
                         d_content, PackageIndex.SUPPORTED_ARTIFACTS
                     )

diff --git a/pulp_deb/tests/functional/conftest.py b/pulp_deb/tests/functional/conftest.py
@@ -486,10 +486,11 @@ def deb_signing_script_path(
     return signing_script_filename
 
 
-@pytest.fixture(scope="class")
+@pytest.fixture(scope="session")
 def deb_signing_service_factory(
     deb_signing_script_path,
     signing_gpg_metadata,
+    signing_gpg_homedir_path,
     pulpcore_bindings,
 ):
     """A fixture for the debian signing service."""
@@ -518,10 +519,17 @@ def deb_signing_service_factory(
     yield signing_service
 
     cmd = (
-        "from pulpcore.app.models import SigningService;"
-        f"SigningService.objects.filter(name='{service_name}').delete()"
+        "pulpcore-manager",
+        "remove-signing-service",
+        service_name,
+        "--class",
+        "deb:AptReleaseSigningService",
+    )
+    process = subprocess.run(
+        cmd,
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
     )
-    process = subprocess.run(["pulpcore-manager", "shell", "-c", cmd], capture_output=True)
     assert process.returncode == 0
 
 

diff --git a/pulp_deb/tests/functional/constants.py b/pulp_deb/tests/functional/constants.py
@@ -374,7 +374,7 @@ def _clean_dict(d):
 
 export GNUPGHOME="HOMEDIRHERE"
 RELEASE_FILE="$(/usr/bin/readlink -f $1)"
-OUTPUT_DIR="$(/usr/bin/mktemp -d)"
+OUTPUT_DIR="$2"
 DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
 INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
 GPG_KEY_ID="GPGKEYIDHERE"

diff --git a/pulp_deb/tests/functional/sign_deb_release.sh b/pulp_deb/tests/functional/sign_deb_release.sh
@@ -3,7 +3,7 @@
 set -e
 
 RELEASE_FILE="$(/usr/bin/readlink -f $1)"
-OUTPUT_DIR="$(/usr/bin/mktemp -d)"
+OUTPUT_DIR="$2"
 DETACHED_SIGNATURE_PATH="${OUTPUT_DIR}/Release.gpg"
 INLINE_SIGNATURE_PATH="${OUTPUT_DIR}/InRelease"
 GPG_KEY_ID="Pulp QE"