summaryrefslogtreecommitdiff
path: root/test/integration
diff options
context:
space:
mode:
authorMichael Vogt <mvo@ubuntu.com>2014-10-01 12:21:55 +0200
committerMichael Vogt <mvo@ubuntu.com>2014-10-01 13:05:26 +0200
commitc99fe2e169243fc6e1a3278ce3768f0f521e260b (patch)
tree8b9c5141f4e90a02a1b342692b217c3567684a1d /test/integration
parent8d266656767f6c7c3946700c7052d0b8b6212742 (diff)
Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories}
The configuration key Acquire::AllowInsecureRepositories controls if apt allows loading of unsigned repositories at all. The configuration Acquire::AllowDowngradeToInsecureRepositories controls if a signed repository can ever become unsigned. This should really never be needed but we provide it to avoid having to mess around in /var/lib/apt/lists if there is a use-case for this (which I can't think of right now).
Diffstat (limited to 'test/integration')
-rwxr-xr-xtest/integration/test-apt-get-source-authenticated2
-rwxr-xr-xtest/integration/test-apt-get-update-unauth-warning4
-rwxr-xr-xtest/integration/test-apt-update-nofallback23
-rwxr-xr-xtest/integration/test-apt-update-rollback2
-rwxr-xr-xtest/integration/test-apt-update-unauth2
-rwxr-xr-xtest/integration/test-bug-596498-trusted-unsigned-repo2
-rwxr-xr-xtest/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted4
-rwxr-xr-xtest/integration/test-bug-717891-abolute-uris-for-proxies2
-rwxr-xr-xtest/integration/test-bug-738785-switch-protocol2
-rwxr-xr-xtest/integration/test-hashsum-verification2
-rwxr-xr-xtest/integration/test-policy-pinning2
11 files changed, 35 insertions, 12 deletions
diff --git a/test/integration/test-apt-get-source-authenticated b/test/integration/test-apt-get-source-authenticated
index d73097b54..d833ddd85 100755
--- a/test/integration/test-apt-get-source-authenticated
+++ b/test/integration/test-apt-get-source-authenticated
@@ -21,7 +21,7 @@ APTARCHIVE=$(readlink -f ./aptarchive)
rm -f $APTARCHIVE/dists/unstable/*Release*
# update without authenticated InRelease file
-testsuccess aptget update --allow-unauthenticated
+testsuccess aptget update --allow-insecure-repositories
# this all should fail
testfailure aptget install -y foo
diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning
index b1c676738..510249747 100755
--- a/test/integration/test-apt-get-update-unauth-warning
+++ b/test/integration/test-apt-get-update-unauth-warning
@@ -23,7 +23,7 @@ testequal "Ign file: unstable InRelease
Ign file: unstable Release
Reading package lists...
W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated.
-W: Use --allow-unauthenticated to force the update" aptget update
+W: Use --allow-insecure-repositories to force the update" aptget update
# no package foo
testequal "Listing..." apt list foo
@@ -32,7 +32,7 @@ testequal "Listing..." apt list foo
testequal "Ign file: unstable InRelease
Ign file: unstable Release
Reading package lists...
-W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-unauthenticated
+W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-insecure-repositories
# ensure we can not install the package
testequal "WARNING: The following packages cannot be authenticated!
diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 4e8ea9916..a53226e18 100755
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -78,6 +78,25 @@ test_from_release_gpg_to_unsigned()
assert_update_is_refused_and_last_good_state_used
}
+test_from_inrelease_to_unsigned_with_override()
+{
+ # setup archive with InRelease file
+ setupaptarchive_with_lists_clean
+ testsuccess aptget update
+
+ # simulate moving to a unsigned but otherwise valid repo
+ simulate_mitm_and_inject_evil_package
+ generatereleasefiles
+
+ # and ensure we can update to it (with enough force)
+ testsuccess aptget update --allow-insecure-repositories \
+ -o Acquire::AllowDowngradeToInsecureRepositories=1
+ # but that the individual packages are still considered untrusted
+ testequal "WARNING: The following packages cannot be authenticated!
+ evil
+E: There are problems and -y was used without --force-yes" aptget install -qq -y evil
+}
+
test_cve_2012_0214()
{
# see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
@@ -205,3 +224,7 @@ test_inrelease_to_invalid_inrelease
# ensure we revert to last good state if Release/Release.gpg does not verify
msgmsg "test_release_gpg_to_invalid_release_release_gpg"
test_release_gpg_to_invalid_release_release_gpg
+
+# ensure we can ovveride the downgrade error
+msgmsg "test_from_inrelease_to_unsigned"
+test_from_inrelease_to_unsigned_with_override
diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback
index e37be9554..ee8bc6926 100755
--- a/test/integration/test-apt-update-rollback
+++ b/test/integration/test-apt-update-rollback
@@ -114,7 +114,7 @@ test_unauthenticated_to_invalid_inrelease() {
rm $APTARCHIVE/dists/unstable/Release.gpg
avoid_ims_hit
- testsuccess aptget update -qq --allow-unauthenticated
+ testsuccess aptget update -qq --allow-insecure-repositories
testequal "WARNING: The following packages cannot be authenticated!
old
E: There are problems and -y was used without --force-yes" aptget install -qq -y old
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 5db8a3c16..ade523ea7 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -28,7 +28,7 @@ runtest() {
rm -f aptarchive/dists/unstable/*Release*
# remove uncompressed version
find aptarchive/ -name Packages | xargs rm -f
- aptget update -qq --allow-unauthenticated
+ aptget update -qq --allow-insecure-repositories
# become authenticated
generatereleasefiles
diff --git a/test/integration/test-bug-596498-trusted-unsigned-repo b/test/integration/test-bug-596498-trusted-unsigned-repo
index 973520a97..3104a70c2 100755
--- a/test/integration/test-bug-596498-trusted-unsigned-repo
+++ b/test/integration/test-bug-596498-trusted-unsigned-repo
@@ -12,7 +12,7 @@ setupaptarchive
aptgetupdate() {
rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin
- aptget update -qq --allow-unauthenticated
+ aptget update -qq --allow-insecure-repositories
}
PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)"
diff --git a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
index 276e10564..0736bb6dc 100755
--- a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
+++ b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
@@ -26,7 +26,7 @@ testrun() {
rm -rf rootdir/var/lib/apt
if [ "$1" = 'trusted' ]; then
- testsuccess aptget update
+ testsuccess aptget update
testsuccess aptget download cool
testfileexists 'cool_1.0_i386.deb'
@@ -34,7 +34,7 @@ testrun() {
testsuccess aptget download cool --allow-unauthenticated
testfileexists 'cool_1.0_i386.deb'
else
- testsuccess aptget update --allow-unauthenticated
+ testsuccess aptget update --allow-insecure-repositories
testfailure aptget download cool
testfilemissing 'cool_1.0_i386.deb'
diff --git a/test/integration/test-bug-717891-abolute-uris-for-proxies b/test/integration/test-bug-717891-abolute-uris-for-proxies
index a8947b5e2..54a616686 100755
--- a/test/integration/test-bug-717891-abolute-uris-for-proxies
+++ b/test/integration/test-bug-717891-abolute-uris-for-proxies
@@ -12,7 +12,7 @@ setupaptarchive
changetowebserver --request-absolute='uri'
msgtest 'Check that absolute paths are' 'not accepted'
-testfailure --nomsg aptget update --allow-unauthenticated
+testfailure --nomsg aptget update --allow-insecure-repositories
echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy
diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index 4ff044515..f81bba4b9 100755
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -60,4 +60,4 @@ mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS}
# check that downgrades from https to http are not allowed
webserverconfig 'aptwebserver::support::http' 'true'
sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
-testfailure aptget update --allow-unauthenticated
+testfailure aptget update --allow-insecure-repositories
diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
index 2db2bab0f..5f88110b3 100755
--- a/test/integration/test-hashsum-verification
+++ b/test/integration/test-hashsum-verification
@@ -70,7 +70,7 @@ runtest() {
rm -rf rootdir/var/lib/apt/lists
rm aptarchive/InRelease aptarchive/Release.gpg
msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
- aptget update --allow-unauthenticated >output.log 2>&1 || true
+ aptget update --allow-insecure-repositories >output.log 2>&1 || true
if grep -q "Hash Sum mismatch" output.log; then
msgpass
else
diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning
index 2281d7a1d..c08a2f103 100755
--- a/test/integration/test-policy-pinning
+++ b/test/integration/test-policy-pinning
@@ -28,7 +28,7 @@ Pinned packages:" aptcache policy $*
aptgetupdate() {
# just to be sure that no old files are used
rm -rf rootdir/var/lib/apt
- if aptget update --allow-unauthenticated -qq 2>&1 | grep '^E: '; then
+ if aptget update --allow-insecure-repositories -qq 2>&1 | grep '^E: '; then
msgwarn 'apt-get update failed with an error'
fi
}