authorJulian Andres Klode <julian.klode@canonical.com>2019-12-04 13:58:38 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2020-01-15 22:07:25 +0100
commita9916c3faa2b8c6fa288599efec65868d050b0ef (patch)
treea16aee2e340d061e7820bc0ea87f8c64b372faea
parent5db3a38926aa820546c411dd9f49f57eea24cd9e (diff)
netrc: Add warning when ignoring entries for unencrypted protocols
Commit 93f33052de84e9aeaf19c92291d043dad2665bbd restricted auth.conf entries to only apply to https by default, but this was silent - there was no information why http sources with auth.conf entries suddenly started failing. Add such information, and extend test case to cover it.
-rw-r--r--apt-pkg/contrib/netrc.cc24
-rw-r--r--methods/aptmethod.h12
-rwxr-xr-xtest/integration/test-authentication-basic2
3 files changed, 29 insertions, 9 deletions
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index 2069a0394..4f5206e6c 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -11,6 +11,7 @@
##################################################################### */
/*}}}*/
#include <config.h>
+#include <apti18n.h>
#include <apt-pkg/configuration.h>
#include <apt-pkg/error.h>
@@ -47,6 +48,8 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
std::string line;
while (NetRCFile.Eof() == false || line.empty() == false)
{
+ bool protocolSpecified = false;
+
if (line.empty())
{
if (NetRCFile.ReadLine(line) == false)
@@ -75,7 +78,8 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
// If token contains a protocol: Check it first, and strip it away if
// it matches. If it does not match, ignore this stanza.
// If there is no protocol, only allow https protocols.
- if (token.find("://") != std::string::npos)
+ protocolSpecified = token.find("://") != std::string::npos;
+ if (protocolSpecified)
{
if (not APT::String::Startswith(token, Uri.Access + "://"))
{
@@ -84,14 +88,7 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
}
token.erase(0, Uri.Access.length() + 3);
}
- else if (Uri.Access != "https" && Uri.Access != "tor+https")
- {
- if (Debug)
- std::clog << "MaybeAddAuth: Rejecting matching host adding '" << Uri.User << "' and '" << Uri.Password << "' for "
- << (std::string)Uri << " from " << NetRCFile.Name() << "as the protocol is not https" << std::endl;
- active_token = NO;
- break;
- }
+
if (token.find('/') == std::string::npos)
{
if (Uri.Port != 0 && Uri.Host == token)
@@ -108,6 +105,15 @@ bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri)
else
active_token = NO;
}
+
+ if (active_token == GOOD_MACHINE && not protocolSpecified)
+ {
+ if (Uri.Access != "https" && Uri.Access != "tor+https")
+ {
+ _error->Warning(_("%s: Credentials for %s match, but the protocol is not encrypted. Annotate with %s:// to use."), NetRCFile.Name().c_str(), token.c_str(), Uri.Access.c_str());
+ active_token = NO;
+ }
+ }
break;
case GOOD_MACHINE:
if (token == "login")
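Review bot: The new block under `if (active_token == GOOD_MACHINE && not protocolSpecified)` now carries the policy decision but has no comment of its own; the comment describing it ("If there is no protocol, only allow https protocols") sits further up, at the protocol-stripping code where the check used to live. I would add a comment directly above the block, e.g. `// Entry has no protocol prefix: only release credentials over https/tor+https, otherwise warn and skip.` The scheme list is hard-coded in `Uri.Access != "https" && Uri.Access != "tor+https"`, so that comment should also say that any further encrypted transport has to be added here. The warning prints only the file name, the machine token and the scheme, never `Uri.User` or `Uri.Password`, and it should stay that way if the message is ever extended. MaybeAddAuth starts and ends outside this hunk.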
diff --git a/methods/aptmethod.h b/methods/aptmethod.h
index 5d792ceb7..de931dd7e 100644
--- a/methods/aptmethod.h
+++ b/methods/aptmethod.h
@@ -525,6 +525,7 @@ class aptAuthConfMethod : public aptMethod
if (uri.User.empty() == false || uri.Password.empty() == false)
return true;
+ _error->PushToStack();
for (auto &authconf : authconfs)
{
if (authconf->IsOpen() == false)
@@ -538,6 +539,17 @@ class aptAuthConfMethod : public aptMethod
result &= MaybeAddAuth(*authconf, uri);
}
+ if (not _error->empty())
+ {
+ std::string message;
+ while (not _error->empty())
+ {
+ _error->PopMessage(message);
+ Warning("%s", message.c_str());
+ }
+ }
+ _error->RevertToStack();
+
return result;
}
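Review bot: The drain loop discards the return value of `_error->PopMessage(message)` and re-emits every queued item through `Warning("%s", message.c_str())`, so anything queued as an error between `PushToStack()` and `RevertToStack()` would reach the user only as a warning (PopMessage appears to return whether the popped item was an error; confirm against apt-pkg's error.h). If the downgrade is intended because failure is already carried by `result`, state that above the loop, e.g. `// Everything queued while reading auth.conf is reported as a warning; failure is carried by result.`; otherwise branch on the return value. The outer `if (not _error->empty())` is redundant with the `while` condition and can be dropped. The function begins outside the hunk, and part of the `for` loop body lies between the two hunks and is not visible here.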
diff --git a/test/integration/test-authentication-basic b/test/integration/test-authentication-basic
index 5aafaade0..784a00c03 100755
--- a/test/integration/test-authentication-basic
+++ b/test/integration/test-authentication-basic
@@ -96,6 +96,8 @@ password hunter2"
if [ "$protocol" = "https" ]; then
testauthsuccess "$1"
else
+ testfailure apthelper download-file "${1}/bash" ./downloaded/bash
+ testsuccessequal "W: ${1}/bash: ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf: Credentials for localhost match, but the protocol is not encrypted. Annotate with http:// to use." grep "Credentials.*match" rootdir/tmp/testfailure.output
testauthfailure "$1"
fi