From 5acf154d810a0225cc7d14637d101205e43ceba8 Mon Sep 17 00:00:00 2001
From: Michael Vogt <mvo@debian.org>
Date: Fri, 13 Dec 2013 14:37:14 +0100
Subject: make apt-key net-update actually testable

---
 cmdline/apt-key.in                       | 19 +++++++++++++------
 test/integration/test-apt-key-net-update | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 779872b4c..c7d3ce8b5 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -25,6 +25,9 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
 
 GPG="$GPG_CMD"
 
+APT_DIR="/"
+eval $(apt-config shell APT_DIR Dir)
+
 MASTER_KEYRING='&keyring-master-filename;'
 eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
 ARCHIVE_KEYRING='&keyring-filename;'
@@ -33,7 +36,7 @@ REMOVED_KEYS='&keyring-removed-filename;'
 eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
 ARCHIVE_KEYRING_URI='&keyring-uri;'
 eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
-TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg
+TMP_KEYRING=${APT_DIR}/var/lib/apt/keyrings/maybe-import-keyring.gpg
 
 requires_root() {
 	if [ "$(id -u)" -ne 0 ]; then
@@ -107,7 +110,11 @@ add_keys_with_verify_against_master_keyring() {
 # (otherwise it does not make sense from a security POV)
 net_update() {
     # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
-    exit 1
+    APT_KEY_NET_UPDATE_ENABLED=""
+    eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled)
+    if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then
+        exit 1
+    fi
 
     if [ -z "$ARCHIVE_KEYRING_URI" ]; then
 	echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
@@ -120,15 +127,15 @@ net_update() {
 	echo >&2 "ERROR: an installed wget is required for a network-based update"
 	exit 1
     fi
-    if [ ! -d /var/lib/apt/keyrings ]; then
-	mkdir -p /var/lib/apt/keyrings
+    if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then
+	mkdir -p ${APT_DIR}/var/lib/apt/keyrings
     fi
-    keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
+    keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
     old_mtime=0
     if [ -e $keyring ]; then
 	old_mtime=$(stat -c %Y $keyring)
     fi
-    (cd  /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
+    (cd  ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
     if [ ! -e $keyring ]; then
 	return
     fi
diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update
index 73545aff7..e0869402e 100755
--- a/test/integration/test-apt-key-net-update
+++ b/test/integration/test-apt-key-net-update
@@ -6,6 +6,20 @@ TESTDIR=$(readlink -f $(dirname $0))
 
 setupenvironment
 configarchitecture "i386"
+changetowebserver
+
+# setup env
+mkdir -p aptarchive/ubuntu/project var/lib/apt/keyrings
+echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/ubuntu-archive-keyring.gpg";' >> ./aptconfig.conf
+echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf
+
+# signed thing
+echo "meep" > aptarchive/ubuntu/project/ubuntu-archive-keyring.gpg
+
+# test against the "real" webserver
+aptkey --fakeroot net-update
+
+exit 1
 
 # mock
 requires_root() {
-- 
cgit v1.2.3