X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=blobdiff_plain;f=infra%2Fdgit-repos-policy-debian;h=3c7c006bc6c8b0edd271b5b0fb6c512cc8be9b33;hp=66bf8be6d63ffc937e776c78c04cb95fe8ef3b5a;hb=ab3be575e6a64ca698684995a02563b3cb82f68a;hpb=b7dec4080f555d202570cd3293465db52a9139ec

diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index 66bf8be6..3c7c006b 100755
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -1,35 +1,24 @@
 #!/usr/bin/perl -w
 # dgit repos policy hook script for Debian
-#
-# usages:
-#   dgit-repos-policy-debian DISTRO DGIT-REPOS-DIR ACTION...
-# ie.
-#   dgit-repos-policy-debian ... check-list [...]
-#   dgit-repos-policy-debian ... check-package PACKAGE [...]
-#   dgit-repos-policy-debian ... push PACKAGE \
-#         VERSION SUITE TAGNAME DELIBERATELIES [...]
-#
-# cwd for push is a temporary repo where the to-be-pushed objects have
-#  been received; TAGNAME is the version-based tag
-#
-# if push requested FRESHREPO, push-confirm happens in said fresh repo
-#
-# policy hook for a particular package will be invoked only once at
-# a time
 
 use strict;
+$SIG{__WARN__} = sub { die $_[0]; };
+
 use POSIX;
 use JSON;
-use File::Temp;
+use File::Temp qw(tempfile);
+use DBI;
+use IPC::Open2;
 
 use Debian::Dgit qw(:DEFAULT :policyflags);
+use Debian::Dgit::Policy::Debian;
 
 our $distro = shift @ARGV // die "need DISTRO";
 our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
+our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
 our $action = shift @ARGV // die "need ACTION";
 
 our $publicmode = 02775;
-our $policydb = "dbi:SQLite:$repos/policy";
 our $new_upload_propagation_slop = 3600*4 + 100;
 
 our $poldbh;
@@ -37,6 +26,11 @@ our $pkg;
 our $pkgdir;
 our ($pkg_exists,$pkg_secret);
 
+our $stderr;
+
+our ($version,$suite,$tagname);
+our %deliberately;
+
 # We assume that it is not possible for NEW to have a version older
 # than sid.
 
@@ -71,58 +65,31 @@ our ($pkg_exists,$pkg_secret);
 # still be being uploaded.  (We record this using the timestamp of the
 # package's git repo directory.)
 
-
-sub poldb_setup () {
-    $poldbh = DBI->connect($policydb,'','', {
-	RaiseError=>1, PrintError=>1, AutoCommit=>0
-			   });
-    $poldbh->do("PRAGMA foreign_keys = ON");
-
-    $poldbh->do(<<END);
-	CREATE TABLE IF NOT EXISTS taints (
-	    taint_id   INTEGER NOT NULL PRIMARY KEY ASC AUTOINCREMENT,
-	    package    TEXT    NOT NULL,
-	    gitobjid   TEXT    NOT NULL,
-	    comment    TEXT    NOT NULL,
-	    time       INTEGER,
-	    gitobjtype TEXT,
-	    gitobjdata TEXT
-	    )
-END
-    $poldbh->do(<<END);
-	CREATE INDEX IF NOT EXISTS taints_by_package
-	    ON taints (package, gitobject)
-END
-    # any one of of the listed deliberatelies will override its taint
-    $poldbh->do(<<END);
-	CREATE TABLE IF NOT EXISTS taintoverrides (
-	    taint_id  INTEGER NOT NULL
-		      REFERENCES taints (taint_id)
-			  ON UPDATE RESTRICT
-			  ON DELETE CASCADE
-		      DEFERRABLE INITIALLY DEFERRED,
-	    deliberately TEXT NOT NULL,
-	    PRIMARY KEY (taint_id, deliberately)
-	)
-END
-}
-
-sub poldb_commit () {
-    $poldbh->commit;
-}
+# We aim for the following invariants and properties:
+#
+# - .dsc of published dgit package will have corresponding publicly
+#   visible dgit-repo (soon)
+#
+# - when a new package is rejected we help maintainer avoid
+#   accidentally including bad objects in published dgit history
+#
+# - .dsc of NEW dgit package has corresponding dgit-repo but not
+#   publicly readable
 
 sub apiquery ($) {
     my ($subpath) = @_;
     local $/=undef;
-    $!=0; $?=0; my $json = `dgit -d $distro archive-api-query $subpath`;
+    my $cmd = "$dgitlive/dgit -d $distro ".
+	"\$DGIT_TEST_OPTS \$DGIT_TEST_DEBUG archive-api-query $subpath";
+    $!=0; $?=0; my $json = `$cmd`;
     defined $json or die "$subpath $! $?";
     return decode_json $json;
 }
 
 sub specific_suite_has_vsn_in_our_history ($) {
     my ($suite) = @_;
-    my $in_new = apiquery "/dsc_in_suite/$suite/$pkg";
-    foreach my $entry (@$in_new) {
+    my $in_suite = apiquery "/dsc_in_suite/$suite/$pkg";
+    foreach my $entry (@$in_suite) {
 	my $vsn = $entry->{version};
 	die "$pkg ?" unless defined $vsn;
 	my $tag = debiantag $vsn;
@@ -153,26 +120,29 @@ sub good_suite_has_vsn_in_our_history () {
     return 0;
 }
 
+sub statpackage () {
+    $pkgdir = "$repos/$pkg.git";
+    if (!stat_exists $pkgdir) {
+	$pkg_exists = 0;
+    } else {
+	$pkg_exists = 1;
+	$pkg_secret = !!(~(stat _)[2] & 05);
+    }
+}
+
 sub getpackage () {
-    die unless @ARGV > 1;
+    die unless @ARGV >= 1;
     $pkg = shift @ARGV;
-    die if $pkg =~ m#[^-+.0-9a-z]#;
-    die unless $pkg =~ m#^[^-]#;
+    die unless $pkg =~ m/^$package_re$/;
 
-    $pkgdir = "$repos/$pkg";
-    if (!stat $pkgdir) {
-	die "$pkgdir $!" unless $!==ENOENT;
-	$pkg_exists = 0;
-    }
-    $pkg_exists = 1;
-    $pkg_secret = !!(~(stat _)[2] & 05);
+    statpackage();
 }
 
 sub add_taint ($$) {
-    my ($gitobjid, $gitobjtype, $reason) = @_;
+    my ($refobj, $reason);
 
     my $tf = new File::Temp or die $!;
-    print $tf "$gitobjid\n" or die $!;
+    print $tf "$refobj^0\n" or die $!;
 
     my $gcfpid = open GCF, "-|";
     defined $gcfpid or die $!;
@@ -184,13 +154,16 @@ sub add_taint ($$) {
 
     close $tf or die $!;
     $_ = <GCF>;
-    m/^(\w+) (\w+) (\d+)\n/ or die "$objline ?";
-    $1 eq $gitobjid or die "$! $gitobjid ?";
-    $2 eq $gitobjtype or die "$! $gitobjtype ?";
+    m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
+    my $gitobjid = $1;
+    my $gitobjtype = $2;
     my $bytes = $3;
 
     my $gitobjdata;
-    $!=0; read GCF, $gitobjdata, $bytes == $bytes or die "$gitobjid $bytes $!";
+    if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
+	$!=0; read GCF, $gitobjdata, $bytes == $bytes
+	    or die "$gitobjid $bytes $!";
+    }
     close GCF;
 
     $poldbh->do("INSERT INTO taints".
@@ -202,11 +175,18 @@ sub add_taint ($$) {
     die unless defined $taint_id;
 
     $poldbh->do("INSERT INTO taintoverrides".
-		" (taint_id, 'include-questionable-history')",
-		" VALUES (?)", {},
+		" (taint_id, deliberately)",
+		" VALUES (?, 'include-questionable-history')", {},
 		$taint_id);
 }
 
+sub add_taint_by_tag ($$) {
+    my ($tagname,$refobjid) = @_;
+    add_taint($refobjid,
+	      "tag $tagname referred to this object in git tree but all".
+	      " previously pushed versions were found to have been".
+	      " removed from NEW (ie, rejected) (or never arrived)");
+}
 
 sub action__check_package () {
     getpackage();
@@ -223,40 +203,216 @@ sub action__check_package () {
 
     git_for_each_ref('refs/tags', sub {
 	my ($objid,$objtype,$fullrefname,$tagname) = @_;
-	add_taint($objid,$objtype,
-		  "tag $tagname referred to this object in git tree but all".
-		  " previously pushed versions were found to have been".
-		  " removed from NEW (ie, rejected) (or never arrived)");
+	add_taint_by_tag($tagname,$objid);
     });
-    $?=0; $!=0; close TAGL or die "git for-each-ref $? $!";
 
     return FRESHREPO;
 }
 
-sub action_push () {
-    # we suppose that NEW has a version which is already in our
-    # history, as otherwise the repo would have been blown away
+sub getpushinfo () {
+    die unless @ARGV >= 4;
+    $version = shift @ARGV;
+    $suite = shift @ARGV;
+    $tagname = shift @ARGV;
+    my $delibs = shift @ARGV;
+    foreach my $delib (split /\,/, $delibs) {
+	$deliberately{$delib} = 1;
+    }
+}
 
+sub deliberately ($) { return $deliberately{$_[0]}; }
+
+sub action_push () {
     getpackage();
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;
 
-    xxx up to here
+    # we suppose that NEW has a version which is already in our
+    # history, as otherwise the repo would have been blown away
+
+    if (deliberately('not-fast-forward')) {
+	add_taint(server_ref($suite),
+		  "suite $suite when --deliberately-not-fast-forward".
+		  " specified in signed tag $tagname for upload of".
+		  " version $version into suite $suite");
+	return NOFFCHECK|FRESHREPO;
+    }
+    if (deliberately('include-questionable-history')) {
+	return 0;
+    }
+    die "Package is in NEW and has not been accepted or rejected yet;".
+	" use a --deliberately option to specify whether you are".
+	" keeping or discarding the previously pushed history. ".
+	" Please RTFM dgit(1).\n";
 }
 
+sub action_push_confirm () {
+    getpackage();
+    die unless @ARGV;
+    my $freshrepo = shift @ARGV;
+
+    my $initq = $poldbh->prepare(<<END);
+        SELECT taint_id, gitobjid FROM taints t
+            WHERE (package = ? OR package = '')
+END
+    $initq->execute($pkg);
+
+    my @taintids;
+    my $chkinput = tempfile();
+    while (my $taint = $initq->fetchrow_hashref()) {
+	push @taintids, $taint->{taint_id};
+	print $chkinput $taint->{gitobjid}, "\n" or die $!;
+    }
+    flush $chkinput or die $!;
+    seek $chkinput,0,0 or die $!;
+
+    my $checkpid = open CHKOUT, "-|" // die $!;
+    if (!$checkpid) {
+	open STDIN, "<&", $chkinput or die $!;
+	exec qw(git cat-file --batch) or die $!;
+    }
+
+    my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
+
+    my $overridesstmt = <<END;
+        SELECT deliberately FROM taintoverrides WHERE ( 1
+END
+    my @overridesv = sort keys %deliberately;
+    $overridesstmt .= join '', (<<END x @overridesv);
+            OR deliberately = ?
+END
+    $overridesstmt .= <<END;
+	) AND taint_id = ?
+        ORDER BY deliberately ASC
+END
+
+    my $mustreject=0;
+
+    while (my $taintid = shift @taintids) {
+	# git cat-file prints a spurious newline after it gets EOF
+	# This is not documented.  I guess it might go away.  So we
+	# just read what we expect and then let it get SIGPIPE.
+	$!=0; $_ = <CHKOUT>;
+	die "$? $!" unless defined $_;
+
+	next if m/^\w+ missing$/;
+	die unless m/^(\w+) (\w+) (\d+)\s/;
+	my ($objid,$objtype,$nbytes) = ($1,$2,$3);
+
+	my $drop;
+	(read CHKOUT, $drop, $nbytes) == $nbytes or die;
+
+	$taintinfoq ||= $poldbh->prepare(<<END);
+            SELECT package, time, comment FROM taints WHERE taint_id =  ?
+END
+        $taintinfoq->execute($taintid);
+
+	my $ti = $taintinfoq->fetchrow_hashref();
+	die unless $ti;
+
+	my $timeshow = defined $ti->{time}
+	    ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
+	    : "";
+	my $pkgshow = length $ti->{package}
+	    ? "package $ti->{package}"
+	    : "any package";
+
+	$stderr .= <<END;
+
+History contains tainted $objtype $objid
+Taint recorded$timeshow for $pkgshow
+Reason: $ti->{comment}
+END
+
+        $overridesq ||= $poldbh->prepare($overridesstmt);
+	$overridesq->execute(@overridesv, $taintid);
+	my ($ovwhy) = $overridesq->fetchrow_array();
+	if (!defined $ovwhy) {
+	    $overridesanyq ||= $poldbh->prepare(<<END);
+	        SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
+END
+	    $overridesanyq->execute($taintid);
+	    my ($ovany) = $overridesanyq->fetchrow_array();
+	    $stderr .= $ovany ? <<END : <<END;
+Could be forced using --deliberately.  Consult documentation.
+END
+Uncorrectable error.  If confused, consult administrator.
+END
+            $mustreject = 1;
+	} else {
+	    $stderr .= <<END;
+Forcing due to --deliberately-$ovwhy
+END
+            $untaintq ||= $poldbh->prepare(<<END);
+                DELETE FROM taints WHERE taint_id = ?
+END
+            $untaintq->execute($taintid);
+        }
+    }
+    close CHKOUT;
 
+    if ($mustreject) {
+	$stderr .= <<END;
 
-if (defined $pkg) {
-    selectpackage;
+Rejecting push due to questionable history.
+END
+        return 1;
+    }
+
+    if (length $freshrepo) {
+	if (!good_suite_has_vsn_in_our_history()) {
+	    stat $freshrepo or die "$freshrepo $!";
+	    my $oldmode = ((stat _)[2]);
+	    my $oldwrites = $oldmode & 0222;
+	    # remove r and x bits which have corresponding w bits clear
+	    my $newmode = $oldmode & ($oldwrites << 1) & ($oldwrites > 1);
+	    chmod $newmode, $freshrepo or die $!;
+	}
+    }
+
+    return 0;
 }
 
-my $fn = ${*::}{"action__$cmd"};
-$fn or die "unknown ACTION";
+sub action_check_list () {
+    opendir L, "$repos" or die "$repos $!";
+    while (defined (my $dent = readdir L)) {
+	next unless $dent =~ m/^($package_re)\.git$/;
+	$pkg = $1;
+	statpackage();
+	next unless $pkg_exists;
+	next unless $pkg_secret;
+	print "$pkg\n" or die $!;
+    }
+    closedir L or die $!;
+    close STDOUT or die $!;
+    return 0;
+}
+
+$action =~ y/-/_/;
+my $fn = ${*::}{"action_$action"};
+if (!$fn) {
+    exit 0;
+}
 
-poldb_setup();
+my $sleepy=0;
+our $rcode = 127;
 
-my $rcode = $fn->();
-die unless defined $rcode;
+for (;;) {
+    poldb_setup(poldb_path($repos));
+    $stderr = '';
+
+    $rcode = $fn->();
+    die unless defined $rcode;
+
+    eval { $poldbh->commit; };
+    last unless length $@;
+
+    die if $sleepy >= 20;
+    print STDERR "[policy database busy, retrying]\n";
+    sleep ++$sleepy;
+
+    $poldbh->rollback;
+}
 
-poldb_commit();
+print STDERR $stderr;
 exit $rcode;