# dgit-repos-server
#
# usages:
-# .../dgit-repos-server DISTRO SUITES KEYRING-AUTH-SPEC DGIT-REPOS-DIR --ssh
+# .../dgit-repos-server DISTRO SUITES KEYRING-AUTH-SPEC \
+# DGIT-REPOS-DIR POLICY-HOOK-SCRIPT --ssh
# internal usage:
# .../dgit-repos-server --pre-receive-hook PACKAGE
#
use Fcntl qw(:flock);
use File::Path qw(rmtree);
-open DEBUG, ">/dev/null" or die $!;
+use Debian::Dgit qw(:DEFAULT :policyflags);
-our $package_re = '[0-9a-z][-+.0-9a-z]+';
+open DEBUG, ">/dev/null" or die $!;
our $func;
our $dgitrepos;
our $package;
our $suitesfile;
+our $policyhook;
our $realdestrepo;
our $destrepo;
our $workrepo;
our $keyrings;
our @lockfhs;
our $debug='';
+our @deliberatelies;
+our %supersedes;
+our $policy;
#----- utilities -----
debug " locking $lock failed";
return undef;
}
- if (!stat $lock) {
- next if $! == ENOENT;
- die "stat $lock: $!";
- }
+ next unless stat_exists $lock;
my $want = (stat _)[1];
stat $fh or die $!;
my $got = (stat _)[1];
die "@_ $? $!" if $r;
}
+sub policyhook {
+ my ($policyallowbits, @polargs) = @_;
+ # => ($exitstatuspolicybitmap, $policylockfh);
+ die if $policyallowbits & ~0x3e;
+ my @cmd = ($policyhook,$distro,$repos,@polargs);
+ debugcmd @_;
+ my $r = system @_;
+ die "system: $!" if $r < 0;
+ die "hook (@cmd) failed ($?)" if $r & ~($policyallowbits << 8);
+ return $r >> 8;
+}
+
+sub mkemptyrepo ($$) {
+ my ($dir,$sharedperm) = @_;
+ runcmd qw(git init --bare --quiet), "--shared=$sharedperm", $dir;
+}
+
+sub mkrepo_fromtemplate ($) {
+ my ($dir) = @_;
+ my $template = "$dgitrepos/_template";
+ debug "copy tempalate $template -> $dir";
+ my $r = system qw(cp -a --), $template, $dir;
+ !$r or die "create new repo $dir failed: $r $!";
+}
+
+sub movetogarbage () {
+ my $garbagerepo = "$dgitrepos/${package}_garbage";
+ my $lfh =acquiretree($garbagerepo,1);
+ # We arrange to always keep at least one old tree, for anti-rewind
+ # purposes (and, I guess, recovery from mistakes). This is either
+ # $garbage or $garbage-old.
+ if (stat_exists "$garbagerepo") {
+ rmtree "$garbagerepo-tmp";
+ if (rename "$garbagerepo-old", "$garbagerepo-tmp") {
+ rmtree "$garbagerepo-tmp";
+ } else {
+ die "$garbagerepo $!" unless $!==ENOENT;
+ }
+ rename "$garbagerepo", "$garbagerepo-old" or die "$garbagerepo $!";
+ }
+ rename $realdestrepo, $garbagerepo
+ or $! == ENOENT
+ or die "$garbagerepo $!";
+ close $lfh;
+}
+
+sub onwardpush () {
+ my @cmd = (qw(git send-pack), $destrepo);
+ push @cmd, qw(--force) if $policy & NOFFCHECK;
+ push @cmd, "$commit:refs/dgit/$suite",
+ "$tagval:refs/tags/$tagname");
+ debugcmd @cmd;
+ $!=0;
+ my $r = system @cmd;
+ !$r or die "onward push to $destrepo failed: $r $!";
+}
+
#----- git-receive-pack -----
sub fixmissing__git_receive_pack () {
mkrepotmp();
$destrepo = "$dgitrepos/_tmp/${package}_prospective";
acquiretree($destrepo, 1);
- my $template = "$dgitrepos/_template";
- debug "fixmissing copy tempalate $template -> $destrepo";
- my $r = system qw(cp -a --), $template, $destrepo;
- !$r or die "create new repo failed failed: $r $!";
+ mkrepo_fromtemplate($destrepo);
}
sub makeworkingclone () {
$workrepo = "$dgitrepos/_tmp/${package}_incoming$$";
acquiretree($workrepo, 1);
runcmd qw(git clone -l -q --mirror), $destrepo, $workrepo;
+ rmtree "${workrepo}_fresh";
}
sub setupstunthook () {
debug " stunt hook set up $prerecv";
}
+sub dealwithfreshrepo () {
+ my $freshrepo = "${workrepo}_fresh";
+ return unless stat_exists $freshrepo;
+ $destrepo = $freshrepo;
+}
+
sub maybeinstallprospective () {
return if $destrepo eq $realdestrepo;
die Dumper(\%got)." -- missing refs in new repo"
if grep { !$_ } values %got;
+ movetogarbage; # in case of FRESHREPO
+
debug "install $destrepo => $realdestrepo";
rename $destrepo, $realdestrepo or die $!;
remove "$destrepo.lock" or die $!;
makeworkingclone();
setupstunthook();
runcmd qw(git receive-pack), $workrepo;
+ dealwithfreshrepo();
maybeinstallprospective();
}
for (;;) {
if (s/^distro\=(\S+) //) {
die "$1 != $distro" unless $1 eq $distro;
- } elsif (s/^[-+.=0-9a-z]+ //) {
+ } elsif (s/^(--deliberately-$package_re) //) {
+ push @deliberatelies, $1;
+ } elsif (s/^supersede:(\S+)=(\w+) //) {
+ die "supersede $1 twice" if defined $supersedes{$1};
+ $supersedes{$1} = $2;
+ } elsif (s/^[-+.=0-9a-z]\S* //) {
} else {
die "unknown dgit info in tag";
}
reject "unknown suite";
}
+sub checktagnoreplay () {
+ # We check that the signed tag mentions the name and value of
+ # (a) in the case of FRESHREPO all tags in the repo;
+ # (b) in the case of just NOFFCHECK all tags referring to
+ # the current head for the suite (there must be at least one).
+ # This prevents a replay attack using an earlier signed tag.
+ return unless $policy & (FRESHREPO|NOFFCHECK);
+
+ my $garbagerepo = "$dgitrepos/${package}_garbage";
+ acquiretree($garbagerepo,1);
+
+ local $ENV{GIT_DIR};
+ foreach my $garb ("$garbagerepo", "$garbagerepo-old") {
+ if (stat_exists $garb) {
+ $ENV{GIT_DIR} = $garb;
+ last;
+ }
+ }
+ if (!defined $ENV{GIT_DIR}) {
+ # Nothing to overwrite so the FRESHREPO and NOFFCHECK were
+ # pointless. Oh well.
+ debug "checktagnoreplay - no garbage, ok";
+ return;
+ }
+
+ my $onlyreferring;
+ if (!($policy & FRESHREPO)) {
+ my $branch = server_branch($suite);
+ $!=0; $?=0; $_ =
+ `git for-each-ref --format='%(objectname)' '[r]efs/$branch'`;
+ defined or die "$branch $? $!";
+ $? and die "$branch $?";
+ if (!length) {
+ # No such branch - NOFFCHECK was unnecessary. Oh well.
+ debug "checktagnoreplay - not FRESHREPO, new branch, ok";
+ return;
+ }
+ m/^(\w+)\n$/ or die "$branch $_ ?";
+ $onlyreferring = $1;
+ debug "checktagnoreplay - not FRESHREPO,".
+ " checking for overwriting refs/$branch=$onlyreferring";
+ }
+
+ my @problems;
+
+ git_for_each_tag_referring($objreferring, sub {
+ my ($objid,$fullrefname,$tagname) = @_;
+ debug "checktagnoreplay - overwriting $fullrefname=$objid";
+ my $supers = $supersedes{$fullrefname};
+ if (!defined $supers) {
+ push @problems, "does not supersede $fullrefname";
+ } elsif ($supers ne $objid) {
+ push @problems,
+ "supersedes $fullrefname=$supers but previously $fullrefname=$objid";
+ } else {
+ # ok;
+ }
+ });
+
+ if (@problems) {
+ reject "replay attack prevention check failed:".
+ " signed tag for $version: ".
+ join("; ", @problems).
+ "\n";
+ }
+ debug "checktagnoreply - all ok"
+}
+
sub tagh1 ($) {
my ($tag) = @_;
my $vals = $tagh{$tag};
debug "translated version $v";
$tagname eq "debian/$v" or die;
+ $policy = policyhook(NOFFCHECK|FRESHREPO, 'push',$package,
+ $version,$suite,$tagname,
+ join(",",@delberatelies));
+
+ checktagnoreplay();
checksuite();
# check that our ref is being fast-forwarded
debug "oldcommit $oldcommit";
- if ($oldcommit =~ m/[^0]/) {
+ if (!($policy & NOFFCHECK) && $oldcommit =~ m/[^0]/) {
$?=0; $!=0; my $mb = `git merge-base $commit $oldcommit`;
chomp $mb;
$mb eq $oldcommit or reject "not fast forward on dgit branch";
}
-}
-sub onwardpush () {
- my @cmd = (qw(git send-pack), $destrepo,
- "$commit:refs/dgit/$suite",
- "$tagval:refs/tags/$tagname");
- debugcmd @cmd;
- $!=0;
- my $r = system @cmd;
- !$r or die "onward push failed: $r $!";
-}
+ if ($policy & FRESHREPO) {
+ # This is troublesome. We have been asked by the policy hook
+ # to receive the push into a fresh repo. But of course we
+ # have actually already mostly received the push into the working
+ # repo. (This is unavoidable because the instruction to use a new
+ # repo comes ultimately from the signed tag for the dgit push,
+ # which has to have been received into some repo.)
+ #
+ # So what we do is generate a fresh working repo right now and
+ # push the head and tag into it. The presence of this fresh
+ # working repo is detected by the parent, which responds by
+ # making a fresh master repo from the template.
+
+ $destrepo = "${workrepo}_fresh"; # workrepo lock covers
+ mkrepo_fromtemplate $destrepo;
+ }
+}
sub stunthook () {
debug "stunthook";
sub fixmissing__git_upload_pack () {
$destrepo = "$dgitrepos/_empty";
my $lfh = acquiretree($destrepo,1);
- return if stat $destrepo;
- die $! unless $!==ENOENT;
+ return if stat_exists $destrepo;
rmtree "$destrepo.new";
- umask 022;
- runcmd qw(git init --bare --quiet), "$destrepo.new";
+ mkemptyrepo "$destrepo.new", "0644";
rename "$destrepo.new", $destrepo or die $!;
unlink "$destrepo.lock" or die $!;
close $lfh;
defined($workrepo = $ENV{'DGIT_DRS_WORK'}) or die;
defined($destrepo = $ENV{'DGIT_DRS_DEST'}) or die;
defined($keyrings = $ENV{'DGIT_DRS_KEYRINGS'}) or die $!;
+ defined($policyhook = $ENV{'DGIT_DRS_POLICYHOOK'}) or die $!;
open STDOUT, ">&STDERR" or die $!;
eval {
stunthook();
$ENV{'DGIT_DRS_SUITES'} = argval();
$ENV{'DGIT_DRS_KEYRINGS'} = argval();
$dgitrepos = argval();
+ $ENV{'DGIT_DRS_POLICYHOOK'} = $policyhook = argval();
die unless @ARGV==1 && $ARGV[0] eq '--ssh';
reject "unknown method" unless $mainfunc;
- if (stat $realdestrepo) {
+ my ($policy, $pollock) = policyhook(FRESHREPO,'check-package',$package);
+ if ($policy & FRESHREPO) {
+ movetogarbage;
+ }
+ close $pollock or die $!;
+
+ if (stat_exists $realdestrepo) {
$destrepo = $realdestrepo;
} else {
- $! == ENOENT or die "stat dest repo $destrepo: $!";
debug " fixmissing $funcn";
my $fixfunc = $main::{"fixmissing__$funcn"};
&$fixfunc;
~ianmdlvl / dgit.git / blobdiff