Policy hook protocol: pass dgit live directory (nfc)

[dgit.git] / infra / dgit-repos-policy-debian

#!/usr/bin/perl -w
# dgit repos policy hook script for Debian

use strict;
$SIG{__WARN__} = sub { die $_[0]; };

use POSIX;
use JSON;
use File::Temp qw(tempfile);
use DBI;
use IPC::Open2;

use Debian::Dgit qw(:DEFAULT :policyflags);
use Debian::Dgit::Policy::Debian;

our $distro = shift @ARGV // die "need DISTRO";
our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
our $action = shift @ARGV // die "need ACTION";

our $publicmode = 02775;
our $new_upload_propagation_slop = 3600*4 + 100;

our $poldbh;
our $pkg;
our $pkgdir;
our ($pkg_exists,$pkg_secret);

our $stderr;

our ($version,$suite,$tagname);
our %deliberately;

# We assume that it is not possible for NEW to have a version older
# than sid.

# Whenever pushing, we check for
#   source-package-local tainted history
#   global tainted history
#   can be overridden by --deliberately except for an admin prohib taint
# 
# ALL of the following apply only if history is secret:
# 
# if NEW has no version, or a version which is not in our history[1]
#   (always)
#   check all suites
#   if any suite's version is in our history[1], publish our history
#   otherwise discard our history,
#     tainting --deliberately-include-questionable-history
# 
# if NEW has a version which is in our history[1]
#   (on push only)
#   require explicit specification of one of
#     --deliberately-include-questionable-history
#     --deliberately-not-fast-forward
#       (latter will taint old NEW version --d-i-q-h)
#   (otherwise)
#   leave it be
# 
# [1] looking for the relevant git tag for the version number and not
#    caring what that tag refers to.
#
# A wrinkle: if we approved a push recently, we treat NEW as having
# a version which is in our history.  This is because the package may
# still be being uploaded.  (We record this using the timestamp of the
# package's git repo directory.)

# We aim for the following invariants and properties:
#
# - .dsc of published dgit package will have corresponding publicly
#   visible dgit-repo (soon)
#
# - when a new package is rejected we help maintainer avoid
#   accidentally including bad objects in published dgit history
#
# - .dsc of NEW dgit package has corresponding dgit-repo but not
#   publicly readable

sub apiquery ($) {
    my ($subpath) = @_;
    local $/=undef;
    $!=0; $?=0; my $json = `dgit -d $distro archive-api-query $subpath`;
    defined $json or die "$subpath $! $?";
    return decode_json $json;
}

sub specific_suite_has_vsn_in_our_history ($) {
    my ($suite) = @_;
    my $in_suite = apiquery "/dsc_in_suite/$suite/$pkg";
    foreach my $entry (@$in_suite) {
        my $vsn = $entry->{version};
        die "$pkg ?" unless defined $vsn;
        my $tag = debiantag $vsn;
        $?=0; my $r = system qw(git show-ref --verify --quiet), $tag;
        return 1 if !$r;
        next if $r==256;
        die "$pkg tag $tag $? $!";
    }
    return 0;
}

sub new_has_vsn_in_our_history () {
    stat $pkgdir or die "$pkgdir $!";
    my $mtime = ((stat _)[9]);
    my $age = time -  $mtime;
    return 1 if $age < $new_upload_propagation_slop;
    return specific_suite_has_vsn_in_our_history('new');
}

sub good_suite_has_vsn_in_our_history () {
    my $suites = apiquery "/suites";
    foreach my $suitei (@$suites) {
        my $suite = $suitei->{name};
        die unless defined $suite;
        next if $suite =~ m/\bnew$/;
        return 1 if specific_suite_has_vsn_in_our_history($suite);
    }
    return 0;
}

sub getpackage () {
    die unless @ARGV >= 1;
    $pkg = shift @ARGV;
    die unless $pkg =~ m/^$package_re$/;

    $pkgdir = "$repos/$pkg";
    if (!stat_exists $pkgdir) {
        $pkg_exists = 0;
    } else {
        $pkg_exists = 1;
        $pkg_secret = !!(~(stat _)[2] & 05);
    }
}

sub add_taint ($$) {
    my ($refobj, $reason);

    my $tf = new File::Temp or die $!;
    print $tf "$refobj^0\n" or die $!;

    my $gcfpid = open GCF, "-|";
    defined $gcfpid or die $!;
    if (!$gcfpid) {
        open STDIN, "<&", $tf or die $!;
        exec 'git', 'cat-file';
        die $!;
    }

    close $tf or die $!;
    $_ = <GCF>;
    m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
    my $gitobjid = $1;
    my $gitobjtype = $2;
    my $bytes = $3;

    my $gitobjdata;
    if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
        $!=0; read GCF, $gitobjdata, $bytes == $bytes
            or die "$gitobjid $bytes $!";
    }
    close GCF;

    $poldbh->do("INSERT INTO taints".
                " (package, gitobjid, gitobjtype, gitobjdata, time, comment)",
                " VALUES (?,?,?,?,?,?)", {},
                $pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);

    my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
    die unless defined $taint_id;

    $poldbh->do("INSERT INTO taintoverrides".
                " (taint_id, deliberately)",
                " VALUES (?, 'include-questionable-history')", {},
                $taint_id);
}

sub add_taint_by_tag ($$) {
    my ($tagname,$refobjid) = @_;
    add_taint($refobjid,
              "tag $tagname referred to this object in git tree but all".
              " previously pushed versions were found to have been".
              " removed from NEW (ie, rejected) (or never arrived)");
}

sub action__check_package () {
    getpackage();
    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    chdir $pkgdir or die "$pkgdir $!";
    return if new_has_vsn_in_our_history();

    if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
        return 0;
    }

    git_for_each_ref('refs/tags', sub {
        my ($objid,$objtype,$fullrefname,$tagname) = @_;
        add_taint_by_tag($tagname,$objid);
    });

    return FRESHREPO;
}

sub getpushinfo () {
    die unless @ARGV >= 4;
    $version = shift @ARGV;
    $suite = shift @ARGV;
    $tagname = shift @ARGV;
    my $delibs = shift @ARGV;
    foreach my $delib (split /\,/, $delibs) {
        $deliberately{$delib} = 1;
    }
}

sub deliberately ($) { return $deliberately{$_[0]}; }

sub action_push () {
    getpackage();
    return 0 unless $pkg_exists;
    return 0 unless $pkg_secret;

    # we suppose that NEW has a version which is already in our
    # history, as otherwise the repo would have been blown away

    if (deliberately('not-fast-forward')) {
        add_taint(server_ref($suite),
                  "suite $suite when --deliberately-not-fast-forward".
                  " specified in signed tag $tagname for upload of".
                  " version $version into suite $suite");
        return NOFFCHECK|FRESHREPO;
    }
    if (deliberately('include-questionable-history')) {
        return 0;
    }
    die "Package is in NEW and has not been accepted or rejected yet;".
        " use a --deliberately option to specify whether you are".
        " keeping or discarding the previously pushed history. ".
        " Please RTFM dgit(1).\n";
}

sub action_push_confirm () {
    my $initq = $poldbh->prepare(<<END);
        SELECT taint_id, gitobjid FROM taints t
            WHERE (package = ? OR package = '')
END
    $initq->execute($pkg);

    my @taintids;
    my $chkinput = tempfile();
    while (my $taint = $initq->fetchrow_hashref()) {
        push @taintids, $taint->{taint_id};
        print $chkinput $taint->{gitobjid}, "\n" or die $!;
    }
    flush $chkinput or die $!;
    seek $chkinput,0,0 or die $!;

    my $checkpid = open CHKOUT, "-|" // die $!;
    if (!$checkpid) {
        open STDIN, "<&", $chkinput or die $!;
        exec qw(git cat-file --batch) or die $!;
    }

    my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);

    my $overridesstmt = <<END;
        SELECT deliberately FROM taintoverrides WHERE ( 1
END
    my @overridesv = sort keys %deliberately;
    $overridesstmt .= join '', (<<END x @overridesv);
            OR deliberately = ?
END
    $overridesstmt .= <<END;
        ) AND taint_id = ?
        ORDER BY deliberately ASC
END

    my $mustreject=0;

    while (my $taintid = shift @taintids) {
        # git cat-file prints a spurious newline after it gets EOF
        # This is not documented.  I guess it might go away.  So we
        # just read what we expect and then let it get SIGPIPE.
        $!=0; $_ = <CHKOUT>;
        die "$? $!" unless defined $_;

        next if m/^\w+ missing$/;
        die unless m/^(\w+) (\w+) (\d+)\s/;
        my ($objid,$objtype,$nbytes) = ($1,$2,$3);

        my $drop;
        (read CHKOUT, $drop, $nbytes) == $nbytes or die;

        $taintinfoq ||= $poldbh->prepare(<<END);
            SELECT package, time, comment FROM taints WHERE taint_id =  ?
END
        $taintinfoq->execute($taintid);

        my $ti = $taintinfoq->fetchrow_hashref();
        die unless $ti;

        my $timeshow = defined $ti->{time}
            ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
            : "";
        my $pkgshow = length $ti->{package}
            ? "package $ti->{package}"
            : "any package";

        $stderr .= <<END;

History contains tainted $objtype $objid
Taint recorded$timeshow for $pkgshow
Reason: $ti->{comment}
END

        $overridesq ||= $poldbh->prepare($overridesstmt);
        $overridesq->execute(@overridesv, $taintid);
        my ($ovwhy) = $overridesq->fetchrow_array();
        if (!defined $ovwhy) {
            $overridesanyq ||= $poldbh->prepare(<<END);
                SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
END
            $overridesanyq->execute($taintid);
            my ($ovany) = $overridesanyq->fetchrow_array();
            $stderr .= $ovany ? <<END : <<END;
Could be forced using --deliberately.  Consult documentation.
END
Uncorrectable error.  If confused, consult administrator.
END
            $mustreject = 1;
        } else {
            $stderr .= <<END;
Forcing due to --deliberately-$ovwhy
END
            $untaintq ||= $poldbh->prepare(<<END);
                DELETE FROM taints WHERE taint_id = ?
END
            $untaintq->execute($taintid);
        }
    }
    close CHKOUT;

    if ($mustreject) {
        $stderr .= <<END;

Rejecting push due to questionable history.
END
        return 1;
    }

    return 0;
}

$action =~ y/-/_/;
my $fn = ${*::}{"action_$action"};
if (!$fn) {
    exit 0;
}

my $sleepy=0;
our $rcode = 127;

for (;;) {
    poldb_setup(poldb_path($repos));
    $stderr = '';

    $rcode = $fn->();
    die unless defined $rcode;

    eval { $poldbh->commit; };
    last unless length $@;

    die if $sleepy >= 20;
    print STDERR "[policy database busy, retrying]\n";
    sleep ++$sleepy;

    $poldbh->rollback;
}

print STDERR $stderr;
exit $rcode;