Log settings used for feeds with own settings

Author: zooba

src/manage/urlutils.py

@@ -683,9 +683,29 @@ def urlopen_index(self, url):
             )
             raise
 
-    def verify(self, previous_verified, url, data, params):
-        if previous_verified is not None or not params or not params.get("requires_signature"):
-            return previous_verified
+    def verify(self, url, data, params, show_settings=False):
+        if not params or not params.get("requires_signature"):
+            return None
+
+        if show_settings:
+            relevant_params = {k: params[k] for k in [
+                    "requires_signature",
+                    "required_root_subject",
+                    "required_publisher_subject",
+                    "required_publisher_eku",
+                ] if k in params}
+            if relevant_params:
+                LOGGER.info("Using verification settings from the index.")
+                LOGGER.info(
+                    "Check the log file or verbose output for the settings "
+                    "being used. Copying these into your configuration "
+                    "file's !G!'source_settings'!W! section to detect "
+                    "changes."
+                )
+                LOGGER.verbose(
+                    "Verifying with the below settings.\n%r",
+                    {sanitise_url(url): relevant_params}
+                )
 
         try:
             cat = self._cache[url + ".cat"]
@@ -767,12 +787,13 @@ def __next__(self):
                 )
                 raise
 
-            source_settings = (self.cmd.source_settings if self.cmd else None) or {}
-            verified = self.verify(verified, url, data, source_settings.get(s_url))
+            source_settings = self.cmd.source_settings.get(s_url) if self.cmd else None
+            verified = self.verify(url, data, source_settings)
             parsed = json.loads(data)
 
             # The parsed index may also have its own verification parameters
-            verified = self.verify(verified, url, data, parsed)
+            if not source_settings and not verified:
+                verified = self.verify(url, data, parsed, show_settings=True)
 
             if verified is True:
                 LOGGER.info("!G!The signature for %s was successfully verified.!W!", s_url)

tests/data/index-require-sig.json

@@ -1 +1,5 @@
-{"versions": [], "requires_signature": true}
+{
+    "versions": [],
+    "requires_signature": true,
+    "required_publisher_subject": "CN=King Arthur, O=Knights of the Round Table, C=Camelot"
+}

tests/test_verify.py

@@ -249,15 +249,38 @@ def test_verify_index_selfsigned(verify_with, expect_fail, tmp_path, assert_log)
 def test_verify_index_later(assert_log):
     # Signature not required until reading the index file
     cmd = MockConfig()
-    idx = IndexDownloader(cmd, (TESTDATA / "index-require-sig.json").as_uri(), MockIndex)
+    u = (TESTDATA / "index-require-sig.json").as_uri()
+    expect_settings = {
+        u: {
+            "requires_signature": True,
+            "required_publisher_subject": "CN=King Arthur, O=Knights of the Round Table, C=Camelot",
+        }
+    }
+    idx = IndexDownloader(cmd, u, MockIndex)
     with pytest.raises(InvalidFeedError):
         indexes = list(idx)
     assert_log(
         "Fetching.+",
+        "Using verification settings from the index.",
+        "Check the log file.+",
+        ("Verifying with the below settings.+", [expect_settings]),
         "The signature for %s could not be loaded.",
     )
 
 
+def test_verify_index_overridden_later(assert_log):
+    # Signature not required until reading the index file
+    cmd = MockConfig()
+    u = (TESTDATA / "index-require-sig.json").as_uri()
+    cmd.source_settings[u] = {"requires_signature": False}
+    idx = IndexDownloader(cmd, u, MockIndex)
+    indexes = list(idx)
+    assert_log(
+        "Fetching.+",
+        "No signature to verify for %s",
+    )
+
+
 def test_verify_index_not_later(assert_log):
     # Signature not required until reading the index file
     cmd = MockConfig()