From 47aca3cfc17ee23c37693b4e53c675a74b38decd Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 18 Jul 2014 23:41:29 +0200 Subject: add pkgAcquire::TransactionHasError() --- test/integration/test-apt-update-transactions | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100755 test/integration/test-apt-update-transactions (limited to 'test/integration') diff --git a/test/integration/test-apt-update-transactions b/test/integration/test-apt-update-transactions new file mode 100755 index 000000000..ee8d20dbf --- /dev/null +++ b/test/integration/test-apt-update-transactions @@ -0,0 +1,23 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +insertpackage 'unstable' 'foo' 'all' '1.0' + +setupaptarchive --no-update +changetowebserver + +# break package file +cat > aptarchive/dists/unstable/main/binary-i386/Packages < Date: Mon, 21 Jul 2014 11:19:37 +0200 Subject: Download Release first, then Release.gpg The old way of handling this was that pkgAcqMetaIndex was responsible to check/move both Release and Release.gpg in place. This breaks the assumption of the transaction that each pkgAcquire::Item has a single File that its responsible for. --- test/integration/test-apt-update-transactions | 1 + 1 file changed, 1 insertion(+) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-transactions b/test/integration/test-apt-update-transactions index ee8d20dbf..247334991 100755 --- a/test/integration/test-apt-update-transactions +++ b/test/integration/test-apt-update-transactions @@ -21,3 +21,4 @@ compressfile aptarchive/dists/unstable/main/binary-i386/Packages '+1hour' # ensure that a update will only succeed entirely or not at all testfailure aptget update testequal "partial" ls rootdir/var/lib/apt/lists + -- cgit v1.2.3 From e05672e88678f520b2db59599e939345ad0b6e53 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2014 09:53:13 +0200 Subject: Rework TransactionID stuff --- test/integration/test-apt-update-rollback | 180 ++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) create mode 100755 test/integration/test-apt-update-rollback (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback new file mode 100755 index 000000000..cd28f1f1f --- /dev/null +++ b/test/integration/test-apt-update-rollback @@ -0,0 +1,180 @@ +#!/bin/sh +# +# test that apt-get update is transactional +# +set -e + +avoid_ims_hit() { + touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages* + touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources* + touch -d '+1hour' aptarchive/dists/unstable/*Release* + + touch -d '-1hour' rootdir/var/lib/apt/lists/* +} + +create_fresh_archive() +{ + rm -rf aptarchive/* + rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/* + + insertpackage 'unstable' 'old' 'all' '1.0' + + setupaptarchive +} + +add_new_package() { + insertpackage "unstable" "new" "all" "1.0" + insertsource "unstable" "new" "all" "1.0" + + setupaptarchive --no-update + + avoid_ims_hit +} + +break_repository_sources_index() { + printf "xxx" > $APTARCHIVE/dists/unstable/main/source/Sources + gzip -c $APTARCHIVE/dists/unstable/main/source/Sources > \ + $APTARCHIVE/dists/unstable/main/source/Sources.gz + avoid_ims_hit +} + +test_inrelease_to_new_inrelease() { + msgmsg "Test InRelease to new InRelease works fine" + create_fresh_archive + testequal "old/unstable 1.0 all" apt list -q + + add_new_package + testsuccess aptget update + + testequal "new/unstable 1.0 all +old/unstable 1.0 all" apt list -q +} + +test_inrelease_to_broken_hash_reverts_all() { + msgmsg "Test InRelease to broken InRelease reverts everything" + create_fresh_archive + add_new_package + # break the Sources file + break_repository_sources_index + + # test the error condition + testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease + +W: Failed to fetch copy:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch + +W: Failed to fetch copy:${APTARCHIVE}/dists/unstable/main/binary-i386/Packages + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + # ensure that the Packages file is also rolled back + testequal "E: Unable to locate package new" aptget install new -s -qq +} + +test_inreleae_to_valid_release() { + msgmsg "Test InRelease to valid Release" + create_fresh_archive + add_new_package + # switch to a unsinged repo now + rm $APTARCHIVE/dists/unstable/InRelease + rm $APTARCHIVE/dists/unstable/Release.gpg + avoid_ims_hit + + # update works + testsuccess aptget update -o Debug::Acquire::Transaction=1 + + # test that we can install the new packages but do no longer have a sig + testsuccess aptget install old -s + testsuccess aptget install new -s + testfailure ls $ROOTDIR/var/lib/apt/lists/*_InRelease + testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release.gpg + testsuccess ls $ROOTDIR/var/lib/apt/lists/*_Release +} + +test_inreleae_to_release_reverts_all() { + msgmsg "Test InRelease to broken Release reverts everything" + create_fresh_archive + + # switch to a unsinged repo now + add_new_package + rm $APTARCHIVE/dists/unstable/InRelease + rm $APTARCHIVE/dists/unstable/Release.gpg + # break it + break_repository_sources_index + + # ensure error + testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease + +W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release + +W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release.gpg + +W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch + +W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/binary-i386/Packages + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # -o Debug::acquire::transaction=1 + + # ensure that the Packages file is also rolled back + testsuccess aptget install old -s + testfailure aptget install new -s + testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease + testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release +} + +test_unauthenticated_to_invalid_inrelease() { + msgmsg "Test UnAuthenticated to invalid InRelease reverts everything" + create_fresh_archive + rm $APTARCHIVE/dists/unstable/InRelease + rm $APTARCHIVE/dists/unstable/Release.gpg + avoid_ims_hit + + testsuccess aptget update -qq + testequal "WARNING: The following packages cannot be authenticated! + old +E: There are problems and -y was used without --force-yes" aptget install -qq -y old + + # go to authenticated but not correct + add_new_package + break_repository_sources_index + + testequal "W: Hashsum mismatch $ROOTDIR/var/lib/apt/lists/${APTARCHIVE_LISTS}_dists_unstable_main_source_Sources +W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease + +W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + + testfailure ls rootdir/var/lib/apt/lists/*_InRelease + testequal "WARNING: The following packages cannot be authenticated! + old +E: There are problems and -y was used without --force-yes" aptget install -qq -y old +} + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# setup the archive and ensure we have a single package that installs fine +setupaptarchive +APTARCHIVE=$(readlink -f ./aptarchive) +ROOTDIR=${TMPWORKINGDIRECTORY}/rootdir +APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )" + +# test the following cases: +# - InRelease -> broken InRelease revert to previous state +# - empty lists dir and broken remote leaves nothing on the system +# - InRelease -> hashsum mismatch for one file reverts all files to previous state +# - Release/Release.gpg -> hashsum mismatch +# - InRelease -> Release with hashsum mismatch revert entire state and kills Release +# - Release -> InRelease with broken Sig/Hash removes InRelease +# going from Release/Release.gpg -> InRelease and vice versa +# - unauthenticated -> invalid InRelease + +test_inrelease_to_new_inrelease +test_inrelease_to_broken_hash_reverts_all + +test_inreleae_to_valid_release +test_inreleae_to_release_reverts_all + +#test_unauthenticated_to_invalid_inrelease -- cgit v1.2.3 From 6d979490c13e9d8004942507c99d152c22184a27 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2014 10:02:27 +0200 Subject: make test_unauthenticated_to_invalid_inrelease work --- test/integration/test-apt-update-rollback | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index cd28f1f1f..9771f0edc 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -136,11 +136,12 @@ E: There are problems and -y was used without --force-yes" aptget install -qq -y add_new_package break_repository_sources_index - testequal "W: Hashsum mismatch $ROOTDIR/var/lib/apt/lists/${APTARCHIVE_LISTS}_dists_unstable_main_source_Sources -W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease - + testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease + W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch +W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/binary-i386/Packages + E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq testfailure ls rootdir/var/lib/apt/lists/*_InRelease @@ -177,4 +178,4 @@ test_inrelease_to_broken_hash_reverts_all test_inreleae_to_valid_release test_inreleae_to_release_reverts_all -#test_unauthenticated_to_invalid_inrelease +test_unauthenticated_to_invalid_inrelease -- cgit v1.2.3 From c5fced388848b967f0ce076656cad5366517f981 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2014 18:40:05 +0200 Subject: ensure InRelease->Release is transactional as well --- test/integration/test-apt-update-rollback | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index 9771f0edc..c16e4f480 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -150,6 +150,22 @@ E: Some index files failed to download. They have been ignored, or old ones used E: There are problems and -y was used without --force-yes" aptget install -qq -y old } +test_inrelease_to_unauth_inrelease() { + msgmsg "Test InRelease to InRelease without sig" + create_fresh_archive + signreleasefiles 'Marvin Paranoid' + avoid_ims_hit + + testsuccess aptget update -qq + + testequal "WARNING: The following packages cannot be authenticated! + old +E: There are problems and -y was used without --force-yes" aptget install -qq -y old + + testfailure ls rootdir/var/lib/apt/lists/*_InRelease + testsuccess ls rootdir/var/lib/apt/lists/*_Release +} + TESTDIR=$(readlink -f $(dirname $0)) . $TESTDIR/framework @@ -179,3 +195,5 @@ test_inreleae_to_valid_release test_inreleae_to_release_reverts_all test_unauthenticated_to_invalid_inrelease + +test_inrelease_to_unauth_inrelease -- cgit v1.2.3 From 21638c3af355b3997fadd169495551568af6acfe Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 31 Jul 2014 19:24:36 +0200 Subject: fail early (again) on gpg sig failures --- test/integration/test-apt-update-rollback | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index c16e4f480..a6297792e 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -156,14 +156,13 @@ test_inrelease_to_unauth_inrelease() { signreleasefiles 'Marvin Paranoid' avoid_ims_hit - testsuccess aptget update -qq + testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 - testequal "WARNING: The following packages cannot be authenticated! - old -E: There are problems and -y was used without --force-yes" aptget install -qq -y old +W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease - testfailure ls rootdir/var/lib/apt/lists/*_InRelease - testsuccess ls rootdir/var/lib/apt/lists/*_Release +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + + testsuccess ls rootdir/var/lib/apt/lists/*_InRelease } TESTDIR=$(readlink -f $(dirname $0)) -- cgit v1.2.3 From 80976dd5452a9cfbe0c4f6229c729711ba685a5f Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 11:06:47 +0200 Subject: mve MetaKey into pkgAcqBaseIndex --- test/integration/test-apt-update-rollback | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index a6297792e..d7078d217 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -44,7 +44,9 @@ test_inrelease_to_new_inrelease() { testequal "old/unstable 1.0 all" apt list -q add_new_package - testsuccess aptget update + aptget update -o Debug::Acquire::Transaction=1 + + testsuccess aptget update -o Debug::Acquire::Transaction=1 testequal "new/unstable 1.0 all old/unstable 1.0 all" apt list -q -- cgit v1.2.3 From 81273628cc3022641756b05e78256d59b7bd7c51 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 11:46:16 +0200 Subject: fix transactionid passing --- test/integration/test-apt-update-rollback | 1 - 1 file changed, 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index d7078d217..4eef2aecf 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -44,7 +44,6 @@ test_inrelease_to_new_inrelease() { testequal "old/unstable 1.0 all" apt list -q add_new_package - aptget update -o Debug::Acquire::Transaction=1 testsuccess aptget update -o Debug::Acquire::Transaction=1 -- cgit v1.2.3 From 7abcfdde365d2f1110b1f1189e3fce04abdac98c Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 17:13:15 +0200 Subject: check hashes of compressed files as well --- test/integration/test-apt-update-rollback | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index 4eef2aecf..b8a2b0791 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -61,9 +61,7 @@ test_inrelease_to_broken_hash_reverts_all() { # test the error condition testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease -W: Failed to fetch copy:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch - -W: Failed to fetch copy:${APTARCHIVE}/dists/unstable/main/binary-i386/Packages +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # ensure that the Packages file is also rolled back @@ -108,9 +106,7 @@ W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release.gpg -W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch - -W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/binary-i386/Packages +W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # -o Debug::acquire::transaction=1 @@ -139,9 +135,7 @@ E: There are problems and -y was used without --force-yes" aptget install -qq -y testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease -W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch - -W: Failed to fetch copy:$APTARCHIVE/dists/unstable/main/binary-i386/Packages +W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq @@ -166,6 +160,19 @@ W: Some index files failed to download. They have been ignored, or old ones used testsuccess ls rootdir/var/lib/apt/lists/*_InRelease } +test_inrelease_to_broken_gzip() { + msgmsg "Test InRelease to broken gzip" + create_fresh_archive + # append junk at the end of the gzip, this + echo "lala" >> $APTARCHIVE/dists/unstable/main/source/Sources.gz + # remove uncompressed file, otherwise apt will just fallback fetching + # that + rm $APTARCHIVE/dists/unstable/main/source/Sources + avoid_ims_hit + + testfailure aptget update +} + TESTDIR=$(readlink -f $(dirname $0)) . $TESTDIR/framework @@ -190,10 +197,8 @@ APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )" test_inrelease_to_new_inrelease test_inrelease_to_broken_hash_reverts_all - test_inreleae_to_valid_release test_inreleae_to_release_reverts_all - test_unauthenticated_to_invalid_inrelease - test_inrelease_to_unauth_inrelease +test_inrelease_to_broken_gzip -- cgit v1.2.3 From 183160cb20cd4aa86e78657bf060bf688edce703 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 17:15:53 +0200 Subject: make errors more consistent --- test/integration/test-apt-update-rollback | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index b8a2b0791..24027787e 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -59,9 +59,7 @@ test_inrelease_to_broken_hash_reverts_all() { break_repository_sources_index # test the error condition - testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease - -W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch + testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # ensure that the Packages file is also rolled back @@ -100,13 +98,7 @@ test_inreleae_to_release_reverts_all() { break_repository_sources_index # ensure error - testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease - -W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release - -W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release.gpg - -W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch + testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # -o Debug::acquire::transaction=1 @@ -133,9 +125,7 @@ E: There are problems and -y was used without --force-yes" aptget install -qq -y add_new_package break_repository_sources_index - testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease - -W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch + testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq -- cgit v1.2.3 From 67f2f9e2ed2f48833926abb7c31cca4a57ebfec1 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 17:20:19 +0200 Subject: add gzip test and todo --- test/integration/test-apt-update-rollback | 4 ++++ test/integration/test-hashsum-verification | 12 ++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index 24027787e..ccd7f57ff 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -185,6 +185,10 @@ APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )" # going from Release/Release.gpg -> InRelease and vice versa # - unauthenticated -> invalid InRelease +# stuff to do: +# - ims-hit +# - gzip-index tests + test_inrelease_to_new_inrelease test_inrelease_to_broken_hash_reverts_all test_inreleae_to_valid_release diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index e77efb46e..70bf1b476 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -75,5 +75,13 @@ runtest() { } -runtest - +for COMPRESSEDINDEXES in 'false' 'true'; do + echo "Acquire::GzipIndexes \"$COMPRESSEDINDEXES\";" > rootdir/etc/apt/apt.conf.d/compressindexes + if $COMPRESSEDINDEXES; then + msgmsg 'Run tests with GzipIndexes enabled' + else + msgmsg 'Run tests with GzipIndexes disabled' + fi + + runtest +done -- cgit v1.2.3 From 63d0f85391839a666957add1833e67f7638c8a83 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 1 Aug 2014 19:25:00 +0200 Subject: make i-m-s work again --- test/integration/test-apt-update-ims | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100755 test/integration/test-apt-update-ims (limited to 'test/integration') diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims new file mode 100755 index 000000000..cf2b28bb5 --- /dev/null +++ b/test/integration/test-apt-update-ims @@ -0,0 +1,22 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework +setupenvironment +configarchitecture 'amd64' + +buildsimplenativepackage 'unrelated' 'all' '0.5~squeeze1' 'unstable' + +setupaptarchive +changetowebserver + +testsuccess aptget update + +# check that I-M-S header is kept in redirections +testequal "Hit http://localhost:8080 unstable InRelease +Hit http://localhost:8080 unstable/main Sources +Hit http://localhost:8080 unstable/main amd64 Packages +Hit http://localhost:8080 unstable/main Translation-en +Reading package lists..." aptget update + -- cgit v1.2.3 From 63b7249e6930c1bcb69bac32f10108119eeacc2a Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Sat, 2 Aug 2014 05:37:43 +0200 Subject: add ims check verify --- test/integration/test-apt-update-ims | 3 +++ 1 file changed, 3 insertions(+) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index cf2b28bb5..3bd6e843c 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -20,3 +20,6 @@ Hit http://localhost:8080 unstable/main amd64 Packages Hit http://localhost:8080 unstable/main Translation-en Reading package lists..." aptget update +# ensure that we still do a hash check on ims hit +msgtest 'Test I-M-S reverify' +aptget update -o Debug::pkgAcquire::Auth=1 2>&1 | grep -A1 'RecivedHash:' | grep -q -- '- SHA' && msgpass || msgfail -- cgit v1.2.3 From 09475bebba5554481a7cb05995ded92cf30063fa Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Sun, 24 Aug 2014 21:30:44 -0700 Subject: all tests pass --- test/integration/test-ubuntu-bug-346386-apt-get-update-paywall | 10 +++++----- .../test-ubuntu-bug-784473-InRelease-one-message-only | 4 +--- 2 files changed, 6 insertions(+), 8 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall index 8e50843f3..388c2bfdb 100755 --- a/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall +++ b/test/integration/test-ubuntu-bug-346386-apt-get-update-paywall @@ -37,8 +37,8 @@ ensure_n_canary_strings_in_dir() { LISTS='rootdir/var/lib/apt/lists' rm -rf rootdir/var/lib/apt/lists -msgtest 'Got expected NODATA failure in' 'apt-get update' -aptget update -qq 2>&1 | grep -q 'E: GPG error.*NODATA' && msgpass || msgfail +msgtest 'Got expected failure message' 'apt-get update' +aptget update -qq 2>&1 | grep -q 'W:.*Does not start with a cleartext signature' && msgpass || msgfail ensure_n_canary_strings_in_dir $LISTS 'ni ni ni' 0 testequal 'partial' ls $LISTS @@ -48,8 +48,8 @@ for f in Release Release.gpg main_binary-amd64_Packages main_source_Sources; do echo 'peng neee-wom' > $LISTS/localhost:8080_dists_stable_${f} done -msgtest 'Got expected NODATA failure in' 'apt-get update' -aptget update -qq 2>&1 | grep -q 'E: GPG error.*NODATA' && msgpass || msgfail +msgtest 'Got expected failure message in' 'apt-get update' +aptget update -qq 2>&1 | grep -q 'W:.*Does not start with a cleartext signature' && msgpass || msgfail ensure_n_canary_strings_in_dir $LISTS 'peng neee-wom' 4 ensure_n_canary_strings_in_dir $LISTS 'ni ni ni' 0 @@ -58,7 +58,7 @@ ensure_n_canary_strings_in_dir $LISTS 'ni ni ni' 0 echo 'peng neee-wom' > $LISTS/localhost:8080_dists_stable_InRelease rm -f $LISTS/localhost:8080_dists_stable_Release $LISTS/localhost:8080_dists_stable_Release.gpg msgtest 'excpected failure of' 'apt-get update' -aptget update -qq 2>&1 | grep -q 'E: GPG error.*NODATA' && msgpass || msgfail +aptget update -qq 2>&1 | grep -q 'W:.*Does not start with a cleartext signature' && msgpass || msgfail ensure_n_canary_strings_in_dir $LISTS 'peng neee-wom' 3 ensure_n_canary_strings_in_dir $LISTS 'ni ni ni' 0 diff --git a/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only index 50ca2bf57..09315868b 100755 --- a/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only +++ b/test/integration/test-ubuntu-bug-784473-InRelease-one-message-only @@ -28,12 +28,10 @@ MD5Sum: done msgtest 'The unsigned garbage before signed block is' 'ignored' -testsuccess --nomsg aptget update +aptget update -qq 2>&1 | grep -q 'W:.*Does not start with a cleartext signature' && msgpass || msgfail ROOTDIR="$(readlink -f .)" testequal "Package files: 100 ${ROOTDIR}/rootdir/var/lib/dpkg/status release a=now - 500 file:${ROOTDIR}/aptarchive/ unstable/main i386 Packages - release a=unstable,n=sid,c=main Pinned packages:" aptcache policy -- cgit v1.2.3 From c8aa88aa2c3139584cfabb1ce4619c773e9f2b99 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 23 Sep 2014 18:08:53 +0200 Subject: cleanup, fix test-apt-update-unauth as the behavior of apt changed --- test/integration/test-apt-update-unauth | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 13487603c..4e08b5e35 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -17,23 +17,41 @@ insertsource 'unstable' 'foo' 'all' '1.0' setupaptarchive changetowebserver +# FIXME: +# - also check the unauth -> auth success case, i.e. that all files are +# reverified runtest() { # start unauthenticated find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* + # remove uncompressed version + find aptarchive/ -name Packages | xargs rm -f aptget update -qq # become authenticated generatereleasefiles signreleasefiles - # and ensure we do download the data again - msgtest "Check that the data is check when going to authenticated" - if aptget update |grep -q Hit; then - msgfail - else + # and ensure we re-check the downloaded data + msgtest "Check rollback on going from unauth -> auth" + + # change the local packages file + PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) + echo "meep" > $PKGS + ls -l rootdir/var/lib/apt/lists > lists.before + + # update and ensure all is reverted on the hashsum failure + aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true + + # ensure we have before what we have after + ls -l rootdir/var/lib/apt/lists > lists.after + if diff -u lists.before lists.after; then msgpass + else + #cat output.log + msgfail fi + } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From 03bfbc965443393b92b2d6d82613472fa3a5067f Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 23 Sep 2014 23:48:19 +0200 Subject: make pdiff transactional (but at the cost of a CopyFile() --- test/integration/test-pdiff-usage | 1 + 1 file changed, 1 insertion(+) (limited to 'test/integration') diff --git a/test/integration/test-pdiff-usage b/test/integration/test-pdiff-usage index 74749d6ab..e86963f28 100755 --- a/test/integration/test-pdiff-usage +++ b/test/integration/test-pdiff-usage @@ -159,6 +159,7 @@ SHA1-Patches: " aptcache show apt newstuff } echo 'Debug::pkgAcquire::Diffs "true"; +Debug::Acquire::Transaction "true"; Debug::pkgAcquire::rred "true";' > rootdir/etc/apt/apt.conf.d/rreddebug.conf testrun -o Acquire::PDiffs::Merge=0 -o APT::Get::List-Cleanup=1 -- cgit v1.2.3 From c4ffa0428b617cd844f0f9dfd5d16ae0553675ac Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 26 Sep 2014 20:59:56 +0200 Subject: Print warning for unauthenticated repositories --- .../integration/test-apt-get-update-unauth-warning | 30 ++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100755 test/integration/test-apt-get-update-unauth-warning (limited to 'test/integration') diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning new file mode 100755 index 000000000..4411a7430 --- /dev/null +++ b/test/integration/test-apt-get-update-unauth-warning @@ -0,0 +1,30 @@ +#!/bin/sh +# +# ensure we print warnings for unauthenticated repositories +# +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# a "normal" package with source and binary +buildsimplenativepackage 'foo' 'all' '2.0' + +setupaptarchive --no-update + +APTARCHIVE=$(readlink -f ./aptarchive) +rm -f $APTARCHIVE/dists/unstable/*Release* + +# update without authenticated InRelease file +testequal "Ign file: unstable InRelease +Ign file: unstable Release +Reading package lists... +W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update + +# ensure we can not install the package +testequal "WARNING: The following packages cannot be authenticated! + foo +E: There are problems and -y was used without --force-yes" aptget install -qq -y foo -- cgit v1.2.3 From 631a7dc7906a10ccd5f14dcfe42224e6107e11f6 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 26 Sep 2014 20:59:31 +0200 Subject: Do not allow going from authenticated to unauthenticated repo Also rework the way we load the Release file, so it only after Release.gpg verified the Release file. The rational is that we never want to load untrusted data into our parsers. Only stuff verified with gpg or by its hashes get loaded. To load untrusted data you now need to use apt-get update --allow-unauthenticated. --- test/integration/test-apt-update-nofallback | 207 ++++++++++++++++++++++++++++ 1 file changed, 207 insertions(+) create mode 100755 test/integration/test-apt-update-nofallback (limited to 'test/integration') diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback new file mode 100755 index 000000000..4e8ea9916 --- /dev/null +++ b/test/integration/test-apt-update-nofallback @@ -0,0 +1,207 @@ +#!/bin/sh +# +# ensure we never fallback from a signed to a unsigned repo +# +# hash checks are done in +# +set -e + +simulate_mitm_and_inject_evil_package() +{ + rm -f $APTARCHIVE/dists/unstable/InRelease + rm -f $APTARCHIVE/dists/unstable/Release.gpg + inject_evil_package +} + +inject_evil_package() +{ + cat > $APTARCHIVE/dists/unstable/main/binary-i386/Packages < +Architecture: all +Version: 1.0 +Filename: pool/evil_1.0_all.deb +Size: 1270 +Description: an autogenerated evil package +EOF + # avoid ims hit + touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages +} + +assert_update_is_refused_and_last_good_state_used() +{ + testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq + + assert_repo_is_intact +} + +assert_repo_is_intact() +{ + testequal "foo/unstable 2.0 all" apt list -q + testsuccess "" aptget install -y -s foo + testfailure "" aptget install -y evil + + LISTDIR=rootdir/var/lib/apt/lists + if ! ( ls $LISTDIR/*InRelease >/dev/null 2>&1 || + ls $LISTDIR/*Release.gpg >/dev/null 2>&1 ); then + echo "Can not find InRelease/Release.gpg in $(ls $LISTDIR)" + msgfail + fi +} + +setupaptarchive_with_lists_clean() +{ + setupaptarchive --no-update + rm -f rootdir/var/lib/apt/lists/_* + #rm -rf rootdir/var/lib/apt/lists +} + +test_from_inrelease_to_unsigned() +{ + # setup archive with InRelease file + setupaptarchive_with_lists_clean + testsuccess aptget update + + simulate_mitm_and_inject_evil_package + assert_update_is_refused_and_last_good_state_used +} + +test_from_release_gpg_to_unsigned() +{ + # setup archive with Release/Release.gpg (but no InRelease) + setupaptarchive_with_lists_clean + rm $APTARCHIVE/dists/unstable/InRelease + testsuccess aptget update + + simulate_mitm_and_inject_evil_package + assert_update_is_refused_and_last_good_state_used +} + +test_cve_2012_0214() +{ + # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 + # + # it was possible to MITM the download so that InRelease/Release.gpg + # are not delivered (404) and a altered Release file was send + # + # apt left the old InRelease file in /var/lib/apt/lists and downloaded + # the unauthenticated Release file too giving the false impression that + # Release was authenticated + # + # Note that this is pretty much impossible nowdays because: + # a) InRelease is left as is, not split to InRelease/Release as it was + # in the old days + # b) we refuse to go from signed->unsigned + # + # Still worth having a regression test the simulates the condition + + # setup archive with InRelease + setupaptarchive_with_lists_clean + testsuccess aptget update + + # do what CVE-2012-0214 did + rm $APTARCHIVE/dists/unstable/InRelease + rm $APTARCHIVE/dists/unstable/Release.gpg + inject_evil_package + # build valid Release file + aptftparchive -qq release ./aptarchive > aptarchive/dists/unstable/Release + + assert_update_is_refused_and_last_good_state_used + + # ensure there is no _Release file downloaded + testfailure ls rootdir/var/lib/apt/lists/*_Release +} + +test_subvert_inrelease() +{ + # setup archive with InRelease + setupaptarchive_with_lists_clean + testsuccess aptget update + + # replace InRelease with something else + mv $APTARCHIVE/dists/unstable/Release $APTARCHIVE/dists/unstable/InRelease + + testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease Does not start with a cleartext signature + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + + # ensure we keep the repo + assert_repo_is_intact +} + +test_inrelease_to_invalid_inrelease() +{ + # setup archive with InRelease + setupaptarchive_with_lists_clean + testsuccess aptget update + + # now remove InRelease and subvert Release do no longer verify + sed -i 's/Codename.*/Codename: evil!'/ $APTARCHIVE/dists/unstable/InRelease + inject_evil_package + + testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) + +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease + +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq + + # ensure we keep the repo + assert_repo_is_intact + testfailure grep "evil" rootdir/var/lib/apt/lists/*InRelease +} + +test_release_gpg_to_invalid_release_release_gpg() +{ + # setup archive with InRelease + setupaptarchive_with_lists_clean + rm $APTARCHIVE/dists/unstable/InRelease + testsuccess aptget update + + # now subvert Release do no longer verify + echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release + inject_evil_package + + testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq + + assert_repo_is_intact + testfailure grep "evil" rootdir/var/lib/apt/lists/*Release +} + + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# a "normal" package with source and binary +buildsimplenativepackage 'foo' 'all' '2.0' + +# setup the archive and ensure we have a single package that installs fine +setupaptarchive +APTARCHIVE=$(readlink -f ./aptarchive) +assert_repo_is_intact + +# test the various cases where a repo may go from signed->unsigned +msgmsg "test_from_inrelease_to_unsigned" +test_from_inrelease_to_unsigned + +msgmsg "test_from_release_gpg_to_unsigned" +test_from_release_gpg_to_unsigned + +# ensure we do not regress on CVE-2012-0214 +msgmsg "test_cve_2012_0214" +test_cve_2012_0214 + +# ensure InRelase can not be subverted +msgmsg "test_subvert_inrelease" +test_subvert_inrelease + +# ensure we revert to last good state if InRelease does not verify +msgmsg "test_inrelease_to_invalid_inrelease" +test_inrelease_to_invalid_inrelease + +# ensure we revert to last good state if Release/Release.gpg does not verify +msgmsg "test_release_gpg_to_invalid_release_release_gpg" +test_release_gpg_to_invalid_release_release_gpg -- cgit v1.2.3 From bca84917c326fa3158e120147c8aecebe0789b47 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 26 Sep 2014 22:45:18 +0200 Subject: test fixes --- test/integration/test-apt-get-source-authenticated | 2 +- test/integration/test-apt-get-update-unauth-warning | 14 ++++++++++++-- test/integration/test-apt-update-rollback | 16 +++++++--------- test/integration/test-apt-update-unauth | 2 +- .../integration/test-bug-717891-abolute-uris-for-proxies | 2 +- test/integration/test-bug-738785-switch-protocol | 2 +- test/integration/test-policy-pinning | 3 ++- 7 files changed, 25 insertions(+), 16 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-source-authenticated b/test/integration/test-apt-get-source-authenticated index 2cee13923..d73097b54 100755 --- a/test/integration/test-apt-get-source-authenticated +++ b/test/integration/test-apt-get-source-authenticated @@ -21,7 +21,7 @@ APTARCHIVE=$(readlink -f ./aptarchive) rm -f $APTARCHIVE/dists/unstable/*Release* # update without authenticated InRelease file -testsuccess aptget update +testsuccess aptget update --allow-unauthenticated # this all should fail testfailure aptget install -y foo diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 4411a7430..b1c676738 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -18,11 +18,21 @@ setupaptarchive --no-update APTARCHIVE=$(readlink -f ./aptarchive) rm -f $APTARCHIVE/dists/unstable/*Release* -# update without authenticated InRelease file +# update without authenticated files leads to warning testequal "Ign file: unstable InRelease Ign file: unstable Release Reading package lists... -W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update +W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated. +W: Use --allow-unauthenticated to force the update" aptget update + +# no package foo +testequal "Listing..." apt list foo + +# allow override +testequal "Ign file: unstable InRelease +Ign file: unstable Release +Reading package lists... +W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-unauthenticated # ensure we can not install the package testequal "WARNING: The following packages cannot be authenticated! diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index ccd7f57ff..a88b0042b 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -75,15 +75,14 @@ test_inreleae_to_valid_release() { rm $APTARCHIVE/dists/unstable/Release.gpg avoid_ims_hit - # update works - testsuccess aptget update -o Debug::Acquire::Transaction=1 + # update fails + testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # test that we can install the new packages but do no longer have a sig testsuccess aptget install old -s - testsuccess aptget install new -s - testfailure ls $ROOTDIR/var/lib/apt/lists/*_InRelease - testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release.gpg - testsuccess ls $ROOTDIR/var/lib/apt/lists/*_Release + testfailure aptget install new -s + testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease + testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release } test_inreleae_to_release_reverts_all() { @@ -98,9 +97,7 @@ test_inreleae_to_release_reverts_all() { break_repository_sources_index # ensure error - testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch - -E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq # -o Debug::acquire::transaction=1 + testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1 # ensure that the Packages file is also rolled back testsuccess aptget install old -s @@ -112,6 +109,7 @@ E: Some index files failed to download. They have been ignored, or old ones used test_unauthenticated_to_invalid_inrelease() { msgmsg "Test UnAuthenticated to invalid InRelease reverts everything" create_fresh_archive + rm -rf rootdir/var/lib/apt/lists/* rm $APTARCHIVE/dists/unstable/InRelease rm $APTARCHIVE/dists/unstable/Release.gpg avoid_ims_hit diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 4e08b5e35..2e46e3ace 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -26,7 +26,7 @@ runtest() { rm -f aptarchive/dists/unstable/*Release* # remove uncompressed version find aptarchive/ -name Packages | xargs rm -f - aptget update -qq + aptget update -qq --allow-unauthenticated # become authenticated generatereleasefiles diff --git a/test/integration/test-bug-717891-abolute-uris-for-proxies b/test/integration/test-bug-717891-abolute-uris-for-proxies index ac1d6ec11..a8947b5e2 100755 --- a/test/integration/test-bug-717891-abolute-uris-for-proxies +++ b/test/integration/test-bug-717891-abolute-uris-for-proxies @@ -12,7 +12,7 @@ setupaptarchive changetowebserver --request-absolute='uri' msgtest 'Check that absolute paths are' 'not accepted' -testfailure --nomsg aptget update +testfailure --nomsg aptget update --allow-unauthenticated echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index 1e5748eae..4ff044515 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -60,4 +60,4 @@ mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS} # check that downgrades from https to http are not allowed webserverconfig 'aptwebserver::support::http' 'true' sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/* -testfailure aptget update +testfailure aptget update --allow-unauthenticated diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 8eb4bcbad..2281d7a1d 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -28,7 +28,7 @@ Pinned packages:" aptcache policy $* aptgetupdate() { # just to be sure that no old files are used rm -rf rootdir/var/lib/apt - if aptget update -qq 2>&1 | grep '^E: '; then + if aptget update --allow-unauthenticated -qq 2>&1 | grep '^E: '; then msgwarn 'apt-get update failed with an error' fi } @@ -36,6 +36,7 @@ aptgetupdate() { ### not signed archive aptgetupdate + testequalpolicy 100 500 testequalpolicy 990 500 -t now -- cgit v1.2.3 From e1bd768b762bd74221f9089133883723a7307f9b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 29 Sep 2014 11:03:02 +0200 Subject: test fixes --- test/integration/test-apt-update-rollback | 2 +- test/integration/test-apt-update-unauth | 2 ++ .../test-bug-617690-allow-unauthenticated-makes-all-untrusted | 5 ++++- test/integration/test-bug-728500-tempdir | 2 +- 4 files changed, 8 insertions(+), 3 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index a88b0042b..e37be9554 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -114,7 +114,7 @@ test_unauthenticated_to_invalid_inrelease() { rm $APTARCHIVE/dists/unstable/Release.gpg avoid_ims_hit - testsuccess aptget update -qq + testsuccess aptget update -qq --allow-unauthenticated testequal "WARNING: The following packages cannot be authenticated! old E: There are problems and -y was used without --force-yes" aptget install -qq -y old diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 2e46e3ace..5db8a3c16 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -8,6 +8,8 @@ set -e TESTDIR=$(readlink -f $(dirname $0)) . $TESTDIR/framework +umask 022 + setupenvironment configarchitecture "i386" diff --git a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted index f93510fd7..276e10564 100755 --- a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted +++ b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted @@ -24,15 +24,18 @@ testfilemissing() { testrun() { rm -rf rootdir/var/lib/apt - testsuccess aptget update if [ "$1" = 'trusted' ]; then + testsuccess aptget update + testsuccess aptget download cool testfileexists 'cool_1.0_i386.deb' testsuccess aptget download cool --allow-unauthenticated testfileexists 'cool_1.0_i386.deb' else + testsuccess aptget update --allow-unauthenticated + testfailure aptget download cool testfilemissing 'cool_1.0_i386.deb' diff --git a/test/integration/test-bug-728500-tempdir b/test/integration/test-bug-728500-tempdir index 0451fc1ed..e9df0a709 100755 --- a/test/integration/test-bug-728500-tempdir +++ b/test/integration/test-bug-728500-tempdir @@ -17,7 +17,7 @@ msgtest 'Test apt-get update with incorrect' 'TMPDIR' OUTPUT=$(mktemp) addtrap "rm $OUTPUT;" export TMPDIR=/does-not-exists -if aptget update >${OUTPUT} 2>&1; then +if aptget update -o Debug::Acquire::gpg=1 >${OUTPUT} 2>&1; then msgpass else echo -- cgit v1.2.3 From c292cc32b3ab0d70c63e68f7c94446932217c0ec Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 29 Sep 2014 11:47:03 +0200 Subject: more test fixes --- test/integration/test-bug-596498-trusted-unsigned-repo | 2 +- test/integration/test-hashsum-verification | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-bug-596498-trusted-unsigned-repo b/test/integration/test-bug-596498-trusted-unsigned-repo index 06c9c8285..973520a97 100755 --- a/test/integration/test-bug-596498-trusted-unsigned-repo +++ b/test/integration/test-bug-596498-trusted-unsigned-repo @@ -12,7 +12,7 @@ setupaptarchive aptgetupdate() { rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin - aptget update -qq + aptget update -qq --allow-unauthenticated } PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)" diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index 2a400dcb4..2db2bab0f 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -70,9 +70,13 @@ runtest() { rm -rf rootdir/var/lib/apt/lists rm aptarchive/InRelease aptarchive/Release.gpg msgtest 'unsigned apt-get update gets the expected hashsum mismatch' - aptget update 2>&1 | grep "Hash Sum mismatch" > /dev/null && msgpass || msgfail - - + aptget update --allow-unauthenticated >output.log 2>&1 || true + if grep -q "Hash Sum mismatch" output.log; then + msgpass + else + cat output.log + msgfail + fi } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From c99fe2e169243fc6e1a3278ce3768f0f521e260b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 12:21:55 +0200 Subject: Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories} The configuration key Acquire::AllowInsecureRepositories controls if apt allows loading of unsigned repositories at all. The configuration Acquire::AllowDowngradeToInsecureRepositories controls if a signed repository can ever become unsigned. This should really never be needed but we provide it to avoid having to mess around in /var/lib/apt/lists if there is a use-case for this (which I can't think of right now). --- test/integration/test-apt-get-source-authenticated | 2 +- .../integration/test-apt-get-update-unauth-warning | 4 ++-- test/integration/test-apt-update-nofallback | 23 ++++++++++++++++++++++ test/integration/test-apt-update-rollback | 2 +- test/integration/test-apt-update-unauth | 2 +- .../test-bug-596498-trusted-unsigned-repo | 2 +- ...17690-allow-unauthenticated-makes-all-untrusted | 4 ++-- .../test-bug-717891-abolute-uris-for-proxies | 2 +- test/integration/test-bug-738785-switch-protocol | 2 +- test/integration/test-hashsum-verification | 2 +- test/integration/test-policy-pinning | 2 +- 11 files changed, 35 insertions(+), 12 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-source-authenticated b/test/integration/test-apt-get-source-authenticated index d73097b54..d833ddd85 100755 --- a/test/integration/test-apt-get-source-authenticated +++ b/test/integration/test-apt-get-source-authenticated @@ -21,7 +21,7 @@ APTARCHIVE=$(readlink -f ./aptarchive) rm -f $APTARCHIVE/dists/unstable/*Release* # update without authenticated InRelease file -testsuccess aptget update --allow-unauthenticated +testsuccess aptget update --allow-insecure-repositories # this all should fail testfailure aptget install -y foo diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index b1c676738..510249747 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -23,7 +23,7 @@ testequal "Ign file: unstable InRelease Ign file: unstable Release Reading package lists... W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated. -W: Use --allow-unauthenticated to force the update" aptget update +W: Use --allow-insecure-repositories to force the update" aptget update # no package foo testequal "Listing..." apt list foo @@ -32,7 +32,7 @@ testequal "Listing..." apt list foo testequal "Ign file: unstable InRelease Ign file: unstable Release Reading package lists... -W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-unauthenticated +W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-insecure-repositories # ensure we can not install the package testequal "WARNING: The following packages cannot be authenticated! diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index 4e8ea9916..a53226e18 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -78,6 +78,25 @@ test_from_release_gpg_to_unsigned() assert_update_is_refused_and_last_good_state_used } +test_from_inrelease_to_unsigned_with_override() +{ + # setup archive with InRelease file + setupaptarchive_with_lists_clean + testsuccess aptget update + + # simulate moving to a unsigned but otherwise valid repo + simulate_mitm_and_inject_evil_package + generatereleasefiles + + # and ensure we can update to it (with enough force) + testsuccess aptget update --allow-insecure-repositories \ + -o Acquire::AllowDowngradeToInsecureRepositories=1 + # but that the individual packages are still considered untrusted + testequal "WARNING: The following packages cannot be authenticated! + evil +E: There are problems and -y was used without --force-yes" aptget install -qq -y evil +} + test_cve_2012_0214() { # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108 @@ -205,3 +224,7 @@ test_inrelease_to_invalid_inrelease # ensure we revert to last good state if Release/Release.gpg does not verify msgmsg "test_release_gpg_to_invalid_release_release_gpg" test_release_gpg_to_invalid_release_release_gpg + +# ensure we can ovveride the downgrade error +msgmsg "test_from_inrelease_to_unsigned" +test_from_inrelease_to_unsigned_with_override diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index e37be9554..ee8bc6926 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -114,7 +114,7 @@ test_unauthenticated_to_invalid_inrelease() { rm $APTARCHIVE/dists/unstable/Release.gpg avoid_ims_hit - testsuccess aptget update -qq --allow-unauthenticated + testsuccess aptget update -qq --allow-insecure-repositories testequal "WARNING: The following packages cannot be authenticated! old E: There are problems and -y was used without --force-yes" aptget install -qq -y old diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index 5db8a3c16..ade523ea7 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -28,7 +28,7 @@ runtest() { rm -f aptarchive/dists/unstable/*Release* # remove uncompressed version find aptarchive/ -name Packages | xargs rm -f - aptget update -qq --allow-unauthenticated + aptget update -qq --allow-insecure-repositories # become authenticated generatereleasefiles diff --git a/test/integration/test-bug-596498-trusted-unsigned-repo b/test/integration/test-bug-596498-trusted-unsigned-repo index 973520a97..3104a70c2 100755 --- a/test/integration/test-bug-596498-trusted-unsigned-repo +++ b/test/integration/test-bug-596498-trusted-unsigned-repo @@ -12,7 +12,7 @@ setupaptarchive aptgetupdate() { rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin - aptget update -qq --allow-unauthenticated + aptget update -qq --allow-insecure-repositories } PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)" diff --git a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted index 276e10564..0736bb6dc 100755 --- a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted +++ b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted @@ -26,7 +26,7 @@ testrun() { rm -rf rootdir/var/lib/apt if [ "$1" = 'trusted' ]; then - testsuccess aptget update + testsuccess aptget update testsuccess aptget download cool testfileexists 'cool_1.0_i386.deb' @@ -34,7 +34,7 @@ testrun() { testsuccess aptget download cool --allow-unauthenticated testfileexists 'cool_1.0_i386.deb' else - testsuccess aptget update --allow-unauthenticated + testsuccess aptget update --allow-insecure-repositories testfailure aptget download cool testfilemissing 'cool_1.0_i386.deb' diff --git a/test/integration/test-bug-717891-abolute-uris-for-proxies b/test/integration/test-bug-717891-abolute-uris-for-proxies index a8947b5e2..54a616686 100755 --- a/test/integration/test-bug-717891-abolute-uris-for-proxies +++ b/test/integration/test-bug-717891-abolute-uris-for-proxies @@ -12,7 +12,7 @@ setupaptarchive changetowebserver --request-absolute='uri' msgtest 'Check that absolute paths are' 'not accepted' -testfailure --nomsg aptget update --allow-unauthenticated +testfailure --nomsg aptget update --allow-insecure-repositories echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol index 4ff044515..f81bba4b9 100755 --- a/test/integration/test-bug-738785-switch-protocol +++ b/test/integration/test-bug-738785-switch-protocol @@ -60,4 +60,4 @@ mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS} # check that downgrades from https to http are not allowed webserverconfig 'aptwebserver::support::http' 'true' sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/* -testfailure aptget update --allow-unauthenticated +testfailure aptget update --allow-insecure-repositories diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification index 2db2bab0f..5f88110b3 100755 --- a/test/integration/test-hashsum-verification +++ b/test/integration/test-hashsum-verification @@ -70,7 +70,7 @@ runtest() { rm -rf rootdir/var/lib/apt/lists rm aptarchive/InRelease aptarchive/Release.gpg msgtest 'unsigned apt-get update gets the expected hashsum mismatch' - aptget update --allow-unauthenticated >output.log 2>&1 || true + aptget update --allow-insecure-repositories >output.log 2>&1 || true if grep -q "Hash Sum mismatch" output.log; then msgpass else diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning index 2281d7a1d..c08a2f103 100755 --- a/test/integration/test-policy-pinning +++ b/test/integration/test-policy-pinning @@ -28,7 +28,7 @@ Pinned packages:" aptcache policy $* aptgetupdate() { # just to be sure that no old files are used rm -rf rootdir/var/lib/apt - if aptget update --allow-unauthenticated -qq 2>&1 | grep '^E: '; then + if aptget update --allow-insecure-repositories -qq 2>&1 | grep '^E: '; then msgwarn 'apt-get update failed with an error' fi } -- cgit v1.2.3 From e8b1db38cca29cbdc0116e567f0aa7a28034287b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 14:06:01 +0200 Subject: update test/integration/test-releasefile-verification --- test/integration/test-releasefile-verification | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification index e558b83e8..3765a4b1f 100755 --- a/test/integration/test-releasefile-verification +++ b/test/integration/test-releasefile-verification @@ -235,10 +235,21 @@ runtest2() { " aptcache show apt failaptnew } -runtest2 +# diable some protection by default and ensure we still do the verification +# correctly +cat > rootdir/etc/apt/apt.conf.d/weaken-security < Date: Wed, 1 Oct 2014 14:22:46 +0200 Subject: fix test-apt-update-nofallback test --- test/integration/test-apt-update-nofallback | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index a53226e18..c400dcc36 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -181,7 +181,11 @@ test_release_gpg_to_invalid_release_release_gpg() echo "Some evil data" >> $APTARCHIVE/dists/unstable/Release inject_evil_package - testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq + testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable Release.gpg: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) + +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/Release.gpg + +W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq assert_repo_is_intact testfailure grep "evil" rootdir/var/lib/apt/lists/*Release -- cgit v1.2.3 From 0b844e23f014bd3ce95e27fe5fa81138e9ae4879 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 17:13:33 +0200 Subject: hack around test-apt-update-unauth failure --- test/integration/test-apt-update-unauth | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index ade523ea7..cf5195024 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -26,34 +26,43 @@ runtest() { # start unauthenticated find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* - # remove uncompressed version - find aptarchive/ -name Packages | xargs rm -f + aptget update -qq --allow-insecure-repositories + # FIXME: this really shouldn't be needed + rm -f rootdir/var/lib/apt/lists/partial/* + # become authenticated generatereleasefiles signreleasefiles + # move uncompressed away + mv aptarchive/dists/unstable/main/binary-i386/Packages \ + aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed + # and ensure we re-check the downloaded data msgtest "Check rollback on going from unauth -> auth" # change the local packages file PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) echo "meep" > $PKGS - ls -l rootdir/var/lib/apt/lists > lists.before + ls rootdir/var/lib/apt/lists/ > lists.before # update and ensure all is reverted on the hashsum failure - aptget update -o Debug::Acquire::Transaction=1 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 > output.log 2>&1 || true + aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true # ensure we have before what we have after - ls -l rootdir/var/lib/apt/lists > lists.after + ls rootdir/var/lib/apt/lists/ > lists.after if diff -u lists.before lists.after; then msgpass else - #cat output.log + cat output.log msgfail fi + # move uncompressed back for release file + mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \ + aptarchive/dists/unstable/main/binary-i386/Packages } for COMPRESSEDINDEXES in 'false' 'true'; do -- cgit v1.2.3 From 47450dea0904298c8d5ea06b15ea26368da5a4ee Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 1 Oct 2014 18:01:14 +0200 Subject: fix leftover files from Acquire::GzipIndex --- test/integration/test-apt-update-ims | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 3bd6e843c..946dfc7af 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -11,15 +11,30 @@ buildsimplenativepackage 'unrelated' 'all' '0.5~squeeze1' 'unstable' setupaptarchive changetowebserver -testsuccess aptget update +runtest() { + rm -f rootdir/var/lib/apt/lists/localhost* -# check that I-M-S header is kept in redirections -testequal "Hit http://localhost:8080 unstable InRelease + testsuccess aptget update + + # ensure no leftovers in partial + testfailure ls "rootdir/var/lib/apt/lists/partial/*" + + # check that I-M-S header is kept in redirections + testequal "Hit http://localhost:8080 unstable InRelease Hit http://localhost:8080 unstable/main Sources Hit http://localhost:8080 unstable/main amd64 Packages Hit http://localhost:8080 unstable/main Translation-en -Reading package lists..." aptget update +Reading package lists..." aptget update -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 + + # ensure that we still do a hash check on ims hit + msgtest 'Test I-M-S reverify' + aptget update -o Debug::pkgAcquire::Auth=1 2>&1 | grep -A1 'RecivedHash:' | grep -q -- '- SHA' && msgpass || msgfail + + # ensure no leftovers in partial + testfailure ls "rootdir/var/lib/apt/lists/partial/*" +} + +runtest -# ensure that we still do a hash check on ims hit -msgtest 'Test I-M-S reverify' -aptget update -o Debug::pkgAcquire::Auth=1 2>&1 | grep -A1 'RecivedHash:' | grep -q -- '- SHA' && msgpass || msgfail +echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex +runtest -- cgit v1.2.3 From 1e8ba0d4087f72a930a588ce5fbf0c22dddb9403 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 2 Oct 2014 00:38:35 +0200 Subject: donkults fixes --- test/integration/test-apt-by-hash-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-by-hash-update b/test/integration/test-apt-by-hash-update index 23282bf86..6e1ecdaff 100755 --- a/test/integration/test-apt-by-hash-update +++ b/test/integration/test-apt-by-hash-update @@ -34,7 +34,7 @@ Building dependency tree... E: Unable to locate package foo" aptget install -q -s foo # ensure we can apt-get update by hash -testsuccess aptget update -o APT::Acquire::By-Hash=1 +testsuccess aptget update -o APT::Acquire::By-Hash=1 # ensure it works testequal "Inst foo (1.0 unstable [all]) -- cgit v1.2.3 From 1ce243188c2ba218f5dce8ec8b40556d58ed8ec2 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 2 Oct 2014 18:28:55 +0200 Subject: cleanup around pkgAcqMetaSig and improved tests --- test/integration/test-apt-update-ims | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 946dfc7af..38dcd73fd 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -20,11 +20,7 @@ runtest() { testfailure ls "rootdir/var/lib/apt/lists/partial/*" # check that I-M-S header is kept in redirections - testequal "Hit http://localhost:8080 unstable InRelease -Hit http://localhost:8080 unstable/main Sources -Hit http://localhost:8080 unstable/main amd64 Packages -Hit http://localhost:8080 unstable/main Translation-en -Reading package lists..." aptget update -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 + testequal "$EXPECT" aptget update -o Debug::pkgAcquire::Worker=0 -o Debug::Acquire::http=0 # ensure that we still do a hash check on ims hit msgtest 'Test I-M-S reverify' @@ -34,6 +30,34 @@ Reading package lists..." aptget update -o Debug::pkgAcquire::Worker=0 -o Debug testfailure ls "rootdir/var/lib/apt/lists/partial/*" } +EXPECT="Hit http://localhost:8080 unstable InRelease +Hit http://localhost:8080 unstable/main Sources +Hit http://localhost:8080 unstable/main amd64 Packages +Hit http://localhost:8080 unstable/main Translation-en +Reading package lists..." +# with InRelease +runtest + +# with gzip +echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex +runtest + +# FIXME: how can we get rid of this extra line +# "Get:1 http://localhost:8080 unstable Release.gpg" +# +# with Release/Release.gpg +EXPECT="Ign http://localhost:8080 unstable InRelease +Hit http://localhost:8080 unstable Release +Hit http://localhost:8080 unstable Release.gpg +Get:1 http://localhost:8080 unstable Release.gpg +Hit http://localhost:8080 unstable/main Sources +Hit http://localhost:8080 unstable/main amd64 Packages +Hit http://localhost:8080 unstable/main Translation-en +Reading package lists..." + +find aptarchive -name "InRelease" | xargs rm -f + +echo "Acquire::GzipIndexes "0";" > rootdir/etc/apt/apt.conf.d/02compressindex runtest echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex -- cgit v1.2.3 From 0f56b51e125d24cf5af68459077ad1b682743bc2 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 6 Oct 2014 09:34:06 +0200 Subject: update test --- test/integration/test-apt-get-update-unauth-warning | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 510249747..75863615e 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -20,13 +20,17 @@ rm -f $APTARCHIVE/dists/unstable/*Release* # update without authenticated files leads to warning testequal "Ign file: unstable InRelease -Ign file: unstable Release -Reading package lists... +Err file: unstable Release + W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated. -W: Use --allow-insecure-repositories to force the update" aptget update +W: Use --allow-insecure-repositories to force the update +W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release + +E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update # no package foo testequal "Listing..." apt list foo +testequal "partial" ls rootdir/var/lib/apt/lists # allow override testequal "Ign file: unstable InRelease -- cgit v1.2.3 From f30976478e684fc19e48d71881805454ceb6ecae Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 6 Oct 2014 11:45:42 +0200 Subject: Rework pkgAcqMeta{Index,Sig,ClearSig}::Done() for readability Move common code out but do not use subclassing for ::Done to make it easier to understand what each class is doing when its done --- test/integration/test-apt-update-ims | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 38dcd73fd..61b808b0f 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -30,6 +30,7 @@ runtest() { testfailure ls "rootdir/var/lib/apt/lists/partial/*" } +msgmsg "InRelease" EXPECT="Hit http://localhost:8080 unstable InRelease Hit http://localhost:8080 unstable/main Sources Hit http://localhost:8080 unstable/main amd64 Packages @@ -42,14 +43,11 @@ runtest echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex runtest -# FIXME: how can we get rid of this extra line -# "Get:1 http://localhost:8080 unstable Release.gpg" -# +msgmsg "Release/Release.gpg" # with Release/Release.gpg EXPECT="Ign http://localhost:8080 unstable InRelease Hit http://localhost:8080 unstable Release Hit http://localhost:8080 unstable Release.gpg -Get:1 http://localhost:8080 unstable Release.gpg Hit http://localhost:8080 unstable/main Sources Hit http://localhost:8080 unstable/main amd64 Packages Hit http://localhost:8080 unstable/main Translation-en @@ -62,3 +60,23 @@ runtest echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex runtest + + +# no Release.gpg or InRelease +msgmsg "Release only" +EXPECT="Ign http://localhost:8080 unstable InRelease +Hit http://localhost:8080 unstable Release +Ign http://localhost:8080 unstable Release.gpg +Hit http://localhost:8080 unstable/main Sources +Hit http://localhost:8080 unstable/main amd64 Packages +Hit http://localhost:8080 unstable/main Translation-en +Reading package lists..." + +find aptarchive -name "Release.gpg" | xargs rm -f + +echo 'Acquire::AllowInsecureRepositories "1";' > rootdir/etc/apt/apt.conf.d/insecure.conf +echo "Acquire::GzipIndexes "0";" > rootdir/etc/apt/apt.conf.d/02compressindex +runtest + +echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex +runtest -- cgit v1.2.3 From 673c9469abd656a92c7e8f1f91f919cad09f391e Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 6 Oct 2014 14:34:38 +0200 Subject: cleanup pkgAcq*::Failed() --- test/integration/test-apt-get-update-unauth-warning | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 75863615e..37bcea623 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -22,7 +22,7 @@ rm -f $APTARCHIVE/dists/unstable/*Release* testequal "Ign file: unstable InRelease Err file: unstable Release -W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated. +W: The repository 'file: unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository. W: Use --allow-insecure-repositories to force the update W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release -- cgit v1.2.3 From 42299a28ac40721f6cf29c9b786924c2cd4a210f Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 6 Oct 2014 14:43:05 +0200 Subject: fix test --- test/integration/test-apt-get-update-unauth-warning | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 37bcea623..27160b5f9 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -36,8 +36,7 @@ testequal "partial" ls rootdir/var/lib/apt/lists testequal "Ign file: unstable InRelease Ign file: unstable Release Reading package lists... -W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-insecure-repositories - +W: The repository 'file: unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository." aptget update --allow-insecure-repositories # ensure we can not install the package testequal "WARNING: The following packages cannot be authenticated! foo -- cgit v1.2.3 From 04a54261afd1c99686109f102afc83346c01c930 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 6 Oct 2014 11:15:03 +0200 Subject: ensure partial dirs are 0700 and owned by _apt:root Reworks the API involved in creating and setting up the fetcher to be a bit more pleasent to look at and work with as e.g. an empty string for no lock isn't very nice. With the lock we can also stop creating all our partial directories "just in case". This way we can also be a bit more aggressive with the partial directory itself as with a lock, we know we will gone need it. --- test/integration/test-apt-get-clean | 1 + 1 file changed, 1 insertion(+) (limited to 'test/integration') diff --git a/test/integration/test-apt-get-clean b/test/integration/test-apt-get-clean index 646ea31be..98f7c84d0 100755 --- a/test/integration/test-apt-get-clean +++ b/test/integration/test-apt-get-clean @@ -18,6 +18,7 @@ testsuccess aptget clean # generate some dirt and clean it up touch rootdir/var/lib/apt/lists/partial/http.debian.net_debian_dists_sid_main_i18n_Translation-en +mkdir -p rootdir/var/cache/apt/archives touch rootdir/var/cache/apt/archives/foo_1_all.deb touch rootdir/var/cache/apt/archives/foo_2_all.deb touch rootdir/var/cache/apt/archives/foo_3_all.deb -- cgit v1.2.3 From 5684f71fa0f6c1b765aa53e22ca3b024c578b9c9 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 6 Oct 2014 14:29:53 +0200 Subject: use _apt:root only for partial directories Using a different user for calling methods is intended to protect us from methods running amok (via remotely exploited bugs) by limiting what can be done by them. By using root:root for the final directories and just have the files in partial writeable by the methods we enhance this in sofar as a method can't modify already verified data in its parent directory anymore. As a side effect, this also clears most of the problems you could have if the final directories are shared without user-sharing or if these directories disappear as they are now again root owned and only the partial directories contain _apt owned files (usually none if apt isn't running) and the directory itself is autocreated with the right permissions. --- test/integration/framework | 22 +++++++++++++++++----- test/integration/test-apt-get-download | 16 ++++++++++++++++ test/integration/test-apt-update-unauth | 20 +++++++++++--------- 3 files changed, 44 insertions(+), 14 deletions(-) (limited to 'test/integration') diff --git a/test/integration/framework b/test/integration/framework index e83606fae..688a1abf2 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -164,9 +164,10 @@ addtrap() { setupenvironment() { TMPWORKINGDIRECTORY=$(mktemp -d) - TESTDIRECTORY=$(readlink -f $(dirname $0)) + addtrap "cd /; rm -rf $TMPWORKINGDIRECTORY;" msgninfo "Preparing environment for ${CCMD}$(basename $0)${CINFO} in ${TMPWORKINGDIRECTORY}… " + TESTDIRECTORY=$(readlink -f $(dirname $0)) # allow overriding the default BUILDDIR location BUILDDIRECTORY=${APT_INTEGRATION_TESTS_BUILD_DIR:-"${TESTDIRECTORY}/../../build/bin"} LIBRARYPATH=${APT_INTEGRATION_TESTS_LIBRARY_PATH:-"${BUILDDIRECTORY}"} @@ -177,7 +178,6 @@ setupenvironment() { test -x "${BUILDDIRECTORY}/apt-get" || msgdie "You need to build tree first" # ----- - addtrap "cd /; rm -rf $TMPWORKINGDIRECTORY;" cd $TMPWORKINGDIRECTORY mkdir rootdir aptarchive keys cd rootdir @@ -210,6 +210,7 @@ setupenvironment() { cp "${TESTDIRECTORY}/${SOURCESSFILE}" aptarchive/Sources fi cp $(find $TESTDIRECTORY -name '*.pub' -o -name '*.sec') keys/ + chmod 644 $(find keys -name '*.pub' -o -name '*.sec') ln -s ${TMPWORKINGDIRECTORY}/keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg echo "Dir \"${TMPWORKINGDIRECTORY}/rootdir\";" > aptconfig.conf echo "Dir::state::status \"${TMPWORKINGDIRECTORY}/rootdir/var/lib/dpkg/status\";" >> aptconfig.conf @@ -837,9 +838,7 @@ setupaptarchive() { fi signreleasefiles if [ "$1" != '--no-update' ]; then - msgninfo "\tSync APT's cache with the archive… " - aptget update -qq - msgdone "info" + testsuccess aptget update -o Debug::pkgAcquire::Worker=true -o Debug::Acquire::gpgv=true fi } @@ -1175,6 +1174,19 @@ testfailure() { fi } +testaccessrights() { + msgtest "Test that file $1 has access rights set to" "$2" + if [ "$2" = "$(stat --format '%a' "$1")" ]; then + msgpass + else + echo >&2 + ls -l >&2 "$1" + echo -n >&2 "stat(1) reports access rights: " + stat --format '%a' "$1" + msgfail + fi +} + testwebserverlaststatuscode() { local DOWNLOG='rootdir/tmp/webserverstatus-testfile.log' local STATUS='rootdir/tmp/webserverstatus-statusfile.log' diff --git a/test/integration/test-apt-get-download b/test/integration/test-apt-get-download index 58ed44f8f..0514542b3 100755 --- a/test/integration/test-apt-get-download +++ b/test/integration/test-apt-get-download @@ -11,8 +11,23 @@ buildsimplenativepackage 'apt' 'all' '1.0' 'stable' buildsimplenativepackage 'apt' 'all' '2.0' 'unstable' insertinstalledpackage 'vrms' 'all' '1.0' +umask 0027 + setupaptarchive +# apt-ftparchive knows how to chmod files +find aptarchive/dists -name '*Packages*' -type f | while read file; do + testaccessrights "$file" '644' +done +# created by the framework without special care +find aptarchive/dists -name '*Release*' -type f | while read file; do + testaccessrights "$file" '640' +done +# all copied files are properly chmodded +find rootdir/var/lib/apt/lists -type f | while read file; do + testaccessrights "$file" '644' +done + testdownload() { local APT="$2" if [ -n "$3" ]; then @@ -65,6 +80,7 @@ testsuccess aptget update # test with already stored deb testsuccess aptget install -d apt testsuccess test -s rootdir/var/cache/apt/archives/apt_2.0_all.deb +testaccessrights 'aptarchive/pool/apt_2.0_all.deb' '644' mv aptarchive/pool/apt_2.0_all.deb aptarchive/pool/apt_2.0_all.deb.gone testdownload apt_2.0_all.deb apt mv aptarchive/pool/apt_2.0_all.deb.gone aptarchive/pool/apt_2.0_all.deb diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth index cf5195024..b7ccd6cf3 100755 --- a/test/integration/test-apt-update-unauth +++ b/test/integration/test-apt-update-unauth @@ -27,7 +27,7 @@ runtest() { find rootdir/var/lib/apt/lists/ -type f | xargs rm -f rm -f aptarchive/dists/unstable/*Release* - aptget update -qq --allow-insecure-repositories + testsuccess aptget update -qq --allow-insecure-repositories # FIXME: this really shouldn't be needed rm -f rootdir/var/lib/apt/lists/partial/* @@ -41,7 +41,6 @@ runtest() { aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed # and ensure we re-check the downloaded data - msgtest "Check rollback on going from unauth -> auth" # change the local packages file PKGS=$(ls rootdir/var/lib/apt/lists/*Packages*) @@ -49,18 +48,22 @@ runtest() { ls rootdir/var/lib/apt/lists/ > lists.before # update and ensure all is reverted on the hashsum failure - aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 > output.log 2>&1 || true + testfailure aptget update -o Debug::Acquire::Transaction=0 -o Debug::pkgAcquire::Auth=1 -o Debug::pkgAcquire::worker=0 -o Debug::acquire::http=0 # ensure we have before what we have after + msgtest 'Check rollback on going from' 'unauth -> auth' ls rootdir/var/lib/apt/lists/ > lists.after - if diff -u lists.before lists.after; then + if cmp lists.before lists.after; then msgpass else - cat output.log - msgfail + echo >&2 '### Output of previous apt-get update ###' + cat >&2 rootdir/tmp/testfailure.output + echo >&2 '### Changes in the lists-directory: ###' + diff -u >&2 lists.before lists.after + msgfail fi - # move uncompressed back for release file + # move uncompressed back for release file mv aptarchive/dists/unstable/main/binary-i386/Packages.uncompressed \ aptarchive/dists/unstable/main/binary-i386/Packages } @@ -72,6 +75,5 @@ for COMPRESSEDINDEXES in 'false' 'true'; do else msgmsg 'Run tests with GzipIndexes disabled' fi - - runtest + runtest done -- cgit v1.2.3 From 4dbfe436c60880f2625e4d3a9d0127a83dd6276e Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Tue, 7 Oct 2014 01:46:30 +0200 Subject: display errortext for all Err as well as Ign logs consistently using Item::Failed in all specializec classes helps setting up some information bits otherwise unset, so some errors had an empty reason as an error. Ign is upgraded to display the error message we ignored to further help in understanding what happens. --- test/integration/framework | 13 ++- .../integration/test-apt-get-update-unauth-warning | 7 +- test/integration/test-apt-update-ims | 5 +- test/integration/test-apt-update-nofallback | 2 +- test/integration/test-apt-update-rollback | 101 ++++++++++----------- .../test-bug-595691-empty-and-broken-archive-files | 2 +- 6 files changed, 70 insertions(+), 60 deletions(-) (limited to 'test/integration') diff --git a/test/integration/framework b/test/integration/framework index 688a1abf2..29e5fafe6 100644 --- a/test/integration/framework +++ b/test/integration/framework @@ -715,7 +715,7 @@ buildaptarchivefromincoming() { aptftparchive -qq generate ftparchive.conf cd - > /dev/null msgdone "info" - generatereleasefiles + generatereleasefiles "$@" } buildaptarchivefromfiles() { @@ -830,14 +830,19 @@ setupflataptarchive() { } setupaptarchive() { - buildaptarchive + local NOUPDATE=0 + if [ "$1" = '--no-update' ]; then + NOUPDATE=1 + shift + fi + buildaptarchive "$@" if [ -e aptarchive/dists ]; then setupdistsaptarchive else setupflataptarchive fi - signreleasefiles - if [ "$1" != '--no-update' ]; then + signreleasefiles 'Joe Sixpack' "$@" + if [ "1" != "$NOUPDATE" ]; then testsuccess aptget update -o Debug::pkgAcquire::Worker=true -o Debug::Acquire::gpgv=true fi } diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning index 27160b5f9..8e212a3c4 100755 --- a/test/integration/test-apt-get-update-unauth-warning +++ b/test/integration/test-apt-get-update-unauth-warning @@ -20,11 +20,12 @@ rm -f $APTARCHIVE/dists/unstable/*Release* # update without authenticated files leads to warning testequal "Ign file: unstable InRelease + File not found Err file: unstable Release - + File not found W: The repository 'file: unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository. W: Use --allow-insecure-repositories to force the update -W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release +W: Failed to fetch file:$APTARCHIVE/dists/unstable/Release File not found E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update @@ -34,7 +35,9 @@ testequal "partial" ls rootdir/var/lib/apt/lists # allow override testequal "Ign file: unstable InRelease + File not found Ign file: unstable Release + File not found Reading package lists... W: The repository 'file: unstable Release' does not have a Release file. This is deprecated, please contact the owner of the repository." aptget update --allow-insecure-repositories # ensure we can not install the package diff --git a/test/integration/test-apt-update-ims b/test/integration/test-apt-update-ims index 61b808b0f..8aa5a7262 100755 --- a/test/integration/test-apt-update-ims +++ b/test/integration/test-apt-update-ims @@ -44,8 +44,9 @@ echo "Acquire::GzipIndexes "1";" > rootdir/etc/apt/apt.conf.d/02compressindex runtest msgmsg "Release/Release.gpg" -# with Release/Release.gpg +# with Release/Release.gpg EXPECT="Ign http://localhost:8080 unstable InRelease + 404 Not Found Hit http://localhost:8080 unstable Release Hit http://localhost:8080 unstable Release.gpg Hit http://localhost:8080 unstable/main Sources @@ -65,8 +66,10 @@ runtest # no Release.gpg or InRelease msgmsg "Release only" EXPECT="Ign http://localhost:8080 unstable InRelease + 404 Not Found Hit http://localhost:8080 unstable Release Ign http://localhost:8080 unstable Release.gpg + 404 Not Found Hit http://localhost:8080 unstable/main Sources Hit http://localhost:8080 unstable/main amd64 Packages Hit http://localhost:8080 unstable/main Translation-en diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback index c400dcc36..321472c2e 100755 --- a/test/integration/test-apt-update-nofallback +++ b/test/integration/test-apt-update-nofallback @@ -161,7 +161,7 @@ test_inrelease_to_invalid_inrelease() testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) -W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease +W: Failed to fetch file:${APTARCHIVE}/dists/unstable/InRelease The following signatures were invalid: BADSIG 5A90D141DBAC8DAE Joe Sixpack (APT Testcases Dummy) W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback index ee8bc6926..5b9c200fe 100755 --- a/test/integration/test-apt-update-rollback +++ b/test/integration/test-apt-update-rollback @@ -19,44 +19,44 @@ create_fresh_archive() insertpackage 'unstable' 'old' 'all' '1.0' - setupaptarchive + setupaptarchive --no-update } add_new_package() { insertpackage "unstable" "new" "all" "1.0" insertsource "unstable" "new" "all" "1.0" - setupaptarchive --no-update - - avoid_ims_hit + setupaptarchive --no-update "$@" } break_repository_sources_index() { - printf "xxx" > $APTARCHIVE/dists/unstable/main/source/Sources - gzip -c $APTARCHIVE/dists/unstable/main/source/Sources > \ - $APTARCHIVE/dists/unstable/main/source/Sources.gz - avoid_ims_hit + printf 'xxx' > $APTARCHIVE/dists/unstable/main/source/Sources + compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@" } -test_inrelease_to_new_inrelease() { - msgmsg "Test InRelease to new InRelease works fine" +start_with_good_inrelease() { create_fresh_archive + testsuccess aptget update testequal "old/unstable 1.0 all" apt list -q +} - add_new_package +test_inrelease_to_new_inrelease() { + msgmsg 'Test InRelease to new InRelease works fine' + start_with_good_inrelease + add_new_package '+1hour' testsuccess aptget update -o Debug::Acquire::Transaction=1 - testequal "new/unstable 1.0 all old/unstable 1.0 all" apt list -q } test_inrelease_to_broken_hash_reverts_all() { - msgmsg "Test InRelease to broken InRelease reverts everything" - create_fresh_archive - add_new_package + msgmsg 'Test InRelease to broken InRelease reverts everything' + start_with_good_inrelease + + add_new_package '+1hour' # break the Sources file - break_repository_sources_index + break_repository_sources_index '+1hour' # test the error condition testequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch @@ -66,14 +66,14 @@ E: Some index files failed to download. They have been ignored, or old ones used testequal "E: Unable to locate package new" aptget install new -s -qq } -test_inreleae_to_valid_release() { - msgmsg "Test InRelease to valid Release" - create_fresh_archive - add_new_package - # switch to a unsinged repo now +test_inrelease_to_valid_release() { + msgmsg 'Test InRelease to valid Release' + start_with_good_inrelease + + add_new_package '+1hour' + # switch to a unsigned repo now rm $APTARCHIVE/dists/unstable/InRelease rm $APTARCHIVE/dists/unstable/Release.gpg - avoid_ims_hit # update fails testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq @@ -85,16 +85,17 @@ test_inreleae_to_valid_release() { testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release } -test_inreleae_to_release_reverts_all() { - msgmsg "Test InRelease to broken Release reverts everything" - create_fresh_archive +test_inrelease_to_release_reverts_all() { + msgmsg 'Test InRelease to broken Release reverts everything' + start_with_good_inrelease - # switch to a unsinged repo now - add_new_package + # switch to a unsigned repo now + add_new_package '+1hour' rm $APTARCHIVE/dists/unstable/InRelease rm $APTARCHIVE/dists/unstable/Release.gpg + # break it - break_repository_sources_index + break_repository_sources_index '+1hour' # ensure error testequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1 @@ -107,21 +108,19 @@ test_inreleae_to_release_reverts_all() { } test_unauthenticated_to_invalid_inrelease() { - msgmsg "Test UnAuthenticated to invalid InRelease reverts everything" + msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything' create_fresh_archive - rm -rf rootdir/var/lib/apt/lists/* rm $APTARCHIVE/dists/unstable/InRelease rm $APTARCHIVE/dists/unstable/Release.gpg - avoid_ims_hit - - testsuccess aptget update -qq --allow-insecure-repositories + + testsuccess aptget update --allow-insecure-repositories testequal "WARNING: The following packages cannot be authenticated! old E: There are problems and -y was used without --force-yes" aptget install -qq -y old - + # go to authenticated but not correct - add_new_package - break_repository_sources_index + add_new_package '+1hour' + break_repository_sources_index '+1hour' testequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch @@ -134,14 +133,14 @@ E: There are problems and -y was used without --force-yes" aptget install -qq -y } test_inrelease_to_unauth_inrelease() { - msgmsg "Test InRelease to InRelease without sig" - create_fresh_archive - signreleasefiles 'Marvin Paranoid' - avoid_ims_hit - + msgmsg 'Test InRelease to InRelease without good sig' + start_with_good_inrelease + + signreleasefiles 'Marvin Paranoid' '+1hour' + testequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 -W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease +W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq @@ -150,13 +149,13 @@ W: Some index files failed to download. They have been ignored, or old ones used test_inrelease_to_broken_gzip() { msgmsg "Test InRelease to broken gzip" - create_fresh_archive - # append junk at the end of the gzip, this + start_with_good_inrelease + + # append junk at the end of the compressed file echo "lala" >> $APTARCHIVE/dists/unstable/main/source/Sources.gz - # remove uncompressed file, otherwise apt will just fallback fetching - # that + touch -d '+2min' $APTARCHIVE/dists/unstable/main/source/Sources.gz + # remove uncompressed file to avoid fallback rm $APTARCHIVE/dists/unstable/main/source/Sources - avoid_ims_hit testfailure aptget update } @@ -174,7 +173,7 @@ ROOTDIR=${TMPWORKINGDIRECTORY}/rootdir APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )" # test the following cases: -# - InRelease -> broken InRelease revert to previous state +# - InRelease -> broken InRelease revert to previous state # - empty lists dir and broken remote leaves nothing on the system # - InRelease -> hashsum mismatch for one file reverts all files to previous state # - Release/Release.gpg -> hashsum mismatch @@ -184,13 +183,13 @@ APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )" # - unauthenticated -> invalid InRelease # stuff to do: -# - ims-hit +# - ims-hit # - gzip-index tests test_inrelease_to_new_inrelease test_inrelease_to_broken_hash_reverts_all -test_inreleae_to_valid_release -test_inreleae_to_release_reverts_all +test_inrelease_to_valid_release +test_inrelease_to_release_reverts_all test_unauthenticated_to_invalid_inrelease test_inrelease_to_unauth_inrelease test_inrelease_to_broken_gzip diff --git a/test/integration/test-bug-595691-empty-and-broken-archive-files b/test/integration/test-bug-595691-empty-and-broken-archive-files index 683c174bd..fedf82c92 100755 --- a/test/integration/test-bug-595691-empty-and-broken-archive-files +++ b/test/integration/test-bug-595691-empty-and-broken-archive-files @@ -13,7 +13,7 @@ setupflataptarchive testaptgetupdate() { rm -rf rootdir/var/lib/apt aptget update 2>> testaptgetupdate.diff >> testaptgetupdate.diff || true - sed -i -e '/Ign / d' -e '/Release/ d' -e 's#Get:[0-9]\+ #Get: #' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff + sed -i -e '/Ign /,+1d' -e '/Release/ d' -e 's#Get:[0-9]\+ #Get: #' -e 's#\[[0-9]* [kMGTPY]*B\]#\[\]#' testaptgetupdate.diff GIVEN="$1" shift msgtest "Test for correctness of" "apt-get update with $*" -- cgit v1.2.3