diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2016-03-18 12:50:02 +0100 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2016-06-22 14:05:01 +0200 |
| commit | b1bdfe682054ea6fc202416968c5342d59b403b1 (patch) | |
| tree | 1183d520bb5826deef7d6872a0254c6c1e76d23e /test | |
| parent | ab94dcece2465f824bea80fc9158bf9a028b2e87 (diff) | |
generalize secure->insecure downgrade protection
Handling the extra check (and force requirement) for downgrades in
security in our AllowInsecureRepositories checker helps in having this
check everywhere instead of just in the most common place and requiring
a little extra force in such cases is always good.
Diffstat (limited to 'test')
| -rwxr-xr-x | test/integration/test-apt-update-nofallback | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index c8a008214..40fbae560 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -93,6 +93,30 @@ test_from_inrelease_to_unsigned_with_override() find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \; # and ensure we can update to it (with enough force) + testfailure aptget update + testfailure aptget update --allow-insecure-repositories + testwarning aptget update --allow-insecure-repositories \ + -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 + # but that the individual packages are still considered untrusted + testfailureequal "WARNING: The following packages cannot be authenticated! + evil +E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y evil +} + +test_from_inrelease_to_norelease_with_override() +{ + # setup archive with InRelease file + setupaptarchive_with_lists_clean + testsuccess aptget update + + # simulate moving to a unsigned but otherwise valid repo + simulate_mitm_and_inject_evil_package + find "$APTARCHIVE" -name '*Release*' -delete + find "$APTARCHIVE" -name '*Packages*' -exec touch -d '+2 hours' {} \; + + # and ensure we can update to it (with enough force) + testfailure aptget update + testfailure aptget update --allow-insecure-repositories testwarning aptget update --allow-insecure-repositories \ -o Acquire::AllowDowngradeToInsecureRepositories=1 -o Debug::pkgAcquire::Worker=1 -o Debug::pkgAcquire::Auth=1 # but that the individual packages are still considered untrusted @@ -237,3 +261,5 @@ test_release_gpg_to_invalid_release_release_gpg # ensure we can override the downgrade error msgmsg "test_from_inrelease_to_unsigned_with_override" test_from_inrelease_to_unsigned_with_override +msgmsg "test_from_inrelease_to_norelease_with_override" +test_from_inrelease_to_norelease_with_override |