From 284eb10d360b7358b49021a0328f9189ef49fe71 Mon Sep 17 00:00:00 2001 From: "Sirlapu, Tejaswini" Date: Thu, 11 Jan 2024 10:47:54 -0800 Subject: [PATCH] Add URI checks from trusted repo for Source Application gpg key URI RTC 537769 check if sourceApplication Gpg key URL is in trusted repo --- inbc-program/README.md | 5 ++++- inbm/Changelog.md | 2 ++ .../dispatcher/source/ubuntu_source_manager.py | 16 ++++++++++++++-- .../tests/unit/source/test_ubuntu_source_cmd.py | 14 ++++++++++++++ 4 files changed, 34 insertions(+), 3 deletions(-) diff --git a/inbc-program/README.md b/inbc-program/README.md index 4d36ab54d8..8765c2f218 100644 --- a/inbc-program/README.md +++ b/inbc-program/README.md @@ -417,6 +417,10 @@ inbc query --option sw Optionally Downloads and encrypts GPG key and stores it on the system under /usr/share/keyrings. Creates a file under /etc/apt/sources.list.d to store the update source information. This list file is used during 'sudo apt update' to update the application. Deb882 format may be used instead of downloading a GPG key. +**NOTE:** Make sure to add gpgKeyUri to trustedrepositories using INBC Config Append command before using Inbc source application add command +``` + + ### Usage ``` inbc source application add @@ -442,7 +446,6 @@ inbc source application add - Each blank line has a period in it. -> " ." - Each line after the Signed-By: starts with a space -> " gibberish" - ``` inbc source application add --sources diff --git a/inbm/Changelog.md b/inbm/Changelog.md index 8047b01b4b..6946acb605 100644 --- a/inbm/Changelog.md +++ b/inbm/Changelog.md 
@@ -10,7 +10,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 ### Added
 - RTC 536601 - Added 'source' command to INBM. This command manages `/etc/apt/sources.list` and `/etc/apt/sources.list.d/*` and associated gpg keys on Ubuntu.
+- RTC 537769 - Add URI checks from trusted repo for Source Application gpg key URI
+check if sourceApplication Gpg key URL is in trusted repo
 ### Fixed
 - RTC 534426 - Could not write to /var/log/inbm-update-status.log on Yocto due to /var/log being a symlink to /var/volatile/log.
 - RTC 523677 - Improve INBC error logging - invalid child tag not printed
diff --git a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
index 8838ff58a8..4ed56a7f9e 100644
--- a/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
+++ b/inbm/dispatcher-agent/dispatcher/source/ubuntu_source_manager.py
@@ -7,6 +7,10 @@ import logging
 import os
+from dispatcher.packagemanager.package_manager import verify_source
+from dispatcher.dispatcher_broker import DispatcherBroker
+from inbm_common_lib.utility import CanonicalUri
+from dispatcher.dispatcher_exception import DispatcherException
 from dispatcher.source.source_exception import SourceError
 from dispatcher.source.constants import (
 UBUNTU_APT_SOURCES_LIST,
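Review bot: `CanonicalUri` is imported on the new side of the `ubuntu_source_manager.py` import hunk but is not referenced by any added line of this patch; the `add()` hunk that follows assigns `url = parameters.gpg_key_uri` with no annotation, and the file's diffstat (14 additions, 2 deletions) is fully accounted for by the two hunks shown, so the import is dead (F401) and should be dropped. The same hunk imports the `DispatcherBroker` class, yet the `add()` hunk later in this patch passes an undefined `Dispatcher_Broker` name rather than an instance of it — raised on that hunk. If `dispatcher.dispatcher_broker` imports anything from `dispatcher.source` (not visible here), this module-level import would also create an import cycle; worth confirming before merge.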
@@ -98,11 +102,19 @@ def __init__(self) -> None:
 def add(self, parameters: ApplicationAddSourceParameters) -> None:
 """Adds a source file and optional GPG key to be used during Ubuntu application updates."""
- # Step 1: Add key (Optional)
+ # Step 1: Verify gpg key uri from trusted repo list
 if parameters.gpg_key_name and parameters.gpg_key_uri:
+ try:
+ url = parameters.gpg_key_uri
+ #URL slicing to remove the last segment (filename) from the URL
+ source = url.value[:-(len(url.value.split('/')[-1]) + 1)]
+ verify_source(source=source, dispatcher_broker=Dispatcher_Broker)
+ except DispatcherException as err:
+ raise SourceError(f"Source Gpg key URI verification check failed: {err}")
+ # Step 2: Add key (Optional)
 add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name)
- # Step 2: Add the source
+ # Step 3: Add the source
 try:
 create_file_with_contents(
 os.path.join(UBUNTU_APT_SOURCES_LIST_D, parameters.file_name), parameters.sources
diff --git a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
index 933e37379b..dd1445be3c 100644
--- a/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
+++ b/inbm/dispatcher-agent/tests/unit/source/test_ubuntu_source_cmd.py
@@ -279,6 +279,20 @@ def test_successfully_remove_gpg_key_and_source_list(
 except SourceError:
 self.fail("Remove GPG key raised DispatcherException unexpectedly!")
+
+ def test_successfully_add_gpg_key(self):
+ parameters = ApplicationAddSourceParameters(
+ gpg_key_uri="https://dl-ssl.google.com/linux/linux_signing_key.pub"
+ gpg_key_name="name"
+ )
+ command = UbuntuApplicationSourceManager()
+ try:
+ command.add(parameters)
+ except SourceError:
+ self.fail("Source Gpg key URI verification check failed")
+
+
+
 @patch("dispatcher.source.ubuntu_source_manager.remove_gpg_key_if_exists")
 def test_raises_when_space_check_fails(self, mock_remove_gpg_key):
 parameters = ApplicationRemoveSourceParameters(
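Review bot: `Dispatcher_Broker` in the new `verify_source(source=source, dispatcher_broker=Dispatcher_Broker)` line is not defined anywhere in this patch — the import hunk brings in the class `DispatcherBroker`, never an instance — so the first `add()` call with a GPG key raises `NameError`, and because `NameError` is not a `DispatcherException` it bypasses the `except` and never becomes a `SourceError`; the trusted-repository check therefore never actually runs. `UbuntuApplicationSourceManager` needs a broker instance, most naturally taken in `__init__` (its signature is the hunk header, its body is outside the hunk) and stored on `self`, which also means updating the callers that construct it with no arguments. The directory prefix is computed by hand-slicing `url.value` (`[:-(len(...split('/')[-1]) + 1)]`), which is `url.value.rsplit('/', 1)[0]` written the hard way; note that this prefix is an unnormalised string, so the strength of the check rests on `verify_source` (not visible here) normalising scheme, host case and `..` segments before comparing against the trusted list — worth confirming. The `try` should also wrap only the `verify_source` call, the comment `#URL slicing` needs a space after `#`, and `add()`'s body continues past the end of the hunk.
```python
    def __init__(self, dispatcher_broker: DispatcherBroker) -> None:
        # Broker handed to verify_source for the trusted-repository check
        self._dispatcher_broker = dispatcher_broker
        # … unchanged: rest of __init__ (outside the hunk) …

    def add(self, parameters: ApplicationAddSourceParameters) -> None:
        """Adds a source file and optional GPG key to be used during Ubuntu application updates."""
        # Step 1: Verify gpg key uri from trusted repo list
        if parameters.gpg_key_name and parameters.gpg_key_uri:
            # Directory part of the key URI: everything before the final '/'
            source = parameters.gpg_key_uri.value.rsplit('/', 1)[0]
            try:
                verify_source(source=source, dispatcher_broker=self._dispatcher_broker)
            except DispatcherException as err:
                raise SourceError(f"Source Gpg key URI verification check failed: {err}") from err
            # Step 2: Add key (Optional)
            add_gpg_key(parameters.gpg_key_uri, parameters.gpg_key_name)
        # … unchanged: Step 3, add the source …
```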
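Review bot: The new `test_successfully_add_gpg_key` is a syntax error — there is no comma between `gpg_key_uri="..."` and `gpg_key_name="name"` — so `test_ubuntu_source_cmd.py` fails to import and every test in the module stops running. Even with the comma, the test calls `command.add()` with nothing patched, unlike the sibling tests that `@patch` the module's collaborators, so it would run the real `verify_source`, fetch the key from `dl-ssl.google.com` and write under `/etc/apt/sources.list.d`; `add()` also reads `parameters.gpg_key_uri.value`, so a plain `str` here raises `AttributeError` unless the dataclass converts it, and the `file_name`/`sources` fields `add()` reads are not supplied (if required, construction fails). Patch `verify_source`, `add_gpg_key` and `create_file_with_contents`, assert the directory prefix that reaches `verify_source`, and add the negative case where `verify_source` raises `DispatcherException` so the `SourceError` conversion is actually exercised (importing `CanonicalUri` and `DispatcherException` into the test module as needed). The three blank lines before `@patch` are also one more than PEP 8 allows between methods.
```python
    @patch("dispatcher.source.ubuntu_source_manager.create_file_with_contents")
    @patch("dispatcher.source.ubuntu_source_manager.add_gpg_key")
    @patch("dispatcher.source.ubuntu_source_manager.verify_source")
    def test_successfully_add_gpg_key(self, mock_verify, mock_add_key, mock_create_file):
        parameters = ApplicationAddSourceParameters(
            gpg_key_uri=CanonicalUri("https://dl-ssl.google.com/linux/linux_signing_key.pub"),
            gpg_key_name="name",
            # TODO(review): supply file_name/sources here if the dataclass requires them
        )
        command = UbuntuApplicationSourceManager()
        try:
            command.add(parameters)
        except SourceError:
            self.fail("Source Gpg key URI verification check failed")
        # Only the directory part of the key URI may reach the trusted-repo check
        self.assertEqual(mock_verify.call_args.kwargs["source"], "https://dl-ssl.google.com/linux")
        mock_add_key.assert_called_once()

    @patch("dispatcher.source.ubuntu_source_manager.add_gpg_key")
    @patch("dispatcher.source.ubuntu_source_manager.verify_source",
           side_effect=DispatcherException("URI not in trusted repositories"))
    def test_add_raises_when_gpg_key_uri_not_trusted(self, mock_verify, mock_add_key):
        # … same parameters as above …
        with self.assertRaises(SourceError):
            UbuntuApplicationSourceManager().add(parameters)
        # A rejected URI must never reach the key download
        mock_add_key.assert_not_called()
```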