2017-05-26 20:08:45 +00:00
|
|
|
"""
|
2018-01-04 03:53:35 +00:00
|
|
|
Copyright 2018 Oliver Smith
|
2017-05-26 20:08:45 +00:00
|
|
|
|
|
|
|
|
This file is part of pmbootstrap.
|
|
|
|
|
|
|
|
|
|
pmbootstrap is free software: you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
pmbootstrap is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with pmbootstrap. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
"""
|
|
|
|
|
import os
|
|
|
|
|
import sys
|
|
|
|
|
import tarfile
|
|
|
|
|
import glob
|
|
|
|
|
import pytest
|
|
|
|
|
|
|
|
|
|
# Import from parent directory
|
2017-08-15 14:08:48 +00:00
|
|
|
pmb_src = os.path.realpath(os.path.join(os.path.dirname(__file__) + "/.."))
|
2017-05-26 20:08:45 +00:00
|
|
|
sys.path.append(pmb_src)
|
|
|
|
|
import pmb.chroot.apk_static
|
2018-09-17 10:06:57 +00:00
|
|
|
import pmb.config
|
2017-05-26 20:08:45 +00:00
|
|
|
import pmb.parse.apkindex
|
Properly rebuild/install packages when something changed (Fix #120, #108, #131) (#129)
TLDR: Always rebuild/install packages when something changed when executing "pmbootstrap install/initfs/flash", more speed in dependency resolution.
---
pmbootstrap has already gotten some support for "timestamp based rebuilds", which modifies the logic for when packages should be rebuilt. It doesn't only consider packages outdated with old pkgver/pkgrel combinations, but also packages, where a source file has a newer timestamp, than the built package has.
I've found out, that this can lead to more rebuilds than expected. For example, when you check out the pmbootstrap git repository again into another folder, although you have already built packages. Then all files have the timestamp of the checkout, and the packages will appear to be outdated. While this is not largely a concern now, this will become a problem once we have a binary package repository, because then the packages from the binary repo will always seem to be outdated, if you just freshly checked out the repository.
To combat this, git gets asked if the files from the aport we're looking at are in sync with upstream, or not. Only when the files are not in sync with upstream and the timestamps of the sources are newer, a rebuild gets triggered from now on.
In case this logic should fail, I've added an option during "pmbootstrap init" where you can enable or disable the "timestamp based rebuilds" option.
In addition to that, this commit also works on fixing #120: packages do not get updated in "pmbootstrap install" after they have been rebuilt. For this to work, we specify all packages explicitly for abuild, instead of letting abuild do the resolving. This feature will also work with the "timestamp based rebuilds".
This commit also fixes the working_dir argument in pmb.helpers.run.user, which was simply ignored before.
Finally, the performance of the dependency resolution is faster again (when compared to the current version in master), because the parsed apkbuilds and finding the aport by pkgname gets cached during one pmbootstrap call (in args.cache, which also makes it easy to put fake data there in testcases).
The new dependency resolution code can output lots of verbose messages for debugging by specifying the `-v` parameter. The meaning of that changed, it used to output the file names where log messages come from, but no one seemed to use that anyway.
2017-07-10 15:23:43 +00:00
|
|
|
import pmb.helpers.logging
|
2017-05-26 20:08:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.fixture
|
Debian Jessie/Python 3.4 support for the most part (#6)
* automatically find the chroot binary on Debian, even if it is not
in the user's PATH
* don't use subprocess.run anymore (remove related testcase, that explicitly
checked for subprocess.run usage, and used recursive globbing, another
post 3.4 Python feature, for the checks. A similar case can be added in the
future, but right now it's more important to get Debian 3.4 working and all
PRs are reviewed anyway.)
* pytest fixtures: don't use the newer "yield" feature, as this is only
supported in a newer version of pytest, than provided on Debian Jessie
From manually testing, most stuff works in Debian Jessie. However, the
testsuite does not run through - creating an empty .tar.gz with Python
fails for some reason (this is done in test_apk_static.py).
2017-05-29 18:38:11 +00:00
|
|
|
def args(request):
|
2017-05-26 20:08:45 +00:00
|
|
|
import pmb.parse
|
|
|
|
|
sys.argv = ["pmbootstrap.py", "chroot"]
|
|
|
|
|
args = pmb.parse.arguments()
|
Properly rebuild/install packages when something changed (Fix #120, #108, #131) (#129)
TLDR: Always rebuild/install packages when something changed when executing "pmbootstrap install/initfs/flash", more speed in dependency resolution.
---
pmbootstrap has already gotten some support for "timestamp based rebuilds", which modifies the logic for when packages should be rebuilt. It doesn't only consider packages outdated with old pkgver/pkgrel combinations, but also packages, where a source file has a newer timestamp, than the built package has.
I've found out, that this can lead to more rebuilds than expected. For example, when you check out the pmbootstrap git repository again into another folder, although you have already built packages. Then all files have the timestamp of the checkout, and the packages will appear to be outdated. While this is not largely a concern now, this will become a problem once we have a binary package repository, because then the packages from the binary repo will always seem to be outdated, if you just freshly checked out the repository.
To combat this, git gets asked if the files from the aport we're looking at are in sync with upstream, or not. Only when the files are not in sync with upstream and the timestamps of the sources are newer, a rebuild gets triggered from now on.
In case this logic should fail, I've added an option during "pmbootstrap init" where you can enable or disable the "timestamp based rebuilds" option.
In addition to that, this commit also works on fixing #120: packages do not get updated in "pmbootstrap install" after they have been rebuilt. For this to work, we specify all packages explicitly for abuild, instead of letting abuild do the resolving. This feature will also work with the "timestamp based rebuilds".
This commit also fixes the working_dir argument in pmb.helpers.run.user, which was simply ignored before.
Finally, the performance of the dependency resolution is faster again (when compared to the current version in master), because the parsed apkbuilds and finding the aport by pkgname gets cached during one pmbootstrap call (in args.cache, which also makes it easy to put fake data there in testcases).
The new dependency resolution code can output lots of verbose messages for debugging by specifying the `-v` parameter. The meaning of that changed, it used to output the file names where log messages come from, but no one seemed to use that anyway.
2017-07-10 15:23:43 +00:00
|
|
|
args.log = args.work + "/log_testsuite.txt"
|
|
|
|
|
pmb.helpers.logging.init(args)
|
Debian Jessie/Python 3.4 support for the most part (#6)
* automatically find the chroot binary on Debian, even if it is not
in the user's PATH
* don't use subprocess.run anymore (remove related testcase, that explicitly
checked for subprocess.run usage, and used recursive globbing, another
post 3.4 Python feature, for the checks. A similar case can be added in the
future, but right now it's more important to get Debian 3.4 working and all
PRs are reviewed anyway.)
* pytest fixtures: don't use the newer "yield" feature, as this is only
supported in a newer version of pytest, than provided on Debian Jessie
From manually testing, most stuff works in Debian Jessie. However, the
testsuite does not run through - creating an empty .tar.gz with Python
fails for some reason (this is done in test_apk_static.py).
2017-05-29 18:38:11 +00:00
|
|
|
request.addfinalizer(args.logfd.close)
|
|
|
|
|
return args
|
2017-05-26 20:08:45 +00:00
|
|
|
|
|
|
|
|
|
2017-05-30 18:47:19 +00:00
|
|
|
def test_read_signature_info(args):
|
|
|
|
|
# Tempfolder inside chroot for fake apk files
|
|
|
|
|
tmp_path = "/tmp/test_read_signature_info"
|
2017-06-19 17:53:31 +00:00
|
|
|
tmp_path_outside = args.work + "/chroot_native" + tmp_path
|
|
|
|
|
if os.path.exists(tmp_path_outside):
|
2017-05-30 18:47:19 +00:00
|
|
|
pmb.chroot.root(args, ["rm", "-r", tmp_path])
|
|
|
|
|
pmb.chroot.user(args, ["mkdir", "-p", tmp_path])
|
|
|
|
|
|
|
|
|
|
# No signature found
|
|
|
|
|
pmb.chroot.user(args, ["tar", "-czf", tmp_path + "/no_sig.apk",
|
|
|
|
|
"/etc/issue"])
|
2017-06-19 17:53:31 +00:00
|
|
|
with tarfile.open(tmp_path_outside + "/no_sig.apk", "r:gz") as tar:
|
2017-05-26 20:08:45 +00:00
|
|
|
with pytest.raises(RuntimeError) as e:
|
|
|
|
|
pmb.chroot.apk_static.read_signature_info(tar)
|
|
|
|
|
assert "Could not find signature" in str(e.value)
|
|
|
|
|
|
2017-05-30 18:47:19 +00:00
|
|
|
# Signature file with invalid name
|
|
|
|
|
pmb.chroot.user(args, ["mkdir", "-p", tmp_path + "/sbin"])
|
|
|
|
|
pmb.chroot.user(args, ["cp", "/etc/issue", tmp_path +
|
|
|
|
|
"/sbin/apk.static.SIGN.RSA.invalid.pub"])
|
|
|
|
|
pmb.chroot.user(args, ["tar", "-czf", tmp_path + "/invalid_sig.apk",
|
|
|
|
|
"sbin/apk.static.SIGN.RSA.invalid.pub"],
|
|
|
|
|
working_dir=tmp_path)
|
2017-06-19 17:53:31 +00:00
|
|
|
with tarfile.open(tmp_path_outside + "/invalid_sig.apk", "r:gz") as tar:
|
2017-05-26 20:08:45 +00:00
|
|
|
with pytest.raises(RuntimeError) as e:
|
|
|
|
|
pmb.chroot.apk_static.read_signature_info(tar)
|
|
|
|
|
assert "Invalid signature key" in str(e.value)
|
|
|
|
|
|
2017-05-30 18:47:19 +00:00
|
|
|
# Signature file with realistic name
|
2018-09-17 10:06:57 +00:00
|
|
|
path = glob.glob(pmb.config.apk_keys_path + "/*.pub")[0]
|
2017-05-26 20:08:45 +00:00
|
|
|
name = os.path.basename(path)
|
|
|
|
|
path_archive = "sbin/apk.static.SIGN.RSA." + name
|
2017-05-30 18:47:19 +00:00
|
|
|
pmb.chroot.user(args, ["mv", tmp_path + "/sbin/apk.static.SIGN.RSA.invalid.pub",
|
|
|
|
|
tmp_path + "/" + path_archive])
|
|
|
|
|
pmb.chroot.user(args, ["tar", "-czf", tmp_path + "/realistic_name_sig.apk",
|
|
|
|
|
path_archive], working_dir=tmp_path)
|
2017-06-19 17:53:31 +00:00
|
|
|
with tarfile.open(tmp_path_outside + "/realistic_name_sig.apk", "r:gz") as tar:
|
2017-05-26 20:08:45 +00:00
|
|
|
sigfilename, sigkey_path = pmb.chroot.apk_static.read_signature_info(
|
|
|
|
|
tar)
|
2017-05-30 18:47:19 +00:00
|
|
|
assert sigfilename == path_archive
|
|
|
|
|
assert sigkey_path == path
|
|
|
|
|
|
|
|
|
|
# Clean up
|
|
|
|
|
pmb.chroot.user(args, ["rm", "-r", tmp_path])
|
2017-05-26 20:08:45 +00:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_successful_extraction(args, tmpdir):
|
|
|
|
|
if os.path.exists(args.work + "/apk.static"):
|
|
|
|
|
os.remove(args.work + "/apk.static")
|
|
|
|
|
|
|
|
|
|
pmb.chroot.apk_static.init(args)
|
|
|
|
|
assert os.path.exists(args.work + "/apk.static")
|
|
|
|
|
os.remove(args.work + "/apk.static")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_signature_verification(args, tmpdir):
|
|
|
|
|
if os.path.exists(args.work + "/apk.static"):
|
|
|
|
|
os.remove(args.work + "/apk.static")
|
|
|
|
|
|
2018-02-20 19:52:28 +00:00
|
|
|
version = pmb.parse.apkindex.package(args, "apk-tools-static")["version"]
|
2017-05-26 20:08:45 +00:00
|
|
|
apk_path = pmb.chroot.apk_static.download(args,
|
|
|
|
|
"apk-tools-static-" + version + ".apk")
|
|
|
|
|
|
|
|
|
|
# Extract to temporary folder
|
|
|
|
|
with tarfile.open(apk_path, "r:gz") as tar:
|
|
|
|
|
sigfilename, sigkey_path = pmb.chroot.apk_static.read_signature_info(
|
|
|
|
|
tar)
|
|
|
|
|
files = pmb.chroot.apk_static.extract_temp(tar, sigfilename)
|
|
|
|
|
|
|
|
|
|
# Verify signature (successful)
|
|
|
|
|
pmb.chroot.apk_static.verify_signature(args, files, sigkey_path)
|
|
|
|
|
|
|
|
|
|
# Append data to extracted apk.static
|
|
|
|
|
with open(files["apk"]["temp_path"], "ab") as handle:
|
|
|
|
|
handle.write("appended something".encode())
|
|
|
|
|
|
|
|
|
|
# Verify signature again (fail) (this deletes the tempfiles)
|
|
|
|
|
with pytest.raises(RuntimeError) as e:
|
|
|
|
|
pmb.chroot.apk_static.verify_signature(args, files, sigkey_path)
|
|
|
|
|
assert "Failed to validate signature" in str(e.value)
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Test "apk.static --version" check
|
|
|
|
|
#
|
|
|
|
|
with pytest.raises(RuntimeError) as e:
|
|
|
|
|
pmb.chroot.apk_static.extract(args, "99.1.2-r1", apk_path)
|
|
|
|
|
assert "downgrade attack" in str(e.value)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def test_outdated_version(args):
|
|
|
|
|
if os.path.exists(args.work + "/apk.static"):
|
|
|
|
|
os.remove(args.work + "/apk.static")
|
|
|
|
|
|
|
|
|
|
# change min version
|
|
|
|
|
min = pmb.config.apk_tools_static_min_version
|
|
|
|
|
pmb.config.apk_tools_static_min_version = "99.1.2-r1"
|
|
|
|
|
|
|
|
|
|
with pytest.raises(RuntimeError) as e:
|
|
|
|
|
pmb.chroot.apk_static.init(args)
|
|
|
|
|
assert "outdated version" in str(e.value)
|
|
|
|
|
|
|
|
|
|
# reset min version
|
|
|
|
|
pmb.config.apk_tools_static_min_version = min
|