Add a Packages-Require-Authorization Release file field

This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource. (cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618) LP: #1814727 (cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e) (cherry picked from commit 19075f52174199fe7665334ad1815c747c26c10b) Conflicts: apt-pkg/deb/debmetaindex.cc apt-pkg/pkgcache.h
author: Julian Andres Klode <julian.klode@canonical.com> 2019-02-01 14:43:52 +0100
committer: Julian Andres Klode <julian.klode@canonical.com> 2019-03-01 11:41:24 +0000
commit: cc67debf273087c44f39a63363553577eb0fcb9c (patch)
tree: 1ef10f169fc86b0c3775376171429f5172fa0b2f /apt-pkg
parent: 25c024910b4c051461a9842d9fe0efc04748c908 (diff)
6 files changed, 49 insertions, 2 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 4ddab943c..da51a1ee7 100644
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -28,6 +28,7 @@
 #include <apt-pkg/acquire.h>
 #include <apt-pkg/hashes.h>
 #include <apt-pkg/indexfile.h>
+#include <apt-pkg/netrc.h>
 #include <apt-pkg/pkgcache.h>
 #include <apt-pkg/cacheiterators.h>
 #include <apt-pkg/pkgrecords.h>
@@ -1998,6 +1999,8 @@ bool pkgAcqArchive::QueueNext()
       // Ignore not source sources
       if ((Vf.File()->Flags & pkgCache::Flag::NotSource) != 0)
 	 continue;
+      if ((Vf.File()->Flags & pkgCache::Flag::PackagesRequireAuthorization) == pkgCache::Flag::PackagesRequireAuthorization && !IsAuthorized(Vf.File()))
+	 continue;
 
       // Try to cross match against the source list
       pkgIndexFile *Index;
diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc
index feaed67c8..661f9ad95 100644
--- a/apt-pkg/contrib/netrc.cc
+++ b/apt-pkg/contrib/netrc.cc
@@ -14,6 +14,8 @@
 #include <config.h>
 
 #include <apt-pkg/configuration.h>
+#include <apt-pkg/error.h>
+#include <apt-pkg/fileutl.h>
 #include <apt-pkg/strutl.h>
 
 #include <iostream>
@@ -214,6 +216,40 @@ void maybe_add_auth (URI &Uri, string NetRCFile)
   }
 }
 
+/* Check if we are authorized. */
+bool IsAuthorized(pkgCache::PkgFileIterator const I)
+{
+  std::vector<std::string> authconfs;
+   if (authconfs.empty())
+   {
+      _error->PushToStack();
+      std::string const netrc = _config->FindFile("Dir::Etc::netrc");
+      if (not netrc.empty())
+	 authconfs.push_back(netrc);
+
+      std::string const netrcparts = _config->FindDir("Dir::Etc::netrcparts");
+      if (not netrcparts.empty())
+      {
+	std::vector<std::string> files = GetListOfFilesInDir(netrcparts, "conf", true, true);
+	 for (std::vector<std::string>::const_iterator i = files.begin(); i != files.end(); i++)
+	    authconfs.push_back(*i);
+      }
+      _error->RevertToStack();
+   }
+
+   // FIXME: Use the full base url
+   URI uri(std::string("http://") + I.Site() + "/");
+   for (std::vector<std::string>::const_iterator i = authconfs.begin(); i != authconfs.end(); i++)
+   {
+      maybe_add_auth(uri, *i);
+
+      if (not uri.User.empty() || not uri.Password.empty())
+	 return true;
+   }
+
+   return false;
+}
+
 #ifdef DEBUG
 int main(int argc, char* argv[])
 {
diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h
index dbeb45386..3f22413c5 100644
--- a/apt-pkg/contrib/netrc.h
+++ b/apt-pkg/contrib/netrc.h
@@ -14,9 +14,12 @@
 #ifndef NETRC_H
 #define NETRC_H
 
+#include <memory>
 #include <string>
+#include <vector>
 
 #include <apt-pkg/macros.h>
+#include <apt-pkg/pkgcache.h>
 
 #ifndef APT_8_CLEANER_HEADERS
 #include <apt-pkg/strutl.h>
@@ -32,4 +35,5 @@ class URI;
 APT_DEPRECATED int parsenetrc (char *host, char *login, char *password, char *filename);
 
 void maybe_add_auth (URI &Uri, std::string NetRCFile);
+bool IsAuthorized(pkgCache::PkgFileIterator const I) APT_HIDDEN;
 #endif
diff --git a/apt-pkg/deb/deblistparser.cc b/apt-pkg/deb/deblistparser.cc
index 02b9cb239..7c18286fc 100644
--- a/apt-pkg/deb/deblistparser.cc
+++ b/apt-pkg/deb/deblistparser.cc
@@ -926,6 +926,7 @@ bool debListParser::LoadReleaseInfo(pkgCache::PkgFileIterator &FileI,
    #undef APT_INRELEASE
    Section.FindFlag("NotAutomatic", FileI->Flags, pkgCache::Flag::NotAutomatic);
    Section.FindFlag("ButAutomaticUpgrades", FileI->Flags, pkgCache::Flag::ButAutomaticUpgrades);
+   Section.FindFlag("Packages-Require-Authorization", FileI->Flags, pkgCache::Flag::PackagesRequireAuthorization);
 
    return !_error->PendingError();
 }
diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h
index 5e8a9630a..69a222bd0 100644
--- a/apt-pkg/pkgcache.h
+++ b/apt-pkg/pkgcache.h
@@ -149,7 +149,7 @@ class pkgCache								/*{{{*/
    struct Flag
    {
       enum PkgFlags {Auto=(1<<0),Essential=(1<<3),Important=(1<<4)};
-      enum PkgFFlags {NotSource=(1<<0),NotAutomatic=(1<<1),ButAutomaticUpgrades=(1<<2)};
+      enum PkgFFlags {NotSource=(1<<0),NotAutomatic=(1<<1),ButAutomaticUpgrades=(1<<2), PackagesRequireAuthorization = (1 << 3)};
    };
    
    protected:
diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc
index a44bd7efe..8fadc9fa0 100644
--- a/apt-pkg/policy.cc
+++ b/apt-pkg/policy.cc
@@ -35,6 +35,7 @@
 #include <apt-pkg/error.h>
 #include <apt-pkg/sptr.h>
 #include <apt-pkg/cacheiterators.h>
+#include <apt-pkg/netrc.h>
 #include <apt-pkg/pkgcache.h>
 #include <apt-pkg/versionmatch.h>
 
@@ -94,7 +95,7 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(0), PFPriority(0), Cache(Owner)
 // ---------------------------------------------------------------------
 /* */
 bool pkgPolicy::InitDefaults()
-{   
+{
    // Initialize the priorities based on the status of the package file
    for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I)
    {
@@ -105,6 +106,8 @@ bool pkgPolicy::InitDefaults()
 	 PFPriority[I->ID] = 100;
       else if ((I->Flags & pkgCache::Flag::NotAutomatic) == pkgCache::Flag::NotAutomatic)
 	 PFPriority[I->ID] = 1;
+      if ((I->Flags & pkgCache::Flag::PackagesRequireAuthorization) == pkgCache::Flag::PackagesRequireAuthorization && !IsAuthorized(I))
+	 PFPriority[I->ID] = NEVER_PIN;
    }
 
    // Apply the defaults..
author	Julian Andres Klode <julian.klode@canonical.com>	2019-02-01 14:43:52 +0100
committer	Julian Andres Klode <julian.klode@canonical.com>	2019-03-01 11:41:24 +0000
commit	cc67debf273087c44f39a63363553577eb0fcb9c (patch)
tree	1ef10f169fc86b0c3775376171429f5172fa0b2f /apt-pkg
parent	25c024910b4c051461a9842d9fe0efc04748c908 (diff)