diff options
author | Julian Andres Klode <julian.klode@canonical.com> | 2019-02-01 14:43:52 +0100 |
---|---|---|
committer | Julian Andres Klode <julian.klode@canonical.com> | 2019-03-01 11:41:24 +0000 |
commit | cc67debf273087c44f39a63363553577eb0fcb9c (patch) | |
tree | 1ef10f169fc86b0c3775376171429f5172fa0b2f | |
parent | 25c024910b4c051461a9842d9fe0efc04748c908 (diff) |
Add a Packages-Require-Authorization Release file field
This new field allows a repository to declare that access to
packages requires authorization. The current implementation will
set the pin to -32768 if no authorization has been provided in
the auth.conf(.d) files.
This implementation is suboptimal in two aspects:
(1) A repository should behave more like NotSource repositories
(2) We only have the host name for the repository, we cannot use
paths yet.
- We can fix those after an ABI break.
The code also adds a check to acquire-item.cc to not use the
specified repository as a download source, mimicking NotSource.
(cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618)
LP: #1814727
(cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e)
(cherry picked from commit 19075f52174199fe7665334ad1815c747c26c10b)
Conflicts:
apt-pkg/deb/debmetaindex.cc
apt-pkg/pkgcache.h
-rw-r--r-- | apt-pkg/acquire-item.cc | 3 | ||||
-rw-r--r-- | apt-pkg/contrib/netrc.cc | 36 | ||||
-rw-r--r-- | apt-pkg/contrib/netrc.h | 4 | ||||
-rw-r--r-- | apt-pkg/deb/deblistparser.cc | 1 | ||||
-rw-r--r-- | apt-pkg/pkgcache.h | 2 | ||||
-rw-r--r-- | apt-pkg/policy.cc | 5 | ||||
-rwxr-xr-x | test/integration/test-packages-require-authorization | 61 |
7 files changed, 110 insertions, 2 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 4ddab943c..da51a1ee7 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -28,6 +28,7 @@ #include <apt-pkg/acquire.h> #include <apt-pkg/hashes.h> #include <apt-pkg/indexfile.h> +#include <apt-pkg/netrc.h> #include <apt-pkg/pkgcache.h> #include <apt-pkg/cacheiterators.h> #include <apt-pkg/pkgrecords.h> @@ -1998,6 +1999,8 @@ bool pkgAcqArchive::QueueNext() // Ignore not source sources if ((Vf.File()->Flags & pkgCache::Flag::NotSource) != 0) continue; + if ((Vf.File()->Flags & pkgCache::Flag::PackagesRequireAuthorization) == pkgCache::Flag::PackagesRequireAuthorization && !IsAuthorized(Vf.File())) + continue; // Try to cross match against the source list pkgIndexFile *Index; diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index feaed67c8..661f9ad95 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc @@ -14,6 +14,8 @@ #include <config.h> #include <apt-pkg/configuration.h> +#include <apt-pkg/error.h> +#include <apt-pkg/fileutl.h> #include <apt-pkg/strutl.h> #include <iostream> @@ -214,6 +216,40 @@ void maybe_add_auth (URI &Uri, string NetRCFile) } } +/* Check if we are authorized. */ +bool IsAuthorized(pkgCache::PkgFileIterator const I) +{ + std::vector<std::string> authconfs; + if (authconfs.empty()) + { + _error->PushToStack(); + std::string const netrc = _config->FindFile("Dir::Etc::netrc"); + if (not netrc.empty()) + authconfs.push_back(netrc); + + std::string const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + std::vector<std::string> files = GetListOfFilesInDir(netrcparts, "conf", true, true); + for (std::vector<std::string>::const_iterator i = files.begin(); i != files.end(); i++) + authconfs.push_back(*i); + } + _error->RevertToStack(); + } + + // FIXME: Use the full base url + URI uri(std::string("http://") + I.Site() + "/"); + for (std::vector<std::string>::const_iterator i = authconfs.begin(); i != authconfs.end(); i++) + { + maybe_add_auth(uri, *i); + + if (not uri.User.empty() || not uri.Password.empty()) + return true; + } + + return false; +} + #ifdef DEBUG int main(int argc, char* argv[]) { diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h index dbeb45386..3f22413c5 100644 --- a/apt-pkg/contrib/netrc.h +++ b/apt-pkg/contrib/netrc.h @@ -14,9 +14,12 @@ #ifndef NETRC_H #define NETRC_H +#include <memory> #include <string> +#include <vector> #include <apt-pkg/macros.h> +#include <apt-pkg/pkgcache.h> #ifndef APT_8_CLEANER_HEADERS #include <apt-pkg/strutl.h> @@ -32,4 +35,5 @@ class URI; APT_DEPRECATED int parsenetrc (char *host, char *login, char *password, char *filename); void maybe_add_auth (URI &Uri, std::string NetRCFile); +bool IsAuthorized(pkgCache::PkgFileIterator const I) APT_HIDDEN; #endif diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc index 02b9cb239..7c18286fc 100644 --- a/apt-pkg/deb/deblistparser.cc +++ b/apt-pkg/deb/deblistparser.cc @@ -926,6 +926,7 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI, #undef APT_INRELEASE Section.FindFlag("NotAutomatic", FileI->Flags, pkgCache::Flag::NotAutomatic); Section.FindFlag("ButAutomaticUpgrades", FileI->Flags, pkgCache::Flag::ButAutomaticUpgrades); + Section.FindFlag("Packages-Require-Authorization", FileI->Flags, pkgCache::Flag::PackagesRequireAuthorization); return !_error->PendingError(); } diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h index 5e8a9630a..69a222bd0 100644 --- a/apt-pkg/pkgcache.h +++ b/apt-pkg/pkgcache.h @@ -149,7 +149,7 @@ class pkgCache /*{{{*/ struct Flag { enum PkgFlags {Auto=(1<<0),Essential=(1<<3),Important=(1<<4)}; - enum PkgFFlags {NotSource=(1<<0),NotAutomatic=(1<<1),ButAutomaticUpgrades=(1<<2)}; + enum PkgFFlags {NotSource=(1<<0),NotAutomatic=(1<<1),ButAutomaticUpgrades=(1<<2), PackagesRequireAuthorization = (1 << 3)}; }; protected: diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc index a44bd7efe..8fadc9fa0 100644 --- a/apt-pkg/policy.cc +++ b/apt-pkg/policy.cc @@ -35,6 +35,7 @@ #include <apt-pkg/error.h> #include <apt-pkg/sptr.h> #include <apt-pkg/cacheiterators.h> +#include <apt-pkg/netrc.h> #include <apt-pkg/pkgcache.h> #include <apt-pkg/versionmatch.h> @@ -94,7 +95,7 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(0), PFPriority(0), Cache(Owner) // --------------------------------------------------------------------- /* */ bool pkgPolicy::InitDefaults() -{ +{ // Initialize the priorities based on the status of the package file for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I) { @@ -105,6 +106,8 @@ bool pkgPolicy::InitDefaults() PFPriority[I->ID] = 100; else if ((I->Flags & pkgCache::Flag::NotAutomatic) == pkgCache::Flag::NotAutomatic) PFPriority[I->ID] = 1; + if ((I->Flags & pkgCache::Flag::PackagesRequireAuthorization) == pkgCache::Flag::PackagesRequireAuthorization && !IsAuthorized(I)) + PFPriority[I->ID] = NEVER_PIN; } // Apply the defaults.. diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization new file mode 100755 index 000000000..803957c5e --- /dev/null +++ b/test/integration/test-packages-require-authorization @@ -0,0 +1,61 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +insertpackage 'unstable' 'cool' 'amd64' '1.0' + +export APT_DONT_SIGN='InRelease' +setupaptarchive --no-update +changetowebserver + +echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release +signreleasefiles + +testsuccess aptget update +testequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now +-32768 http://localhost:8080/ unstable/main amd64 Packages + release a=unstable,n=sid,c=main + origin localhost +Pinned packages:" aptcache policy + +mkdir rootdir/etc/apt/auth.conf.d +cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF +machine localhost +login username +password usersPassword +EOF + + +testequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 500 http://localhost:8080/ unstable/main amd64 Packages + release a=unstable,n=sid,c=main + origin localhost +Pinned packages:" aptcache policy + + +cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF +Package: * +Pin: origin localhost +Pin-Priority: 990 + +Package: cool +Pin: origin localhost +Pin-Priority: 990 +EOF + +testequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 990 http://localhost:8080/ unstable/main amd64 Packages + release a=unstable,n=sid,c=main + origin localhost +Pinned packages: + cool -> 1.0" aptcache policy |