diff options
author | Julian Andres Klode <jak@debian.org> | 2019-02-04 12:44:08 +0000 |
---|---|---|
committer | Julian Andres Klode <jak@debian.org> | 2019-02-04 12:44:08 +0000 |
commit | 3a015964dd56edf897ee062b2eafa2cfc0584380 (patch) | |
tree | b7c47f960d6281195ea7fd3f90a6404b939df134 | |
parent | d5dcc2e9d3008b57c3fae0bcb5b1c2a197f5430c (diff) | |
parent | c2b9b0489538fed4770515bd8853a960b13a2618 (diff) |
Merge branch 'pu/dead-pin' into 'master'
A pin of -32768 overrides any other, disables repo
See merge request apt-team/apt!40
-rw-r--r-- | apt-pkg/acquire-item.cc | 4 | ||||
-rw-r--r-- | apt-pkg/contrib/netrc.cc | 44 | ||||
-rw-r--r-- | apt-pkg/contrib/netrc.h | 4 | ||||
-rw-r--r-- | apt-pkg/deb/debmetaindex.cc | 1 | ||||
-rw-r--r-- | apt-pkg/pkgcache.h | 8 | ||||
-rw-r--r-- | apt-pkg/policy.cc | 29 | ||||
-rwxr-xr-x | test/integration/test-packages-require-authorization | 61 | ||||
-rwxr-xr-x | test/integration/test-policy-pinning | 65 |
8 files changed, 206 insertions, 10 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 755e1fb59..bb3bc1b56 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -25,6 +25,7 @@ #include <apt-pkg/hashes.h> #include <apt-pkg/indexfile.h> #include <apt-pkg/metaindex.h> +#include <apt-pkg/netrc.h> #include <apt-pkg/pkgcache.h> #include <apt-pkg/pkgrecords.h> #include <apt-pkg/sourcelist.h> @@ -3394,6 +3395,7 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc StoreFilename.clear(); std::set<string> targetComponents, targetCodenames, targetSuites; + std::vector<std::unique_ptr<FileFd>> authconfs; for (auto Vf = Version.FileList(); Vf.end() == false; ++Vf) { auto const PkgF = Vf.File(); @@ -3401,6 +3403,8 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc continue; if (PkgF.Flagged(pkgCache::Flag::NotSource)) continue; + if (PkgF.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(PkgF, authconfs)) + continue; pkgIndexFile *Index; if (Sources->FindIndex(PkgF, Index) == false) continue; diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index 84b4c0ed8..48114ba3c 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc @@ -13,6 +13,7 @@ #include <config.h> #include <apt-pkg/configuration.h> +#include <apt-pkg/error.h> #include <apt-pkg/fileutl.h> #include <apt-pkg/strutl.h> @@ -149,3 +150,46 @@ void maybe_add_auth(URI &Uri, std::string NetRCFile) if (fd.Open(NetRCFile, FileFd::ReadOnly)) MaybeAddAuth(fd, Uri); } + +/* Check if we are authorized. */ +bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr<FileFd>> &authconfs) +{ + if (authconfs.empty()) + { + _error->PushToStack(); + auto const netrc = _config->FindFile("Dir::Etc::netrc"); + if (not netrc.empty()) + { + authconfs.emplace_back(new FileFd()); + authconfs.back()->Open(netrc, FileFd::ReadOnly); + } + + auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true)) + { + authconfs.emplace_back(new FileFd()); + authconfs.back()->Open(netrc, FileFd::ReadOnly); + } + } + _error->RevertToStack(); + } + + // FIXME: Use the full base url + URI uri(std::string("http://") + I.Site() + "/"); + for (auto &authconf : authconfs) + { + if (not authconf->IsOpen()) + continue; + if (not authconf->Seek(0)) + continue; + + MaybeAddAuth(*authconf, uri); + + if (not uri.User.empty() || not uri.Password.empty()) + return true; + } + + return false; +} diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h index 981494064..80d95acc1 100644 --- a/apt-pkg/contrib/netrc.h +++ b/apt-pkg/contrib/netrc.h @@ -13,9 +13,12 @@ #ifndef NETRC_H #define NETRC_H +#include <memory> #include <string> +#include <vector> #include <apt-pkg/macros.h> +#include <apt-pkg/pkgcache.h> #ifndef APT_8_CLEANER_HEADERS #include <apt-pkg/strutl.h> @@ -32,4 +35,5 @@ class FileFd; APT_DEPRECATED_MSG("Use FileFd-based MaybeAddAuth instead") void maybe_add_auth(URI &Uri, std::string NetRCFile); bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri); +bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector<std::unique_ptr<FileFd>> &authconfs) APT_HIDDEN; #endif diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 1afcdf2c0..f88076abf 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -918,6 +918,7 @@ bool debReleaseIndex::Merge(pkgCacheGenerator &Gen,OpProgress * /*Prog*/) const/ #undef APT_INRELEASE Section.FindFlag("NotAutomatic", File->Flags, pkgCache::Flag::NotAutomatic); Section.FindFlag("ButAutomaticUpgrades", File->Flags, pkgCache::Flag::ButAutomaticUpgrades); + Section.FindFlag("Packages-Require-Authorization", File->Flags, pkgCache::Flag::PackagesRequireAuthorization); return true; } diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h index 5c33c7073..787e3995f 100644 --- a/apt-pkg/pkgcache.h +++ b/apt-pkg/pkgcache.h @@ -182,9 +182,11 @@ class pkgCache /*{{{*/ LocalSource=(1<<1), /*!< local sources can't and will not be verified by hashes */ NoPackages=(1<<2), /*!< the file includes no package records itself, but additions like Translations */ }; - enum ReleaseFileFlags { - NotAutomatic=(1<<0), /*!< archive has a default pin of 1 */ - ButAutomaticUpgrades=(1<<1), /*!< (together with the previous) archive has a default pin of 100 */ + enum ReleaseFileFlags + { + NotAutomatic = (1 << 0), /*!< archive has a default pin of 1 */ + ButAutomaticUpgrades = (1 << 1), /*!< (together with the previous) archive has a default pin of 100 */ + PackagesRequireAuthorization = (1 << 2), /*!< (together with the previous) archive has a default pin of 100 */ }; enum ProvidesFlags { MultiArchImplicit=pkgCache::Dep::MultiArchImplicit, /*!< generated internally, not spelled out in the index */ diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc index d7eb43c0f..7986aa506 100644 --- a/apt-pkg/policy.cc +++ b/apt-pkg/policy.cc @@ -18,6 +18,7 @@ #include <apt-pkg/configuration.h> #include <apt-pkg/error.h> #include <apt-pkg/fileutl.h> +#include <apt-pkg/netrc.h> #include <apt-pkg/pkgcache.h> #include <apt-pkg/policy.h> #include <apt-pkg/strutl.h> @@ -38,6 +39,8 @@ using namespace std; +constexpr short NEVER_PIN = std::numeric_limits<short>::min(); + // Policy::Init - Startup and bind to a cache /*{{{*/ // --------------------------------------------------------------------- /* Set the defaults for operation. The default mode with no loaded policy @@ -85,7 +88,8 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(nullptr), VerPins(nullptr), // --------------------------------------------------------------------- /* */ bool pkgPolicy::InitDefaults() -{ +{ + std::vector<std::unique_ptr<FileFd>> authconfs; // Initialize the priorities based on the status of the package file for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I) { @@ -96,6 +100,8 @@ bool pkgPolicy::InitDefaults() PFPriority[I->ID] = 100; else if (I.Flagged(pkgCache::Flag::NotAutomatic)) PFPriority[I->ID] = 1; + if (I.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(I, authconfs)) + PFPriority[I->ID] = NEVER_PIN; } // Apply the defaults.. @@ -107,7 +113,7 @@ bool pkgPolicy::InitDefaults() pkgVersionMatch Match(I->Data,I->Type); for (pkgCache::PkgFileIterator F = Cache->FileBegin(); F != Cache->FileEnd(); ++F) { - if (Fixed[F->ID] == false && Match.FileMatch(F) == true) + if ((Fixed[F->ID] == false || I->Priority == NEVER_PIN) && PFPriority[F->ID] != NEVER_PIN && Match.FileMatch(F) == true) { PFPriority[F->ID] = I->Priority; @@ -271,7 +277,14 @@ APT_PURE signed short pkgPolicy::GetPriority(pkgCache::PkgIterator const &Pkg) APT_PURE signed short pkgPolicy::GetPriority(pkgCache::VerIterator const &Ver, bool ConsiderFiles) { if (VerPins[Ver->ID].Type != pkgVersionMatch::None) - return VerPins[Ver->ID].Priority; + { + // If all sources are never pins, the never pin wins. + if (VerPins[Ver->ID].Priority == NEVER_PIN) + return NEVER_PIN; + for (pkgCache::VerFileIterator file = Ver.FileList(); file.end() == false; file++) + if (GetPriority(file.File()) != NEVER_PIN) + return VerPins[Ver->ID].Priority; + } if (!ConsiderFiles) return 0; @@ -388,9 +401,17 @@ bool ReadPinFile(pkgPolicy &Plcy,string File) for (; Word != End && isspace(*Word) != 0; Word++); _error->PushToStack(); - int const priority = Tags.FindI("Pin-Priority", 0); + std::string sPriority = Tags.FindS("Pin-Priority"); + int priority = sPriority == "never" ? NEVER_PIN : Tags.FindI("Pin-Priority", 0); bool const newError = _error->PendingError(); _error->MergeWithStack(); + + if (sPriority == "never" && not Name.empty()) + return _error->Error(_("%s: The special 'Pin-Priority: %s' can only be used for 'Package: *' records"), File.c_str(), "never"); + + // Silently clamp the never pin to never pin + 1 + if (priority == NEVER_PIN && sPriority != "never") + priority = NEVER_PIN + 1; if (priority < std::numeric_limits<short>::min() || priority > std::numeric_limits<short>::max() || newError) { diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization new file mode 100755 index 000000000..527497ce5 --- /dev/null +++ b/test/integration/test-packages-require-authorization @@ -0,0 +1,61 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +insertpackage 'unstable' 'cool' 'amd64' '1.0' + +export APT_DONT_SIGN='InRelease' +setupaptarchive --no-update +changetowebserver + +echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release +signreleasefiles + +testsuccess aptget update +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now +-32768 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages:" aptcache policy + +mkdir rootdir/etc/apt/auth.conf.d +cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF +machine localhost +login username +password usersPassword +EOF + + +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 500 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages:" aptcache policy + + +cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF +Package: * +Pin: origin localhost +Pin-Priority: 990 + +Package: cool +Pin: origin localhost +Pin-Priority: 990 +EOF + +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 990 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages: + cool -> 1.0 with priority 990" aptcache policy diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 5676d1457..35e178871 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -315,15 +315,16 @@ testsuccessequal "coolstuff: Installed: 2.0~bpo1 Candidate: $2 Version table: - 2.0~bpo2 $1 - $1 file:${tmppath}/aptarchive backports/main all Packages + 2.0~bpo2 ${3:-$1} + ${3:-$1} file:${tmppath}/aptarchive backports/main all Packages *** 2.0~bpo1 100 100 ${tmppath}/rootdir/var/lib/dpkg/status 1.0 500 500 file:${tmppath}/aptarchive stable/main all Packages" apt policy coolstuff } currentpin '32767' '2.0~bpo2' -currentpin '-32768' '2.0~bpo1' +currentpin '-32768' '2.0~bpo1' '-32767' +currentpin '-32767' '2.0~bpo1' '-32767' # Check for 0 echo "Package: coolstuff @@ -359,3 +360,61 @@ testsuccessequal "coolstuff: 100 ${tmppath}/rootdir/var/lib/dpkg/status 1.0 500 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff + + +# Check for override pins + +# Normal pins: First one wins +echo "Package: coolstuff +Pin: release n=backports +Pin-Priority: 990 + +Package: coolstuff +Pin: release n=backports +Pin-Priority: 991 +" > rootdir/etc/apt/preferences + +testsuccessequal "coolstuff: + Installed: 2.0~bpo1 + Candidate: 2.0~bpo2 + Version table: + 2.0~bpo2 990 + 100 file:${tmppath}/aptarchive backports/main all Packages + *** 2.0~bpo1 100 + 100 ${tmppath}/rootdir/var/lib/dpkg/status + 1.0 500 + 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff + + +echo "Package: coolstuff +Pin: release n=backports +Pin-Priority: 990 + +Package: * +Pin: release n=backports +Pin-Priority: never +" > rootdir/etc/apt/preferences + +testsuccessequal "coolstuff: + Installed: 2.0~bpo1 + Candidate: 2.0~bpo1 + Version table: + 2.0~bpo2 -32768 + -32768 file:${tmppath}/aptarchive backports/main all Packages + *** 2.0~bpo1 100 + 100 ${tmppath}/rootdir/var/lib/dpkg/status + 1.0 500 + 500 file:${tmppath}/aptarchive stable/main all Packages" aptcache policy coolstuff + + + + +# Check for 0 +echo "Package: coolstuff +Pin: release n=backports +Pin-Priority: never +" > rootdir/etc/apt/preferences + +testfailureequal "Reading package lists... +E: ${tmppath}/rootdir/etc/apt/preferences: The special 'Pin-Priority: never' can only be used for 'Package: *' records" \ + aptget install -s coolstuff -o PinPriority=0 |