Self-signed certificate support

doc/dbus/bus/org.opensuse.Agama.Software1.Product.bus.xml

@@ -48,6 +48,7 @@
     </method>
     <property type="s" name="RegCode" access="read"/>
     <property type="s" name="Email" access="read"/>
+    <property type="s" name="Url" access="readwrite"/>
     <property type="u" name="Requirement" access="read"/>
   </interface>
 </node>

doc/dbus/bus/org.opensuse.Agama.Software1.bus.xml

@@ -82,4 +82,7 @@
     <property type="aa{sv}" name="All" access="read"/>
     <property type="u" name="Current" access="read"/>
   </interface>
+  <interface name="org.opensuse.Agama.Security">
+    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
+  </interface>
 </node>

doc/dbus/org.opensuse.Agama.Software1.doc.xml

@@ -98,4 +98,7 @@
     </method>
     <property type="a{sy}" name="SelectedPatterns" access="read"/>
   </interface>
+  <interface name="org.opensuse.Agama.Security">
+    <property type="a(ss)" name="SslFingerprints" access="readwrite"/>
+  </interface>
 </node>

doc/dbus/org.opensuse.Agama1.Registration.doc.xml

@@ -63,6 +63,10 @@
       Email used for the registration. Empty if the current product is not registered yet.
       -->
     <property type="s" name="Email" access="read"/>
+    <!--
+      URL used to register against. Empty means use default
+      -->
+    <property type="s" name="Url" access="readwrite"/>
     <!--
       Indicates the registration requirement of the currently selected product.
 

rust/agama-lib/share/profile.schema.json

@@ -98,6 +98,33 @@
         }
       }
     },
+    "security": {
+      "title": "Security settings",
+      "type": "object",
+      "properties": {
+        "sslCertificates": {
+          "title": "List of SSL certificates to add to system",
+          "type": "array",
+          "items": {
+            "type": "object",
+            "properties": {
+              "fingerprint": {
+                "title": "fingerprint of ssl certificate",
+                "type": "string",
+                "examples": ["A8:DE:08:B1:57:52:FE:70:DF:D5:31:EA:E3:53:BB:39:EE:01:FF:B9"] 
+              },
+              "algorithm": {
+                "title": "fingerprint algorithm used to compute it",
+                "type": "string",
+                "enum": ["SHA1", "SHA256"],
+                "examples": ["SHA1"] 
+              }
+            },
+            "required": ["fingerprint", "algorithm"]
+          }
+        }
+      }
+    },
     "software": {
       "title": "Software settings",
       "type": "object",
@@ -139,6 +166,10 @@
         "registrationEmail": {
           "title": "Product registration email",
           "type": "string"
+        },
+        "registrationUrl": {
+          "title": "Specific registration server url",
+          "type": "string"
         }
       }
     },

rust/agama-lib/src/error.rs

@@ -73,6 +73,8 @@ pub enum ServiceError {
     // FIXME reroute the error to a better place
     #[error("Profile error: {0}")]
     Profile(#[from] ProfileError),
+    #[error("Unsupported SSL Fingeprint algorithm '#{0}'.")]
+    UnsupportedSSLFingerprintAlgorithm(String),
     #[error("Invalid URL: {0}")]
     InvalidURL(#[from] url::ParseError),
 }

rust/agama-lib/src/install_settings.rs

@@ -24,6 +24,7 @@
 use crate::bootloader::model::BootloaderSettings;
 use crate::files::model::UserFile;
 use crate::hostname::model::HostnameSettings;
+use crate::security::settings::SecuritySettings;
 use crate::{
     localization::LocalizationSettings, network::NetworkSettings, product::ProductSettings,
     scripts::ScriptsConfig, software::SoftwareSettings, users::UserSettings,
@@ -57,6 +58,9 @@ pub struct InstallSettings {
     pub user: Option<UserSettings>,
     #[serde(default)]
     #[serde(skip_serializing_if = "Option::is_none")]
+    pub security: Option<SecuritySettings>,
+    #[serde(default)]
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub software: Option<SoftwareSettings>,
     #[serde(default)]
     pub product: Option<ProductSettings>,

rust/agama-lib/src/lib.rs

@@ -69,6 +69,7 @@ pub use store::Store;
 pub mod openapi;
 pub mod questions;
 pub mod scripts;
+pub mod security;
 pub mod utils;
 
 use crate::error::ServiceError;

rust/agama-lib/src/product/client.rs

@@ -126,6 +126,16 @@ impl<'a> ProductClient<'a> {
         Ok(self.registration_proxy.email().await?)
     }
 
+    /// url of registration server
+    pub async fn registration_url(&self) -> Result<String, ServiceError> {
+        Ok(self.registration_proxy.url().await?)
+    }
+
+    /// set registration url
+    pub async fn set_registration_url(&self, url: &str) -> Result<(), ServiceError> {
+        Ok(self.registration_proxy.set_url(url).await?)
+    }
+
     /// list of already registered addons
     pub async fn registered_addons(&self) -> Result<Vec<AddonParams>, ServiceError> {
         let addons: Vec<AddonParams> = self

rust/agama-lib/src/product/http_client.rs

@@ -68,6 +68,12 @@ impl ProductHTTPClient {
         self.client.get("/software/registration").await
     }
 
+    pub async fn set_registration_url(&self, url: &String) -> Result<(), ServiceError> {
+        self.client
+            .put_void("/software/registration/url", url)
+            .await
+    }
+
     // get list of registered addons
     pub async fn get_registered_addons(&self) -> Result<Vec<AddonSettings>, ServiceError> {
         self.client

rust/agama-lib/src/product/proxies.rs

@@ -72,6 +72,12 @@ pub trait Registration {
     #[zbus(property)]
     fn reg_code(&self) -> zbus::Result<String>;
 
+    /// Url property
+    #[zbus(property)]
+    fn url(&self) -> zbus::Result<String>;
+    #[zbus(property)]
+    fn set_url(&self, value: &str) -> zbus::Result<()>;
+
     /// registered addons property, list of tuples (name, version, reg_code))
     #[zbus(property)]
     fn registered_addons(&self) -> zbus::Result<Vec<(String, String, String)>>;

rust/agama-lib/src/product/settings.rs

@@ -47,5 +47,7 @@ pub struct ProductSettings {
     #[serde(skip_serializing_if = "Option::is_none")]
     pub registration_email: Option<String>,
     #[serde(skip_serializing_if = "Option::is_none")]
+    pub registration_url: Option<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
     pub addons: Option<Vec<AddonSettings>>,
 }

rust/agama-lib/src/product/store.rs

@@ -61,6 +61,7 @@ impl ProductStore {
             id: Some(product),
             registration_code: Self::non_empty_string(registration_info.key),
             registration_email: Self::non_empty_string(registration_info.email),
+            registration_url: Self::non_empty_string(registration_info.url),
             addons,
         })
     }
@@ -75,6 +76,9 @@ impl ProductStore {
                 probe = true;
             }
         }
+        if let Some(url) = &settings.registration_url {
+            self.product_client.set_registration_url(url).await?;
+        }
         if let Some(reg_code) = &settings.registration_code {
             let email = settings.registration_email.as_deref().unwrap_or("");
 
@@ -146,7 +150,8 @@ mod test {
                 .body(
                     r#"{
                     "key": "",
-                    "email": ""
+                    "email": "",
+                    "url": ""
                 }"#,
                 );
         });
@@ -166,6 +171,7 @@ mod test {
             id: Some("Tumbleweed".to_owned()),
             registration_code: None,
             registration_email: None,
+            registration_url: None,
             addons: None,
         };
         // main assertion
@@ -215,6 +221,7 @@ mod test {
             id: Some("Tumbleweed".to_owned()),
             registration_code: None,
             registration_email: None,
+            registration_url: None,
             addons: None,
         };
 

rust/agama-lib/src/security.rs

@@ -0,0 +1,6 @@
+pub mod client;
+pub mod http_client;
+pub mod model;
+pub mod proxies;
+pub mod settings;
+pub mod store;

rust/agama-lib/src/security/client.rs

@@ -0,0 +1,64 @@
+// Copyright (c) [2025] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use zbus::Connection;
+
+use crate::error::ServiceError;
+
+use super::{model::SSLFingerprint, proxies::SecurityProxy};
+
+/// D-Bus client for the security service
+#[derive(Clone)]
+pub struct SecurityClient<'a> {
+    security_proxy: SecurityProxy<'a>,
+}
+
+impl SecurityClient<'_> {
+    pub async fn new(connection: Connection) -> Result<Self, ServiceError> {
+        Ok(Self {
+            security_proxy: SecurityProxy::new(&connection).await?,
+        })
+    }
+
+    pub async fn get_ssl_fingerprints(&self) -> Result<Vec<SSLFingerprint>, ServiceError> {
+        let dbus_list = self.security_proxy.ssl_fingerprints().await?;
+        dbus_list
+            .into_iter()
+            .map(|(alg, value)| {
+                Ok(SSLFingerprint {
+                    fingerprint: value,
+                    algorithm: alg.try_into()?,
+                })
+            })
+            .collect()
+    }
+
+    pub async fn set_ssl_fingerprints(
+        &self,
+        list: &Vec<SSLFingerprint>,
+    ) -> Result<(), ServiceError> {
+        let dbus_list: Vec<(&str, &str)> = list
+            .iter()
+            .map(|s| (s.algorithm.to_str(), s.fingerprint.as_str()))
+            .collect();
+        self.security_proxy.set_ssl_fingerprints(&dbus_list).await?;
+        Ok(())
+    }
+}

rust/agama-lib/src/security/http_client.rs

@@ -0,0 +1,46 @@
+// Copyright (c) [2024] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use crate::{base_http_client::BaseHTTPClient, error::ServiceError};
+
+use super::model::SSLFingerprint;
+
+pub struct SecurityHTTPClient {
+    client: BaseHTTPClient,
+}
+
+impl SecurityHTTPClient {
+    pub fn new(base: BaseHTTPClient) -> Self {
+        Self { client: base }
+    }
+
+    pub async fn get_ssl_fingerprints(&self) -> Result<Vec<SSLFingerprint>, ServiceError> {
+        self.client.get("/security/ssl_fingerprints").await
+    }
+
+    pub async fn set_ssl_fingerprints(
+        &self,
+        fps: &Vec<SSLFingerprint>,
+    ) -> Result<(), ServiceError> {
+        self.client
+            .put_void("/security/ssl_fingerprints", fps)
+            .await
+    }
+}

rust/agama-lib/src/security/model.rs

@@ -0,0 +1,61 @@
+// Copyright (c) [2025] SUSE LLC
+//
+// All Rights Reserved.
+//
+// This program is free software; you can redistribute it and/or modify it
+// under the terms of the GNU General Public License as published by the Free
+// Software Foundation; either version 2 of the License, or (at your option)
+// any later version.
+//
+// This program is distributed in the hope that it will be useful, but WITHOUT
+// ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+// FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+// more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, contact SUSE LLC.
+//
+// To contact SUSE LLC about this file by physical or electronic mail, you may
+// find current contact information at www.suse.com.
+
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
+pub enum SSLFingerprintAlgorithm {
+    SHA1,
+    SHA256,
+}
+
+impl TryFrom<String> for SSLFingerprintAlgorithm {
+    type Error = crate::ServiceError;
+
+    fn try_from(value: String) -> Result<Self, Self::Error> {
+        match value.to_uppercase().as_str() {
+            "SHA1" => Ok(Self::SHA1),
+            "SHA256" => Ok(Self::SHA256),
+            _ => Err(crate::error::ServiceError::UnsupportedSSLFingerprintAlgorithm(value)),
+        }
+    }
+}
+
+impl SSLFingerprintAlgorithm {
+    pub fn to_str(&self) -> &'static str {
+        match self {
+            SSLFingerprintAlgorithm::SHA1 => "SHA1",
+            SSLFingerprintAlgorithm::SHA256 => "SHA256",
+        }
+    }
+}
+
+impl Default for SSLFingerprintAlgorithm {
+    fn default() -> Self {
+        Self::SHA256
+    }
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema)]
+pub struct SSLFingerprint {
+    pub fingerprint: String,
+    #[serde(default)]
+    pub algorithm: SSLFingerprintAlgorithm,
+}