From 8f6950587ab7b4d6fe1b51241759cc3a4682b96d Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 20 Jan 2015 16:36:40 +0100 Subject: [PATCH] import: make image verification optional --- src/import/import-raw.c | 45 ++++++++++++++++++++++++++-------------- src/import/import-raw.h | 3 ++- src/import/import-util.c | 8 +++++++ src/import/import-util.h | 11 ++++++++++ src/import/import.c | 22 ++++++++++++++++++-- 5 files changed, 70 insertions(+), 19 deletions(-) diff --git a/src/import/import-raw.c b/src/import/import-raw.c index 8ca10919a..6fb088278 100644 --- a/src/import/import-raw.c +++ b/src/import/import-raw.c @@ -56,6 +56,8 @@ struct RawImport { char *temp_path; char *final_path; + + ImportVerify verify; }; RawImport* raw_import_unref(RawImport *i) { @@ -251,6 +253,7 @@ static int raw_import_verify_sha256sum(RawImport *i) { int r; assert(i); + assert(i->verify != IMPORT_VERIFY_NO); assert(i->raw_job); assert(i->raw_job->sha256); @@ -291,10 +294,12 @@ static int raw_import_finalize(RawImport *i) { assert(i); if (!IMPORT_JOB_STATE_IS_COMPLETE(i->raw_job) || - !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job)) + (i->verify != IMPORT_VERIFY_NO && !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job))) return 0; - if (!i->raw_job->etag_exists) { + if (i->verify != IMPORT_VERIFY_NO && + i->raw_job->etag_exists) { + assert(i->temp_path); assert(i->final_path); assert(i->raw_job->disk_fd >= 0); @@ -379,7 +384,10 @@ static void raw_import_sha256sums_job_on_finished(ImportJob *j) { assert(j->userdata); i = j->userdata; + assert(i->verify != IMPORT_VERIFY_NO); + if (j->error != 0) { + log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify."); r = j->error; goto finish; } @@ -425,11 +433,13 @@ static int raw_import_raw_job_on_open_disk(ImportJob *j) { return 0; } -int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local) { +int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local, ImportVerify verify) { _cleanup_free_ char *sha256sums_url = NULL; int r; assert(i); + assert(verify < _IMPORT_VERIFY_MAX); + assert(verify >= 0); if (i->raw_job) return -EBUSY; @@ -444,6 +454,7 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force if (r < 0) return r; i->force_local = force_local; + i->verify = verify; /* Queue job for the image itself */ r = import_job_new(&i->raw_job, url, i->glue, i); @@ -458,23 +469,25 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force if (r < 0) return r; - /* Queue job for the SHA256SUMS file for the image */ - r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url); - if (r < 0) - return r; + if (verify != IMPORT_VERIFY_NO) { + /* Queue job for the SHA256SUMS file for the image */ + r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url); + if (r < 0) + return r; - r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i); - if (r < 0) - return r; + r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i); + if (r < 0) + return r; - i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished; - i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL; + i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished; + i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL; - r = import_job_begin(i->raw_job); - if (r < 0) - return r; + r = import_job_begin(i->sha256sums_job); + if (r < 0) + return r; + } - r = import_job_begin(i->sha256sums_job); + r = import_job_begin(i->raw_job); if (r < 0) return r; diff --git a/src/import/import-raw.h b/src/import/import-raw.h index 9e23142fe..ae2c29991 100644 --- a/src/import/import-raw.h +++ b/src/import/import-raw.h @@ -23,6 +23,7 @@ #include "sd-event.h" #include "macro.h" +#include "import-util.h" typedef struct RawImport RawImport; @@ -33,4 +34,4 @@ RawImport* raw_import_unref(RawImport *import); DEFINE_TRIVIAL_CLEANUP_FUNC(RawImport*, raw_import_unref); -int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local); +int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local, ImportVerify verify); diff --git a/src/import/import-util.c b/src/import/import-util.c index 1212025d4..79c60b376 100644 --- a/src/import/import-util.c +++ b/src/import/import-util.c @@ -270,3 +270,11 @@ int import_url_change_last_component(const char *url, const char *suffix, char * *ret = s; return 0; } + +static const char* const import_verify_table[_IMPORT_VERIFY_MAX] = { + [IMPORT_VERIFY_NO] = "no", + [IMPORT_VERIFY_SUM] = "sum", + [IMPORT_VERIFY_SIGNATURE] = "signature", +}; + +DEFINE_STRING_TABLE_LOOKUP(import_verify, ImportVerify); diff --git a/src/import/import-util.h b/src/import/import-util.h index a8a5ca569..811f3fa6d 100644 --- a/src/import/import-util.h +++ b/src/import/import-util.h @@ -23,6 +23,14 @@ #include +typedef enum ImportVerify { + IMPORT_VERIFY_NO, + IMPORT_VERIFY_SUM, + IMPORT_VERIFY_SIGNATURE, + _IMPORT_VERIFY_MAX, + _IMPORT_VERIFY_INVALID = -1, +} ImportVerify; + bool http_etag_is_valid(const char *etag); int import_make_local_copy(const char *final, const char *root, const char *local, bool force_local); @@ -36,3 +44,6 @@ int import_make_path(const char *url, const char *etag, const char *image_root, int import_url_last_component(const char *url, char **ret); int import_url_change_last_component(const char *url, const char *suffix, char **ret); + +const char* import_verify_to_string(ImportVerify v) _const_; +ImportVerify import_verify_from_string(const char *s) _pure_; diff --git a/src/import/import.c b/src/import/import.c index 3362f4a9e..f44d47df9 100644 --- a/src/import/import.c +++ b/src/import/import.c @@ -33,7 +33,7 @@ static bool arg_force = false; static const char *arg_image_root = "/var/lib/machines"; - +static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE; static const char* arg_dkr_index_url = DEFAULT_DKR_INDEX_URL; static void on_tar_finished(TarImport *import, int error, void *userdata) { @@ -263,7 +263,7 @@ static int pull_raw(int argc, char *argv[], void *userdata) { if (r < 0) return log_error_errno(r, "Failed to allocate importer: %m"); - r = raw_import_pull(import, url, local, arg_force); + r = raw_import_pull(import, url, local, arg_force, arg_verify); if (r < 0) return log_error_errno(r, "Failed to pull image: %m"); @@ -299,6 +299,11 @@ static int pull_dkr(int argc, char *argv[], void *userdata) { return -EINVAL; } + if (arg_verify != IMPORT_VERIFY_NO) { + log_error("Imports from dkr do not support image verification, please pass --verify=no."); + return -EINVAL; + } + tag = strchr(argv[1], ':'); if (tag) { name = strndupa(argv[1], tag - argv[1]); @@ -384,6 +389,8 @@ static int help(int argc, char *argv[], void *userdata) { " -h --help Show this help\n" " --version Show package version\n" " --force Force creation of image\n" + " --verify= Verify downloaded image, one of: 'no', 'sum'\n" + " 'signature'.\n" " --image-root= Image root directory\n" " --dkr-index-url=URL Specify index URL to use for downloads\n\n" "Commands:\n" @@ -402,6 +409,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_FORCE, ARG_DKR_INDEX_URL, ARG_IMAGE_ROOT, + ARG_VERIFY, }; static const struct option options[] = { @@ -410,6 +418,7 @@ static int parse_argv(int argc, char *argv[]) { { "force", no_argument, NULL, ARG_FORCE }, { "dkr-index-url", required_argument, NULL, ARG_DKR_INDEX_URL }, { "image-root", required_argument, NULL, ARG_IMAGE_ROOT }, + { "verify", required_argument, NULL, ARG_VERIFY }, {} }; @@ -447,6 +456,15 @@ static int parse_argv(int argc, char *argv[]) { arg_image_root = optarg; break; + case ARG_VERIFY: + arg_verify = import_verify_from_string(optarg); + if (arg_verify < 0) { + log_error("Invalid verification setting '%s'", optarg); + return -EINVAL; + } + + break; + case '?': return -EINVAL; -- 2.30.2