summaryrefslogtreecommitdiff
path: root/apt-pkg
diff options
context:
space:
mode:
authorJulian Andres Klode <julian.klode@canonical.com>2019-02-01 14:43:52 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2019-03-01 10:04:22 +0100
commit3bcecba71aa89511b17a8dbd9e176d8e88dc8be3 (patch)
tree3d3cbc3969552df5d7a4327a7710102dd216b135 /apt-pkg
parent58ebfeb08cf979c1702dfca44c258e2f176e4212 (diff)
Add a Packages-Require-Authorization Release file field
This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource. (cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618) LP: #1814727 (cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e) (cherry picked from commit 19075f52174199fe7665334ad1815c747c26c10b)
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/acquire-item.cc3
-rw-r--r--apt-pkg/contrib/netrc.cc35
-rw-r--r--apt-pkg/contrib/netrc.h4
-rw-r--r--apt-pkg/deb/debmetaindex.cc1
-rw-r--r--apt-pkg/pkgcache.h8
-rw-r--r--apt-pkg/policy.cc5
6 files changed, 52 insertions, 4 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 6ac893b1b..1469c0edd 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -27,6 +27,7 @@
#include <apt-pkg/acquire.h>
#include <apt-pkg/hashes.h>
#include <apt-pkg/indexfile.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/cacheiterators.h>
#include <apt-pkg/pkgrecords.h>
@@ -2952,6 +2953,8 @@ bool pkgAcqArchive::QueueNext()
// Ignore not source sources
if (PkgF.Flagged(pkgCache::Flag::NotSource))
continue;
+ if (PkgF.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(PkgF))
+ continue;
// Try to cross match against the source list
pkgIndexFile *Index;
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index 8840de72c..9c40aec05 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -14,6 +14,8 @@
#include <config.h>
#include <apt-pkg/configuration.h>
+#include <apt-pkg/error.h>
+#include <apt-pkg/fileutl.h>
#include <apt-pkg/strutl.h>
#include <iostream>
@@ -202,6 +204,39 @@ void maybe_add_auth (URI &Uri, string NetRCFile)
}
}
+/* Check if we are authorized. */
+bool IsAuthorized(pkgCache::PkgFileIterator const I)
+{
+ std::vector<std::string> authconfs;
+ if (authconfs.empty())
+ {
+ _error->PushToStack();
+ auto const netrc = _config->FindFile("Dir::Etc::netrc");
+ if (not netrc.empty())
+ authconfs.push_back(netrc);
+
+ auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts");
+ if (not netrcparts.empty())
+ {
+ for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true))
+ authconfs.push_back(netrc);
+ }
+ _error->RevertToStack();
+ }
+
+ // FIXME: Use the full base url
+ URI uri(std::string("http://") + I.Site() + "/");
+ for (auto &authconf : authconfs)
+ {
+ maybe_add_auth(uri, authconf);
+
+ if (not uri.User.empty() || not uri.Password.empty())
+ return true;
+ }
+
+ return false;
+}
+
#ifdef DEBUG
int main(int argc, char* argv[])
{
diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h
index b5b56f5d4..dbe2e1637 100644
--- a/apt-pkg/contrib/netrc.h
+++ b/apt-pkg/contrib/netrc.h
@@ -14,9 +14,12 @@
#ifndef NETRC_H
#define NETRC_H
+#include <memory>
#include <string>
+#include <vector>
#include <apt-pkg/macros.h>
+#include <apt-pkg/pkgcache.h>
#ifndef APT_8_CLEANER_HEADERS
#include <apt-pkg/strutl.h>
@@ -28,4 +31,5 @@
class URI;
void maybe_add_auth (URI &Uri, std::string NetRCFile);
+bool IsAuthorized(pkgCache::PkgFileIterator const I) APT_HIDDEN;
#endif
diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc
index 8b4430c9d..ce87fb569 100644
--- a/apt-pkg/deb/debmetaindex.cc
+++ b/apt-pkg/deb/debmetaindex.cc
@@ -765,6 +765,7 @@ bool debReleaseIndex::Merge(pkgCacheGenerator &Gen,OpProgress * /*Prog*/) const/
#undef APT_INRELEASE
Section.FindFlag("NotAutomatic", File->Flags, pkgCache::Flag::NotAutomatic);
Section.FindFlag("ButAutomaticUpgrades", File->Flags, pkgCache::Flag::ButAutomaticUpgrades);
+ Section.FindFlag("Packages-Require-Authorization", File->Flags, pkgCache::Flag::PackagesRequireAuthorization);
return true;
}
diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h
index 91228f713..f7325fd73 100644
--- a/apt-pkg/pkgcache.h
+++ b/apt-pkg/pkgcache.h
@@ -182,9 +182,11 @@ class pkgCache /*{{{*/
LocalSource=(1<<1), /*!< local sources can't and will not be verified by hashes */
NoPackages=(1<<2), /*!< the file includes no package records itself, but additions like Translations */
};
- enum ReleaseFileFlags {
- NotAutomatic=(1<<0), /*!< archive has a default pin of 1 */
- ButAutomaticUpgrades=(1<<1), /*!< (together with the previous) archive has a default pin of 100 */
+ enum ReleaseFileFlags
+ {
+ NotAutomatic = (1 << 0), /*!< archive has a default pin of 1 */
+ ButAutomaticUpgrades = (1 << 1), /*!< (together with the previous) archive has a default pin of 100 */
+ PackagesRequireAuthorization = (1 << 2), /*!< (together with the previous) archive has a default pin of 100 */
};
enum ProvidesFlags {
MultiArchImplicit=pkgCache::Dep::MultiArchImplicit, /*!< generated internally, not spelled out in the index */
diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc
index 22aebc49d..5ea7cd1d7 100644
--- a/apt-pkg/policy.cc
+++ b/apt-pkg/policy.cc
@@ -23,6 +23,7 @@
#include <apt-pkg/fileutl.h>
#include <apt-pkg/error.h>
#include <apt-pkg/cacheiterators.h>
+#include <apt-pkg/netrc.h>
#include <apt-pkg/pkgcache.h>
#include <apt-pkg/versionmatch.h>
#include <apt-pkg/version.h>
@@ -87,7 +88,7 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(nullptr), VerPins(nullptr),
// ---------------------------------------------------------------------
/* */
bool pkgPolicy::InitDefaults()
-{
+{
// Initialize the priorities based on the status of the package file
for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I)
{
@@ -98,6 +99,8 @@ bool pkgPolicy::InitDefaults()
PFPriority[I->ID] = 100;
else if (I.Flagged(pkgCache::Flag::NotAutomatic))
PFPriority[I->ID] = 1;
+ if (I.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(I))
+ PFPriority[I->ID] = NEVER_PIN;
}
// Apply the defaults..