Infra: in dgit-repos-policy-debian, fix history tagg lookup

[dgit.git] / infra / dgit-repos-policy-debian

#!/usr/bin/perl -w
# dgit repos policy hook script for Debian

use strict;
$SIG{__WARN__} = sub { die $_[0]; };

use POSIX;
use JSON;
use File::Temp qw(tempfile);
use DBI;
use IPC::Open2;
use Data::Dumper;

use Debian::Dgit qw(:DEFAULT :policyflags);
use Debian::Dgit::Policy::Debian;

initdebug('%');
enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};

our $distro = shift @ARGV // die "need DISTRO";
our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
our $distrodir = shift @ARGV // die "need DISTRO-DIR";
our $action = shift @ARGV // die "need ACTION";

our $publicmode = 02775;
our $new_upload_propagation_slop = 3600*4 + 100;# fixme config;

our $poldbh;
our $pkg;
our $pkgdir;
our ($pkg_exists,$pkg_secret);

our $stderr;

our ($version,$suite,$tagname);
our %deliberately;

# We assume that it is not possible for NEW to have a version older
# than sid.

# Whenever pushing, we check for
#   source-package-local tainted history
#   global tainted history
#   can be overridden by --deliberately except for an admin prohib taint
# 
# ALL of the following apply only if history is secret:
# 
# if NEW has no version, or a version which is not in our history[1]
#   (always)
#   check all suites
#   if any suite's version is in our history[1], publish our history
#   otherwise discard our history,
#     tainting --deliberately-include-questionable-history
# 
# if NEW has a version which is in our history[1]
#   (on push only)
#   require explicit specification of one of
#     --deliberately-include-questionable-history
#     --deliberately-not-fast-forward
#       (latter will taint old NEW version --d-i-q-h)
#   (otherwise)
#   leave it be
# 
# [1] looking for the relevant git tag for the version number and not
#    caring what that tag refers to.
#
# A wrinkle: if we approved a push recently, we treat NEW as having
# a version which is in our history.  This is because the package may
# still be being uploaded.  (We record this using the timestamp of the
# package's git repo directory.)

# We aim for the following invariants and properties:
#
# - .dsc of published dgit package will have corresponding publicly
#   visible dgit-repo (soon)
#
# - when a new package is rejected we help maintainer avoid
#   accidentally including bad objects in published dgit history
#
# - .dsc of NEW dgit package has corresponding dgit-repo but not
#   publicly readable

sub apiquery ($) {
    my ($subpath) = @_;
    local $/=undef;
    my $cmd = "$dgitlive/dgit -d$distro \$DGIT_TEST_OPTS";
    $cmd .= " -".("D" x $debuglevel) if $debuglevel;
    $cmd .= " archive-api-query $subpath";
    printdebug "apiquery $cmd\n";
    $!=0; $?=0; my $json = `$cmd`;
    defined $json && !$? or die "$subpath $! $?";
    my $r = decode_json $json;
    my $d = new Data::Dumper([$r], [qw(r)]);
    printdebug "apiquery $subpath | ", $d->Dump() if $debuglevel>=2;
    return $r;
}

sub specific_suite_has_vsn_in_our_history ($) {
    my ($suite) = @_;
    my $in_suite = apiquery "dsc_in_suite/$suite/$pkg";
    foreach my $entry (@$in_suite) {
        my $vsn = $entry->{version};
        die "$pkg ?" unless defined $vsn;
        my $tagref = "refs/tags/".debiantag $vsn;
        printdebug " checking history suite=$suite vsn=$vsn tagref=$tagref\n";
        $?=0; my $r = system qw(git show-ref --verify --quiet), $tagref;
        return 1 if !$r;
        next if $r==256;
        die "$pkg tagref $tagref $? $!";
    }
    return 0;
}

sub new_has_vsn_in_our_history () {
    return specific_suite_has_vsn_in_our_history('new');
}

sub good_suite_has_vsn_in_our_history () {
    my $suites = apiquery "suites";
    foreach my $suitei (@$suites) {
        my $suite = $suitei->{name};
        die unless defined $suite;
        next if $suite =~ m/\bnew$/;
        return 1 if specific_suite_has_vsn_in_our_history($suite);
    }
    return 0;
}

sub statpackage () {
    $pkgdir = "$repos/$pkg.git";
    if (!stat_exists $pkgdir) {
        printdebug "statpackage $pkg => ENOENT\n";
        $pkg_exists = 0;
    } else {
        $pkg_exists = 1;
        $pkg_secret = !!(~(stat _)[2] & 05);
        printdebug "statpackage $pkg => exists, secret=$pkg_secret.\n";
    }
}

sub getpackage () {
    die unless @ARGV >= 1;
    $pkg = shift @ARGV;
    die unless $pkg =~ m/^$package_re$/;

    statpackage();
}

sub add_taint ($$) {
    my ($refobj, $reason) = @_;

    printdebug "TAINTING $refobj\n",
        (map { "\%| $_" } split "\n", $reason),
        "\n";

    my $tf = new File::Temp or die $!;
    print $tf "$refobj^0\n" or die $!;
    flush $tf or die $!;
    seek $tf,0,0 or die $!;

    my $gcfpid = open GCF, "-|";
    defined $gcfpid or die $!;
    if (!$gcfpid) {
        open STDIN, "<&", $tf or die $!;
        exec 'git', 'cat-file', '--batch';
        die $!;
    }

    close $tf or die $!;
    $_ = <GCF>;
    defined $_ or die;
    m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
    my $gitobjid = $1;
    my $gitobjtype = $2;
    my $bytes = $3;

    my $gitobjdata;
    if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
        $!=0; read GCF, $gitobjdata, $bytes == $bytes
            or die "$gitobjid $bytes $!";
    }
    close GCF;

    $poldbh->do("INSERT INTO taints".
                " (package, gitobjid, gitobjtype, gitobjdata, time, comment)".
                " VALUES (?,?,?,?,?,?)", {},
                $pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);

    my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
    die unless defined $taint_id;

    $poldbh->do("INSERT INTO taintoverrides".
                " (taint_id, deliberately)".
                " VALUES (?, '--deliberately-include-questionable-history')", 
                {}, $taint_id);
}

sub add_taint_by_tag ($$) {
    my ($tagname,$refobjid) = @_;
    add_taint($refobjid,
              "tag $tagname referred to this object in git tree but all".
              " previously pushed versions were found to have been".
              " removed from NEW (ie, rejected) (or never arrived)");
}

sub action_check_package () {
    getpackage();
    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    printdebug "check_package\n";

    chdir $pkgdir or die "$pkgdir $!";

    stat '.' or die "$pkgdir $!";
    my $mtime = ((stat _)[9]);
    my $age = time -  $mtime;
    printdebug "check_package age=$age\n";

    return 0 if $age < $new_upload_propagation_slop;

    return 0 if new_has_vsn_in_our_history();

    if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
        return 0;
    }

    printdebug "check_package secret, deleted, tainting\n";

    git_for_each_ref('refs/tags', sub {
        my ($objid,$objtype,$fullrefname,$tagname) = @_;
        add_taint_by_tag($tagname,$objid);
    });

    return FRESHREPO;
}

sub getpushinfo () {
    die unless @ARGV >= 4;
    $version = shift @ARGV;
    $suite = shift @ARGV;
    $tagname = shift @ARGV;
    my $delibs = shift @ARGV;
    foreach my $delib (split /\,/, $delibs) {
        $deliberately{$delib} = 1;
    }
}

sub deliberately ($) { return $deliberately{$_[0]}; }

sub action_push () {
    getpackage();
    getpushinfo();

    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    # we suppose that NEW has a version which is already in our
    # history, as otherwise the repo would have been blown away

    if (deliberately('not-fast-forward')) {
        add_taint(server_ref($suite),
                  "suite $suite when --deliberately-not-fast-forward".
                  " specified in signed tag $tagname for upload of".
                  " version $version into suite $suite");
        return NOFFCHECK|FRESHREPO;
    }
    if (deliberately('include-questionable-history')) {
        return 0;
    }
    die "Package is in NEW and has not been accepted or rejected yet;".
        " use a --deliberately option to specify whether you are".
        " keeping or discarding the previously pushed history. ".
        " Please RTFM dgit(1).\n";
}

sub action_push_confirm () {
    getpackage();
    getpushinfo();
    die unless @ARGV >= 1;
    my $freshrepo = shift @ARGV;

    my $initq = $poldbh->prepare(<<END);
        SELECT taint_id, gitobjid FROM taints t
            WHERE (package = ? OR package = '')
END
    $initq->execute($pkg);

    my @taintids;
    my $chkinput = tempfile();
    while (my $taint = $initq->fetchrow_hashref()) {
        push @taintids, $taint->{taint_id};
        print $chkinput $taint->{gitobjid}, "\n" or die $!;
    }
    flush $chkinput or die $!;
    seek $chkinput,0,0 or die $!;

    my $checkpid = open CHKOUT, "-|" // die $!;
    if (!$checkpid) {
        open STDIN, "<&", $chkinput or die $!;
        exec qw(git cat-file --batch) or die $!;
    }

    my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);

    my $overridesstmt = <<END;
        SELECT deliberately FROM taintoverrides WHERE (
            1=0
END
    my @overridesv = sort keys %deliberately;
    $overridesstmt .= <<END foreach @overridesv;
            OR deliberately = ?
END
    $overridesstmt .= <<END;
        ) AND taint_id = ?
        ORDER BY deliberately ASC
END

    my $mustreject=0;

    while (my $taintid = shift @taintids) {
        # git cat-file prints a spurious newline after it gets EOF
        # This is not documented.  I guess it might go away.  So we
        # just read what we expect and then let it get SIGPIPE.
        $!=0; $_ = <CHKOUT>;
        die "$? $!" unless defined $_;

        next if m/^\w+ missing$/;
        die unless m/^(\w+) (\w+) (\d+)\s/;
        my ($objid,$objtype,$nbytes) = ($1,$2,$3);

        my $drop;
        (read CHKOUT, $drop, $nbytes) == $nbytes or die;

        $taintinfoq ||= $poldbh->prepare(<<END);
            SELECT package, time, comment FROM taints WHERE taint_id =  ?
END
        $taintinfoq->execute($taintid);

        my $ti = $taintinfoq->fetchrow_hashref();
        die unless $ti;

        my $timeshow = defined $ti->{time}
            ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
            : "";
        my $pkgshow = length $ti->{package}
            ? "package $ti->{package}"
            : "any package";

        $stderr .= <<END;

History contains tainted $objtype $objid
Taint recorded$timeshow for $pkgshow
Reason: $ti->{comment}
END

        printdebug "SQL overrides: @overridesv $taintid /\n$overridesstmt\n";

        $overridesq ||= $poldbh->prepare($overridesstmt);
        $overridesq->execute(@overridesv, $taintid);
        my ($ovwhy) = $overridesq->fetchrow_array();
        if (!defined $ovwhy) {
            $overridesanyq ||= $poldbh->prepare(<<END);
                SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
END
            $overridesanyq->execute($taintid);
            my ($ovany) = $overridesanyq->fetchrow_array();
            $stderr .= $ovany ? <<END : <<END;
Could be forced using --deliberately.  Consult documentation.
END
Uncorrectable error.  If confused, consult administrator.
END
            $mustreject = 1;
        } else {
            $stderr .= <<END;
Forcing due to --deliberately-$ovwhy
END
            $untaintq ||= $poldbh->prepare(<<END);
                DELETE FROM taints WHERE taint_id = ?
END
            $untaintq->execute($taintid);
        }
    }
    close CHKOUT;

    if ($mustreject) {
        $stderr .= <<END;

Rejecting push due to questionable history.
END
        return 1;
    }

    if (length $freshrepo) {
        if (!good_suite_has_vsn_in_our_history()) {
            stat $freshrepo or die "$freshrepo $!";
            my $oldmode = ((stat _)[2]);
            my $oldwrites = $oldmode & 0222;
            # remove r and x bits which have corresponding w bits clear
            my $newmode = $oldmode &
                (~0555 | ($oldwrites << 1) | ($oldwrites >> 1));
            printdebug sprintf "chmod %#o (was %#o) %s\n",
                $newmode, $oldmode, $freshrepo;
            chmod $newmode, $freshrepo or die $!;
            utime undef, undef, $freshrepo or die $!;
        }
    }

    return 0;
}

sub action_check_list () {
    opendir L, "$repos" or die "$repos $!";
    while (defined (my $dent = readdir L)) {
        next unless $dent =~ m/^($package_re)\.git$/;
        $pkg = $1;
        statpackage();
        next unless $pkg_exists;
        next unless $pkg_secret;
        print "$pkg\n" or die $!;
    }
    closedir L or die $!;
    close STDOUT or die $!;
    return 0;
}

$action =~ y/-/_/;
my $fn = ${*::}{"action_$action"};
if (!$fn) {
    printdebug "dgit-repos-policy-debian: unknown action $action\n";
    exit 0;
}

my $sleepy=0;
our $rcode = 127;

for (;;) {
    poldb_setup(poldb_path($repos));
    $stderr = '';

    $rcode = $fn->();
    die unless defined $rcode;

    eval { $poldbh->commit; };
    last unless length $@;

    die if $sleepy >= 20;
    print STDERR "[policy database busy, retrying]\n";
    sleep ++$sleepy;

    $poldbh->rollback;
}

print STDERR $stderr;
exit $rcode;