From 70a3b2e5bb9172723ce075be3cdc18220005a6e8 Mon Sep 17 00:00:00 2001
From: Jan Kolarik
Date: Tue, 18 Feb 2025 09:05:41 +0000
Subject: [PATCH] expired-pgp-keys: Add basic CI tests
---
.../dnf/plugins-core/expired-pgp-keys.feature | 36 +++++++++++++++++++
.../gpgkeys/keyspecs/dnf-ci-gpg-expiry/config | 1 +
.../keyspecs/dnf-ci-gpg-expiry/packages | 1 +
dnf-behave-tests/fixtures/gpgkeys/sign.sh | 12 +++++--
.../dnf-ci-gpg-expiry/wget-1.19.5-5.fc29.spec | 24 +++++++++++++
5 files changed, 72 insertions(+), 2 deletions(-)
create mode 100644 dnf-behave-tests/dnf/plugins-core/expired-pgp-keys.feature
create mode 100644 dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/config
create mode 100644 dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/packages
create mode 100644 dnf-behave-tests/fixtures/specs/dnf-ci-gpg-expiry/wget-1.19.5-5.fc29.spec
diff --git a/dnf-behave-tests/dnf/plugins-core/expired-pgp-keys.feature b/dnf-behave-tests/dnf/plugins-core/expired-pgp-keys.feature
new file mode 100644
index 0000000000..1203939922
--- /dev/null
+++ b/dnf-behave-tests/dnf/plugins-core/expired-pgp-keys.feature
@@ -0,0 +1,36 @@
+Feature: expired-pgp-keys plugin functionality
+
+
+Background:
+ Given I enable plugin "expired-pgp-keys"
+ And I configure dnf with
+ | key | value |
+ | pluginconfpath | {context.dnf.installroot}/etc/dnf/libdnf5-plugins |
+ And I create file "/etc/dnf/libdnf5-plugins/expired-pgp-keys.conf" with
+ """
+ [main]
+ enabled = 1
+ """
+ And I use repository "dnf-ci-gpg-expiry" with configuration
+ | key | value |
+ | gpgcheck | 1 |
+ | gpgkey | file://{context.dnf.fixturesdir}/gpgkeys/keys/dnf-ci-gpg-expiry/dnf-ci-gpg-expiry-public |
+ And I use repository "simple-base"
+ And I successfully execute dnf with args "install wget"
+
+
+Scenario: When PGP key is expired, its removal is triggered before transaction
+ Given I move the clock forward to "2 years"
+ And I successfully execute dnf with args "install vagare"
+ Then stderr contains lines matching
+ """
+ The following PGP key \(0x.*\) is about to be removed:
+ Reason : Expired on .*
+ UserID : "dnf-ci-gpg-expiry"
+ """
+
+
+Scenario: When PGP key is expired, its removal is not triggered on non-transactional operations
+ Given I move the clock forward to "2 years"
+ And I successfully execute dnf with args "repoquery vagare"
+ Then stderr does not contain "The following PGP key \(0x.*\) is about to be removed:"
diff --git a/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/config b/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/config
new file mode 100644
index 0000000000..75a8f78360
--- /dev/null
+++ b/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/config
@@ -0,0 +1 @@
+USE_EXPIRATION_DATE=1
diff --git a/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/packages b/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/packages
new file mode 100644
index 0000000000..810f5f5a7e
--- /dev/null
+++ b/dnf-behave-tests/fixtures/gpgkeys/keyspecs/dnf-ci-gpg-expiry/packages
@@ -0,0 +1 @@
+dnf-ci-gpg-expiry/x86_64/wget-1.19.5-5.fc29.x86_64.rpm
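Review bot: The last step of the second scenario in expired-pgp-keys.feature passes a regex-escaped pattern (`\(0x.*\)`) to `stderr does not contain`; if that step compares the text literally rather than as a regular expression, the assertion can never fail and the scenario would not notice the plugin announcing a key removal on a non-transactional command. The step implementation is not part of this patch, so its matching mode should be confirmed. If it turns out to be a literal match, a fixed substring such as `Then stderr does not contain "is about to be removed"` keeps the negative check meaningful. The first scenario also only checks the announcement text, so it does not show that the expired key actually left the keyring.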
diff --git a/dnf-behave-tests/fixtures/gpgkeys/sign.sh b/dnf-behave-tests/fixtures/gpgkeys/sign.sh index d114f4b8d9..33b1764194 100755 --- a/dnf-behave-tests/fixtures/gpgkeys/sign.sh +++ b/dnf-behave-tests/fixtures/gpgkeys/sign.sh @@ -16,6 +16,7 @@ for KEY_NAME in $KEYSPECS; do # set defaults USE_SIGN_SUBKEY=0 USE_NOEOF_KEYS=0 + USE_EXPIRATION_DATE=0 # read config file for key if [ -f "${DIR}/keyspecs/${KEY_NAME}/config" ]; then @@ -37,8 +38,15 @@ for KEY_NAME in $KEYSPECS; do TMP_KEY_DIR="${TMP_DIR}/gpghome" ln -s "${KEY_DIR}" "${TMP_KEY_DIR}" - # create key (without password, without expire) - HOME=${TMP_KEY_DIR} gpg2 --batch --passphrase '' --quick-gen-key "${KEY_NAME}" default default 0 + # keys are without expiration date by default + # if expiration is requested, set it to 1 year from now + EXPIRY_DATE=0 + if [ "${USE_EXPIRATION_DATE}" = "1" ]; then + EXPIRY_DATE=$(date -d "+1 year" +%Y-%m-%d) + fi + + # create key (without password) + HOME=${TMP_KEY_DIR} gpg2 --batch --passphrase '' --quick-gen-key "${KEY_NAME}" default default "${EXPIRY_DATE}" if [ "${USE_SIGN_SUBKEY}" = "1" ]; then # add sign subkey diff --git a/dnf-behave-tests/fixtures/specs/dnf-ci-gpg-expiry/wget-1.19.5-5.fc29.spec b/dnf-behave-tests/fixtures/specs/dnf-ci-gpg-expiry/wget-1.19.5-5.fc29.spec new file mode 100644 index 0000000000..19c878b95c --- /dev/null +++ b/dnf-behave-tests/fixtures/specs/dnf-ci-gpg-expiry/wget-1.19.5-5.fc29.spec 
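Review bot: In the second sign.sh hunk the expiry is computed relative to the moment the fixtures are generated (`date -d "+1 year"`), so the key's validity depends on how old the built fixtures are. The feature's Background installs with `gpgcheck` enabled before the clock is moved, which presumably starts failing once a cached fixture set is more than a year old. A comment recording that constraint would help, for example `# NOTE: key expires 1 year after fixture generation; regenerate fixtures before then`. `date -d` is also a GNU extension; gpg's expire argument accepts a relative value itself, so `EXPIRY_DATE=1y` would remove the dependency on `date`, though the variable would then hold a duration rather than a date. The enclosing `for KEY_NAME` loop starts and ends outside the hunk.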
@@ -0,0 +1,24 @@
+Name: wget
+Version: 1.19.5
+Release: 5%{?dist}
+Summary: A utility for retrieving files using the HTTP or FTP protocols
+
+License: GPLv3+
+Group: Applications/Internet
+Url: http://www.gnu.org/software/wget/
+
+Provides: webclient
+Provides: bundled(gnulib)
+
+%description
+GNU Wget is a file retrieval utility which can use either the HTTP or
+FTP protocols. Wget features include the ability to work in the
+background while you are logged out, recursive retrieval of
+directories, file name wildcard matching, remote file timestamp
+storage and comparison, use of Rest with FTP servers and Range with
+HTTP servers to retrieve files over slow or unstable connections,
+support for Proxy servers, and configurability.
+
+%files
+
+%changelog