From 19075f52174199fe7665334ad1815c747c26c10b Mon Sep 17 00:00:00 2001 From: Julian Andres Klode Date: Fri, 1 Feb 2019 14:43:52 +0100 Subject: Add a Packages-Require-Authorization Release file field This new field allows a repository to declare that access to packages requires authorization. The current implementation will set the pin to -32768 if no authorization has been provided in the auth.conf(.d) files. This implementation is suboptimal in two aspects: (1) A repository should behave more like NotSource repositories (2) We only have the host name for the repository, we cannot use paths yet. - We can fix those after an ABI break. The code also adds a check to acquire-item.cc to not use the specified repository as a download source, mimicking NotSource. (cherry picked from commit c2b9b0489538fed4770515bd8853a960b13a2618) LP: #1814727 (cherry picked from commit d75162bc67d5a1a690eb2a8747d31ad68353823e) --- apt-pkg/acquire-item.cc | 4 ++ apt-pkg/contrib/netrc.cc | 44 ++++++++++++++++ apt-pkg/contrib/netrc.h | 4 ++ apt-pkg/deb/debmetaindex.cc | 1 + apt-pkg/pkgcache.h | 8 +-- apt-pkg/policy.cc | 6 ++- .../test-packages-require-authorization | 61 ++++++++++++++++++++++ 7 files changed, 124 insertions(+), 4 deletions(-) create mode 100755 test/integration/test-packages-require-authorization diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 3e858175c..3cedb5950 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -3374,6 +3375,7 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc StoreFilename.clear(); std::set targetComponents, targetCodenames, targetSuites; + std::vector> authconfs; for (auto Vf = Version.FileList(); Vf.end() == false; ++Vf) { auto const PkgF = Vf.File(); @@ -3381,6 +3383,8 @@ pkgAcqArchive::pkgAcqArchive(pkgAcquire *const Owner, pkgSourceList *const Sourc continue; if (PkgF.Flagged(pkgCache::Flag::NotSource)) continue; + if (PkgF.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(PkgF, authconfs)) + continue; pkgIndexFile *Index; if (Sources->FindIndex(PkgF, Index) == false) continue; diff --git a/apt-pkg/contrib/netrc.cc b/apt-pkg/contrib/netrc.cc index ed8b2aa88..f741bc684 100644 --- a/apt-pkg/contrib/netrc.cc +++ b/apt-pkg/contrib/netrc.cc @@ -14,6 +14,7 @@ #include #include +#include #include #include @@ -150,3 +151,46 @@ void maybe_add_auth(URI &Uri, std::string NetRCFile) if (fd.Open(NetRCFile, FileFd::ReadOnly)) MaybeAddAuth(fd, Uri); } + +/* Check if we are authorized. */ +bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector> &authconfs) +{ + if (authconfs.empty()) + { + _error->PushToStack(); + auto const netrc = _config->FindFile("Dir::Etc::netrc"); + if (not netrc.empty()) + { + authconfs.emplace_back(new FileFd()); + authconfs.back()->Open(netrc, FileFd::ReadOnly); + } + + auto const netrcparts = _config->FindDir("Dir::Etc::netrcparts"); + if (not netrcparts.empty()) + { + for (auto const &netrc : GetListOfFilesInDir(netrcparts, "conf", true, true)) + { + authconfs.emplace_back(new FileFd()); + authconfs.back()->Open(netrc, FileFd::ReadOnly); + } + } + _error->RevertToStack(); + } + + // FIXME: Use the full base url + URI uri(std::string("http://") + I.Site() + "/"); + for (auto &authconf : authconfs) + { + if (not authconf->IsOpen()) + continue; + if (not authconf->Seek(0)) + continue; + + MaybeAddAuth(*authconf, uri); + + if (not uri.User.empty() || not uri.Password.empty()) + return true; + } + + return false; +} diff --git a/apt-pkg/contrib/netrc.h b/apt-pkg/contrib/netrc.h index 46d8cab3d..2b0b5a6bb 100644 --- a/apt-pkg/contrib/netrc.h +++ b/apt-pkg/contrib/netrc.h @@ -14,9 +14,12 @@ #ifndef NETRC_H #define NETRC_H +#include #include +#include #include +#include #ifndef APT_8_CLEANER_HEADERS #include @@ -33,4 +36,5 @@ class FileFd; APT_DEPRECATED_MSG("Use FileFd-based MaybeAddAuth instead") void maybe_add_auth(URI &Uri, std::string NetRCFile); bool MaybeAddAuth(FileFd &NetRCFile, URI &Uri); +bool IsAuthorized(pkgCache::PkgFileIterator const I, std::vector> &authconfs) APT_HIDDEN; #endif diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 6cbed85a7..a5aa91826 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -907,6 +907,7 @@ bool debReleaseIndex::Merge(pkgCacheGenerator &Gen,OpProgress * /*Prog*/) const/ #undef APT_INRELEASE Section.FindFlag("NotAutomatic", File->Flags, pkgCache::Flag::NotAutomatic); Section.FindFlag("ButAutomaticUpgrades", File->Flags, pkgCache::Flag::ButAutomaticUpgrades); + Section.FindFlag("Packages-Require-Authorization", File->Flags, pkgCache::Flag::PackagesRequireAuthorization); return true; } diff --git a/apt-pkg/pkgcache.h b/apt-pkg/pkgcache.h index 5c33c7073..787e3995f 100644 --- a/apt-pkg/pkgcache.h +++ b/apt-pkg/pkgcache.h @@ -182,9 +182,11 @@ class pkgCache /*{{{*/ LocalSource=(1<<1), /*!< local sources can't and will not be verified by hashes */ NoPackages=(1<<2), /*!< the file includes no package records itself, but additions like Translations */ }; - enum ReleaseFileFlags { - NotAutomatic=(1<<0), /*!< archive has a default pin of 1 */ - ButAutomaticUpgrades=(1<<1), /*!< (together with the previous) archive has a default pin of 100 */ + enum ReleaseFileFlags + { + NotAutomatic = (1 << 0), /*!< archive has a default pin of 1 */ + ButAutomaticUpgrades = (1 << 1), /*!< (together with the previous) archive has a default pin of 100 */ + PackagesRequireAuthorization = (1 << 2), /*!< (together with the previous) archive has a default pin of 100 */ }; enum ProvidesFlags { MultiArchImplicit=pkgCache::Dep::MultiArchImplicit, /*!< generated internally, not spelled out in the index */ diff --git a/apt-pkg/policy.cc b/apt-pkg/policy.cc index 097373935..f1ffa7440 100644 --- a/apt-pkg/policy.cc +++ b/apt-pkg/policy.cc @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -88,7 +89,8 @@ pkgPolicy::pkgPolicy(pkgCache *Owner) : Pins(nullptr), VerPins(nullptr), // --------------------------------------------------------------------- /* */ bool pkgPolicy::InitDefaults() -{ +{ + std::vector> authconfs; // Initialize the priorities based on the status of the package file for (pkgCache::PkgFileIterator I = Cache->FileBegin(); I != Cache->FileEnd(); ++I) { @@ -99,6 +101,8 @@ bool pkgPolicy::InitDefaults() PFPriority[I->ID] = 100; else if (I.Flagged(pkgCache::Flag::NotAutomatic)) PFPriority[I->ID] = 1; + if (I.Flagged(pkgCache::Flag::PackagesRequireAuthorization) && !IsAuthorized(I, authconfs)) + PFPriority[I->ID] = NEVER_PIN; } // Apply the defaults.. diff --git a/test/integration/test-packages-require-authorization b/test/integration/test-packages-require-authorization new file mode 100755 index 000000000..527497ce5 --- /dev/null +++ b/test/integration/test-packages-require-authorization @@ -0,0 +1,61 @@ +#!/bin/sh +set -e + +TESTDIR="$(readlink -f "$(dirname "$0")")" +. "$TESTDIR/framework" +setupenvironment +configarchitecture 'amd64' + +insertpackage 'unstable' 'cool' 'amd64' '1.0' + +export APT_DONT_SIGN='InRelease' +setupaptarchive --no-update +changetowebserver + +echo 'Packages-Require-Authorization: yes' >> aptarchive/dists/unstable/Release +signreleasefiles + +testsuccess aptget update +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now +-32768 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages:" aptcache policy + +mkdir rootdir/etc/apt/auth.conf.d +cat > rootdir/etc/apt/auth.conf.d/myauth.conf << EOF +machine localhost +login username +password usersPassword +EOF + + +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 500 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages:" aptcache policy + + +cat > rootdir/etc/apt/preferences.d/myauth.pref << EOF +Package: * +Pin: origin localhost +Pin-Priority: 990 + +Package: cool +Pin: origin localhost +Pin-Priority: 990 +EOF + +testsuccessequal "Package files: + 100 ${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status + release a=now + 990 http://localhost:${APTHTTPPORT} unstable/main amd64 Packages + release a=unstable,n=sid,c=main,b=amd64 + origin localhost +Pinned packages: + cool -> 1.0 with priority 990" aptcache policy -- cgit v1.2.3