dgit-repos-policy-debian: Fix misleading varible name

[dgit.git] / infra / dgit-repos-policy-debian

#!/usr/bin/perl -w
# dgit repos policy hook script for Debian

use strict;
use POSIX;
use JSON;
use File::Temp;

use Debian::Dgit qw(:DEFAULT :policyflags);

our $distro = shift @ARGV // die "need DISTRO";
our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
our $action = shift @ARGV // die "need ACTION";

our $publicmode = 02775;
our $policydb = "dbi:SQLite:$repos/policy.sqlite3";
our $new_upload_propagation_slop = 3600*4 + 100;

our $poldbh;
our $pkg;
our $pkgdir;
our ($pkg_exists,$pkg_secret);

our $stderr;

our ($version,$suite,$tagname);
our %deliberately;

# We assume that it is not possible for NEW to have a version older
# than sid.

# Whenever pushing, we check for
#   source-package-local tainted history
#   global tainted history
#   can be overridden by --deliberately except for an admin prohib taint
# 
# ALL of the following apply only if history is secret:
# 
# if NEW has no version, or a version which is not in our history[1]
#   (always)
#   check all suites
#   if any suite's version is in our history[1], publish our history
#   otherwise discard our history,
#     tainting --deliberately-include-questionable-history
# 
# if NEW has a version which is in our history[1]
#   (on push only)
#   require explicit specification of one of
#     --deliberately-include-questionable-history
#     --deliberately-not-fast-forward
#       (latter will taint old NEW version --d-i-q-h)
#   (otherwise)
#   leave it be
# 
# [1] looking for the relevant git tag for the version number and not
#    caring what that tag refers to.
#
# A wrinkle: if we approved a push recently, we treat NEW as having
# a version which is in our history.  This is because the package may
# still be being uploaded.  (We record this using the timestamp of the
# package's git repo directory.)

# We aim for the following invariants and properties:
#
# - .dsc of published dgit package will have corresponding publicly
#   visible dgit-repo (soon)
#
# - when a new package is rejected we help maintainer avoid
#   accidentally including bad objects in published dgit history
#
# - .dsc of NEW dgit package has corresponding dgit-repo but not
#   publicly readable

sub poldb_setup () {
    $poldbh ||= DBI->connect($policydb,'','', {
        RaiseError=>1, PrintError=>1, AutoCommit=>0
                           });
    $poldbh->do("PRAGMA foreign_keys = ON");

    $poldbh->do(<<END);
        CREATE TABLE IF NOT EXISTS taints (
            taint_id   INTEGER NOT NULL PRIMARY KEY ASC AUTOINCREMENT,
            package    TEXT    NOT NULL,
            gitobjid   TEXT    NOT NULL,
            comment    TEXT    NOT NULL,
            time       INTEGER,
            gitobjtype TEXT,
            gitobjdata TEXT
            )
END
    $poldbh->do(<<END);
        CREATE INDEX IF NOT EXISTS taints_by_package
            ON taints (package, gitobject)
END
    # any one of of the listed deliberatelies will override its taint
    $poldbh->do(<<END);
        CREATE TABLE IF NOT EXISTS taintoverrides (
            taint_id  INTEGER NOT NULL
                      REFERENCES taints (taint_id)
                          ON UPDATE RESTRICT
                          ON DELETE CASCADE
                      DEFERRABLE INITIALLY DEFERRED,
            deliberately TEXT NOT NULL,
            PRIMARY KEY (taint_id, deliberately)
        )
END
}

sub apiquery ($) {
    my ($subpath) = @_;
    local $/=undef;
    $!=0; $?=0; my $json = `dgit -d $distro archive-api-query $subpath`;
    defined $json or die "$subpath $! $?";
    return decode_json $json;
}

sub specific_suite_has_vsn_in_our_history ($) {
    my ($suite) = @_;
    my $in_suite = apiquery "/dsc_in_suite/$suite/$pkg";
    foreach my $entry (@$in_suite) {
        my $vsn = $entry->{version};
        die "$pkg ?" unless defined $vsn;
        my $tag = debiantag $vsn;
        $?=0; my $r = system qw(git show-ref --verify --quiet), $tag;
        return 1 if !$r;
        next if $r==256;
        die "$pkg tag $tag $? $!";
    }
    return 0;
}

sub new_has_vsn_in_our_history () {
    stat $pkgdir or die "$pkgdir $!";
    my $mtime = ((stat _)[9]);
    my $age = time -  $mtime;
    return 1 if $age < $new_upload_propagation_slop;
    return specific_suite_has_vsn_in_our_history('new');
}

sub good_suite_has_vsn_in_our_history () {
    my $suites = apiquery "/suites";
    foreach my $suitei (@$suites) {
        my $suite = $suitei->{name};
        die unless defined $suite;
        next if $suite =~ m/\bnew$/;
        return 1 if specific_suite_has_vsn_in_our_history($suite);
    }
    return 0;
}

sub getpackage () {
    die unless @ARGV > 1;
    $pkg = shift @ARGV;
    die if $pkg =~ m#[^-+.0-9a-z]#;
    die unless $pkg =~ m#^[^-]#;

    $pkgdir = "$repos/$pkg";
    if (!stat $pkgdir) {
        die "$pkgdir $!" unless $!==ENOENT;
        $pkg_exists = 0;
    }
    $pkg_exists = 1;
    $pkg_secret = !!(~(stat _)[2] & 05);
}

sub add_taint ($$) {
    my ($refobj, $reason);

    my $tf = new File::Temp or die $!;
    print $tf "$refobj^0\n" or die $!;

    my $gcfpid = open GCF, "-|";
    defined $gcfpid or die $!;
    if (!$gcfpid) {
        open STDIN, "<&", $tf or die $!;
        exec 'git', 'cat-file';
        die $!;
    }

    close $tf or die $!;
    $_ = <GCF>;
    m/^(\w+) (\w+) (\d+)\n/ or die "$objline ?";
    my $gitobjid = $1;
    my $gitobjtype = $2;
    my $bytes = $3;

    my $gitobjdata;
    if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
        $!=0; read GCF, $gitobjdata, $bytes == $bytes
            or die "$gitobjid $bytes $!";
    }
    close GCF;

    $poldbh->do("INSERT INTO taints".
                " (package, gitobjid, gitobjtype, gitobjdata, time, comment)",
                " VALUES (?,?,?,?,?,?)", {},
                $pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);

    my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
    die unless defined $taint_id;

    $poldbh->do("INSERT INTO taintoverrides".
                " (taint_id, deliberately)",
                " VALUES (?, 'include-questionable-history')", {},
                $taint_id);
}

sub add_taint_by_tag ($$) {
    my ($tagname,$refobjid) = @_;
    add_taint($refobjid,
              "tag $tagname referred to this object in git tree but all".
              " previously pushed versions were found to have been".
              " removed from NEW (ie, rejected) (or never arrived)");
}

sub action__check_package () {
    getpackage();
    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    chdir $pkgdir or die "$pkgdir $!";
    return if new_has_vsn_in_our_history();

    if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
        return 0;
    }

    git_for_each_ref('refs/tags', sub {
        my ($objid,$objtype,$fullrefname,$tagname) = @_;
        add_taint_by_tag($tagname,$refobjid);
    });
    $?=0; $!=0; close TAGL or die "git for-each-ref $? $!";

    return FRESHREPO;
}

sub getpushinfo () {
    die unless @ARGV >= 4;
    $version = shift @ARGV;
    $suite = shift @ARGV;
    $tagname = shift @ARGV;
    my $delibs = shift @ARGV;
    foreach my $delib (split /\,/, $delibs) {
        $deliberately{$delib} = 1;
    }
}

sub deliberately ($) { return $deliberately{$_[0]}; }

sub action_push () {
    getpackage();
    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    # we suppose that NEW has a version which is already in our
    # history, as otherwise the repo would have been blown away

    if (deliberately('not-fast-forward')) {
        add_taint(server_ref($suite),
                  "suite $suite when --deliberately-not-fast-forward".
                  " specified in signed tag $tagname for upload of".
                  " version $version into suite $suite");
        return NOFFCHECK|FRESHREPO;
    }
    if (deliberately('include-questionable-history')) {
        return 0;
    }
    die "Package is in NEW and has not been accepted or rejected yet;".
        " use a --deliberately option to specify whether you are".
        " keeping or discarding the previously pushed history. ".
        " Please RTFM dgit(1).\n";
}

sub action_push_confirm () {
    my $initq = $dbh->prepare(<<END);
        SELECT taint_id, gitobjid FROM taints t
            WHERE (package = ? OR package = '')
END
    $initq->execute($pkg);

    my @taintids;
    my $chkinput = tempfile();
    while (my $taint = $initq->fetchrow_hashref()) {
        push @taintids, $taint->{taint_id};
        print $chkinput, $taint->{gitobjid}, "\n" or die $!;
    }
    flush $chkinput or die $!;
    seek $chkinput,0,0 or die $!;

    my $checkpid = open2("<&$chkinput", \*CHKOUT, qw(git cat-file --batch));
    $checkpid or die $!;

    my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);

    my $overridesstmt = <<END;
        SELECT deliberately FROM taintoverrides WHERE (
    my @overridesv = sort keys %deliberately;
    $overridesstmt .= join <<END, (<<END x @overridesv);
END
            OR
END
            deliberately = ?
END
    $overridesstmt .= <<END;
        ) AND taint_id = ?
        ORDER BY deliberately ASC
END

    my $mustreject=0;

    while (<CHKOUT>) {
        my $taintid = shift @taintids;
        die unless defined $taintid;

        next if m/^\w+ missing$/;
        die unless m/^(\w+) (\s+) (\d+)\s/;
        my ($objid,$objtype,$nbytes) = @_;

        read CHKOUT, $_, $nbytes == $bytes or last;

        $taintinfoq ||= $dbh->prepare(<<END);
            SELECT package, time, comment FROM taints WHERE taint_id =  ?
END
        $taintinfoq->execute($taintid);

        my $ti = $taintinfoq->fetchrow_hashref();
        die unless $ti;

        my $timeshow = defined $ti->{time}
            ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->time)
            : "";
        my $pkgshow = length $ti->{package}
            ? "package $ti->{package}"
            : "any package";

        $stderr .= <<END;

History contains tainted $objtype $objid
Taint recorded$timeshow for $pkginfo
Reason: $ti->{comment}
END

        $overridesq ||= $dbh->prepare($overridesstmt);
        $overridesq->execute(@overridesv, $taintid);
        my ($ovwhy) = $overridesq->fetchrow_array();
        if (!defined $ovwhy) {
            $overridesanyq ||= $dbh->prepare(<<END);
                SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
END
            $overridesanyq->execute($taintid);
            my ($ovany) = $overridesanyq->fetchrow_array();
            $stderr .= $ovany ? <<END : <<END;
Could be forced using --deliberately.  Consult documentation.
END
Uncorrectable error.  If confused, consult administrator.
END
            $mustreject = 1;
        } else {
            $stderr .= <<END;
Forcing due to --deliberately-$ovwhy
END
            $untaintq ||= $dbh->prepare(<<END);
                DELETE FROM taints WHERE taint_id = ?
END
            $untaintq->execute($taint_id);
        }
    }
    if (@taintids) {
        $?=0; my $gotpid = waitpid $checkpid, WNOHANG;
        die "@taintids $gotpid $? $!";
    }

    if ($mustreject) {
        $stderr .= <<END;

Rejecting push due to questionable history.
END
        return 1;
    }

    return 0;
}

$cmd =~ y/-/_/;
my $fn = ${*::}{"action__$cmd"};
if (!$fn) {
    exit 0;
}

my $sleepy=0;

for (;;) {
    poldb_setup();
    $stderr = '';

    my $rcode = $fn->();
    die unless defined $rcode;

    eval { $poldbh->commit; };
    last unless length $@;

    die if $sleepy >= 20;
    print STDERR "[policy database busy, retrying]\n";
    sleep ++$sleepy;

    $poldbh->rollback;
}

print STDERR $stderr;
exit $rcode;