authorJulian Andres Klode <jak@debian.org>2019-02-04 12:44:08 +0000
committerJulian Andres Klode <jak@debian.org>2019-02-04 12:44:08 +0000
commit3a015964dd56edf897ee062b2eafa2cfc0584380 (patch)
treeb7c47f960d6281195ea7fd3f90a6404b939df134
parentd5dcc2e9d3008b57c3fae0bcb5b1c2a197f5430c (diff)
parentc2b9b0489538fed4770515bd8853a960b13a2618 (diff)
Merge branch 'pu/dead-pin' into 'master'
A pin of -32768 overrides any other, disables repo. See merge request apt-team/apt!40
-rw-r--r--apt-pkg/acquire-item.cc4
-rw-r--r--apt-pkg/contrib/netrc.cc44
-rw-r--r--apt-pkg/contrib/netrc.h4
-rw-r--r--apt-pkg/deb/debmetaindex.cc1
-rw-r--r--apt-pkg/pkgcache.h8
-rw-r--r--apt-pkg/policy.cc29
-rwxr-xr-xtest/integration/test-packages-require-authorization61
-rwxr-xr-xtest/integration/test-policy-pinning65
8 files changed, 206 insertions, 10 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 755e1fb59..bb3bc1b56 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -25,6 +25,7 @@
#include <apt-pkg/hashes.h>
#include <apt-pkg/indexfile.h>
#include <apt-pkg/metaindex.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/pkgrecords.h>
#include <apt-pkg/sourcelist.h>
@@ -3394,6 +3395,7 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc
StoreFilename.clear();
std::set<string> targetComponents, targetCodenames, targetSuites;
+ std::vector<std::unique_ptr<FileFd>> authconfs;
for (auto Vf = Version.FileList(); Vf.end() == false; ++Vf)
{
auto const PkgF = Vf.File();
@@ -3401,6 +3403,8 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc
continue;
if (PkgF.Flagged(pkgCache::Flag::NotSource))
continue;
+ if (PkgF.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(PkgF, authconfs))
+ continue;
pkgIndexFile *Index;
if (Sources->FindIndex(PkgF, Index) == false)
continue;
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index 84b4c0ed8..48114ba3c 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -13,6 +13,7 @@
#include <config.h>
#include <apt-pkg/configuration.h>
+#include <apt-pkg/error.h>
#include <apt-pkg/fileutl.h>
#include <apt-pkg/strutl.h>
@@ -149,3 +150,46 @@ void maybe_add_auth(URI &Uri, std::string NetRCFile)
if (fd.Open(NetRCFile, FileFd::ReadOnly))
MaybeAddAuth(fd, Uri);
}
+
+/* Check if we are authorized. */
+bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr<FileFd>> &authconfs)
+{
+ if (authconfs.empty())
+ {
+ _error->PushToStack();
+ auto const netrc = _config->FindFile("Dir::Etc::netrc");
+ if (not netrc.empty())
+ {
+ authconfs.emplace_back(new FileFd());
+ authconfs.back()->Open(netrc, FileFd::ReadOnly);
+ }
+
+ auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts");
+ if (not netrcparts.empty())
+ {
+ for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true))
+ {
+ authconfs.emplace_back(new FileFd());
+ authconfs.back()->Open(netrc, FileFd::ReadOnly);
+ }
+ }
+ _error->RevertToStack();
+ }
+
+ // FIXME: Use the full base url
+ URI uri(std::string("http://") + I.Site() + "/");
+ for (auto &authconf : authconfs)
+ {
+ if (not authconf->IsOpen())
+ continue;
+ if (not authconf->Seek(0))
+ continue;
+
+ MaybeAddAuth(*authconf, uri);
+
+ if (not uri.User.empty() || not uri.Password.empty())
+ return true;
+ }
+
+ return false;
+}
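Review bot: The comment `/* Check if we are authorized. */` on IsAuthorized overstates what the function establishes: it returns true as soon as any auth file yields a non-empty `User` or `Password` for `http://<Site>/`, which shows that credentials are configured locally, not that the server accepts them. The comment should say so, e.g. `/* Returns true if a netrc/auth.conf entry supplies a login or password for this file's site; the credentials are not validated. */`, and the FIXME should note that only the host part is matched until the full base URL is used. Separately, `authconfs.empty()` doubles as the "not loaded yet" marker, so when no auth file exists the config lookup and directory listing are repeated on every call; a separate loaded flag would avoid that. `authconfs.emplace_back(new FileFd())` would also be safer as `authconfs.push_back(std::make_unique<FileFd>())`, if the project's language level allows it.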
diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h
index 981494064..80d95acc1 100644
--- a/apt-pkg/contrib/netrc.h
+++ b/apt-pkg/contrib/netrc.h
@@ -13,9 +13,12 @@
#ifndef NETRC_H
#define NETRC_H
+#include <memory>
#include <string>
+#include <vector>
#include <apt-pkg/macros.h>
+#include <apt-pkg/pkgcache.h>
#ifndef APT_8_CLEANER_HEADERS
#include <apt-pkg/strutl.h>
@@ -32,4 +35,5 @@ class FileFd;
APT_DEPRECATED_MSG("Use FileFd-based MaybeAddAuth instead")
void maybe_add_auth(URI &Uri, std::string NetRCFile);
bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri);
+bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr<FileFd>> &authconfs) APT_HIDDEN;
#endif
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 1afcdf2c0..f88076abf 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -918,6 +918,7 @@ bool debReleaseIndex::Merge(pkgCacheGenerator &Gen,OpProgress * /*Prog*/) const/
#undef APT_INRELEASE
Section.FindFlag("NotAutomatic", File->Flags, pkgCache::Flag::NotAutomatic);
Section.FindFlag("ButAutomaticUpgrades", File->Flags, pkgCache::Flag::ButAutomaticUpgrades);
+ Section.FindFlag("Packages-Require-Authorization", File->Flags, pkgCache::Flag::PackagesRequireAuthorization);
return true;
}
diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h
index 5c33c7073..787e3995f 100644
--- a/apt-pkg/pkgcache.h
+++ b/apt-pkg/pkgcache.h
@@ -182,9 +182,11 @@ class pkgCache /*{{{*/
LocalSource=(1<<1), /*!< local sources can't and will not be verified by hashes */
NoPackages=(1<<2), /*!< the file includes no package records itself, but additions like Translations */
};
- enum ReleaseFileFlags {
- NotAutomatic=(1<<0), /*!< archive has a default pin of 1 */
- ButAutomaticUpgrades=(1<<1), /*!< (together with the previous) archive has a default pin of 100 */
+ enum ReleaseFileFlags
+ {
+ NotAutomatic = (1 << 0), /*!< archive has a default pin of 1 */
+ ButAutomaticUpgrades = (1 << 1), /*!< (together with the previous) archive has a default pin of 100 */
+ PackagesRequireAuthorization = (1 << 2), /*!< (together with the previous) archive has a default pin of 100 */
};
enum ProvidesFlags {
MultiArchImplicit=pkgCache::Dep::MultiArchImplicit, /*!< generated internally, not spelled out in the index */
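Review bot: The doc comment on the new `PackagesRequireAuthorization` enumerator is a copy of the one on `ButAutomaticUpgrades` and describes a default pin of 100, which is not what the flag does elsewhere in this commit (policy.cc sets such files to `NEVER_PIN` when `IsAuthorized` fails). Suggest `/*!< archive is pinned to never unless credentials for its site are configured */`. Since this text ends up in generated API documentation, the wrong description would mislead anyone auditing how the flag gates a repository.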
diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc
index d7eb43c0f..7986aa506 100644
--- a/apt-pkg/policy.cc
+++ b/apt-pkg/policy.cc
@@ -18,6 +18,7 @@
#include <apt-pkg/configuration.h>
#include <apt-pkg/error.h>
#include <apt-pkg/fileutl.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/policy.h>
#include <apt-pkg/strutl.h>
@@ -38,6 +39,8 @@
using namespace std;
+constexpr short NEVER_PIN = std::numeric_limits<short>::min();
+
// Policy::Init - Startup and bind to a cache /*{{{*/
// ---------------------------------------------------------------------
/* Set the defaults for operation. The default mode with no loaded policy
@@ -85,7 +88,8 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(nullptr), VerPins(nullptr),
// ---------------------------------------------------------------------
/* */
bool pkgPolicy::InitDefaults()
-{
+{
+ std::vector<std::unique_ptr<FileFd>> authconfs;
// Initialize the priorities based on the status of the package file
for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I)
{
@@ -96,6 +100,8 @@ bool pkgPolicy::InitDefaults()
PFPriority[I->ID] = 100;
else if (I.Flagged(pkgCache::Flag::NotAutomatic))
PFPriority[I->ID] = 1;
+ if (I.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(I, authconfs))
+ PFPriority[I->ID] = NEVER_PIN;
}
// Apply the defaults..
@@ -107,7 +113,7 @@ bool pkgPolicy::InitDefaults()
pkgVersionMatch Match(I->Data,I->Type);
for (pkgCache::PkgFileIterator F = Cache->FileBegin(); F != Cache->FileEnd(); ++F)
{
- if (Fixed[F->ID] == false && Match.FileMatch(F) == true)
+ if ((Fixed[F->ID] == false || I->Priority == NEVER_PIN) && PFPriority[F->ID] != NEVER_PIN && Match.FileMatch(F) == true)
{
PFPriority[F->ID] = I->Priority;
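Review bot: The widened condition in the default-pin loop encodes two precedence rules that are hard to read from the expression alone: a `never` pin applies even to a file whose priority is already `Fixed`, and a file already at `NEVER_PIN` (including one set by the authorization check earlier in InitDefaults) is no longer changed by any later pin. Because the second rule is what stops a preferences entry from re-enabling an archive that lacks credentials, it deserves a comment above the `if`, e.g. `// A never pin overrides fixed priorities; a file that is already never-pinned stays that way.` The loop body continues past the end of this hunk.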
@@ -271,7 +277,14 @@ APT_PURE signed short pkgPolicy::GetPriority(pkgCache::PkgIterator const &Pkg)
APT_PURE signed short pkgPolicy::GetPriority(pkgCache::VerIterator const &Ver, bool ConsiderFiles)
{
if (VerPins[Ver->ID].Type != pkgVersionMatch::None)
- return VerPins[Ver->ID].Priority;
+ {
+ // If all sources are never pins, the never pin wins.
+ if (VerPins[Ver->ID].Priority == NEVER_PIN)
+ return NEVER_PIN;
+ for (pkgCache::VerFileIterator file = Ver.FileList(); file.end() == false; file++)
+ if (GetPriority(file.File()) != NEVER_PIN)
+ return VerPins[Ver->ID].Priority;
+ }
if (!ConsiderFiles)
return 0;
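Review bot: When a version has a non-never pin but every file in `Ver.FileList()` is at `NEVER_PIN`, the new block leaves the `if` without returning, so with `ConsiderFiles == false` the next statement returns 0 rather than `NEVER_PIN`, which does not match the comment "the never pin wins". If 0 is not intended on that path, add `return NEVER_PIN;` after the loop (a version with an empty file list would then need its own handling). If it is intended, the comment should say that the decision is deferred to the per-file priorities below. The rest of GetPriority lies outside the hunk, so the `ConsiderFiles` behaviour is inferred only from the two visible lines.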
@@ -388,9 +401,17 @@ bool ReadPinFile(pkgPolicy &Plcy,string File)
for (; Word != End && isspace(*Word) != 0; Word++);
_error->PushToStack();
- int const priority = Tags.FindI("Pin-Priority", 0);
+ std::string sPriority = Tags.FindS("Pin-Priority");
+ int priority = sPriority == "never" ? NEVER_PIN : Tags.FindI("Pin-Priority", 0);
bool const newError = _error->PendingError();
_error->MergeWithStack();
+
+ if (sPriority == "never" && not Name.empty())
+ return _error->Error(_("%s: The special 'Pin-Priority: %s' can only be used for 'Package: *' records"), File.c_str(), "never");
+
+ // Silently clamp the never pin to never pin + 1
+ if (priority == NEVER_PIN && sPriority != "never")
+ priority = NEVER_PIN + 1;
if (priority < std::numeric_limits<short>::min() ||
priority > std::numeric_limits<short>::max() ||
newError) {
diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization
new file mode 100755
index 000000000..527497ce5
--- /dev/null
+++ b/test/integration/test-packages-require-authorization
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+insertpackage 'unstable' 'cool' 'amd64' '1.0'
+
+export APT_DONT_SIGN='InRelease'
+setupaptarchive --no-update
+changetowebserver
+
+echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release
+signreleasefiles
+
+testsuccess aptget update
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+-32768 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+mkdir rootdir/etc/apt/auth.conf.d
+cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF
+machine localhost
+login username
+password usersPassword
+EOF
+
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 500 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+
+cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF
+Package: *
+Pin: origin localhost
+Pin-Priority: 990
+
+Package: cool
+Pin: origin localhost
+Pin-Priority: 990
+EOF
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 990 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:
+ cool -> 1.0 with priority 990" aptcache policy
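Review bot: The new test only compares `aptcache policy` output, so the `pkgAcqArchive` change in acquire-item.cc that skips files failing `IsAuthorized` is never exercised. Nothing checks either that a preferences pin cannot re-enable the archive while credentials are absent. Before `auth.conf.d/myauth.conf` is written I would add a negative case such as `testfailure aptget install cool -s`, and repeat the policy check with `myauth.pref` in place but no auth file. The exact expected output is not visible on this page and would need to be filled in from a run.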
diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning
index 5676d1457..35e178871 100755
--- a/test/integration/test-policy-pinning
+++ b/test/integration/test-policy-pinning
@@ -315,15 +315,16 @@ testsuccessequal "coolstuff:
Installed: 2.0~bpo1
Candidate: $2
Version table:
- 2.0~bpo2 $1
- $1 file:${tmppath}/aptarchive backports/main all Packages
+ 2.0~bpo2 ${3:-$1}
+ ${3:-$1} file:${tmppath}/aptarchive backports/main all Packages
*** 2.0~bpo1 100
100 ${tmppath}/rootdir/var/lib/dpkg/status
1.0 500
500 file:${tmppath}/aptarchive stable/main all Packages" apt policy coolstuff
}
currentpin '32767' '2.0~bpo2'
-currentpin '-32768' '2.0~bpo1'
+currentpin '-32768' '2.0~bpo1' '-32767'
+currentpin '-32767' '2.0~bpo1' '-32767'
# Check for 0
echo "Package: coolstuff
@@ -359,3 +360,61 @@ testsuccessequal "coolstuff:
100 ${tmppath}/rootdir/var/lib/dpkg/status
1.0 500
500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+# Check for override pins
+
+# Normal pins: First one wins
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 990
+
+Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 991
+" > rootdir/etc/apt/preferences
+
+testsuccessequal "coolstuff:
+ Installed: 2.0~bpo1
+ Candidate: 2.0~bpo2
+ Version table:
+ 2.0~bpo2 990
+ 100 file:${tmppath}/aptarchive backports/main all Packages
+ *** 2.0~bpo1 100
+ 100 ${tmppath}/rootdir/var/lib/dpkg/status
+ 1.0 500
+ 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: 990
+
+Package: *
+Pin: release n=backports
+Pin-Priority: never
+" > rootdir/etc/apt/preferences
+
+testsuccessequal "coolstuff:
+ Installed: 2.0~bpo1
+ Candidate: 2.0~bpo1
+ Version table:
+ 2.0~bpo2 -32768
+ -32768 file:${tmppath}/aptarchive backports/main all Packages
+ *** 2.0~bpo1 100
+ 100 ${tmppath}/rootdir/var/lib/dpkg/status
+ 1.0 500
+ 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff
+
+
+
+
+# Check for 0
+echo "Package: coolstuff
+Pin: release n=backports
+Pin-Priority: never
+" > rootdir/etc/apt/preferences
+
+testfailureequal "Reading package lists...
+E: ${tmppath}/rootdir/etc/apt/preferences: The special 'Pin-Priority: never' can only be used for 'Package: *' records" \
+ aptget install -s coolstuff -o PinPriority=0
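Review bot: The last added block is labelled `# Check for 0` and passes `-o PinPriority=0`, both apparently carried over from the earlier zero-priority case, but what it asserts is that `Pin-Priority: never` is rejected on a record that is not `Package: *`. Relabel it, e.g. `# 'never' is only accepted for 'Package: *' records`, and drop the `-o PinPriority=0` option if nothing in this case reads it. The heading `# Check for override pins` above could likewise state the expected outcome of the second case, namely that a `Package: *` never pin wins over an earlier specific pin.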