authorJulian Andres Klode <julian.klode@canonical.com>2019-02-01 14:43:52 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2019-03-01 10:04:22 +0100
commit3bcecba71aa89511b17a8dbd9e176d8e88dc8be3 (patch)
tree3d3cbc3969552df5d7a4327a7710102dd216b135
parent58ebfeb08cf979c1702dfca44c258e2f176e4212 (diff)
Add a Packages-Require-Authorization Release file field
This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource. (cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618) LP: #1814727 (cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e) (cherry picked from commit 19075f52174199fe7665334ad1815c747c26c10b)
-rw-r--r--apt-pkg/acquire-item.cc3
-rw-r--r--apt-pkg/contrib/netrc.cc35
-rw-r--r--apt-pkg/contrib/netrc.h4
-rw-r--r--apt-pkg/deb/debmetaindex.cc1
-rw-r--r--apt-pkg/pkgcache.h8
-rw-r--r--apt-pkg/policy.cc5
-rwxr-xr-xtest/integration/test-packages-require-authorization61
7 files changed, 113 insertions, 4 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 6ac893b1b..1469c0edd 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -27,6 +27,7 @@
#include <apt-pkg/acquire.h>
#include <apt-pkg/hashes.h>
#include <apt-pkg/indexfile.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/cacheiterators.h>
#include <apt-pkg/pkgrecords.h>
@@ -2952,6 +2953,8 @@ bool pkgAcqArchive::QueueNext()
// Ignore not source sources
if (PkgF.Flagged(pkgCache::Flag::NotSource))
continue;
+ if (PkgF.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(PkgF))
+ continue;
// Try to cross match against the source list
pkgIndexFile *Index;
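Review bot: The new skip is not covered by the `// Ignore not source sources` comment above it, and a reader at this spot cannot tell why a package file is silently dropped instead of reported; add `// Repositories requiring authorization we hold no credentials for are treated like NotSource` above the new `if`. Note that `IsAuthorized(PkgF)` is evaluated for every candidate package file on every call, so any cost inside it (it re-reads the auth.conf(.d) files, see netrc.cc) is paid here repeatedly. The body of pkgAcqArchive::QueueNext starts and ends outside the hunk.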
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index 8840de72c..9c40aec05 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -14,6 +14,8 @@
#include <config.h>
#include <apt-pkg/configuration.h>
+#include <apt-pkg/error.h>
+#include <apt-pkg/fileutl.h>
#include <apt-pkg/strutl.h>
#include <iostream>
@@ -202,6 +204,39 @@ void maybe_add_auth (URI &Uri, string NetRCFile)
}
}
+/* Check if we are authorized. */
+bool IsAuthorized(pkgCache::PkgFileIterator const I)
+{
+ std::vector<std::string> authconfs;
+ if (authconfs.empty())
+ {
+ _error->PushToStack();
+ auto const netrc = _config->FindFile("Dir::Etc::netrc");
+ if (not netrc.empty())
+ authconfs.push_back(netrc);
+
+ auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts");
+ if (not netrcparts.empty())
+ {
+ for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true))
+ authconfs.push_back(netrc);
+ }
+ _error->RevertToStack();
+ }
+
+ // FIXME: Use the full base url
+ URI uri(std::string("http://") + I.Site() + "/");
+ for (auto &authconf : authconfs)
+ {
+ maybe_add_auth(uri, authconf);
+
+ if (not uri.User.empty() || not uri.Password.empty())
+ return true;
+ }
+
+ return false;
+}
+
#ifdef DEBUG
int main(int argc, char* argv[])
{
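Review bot: The guard `if (authconfs.empty())` is always true because `authconfs` is a fresh local vector, so the credential files are re-enumerated and re-parsed on every call, and the callers in pkgPolicy::InitDefaults and pkgAcqArchive::QueueNext invoke IsAuthorized once per package file; either drop the dead guard or, if caching across calls was intended, declare it `static std::vector<std::string> authconfs;` (a static would then ignore configuration changes made later in the same process, which should be stated in a comment). The `_error->PushToStack()` / `_error->RevertToStack()` pair discards any error raised while resolving `Dir::Etc::netrc` or enumerating `Dir::Etc::netrcparts`; that fails closed (the repository ends up unauthorized and pinned to -32768) but leaves the user with no diagnostic for why, so either merge the errors back with `_error->MergeWithStack()` or add a comment saying the discard is deliberate. The loop `for (auto &authconf : authconfs)` never mutates its elements and should be `for (auto const &authconf : authconfs)`. The header comment `/* Check if we are authorized. */` should also say that only `I.Site()` (the host) is matched, as the FIXME below it implies.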
diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h
index b5b56f5d4..dbe2e1637 100644
--- a/apt-pkg/contrib/netrc.h
+++ b/apt-pkg/contrib/netrc.h
@@ -14,9 +14,12 @@
#ifndef NETRC_H
#define NETRC_H
+#include <memory>
#include <string>
+#include <vector>
#include <apt-pkg/macros.h>
+#include <apt-pkg/pkgcache.h>
#ifndef APT_8_CLEANER_HEADERS
#include <apt-pkg/strutl.h>
@@ -28,4 +31,5 @@
class URI;
void maybe_add_auth (URI &Uri, std::string NetRCFile);
+bool IsAuthorized(pkgCache::PkgFileIterator const I) APT_HIDDEN;
#endif
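Review bot: The new `IsAuthorized` declaration carries no comment describing its contract, although it now gates both the default pin and download-source selection; the header should say that it returns true only when some auth.conf(.d) entry supplies a user or password for the package file's `Site()` host, that the repository path is not considered, and that it reads the configuration files on each call. Something like `/** Return true if an auth.conf(.d) entry supplies credentials for I.Site(); only the host is matched, not the repository path. */` above the declaration would do. The top-level `const` on the by-value parameter has no effect in a declaration and can be dropped to `bool IsAuthorized(pkgCache::PkgFileIterator I) APT_HIDDEN;`. The earlier hunk in this header adds `<memory>` and `<vector>`, which nothing in the visible declarations uses; if they are not required by the new `<apt-pkg/pkgcache.h>` include they can be dropped.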
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 8b4430c9d..ce87fb569 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -765,6 +765,7 @@ bool debReleaseIndex::Merge(pkgCacheGenerator &Gen,OpProgress * /*Prog*/) const/
#undef APT_INRELEASE
Section.FindFlag("NotAutomatic", File->Flags, pkgCache::Flag::NotAutomatic);
Section.FindFlag("ButAutomaticUpgrades", File->Flags, pkgCache::Flag::ButAutomaticUpgrades);
+ Section.FindFlag("Packages-Require-Authorization", File->Flags, pkgCache::Flag::PackagesRequireAuthorization);
return true;
}
diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h
index 91228f713..f7325fd73 100644
--- a/apt-pkg/pkgcache.h
+++ b/apt-pkg/pkgcache.h
@@ -182,9 +182,11 @@ class pkgCache /*{{{*/
LocalSource=(1<<1), /*!< local sources can't and will not be verified by hashes */
NoPackages=(1<<2), /*!< the file includes no package records itself, but additions like Translations */
};
- enum ReleaseFileFlags {
- NotAutomatic=(1<<0), /*!< archive has a default pin of 1 */
- ButAutomaticUpgrades=(1<<1), /*!< (together with the previous) archive has a default pin of 100 */
+ enum ReleaseFileFlags
+ {
+ NotAutomatic = (1 << 0), /*!< archive has a default pin of 1 */
+ ButAutomaticUpgrades = (1 << 1), /*!< (together with the previous) archive has a default pin of 100 */
+ PackagesRequireAuthorization = (1 << 2), /*!< (together with the previous) archive has a default pin of 100 */
};
enum ProvidesFlags {
MultiArchImplicit=pkgCache::Dep::MultiArchImplicit, /*!< generated internally, not spelled out in the index */
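Review bot: The Doxygen comment on the new `PackagesRequireAuthorization` enumerator is copied from `ButAutomaticUpgrades` and is wrong: it describes a default pin of 100 "together with the previous", whereas the commit gives such archives a pin of -32768 and excludes them as a download source when no credentials are found. Replace it with `PackagesRequireAuthorization = (1 << 2), /*!< archive requires credentials from auth.conf(.d); without them it is pinned to -32768 and not used as a download source */`. The hunk also rewrites the unchanged `NotAutomatic` and `ButAutomaticUpgrades` lines purely for spacing, which blurs blame on a public header; leaving them as they were would reduce the functional change to a one-line addition.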
diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc
index 22aebc49d..5ea7cd1d7 100644
--- a/apt-pkg/policy.cc
+++ b/apt-pkg/policy.cc
@@ -23,6 +23,7 @@
#include <apt-pkg/fileutl.h>
#include <apt-pkg/error.h>
#include <apt-pkg/cacheiterators.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/versionmatch.h>
#include <apt-pkg/version.h>
@@ -87,7 +88,7 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(nullptr), VerPins(nullptr),
// ---------------------------------------------------------------------
/* */
bool pkgPolicy::InitDefaults()
-{
+{
// Initialize the priorities based on the status of the package file
for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I)
{
@@ -98,6 +99,8 @@ bool pkgPolicy::InitDefaults()
PFPriority[I->ID] = 100;
else if (I.Flagged(pkgCache::Flag::NotAutomatic))
PFPriority[I->ID] = 1;
+ if (I.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(I))
+ PFPriority[I->ID] = NEVER_PIN;
}
// Apply the defaults..
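Review bot: The new `if` deliberately sits outside the `else if` chain above it so that NEVER_PIN overrides the NotAutomatic / ButAutomaticUpgrades defaults, but nothing says so and a later reader may "fix" it into the chain; add `// Requires authorization we cannot provide: never consider this file (takes precedence over the defaults above)` before it. NEVER_PIN is presumably the -32768 constant policy.cc already uses; confirm it is in scope at this point. Because the check runs inside the loop over every package file and IsAuthorized re-reads the auth.conf(.d) files on each call (see the netrc.cc hunk), the cost here grows with the number of package files. pkgPolicy::InitDefaults starts and ends outside the hunk.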
diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization
new file mode 100755
index 000000000..527497ce5
--- /dev/null
+++ b/test/integration/test-packages-require-authorization
@@ -0,0 +1,61 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'amd64'
+
+insertpackage 'unstable' 'cool' 'amd64' '1.0'
+
+export APT_DONT_SIGN='InRelease'
+setupaptarchive --no-update
+changetowebserver
+
+echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release
+signreleasefiles
+
+testsuccess aptget update
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+-32768 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+mkdir rootdir/etc/apt/auth.conf.d
+cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF
+machine localhost
+login username
+password usersPassword
+EOF
+
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 500 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:" aptcache policy
+
+
+cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF
+Package: *
+Pin: origin localhost
+Pin-Priority: 990
+
+Package: cool
+Pin: origin localhost
+Pin-Priority: 990
+EOF
+
+testsuccessequal "Package files:
+ 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status
+ release a=now
+ 990 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages
+ release a=unstable,n=sid,c=main,b=amd64
+ origin localhost
+Pinned packages:
+ cool -> 1.0 with priority 990" aptcache policy
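Review bot: The test only exercises the policy side of the change: nothing verifies the new skip in pkgAcqArchive::QueueNext, so a regression that let a download proceed from an unauthorized repository would pass. Adding an install attempt in both states would pin it, e.g. `testfailure aptget install cool` before the `myauth.conf` block and `testsuccess aptget install cool -y` after it. The final preferences.d case runs while `myauth.conf` still exists, so it does not show what an explicit `Pin: origin localhost` does to an unauthorized repository; running it once more after `rm rootdir/etc/apt/auth.conf.d/myauth.conf` would document whether a user pin can override the -32768 default, which matters given the description's intent to mimic NotSource. A short header comment stating what the three `aptcache policy` checks are meant to prove would also help the next reader.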