From c8aa88aa2c3139584cfabb1ce4619c773e9f2b99 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Tue, 23 Sep 2014 18:08:53 +0200
Subject: cleanup, fix test-apt-update-unauth as the behavior of apt changed
---
 test/integration/test-apt-update-unauth | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 13487603c..4e08b5e35 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -17,23 +17,41 @@ insertsource 'unstable' 'foo' 'all' '1.0'
 setupaptarchive
 changetowebserver
+# FIXME:
+# - also check the unauth -> auth success case, i.e. that all files are
+# reverified
 runtest() {
 # start unauthenticated
 find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
 rm -f aptarchive/dists/unstable/*Release*
+ # remove uncompressed version
+ find aptarchive/ -name Packages | xargs rm -f
 aptget update -qq
 # become authenticated
 generatereleasefiles
 signreleasefiles
- # and ensure we do download the data again
- msgtest "Check that the data is check when going to authenticated"
- if aptget update |grep -q Hit; then
- msgfail
- else
+ # and ensure we re-check the downloaded data
+ msgtest "Check rollback on going from unauth -> auth"
+
+ # change the local packages file
+ PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*)
+ echo "meep" > $PKGS
+ ls -l rootdir/var/lib/apt/lists > lists.before
+
+ # update and ensure all is reverted on the hashsum failure
+ aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true
+
+ # ensure we have before what we have after
+ ls -l rootdir/var/lib/apt/lists > lists.after
+ if diff -u lists.before lists.after; then
 msgpass
+ else
+ #cat output.log
+ msgfail
 fi
+
 }
 for COMPRESSEDINDEXES in 'false' 'true'; do
-- cgit v1.2.3
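Review bot: `PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*)` followed by `echo "meep" > $PKGS` in runtest is only well-defined when the glob matches exactly one file. If it ever matches several, the unquoted redirection target holds a newline-separated list, and the tamper step then errors out or writes to an unintended name depending on the shell, so the rollback check after it no longer exercises a corrupted index. Iterating over the glob avoids that: `for f in rootdir/var/lib/apt/lists/*Packages*; do echo "meep" > "$f"; done`. The same two lines stay unchanged as context in the later commits on this page.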
From bca84917c326fa3158e120147c8aecebe0789b47 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Fri, 26 Sep 2014 22:45:18 +0200
Subject: test fixes
---
 test/integration/test-apt-update-unauth | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 4e08b5e35..2e46e3ace 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -26,7 +26,7 @@ runtest() {
 rm -f aptarchive/dists/unstable/*Release*
 # remove uncompressed version
 find aptarchive/ -name Packages | xargs rm -f
- aptget update -qq
+ aptget update -qq --allow-unauthenticated
 # become authenticated
 generatereleasefiles
-- cgit v1.2.3
From e1bd768b762bd74221f9089133883723a7307f9b Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Mon, 29 Sep 2014 11:03:02 +0200
Subject: test fixes
---
 test/integration/test-apt-update-unauth | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 2e46e3ace..5db8a3c16 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -8,6 +8,8 @@ set -e
 TESTDIR=$(readlink -f $(dirname $0))
 . $TESTDIR/framework
+umask 022
+
 setupenvironment
 configarchitecture "i386"
-- cgit v1.2.3
From c99fe2e169243fc6e1a3278ce3768f0f521e260b Mon Sep 17 00:00:00 2001
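Review bot: The `umask 022` added in the `@@ -8,6 +8,8 @@` hunk has no comment, and nothing in the hunk or the "test fixes" subject says what depends on it. Presumably it makes file modes predictable for the `ls -l` before/after comparison in runtest, which includes permission bits. If that is the reason, a line such as `# fixed umask: runtest compares ls -l output, which includes file modes` above it would keep a later cleanup from dropping it.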
From: Michael Vogt
Date: Wed, 1 Oct 2014 12:21:55 +0200
Subject: Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories}
The configuration key Acquire::AllowInsecureRepositories controls if apt allows loading of unsigned repositories at all. The configuration Acquire::AllowDowngradeToInsecureRepositories controls if a signed repository can ever become unsigned. This should really never be needed but we provide it to avoid having to mess around in /var/lib/apt/lists if there is a use-case for this (which I can't think of right now).
---
 test/integration/test-apt-update-unauth | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 5db8a3c16..ade523ea7 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -28,7 +28,7 @@ runtest() {
 rm -f aptarchive/dists/unstable/*Release*
 # remove uncompressed version
 find aptarchive/ -name Packages | xargs rm -f
- aptget update -qq --allow-unauthenticated
+ aptget update -qq --allow-insecure-repositories
 # become authenticated
 generatereleasefiles
-- cgit v1.2.3
From 0b844e23f014bd3ce95e27fe5fa81138e9ae4879 Mon Sep 17 00:00:00 2001
From: Michael Vogt
Date: Wed, 1 Oct 2014 17:13:33 +0200
Subject: hack around test-apt-update-unauth failure
---
 test/integration/test-apt-update-unauth | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index ade523ea7..cf5195024 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -26,34 +26,43 @@ runtest() {
 # start unauthenticated
 find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
 rm -f aptarchive/dists/unstable/*Release*
- # remove uncompressed version
- find aptarchive/ -name Packages | xargs rm -f
+
 aptget update -qq --allow-insecure-repositories
+ # FIXME: this really shouldn't be needed
+ rm -f rootdir/var/lib/apt/lists/partial/*
+
 # become authenticated
 generatereleasefiles
 signreleasefiles
+ # move uncompressed away
+ mv aptarchive/dists/unstable/main/binary-i386/Packages \
+ aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed
+
 # and ensure we re-check the downloaded data
 msgtest "Check rollback on going from unauth -> auth"
 # change the local packages file
 PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*)
 echo "meep" > $PKGS
- ls -l rootdir/var/lib/apt/lists > lists.before
+ ls rootdir/var/lib/apt/lists/ > lists.before
 # update and ensure all is reverted on the hashsum failure
- aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true
+ aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true
 # ensure we have before what we have after
- ls -l rootdir/var/lib/apt/lists > lists.after
+ ls rootdir/var/lib/apt/lists/ > lists.after
 if diff -u lists.before lists.after; then
 msgpass
 else
- #cat output.log
+ cat output.log
 msgfail
 fi
+ # move uncompressed back for release file
+ mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \
+ aptarchive/dists/unstable/main/binary-i386/Packages
 }
 for COMPRESSEDINDEXES in 'false' 'true'; do
-- cgit v1.2.3
From 5684f71fa0f6c1b765aa53e22ca3b024c578b9c9 Mon Sep 17 00:00:00 2001
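Review bot: Replacing `ls -l rootdir/var/lib/apt/lists > lists.before` with plain `ls rootdir/var/lib/apt/lists/` (and the same for lists.after) reduces the rollback check in runtest to a comparison of file names. A failed update that rewrote the tampered Packages file, or changed the size or mode of anything in lists/, would still pass the `diff -u`, although the comment above the update says everything must be reverted. If the long listing was dropped because of unstable timestamps, comparing content hashes keeps the check meaningful: `find rootdir/var/lib/apt/lists -type f -exec sha256sum {} + | sort -k2 > lists.before`, and likewise for lists.after. runtest begins before this hunk.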
From: David Kalnischkies
Date: Mon, 6 Oct 2014 14:29:53 +0200
Subject: use _apt:root only for partial directories
Using a different user for calling methods is intended to protect us from methods running amok (via remotely exploited bugs) by limiting what can be done by them. By using root:root for the final directories and just have the files in partial writeable by the methods we enhance this in sofar as a method can't modify already verified data in its parent directory anymore. As a side effect, this also clears most of the problems you could have if the final directories are shared without user-sharing or if these directories disappear as they are now again root owned and only the partial directories contain _apt owned files (usually none if apt isn't running) and the directory itself is autocreated with the right permissions.
---
 test/integration/test-apt-update-unauth | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'test/integration/test-apt-update-unauth')
diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index cf5195024..b7ccd6cf3 100755
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -27,7 +27,7 @@ runtest() {
 find rootdir/var/lib/apt/lists/ -type f | xargs rm -f
 rm -f aptarchive/dists/unstable/*Release*
- aptget update -qq --allow-insecure-repositories
+ testsuccess aptget update -qq --allow-insecure-repositories
 # FIXME: this really shouldn't be needed
 rm -f rootdir/var/lib/apt/lists/partial/*
@@ -41,7 +41,6 @@ runtest() {
 aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed
 # and ensure we re-check the downloaded data
- msgtest "Check rollback on going from unauth -> auth"
 # change the local packages file
 PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*)
@@ -49,18 +48,22 @@ runtest() {
 ls rootdir/var/lib/apt/lists/ > lists.before
 # update and ensure all is reverted on the hashsum failure
- aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true
+ testfailure aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0
 # ensure we have before what we have after
+ msgtest 'Check rollback on going from' 'unauth -> auth'
 ls rootdir/var/lib/apt/lists/ > lists.after
- if diff -u lists.before lists.after; then
+ if cmp lists.before lists.after; then
 msgpass
 else
- cat output.log
- msgfail
+ echo >&2 '### Output of previous apt-get update ###'
+ cat >&2 rootdir/tmp/testfailure.output
+ echo >&2 '### Changes in the lists-directory: ###'
+ diff -u >&2 lists.before lists.after
+ msgfail
 fi
- # move uncompressed back for release file
+ # move uncompressed back for release file
 mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \
 aptarchive/dists/unstable/main/binary-i386/Packages
 }
@@ -72,6 +75,5 @@ for COMPRESSEDINDEXES in 'false' 'true'; do
 else
 msgmsg 'Run tests with GzipIndexes disabled'
 fi
-
- runtest
+ runtest
 done
-- cgit v1.2.3
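Review bot: `testfailure aptget update …` in the `@@ -49,18 +48,22 @@` hunk appears, as far as its name and use here show, to accept any non-zero exit. The step would then also pass when the update fails for a reason unrelated to the tampered Packages file, such as the test webserver not answering. Since the comment above it says the failure under test is the hashsum one, the captured output should be checked too, for example `grep -q '<expected hash-mismatch message>' rootdir/tmp/testfailure.output`, with the placeholder replaced by the message apt prints for that case. The opening lines of runtest are outside this hunk.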