diff options
author | Julian Andres Klode <julian.klode@canonical.com> | 2019-02-05 16:57:47 +0100 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2019-03-01 10:04:22 +0100 |
commit | 58ebfeb08cf979c1702dfca44c258e2f176e4212 (patch) | |
tree | 9ea86bad7912cacefc146b301646a4dd9d719613 | |
parent | 08e35a30d5c1829580b155d8951314168c859456 (diff) |
Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)
This allows us to install matching auth files for sources.list.d
files, for example; very useful.
The chmod() stuff we inherited from auth.conf handling is awful, but
what can we do? It's not needed anymore in later versions, as they open
files before dropping privileges, but ugh, not backporting that.
(parts cherry-picked from commit feed3ec105cd6be7b5d23da14c6cfca8572ee725)
LP: #1811120
-rw-r--r-- | apt-pkg/acquire.cc | 10 | ||||
-rw-r--r-- | apt-pkg/init.cc | 1 | ||||
-rw-r--r-- | methods/ftp.cc | 16 | ||||
-rw-r--r-- | methods/http.cc | 17 | ||||
-rw-r--r-- | methods/https.cc | 15 | ||||
-rwxr-xr-x | test/integration/test-authentication-basic | 18 |
6 files changed, 75 insertions, 2 deletions
diff --git a/apt-pkg/acquire.cc b/apt-pkg/acquire.cc index ed0ddf7ac..bf1c3a4fe 100644 --- a/apt-pkg/acquire.cc +++ b/apt-pkg/acquire.cc @@ -87,6 +87,16 @@ void pkgAcquire::Initialize() if(AuthConf.empty() == false && RealFileExists(AuthConf) && chown(AuthConf.c_str(), pw->pw_uid, gr->gr_gid) != 0) _error->WarningE("SetupAPTPartialDirectory", "chown to %s:root of file %s failed", SandboxUser.c_str(), AuthConf.c_str()); + + std::string const AuthParts = _config->FindDir("Dir::Etc::netrcparts"); + if (AuthParts.empty() == false && DirectoryExists(AuthParts)) + { + for (auto const &AuthConf : GetListOfFilesInDir(AuthParts, "conf", true, true)) + { + if (RealFileExists(AuthConf) && chown(AuthConf.c_str(), pw->pw_uid, gr->gr_gid) != 0) + _error->WarningE("SetupAPTPartialDirectory", "chown to %s:root of file %s failed", SandboxUser.c_str(), AuthConf.c_str()); + } + } } } } diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc index f5ca43465..645df044e 100644 --- a/apt-pkg/init.cc +++ b/apt-pkg/init.cc @@ -63,6 +63,7 @@ bool pkgInitConfig(Configuration &Cnf) Cnf.CndSet("Dir::Etc::sourceparts","sources.list.d"); Cnf.CndSet("Dir::Etc::main","apt.conf"); Cnf.CndSet("Dir::Etc::netrc", "auth.conf"); + Cnf.CndSet("Dir::Etc::netrcparts", "auth.conf.d"); Cnf.CndSet("Dir::Etc::parts","apt.conf.d"); Cnf.CndSet("Dir::Etc::preferences","preferences"); Cnf.CndSet("Dir::Etc::preferencesparts","preferences.d"); diff --git a/methods/ftp.cc b/methods/ftp.cc index edb758a81..cb45a816a 100644 --- a/methods/ftp.cc +++ b/methods/ftp.cc @@ -1018,6 +1018,22 @@ bool FtpMethod::Fetch(FetchItem *Itm) Res.IMSHit = false; maybe_add_auth (Get, _config->FindFile("Dir::Etc::netrc")); + if(Get.User.empty() || Get.Password.empty()) + { + auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + _error->PushToStack(); + for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true)) + { + maybe_add_auth (Get, netrc); + if (Get.User.empty() == false || Get.Password.empty() == false) + break; + } + _error->RevertToStack(); + } + } + // Connect to the server if (Server == 0 || Server->Comp(Get) == false) diff --git a/methods/http.cc b/methods/http.cc index 96b24a146..699d801f0 100644 --- a/methods/http.cc +++ b/methods/http.cc @@ -748,7 +748,24 @@ void HttpMethod::SendReq(FetchItem *Itm) Req << "Proxy-Authorization: Basic " << Base64Encode(Server->Proxy.User + ":" + Server->Proxy.Password) << "\r\n"; + maybe_add_auth (Uri, _config->FindFile("Dir::Etc::netrc")); + if(Uri.User.empty() || Uri.Password.empty()) + { + auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + _error->PushToStack(); + for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true)) + { + maybe_add_auth (Uri, netrc); + if (Uri.User.empty() == false || Uri.Password.empty() == false) + break; + } + _error->RevertToStack(); + } + } + if (Uri.User.empty() == false || Uri.Password.empty() == false) Req << "Authorization: Basic " << Base64Encode(Uri.User + ":" + Uri.Password) << "\r\n"; diff --git a/methods/https.cc b/methods/https.cc index 85733ecd4..ea4b33c6d 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -240,6 +240,21 @@ bool HttpsMethod::Fetch(FetchItem *Itm) SetupProxy(); maybe_add_auth (Uri, _config->FindFile("Dir::Etc::netrc")); + if(Uri.User.empty() || Uri.Password.empty()) + { + auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + _error->PushToStack(); + for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true)) + { + maybe_add_auth (Uri, netrc); + if (Uri.User.empty() == false || Uri.Password.empty() == false) + break; + } + _error->RevertToStack(); + } + } // The "+" is encoded as a workaround for a amazon S3 bug // see LP bugs #1003633 and #1086997. (taken from http method) diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic index 9a15c7604..124b85eab 100755 --- a/test/integration/test-authentication-basic +++ b/test/integration/test-authentication-basic @@ -13,6 +13,7 @@ setupaptarchive --no-update changetohttpswebserver --authorization="$(printf '%s' 'star@irc:hunter2' | base64 )" echo 'See, when YOU type hunter2, it shows to us as *******' > aptarchive/bash +echo 'Debug::Acquire::netrc "true";' > rootdir/etc/apt/apt.conf.d/netrcdebug.conf testauthfailure() { testfailure apthelper download-file "${1}/bash" ./downloaded/bash @@ -48,7 +49,8 @@ Conf foo (1 unstable [all])' aptget install foo -s } authfile() { - local AUTHCONF='rootdir/etc/apt/auth.conf' + local AUTHCONF="${2:-rootdir/etc/apt/auth.conf}" + mkdir -p "$(dirname "$AUTHCONF")" rm -f "$AUTHCONF" printf '%s' "$1" > "$AUTHCONF" chmod 600 "$AUTHCONF" @@ -80,6 +82,16 @@ machine localhost login star@irc password hunter2' testauthsuccess "$1" + + # delete file, make sure it fails; add auth.conf.d snippet, works again. + rm rootdir/etc/apt/auth.conf + testauthfailure "$1" + + authfile 'machine localhost +login star@irc +password hunter2' rootdir/etc/apt/auth.conf.d/myauth.conf + testauthsuccess "$1" + rm rootdir/etc/apt/auth.conf.d/myauth.conf } msgmsg 'server basic auth' @@ -94,7 +106,9 @@ rewritesourceslist "http://localhost:${APTHTTPPORT}" msgmsg 'proxy to server basic auth' webserverconfig 'aptwebserver::request::absolute' 'uri' -export http_proxy="http://localhost:${APTHTTPPORT}" +# using ip instead of localhost avoids picking up the auth for the repo +# for the proxy as well as we serve them both over the same server… +export http_proxy="http://127.0.0.1:${APTHTTPPORT}" runtest "http://localhost:${APTHTTPPORT}" unset http_proxy |