X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=blobdiff_plain;f=infra%2Fdgit-repos-server;h=2d61db988be72b7ffcd61794ba50487342e9748c;hp=7925d04510515acc6cb16e0a51d8af00ec273e03;hb=2522d3ba9ca4b00bffc107342f471fabac0a04b9;hpb=c02c4c21a1ae474acf22b09b400081d4e21fb149 diff --git a/infra/dgit-repos-server b/infra/dgit-repos-server index 7925d045..2d61db98 100755 --- a/infra/dgit-repos-server +++ b/infra/dgit-repos-server @@ -7,9 +7,10 @@ # settings # --repos=GIT-REPOS-DIR default DISTRO-DIR/repos/ # --suites=SUITES-FILE default DISTRO-DIR/suites +# --suites-master=SUITES-FILE default DISTRO-DIR/suites-master # --policy-hook=POLICY-HOOK default DISTRO-DIR/policy-hook # --dgit-live=DGIT-LIVE-DIR default DISTRO-DIR/dgit-live -# (DISTRO-DIR is not used other than as default) +# (DISTRO-DIR is not used other than as default and to pass to policy hook) # internal usage: # .../dgit-repos-server --pre-receive-hook PACKAGE # @@ -17,8 +18,10 @@ # # Works like git-receive-pack # -# SUITES is the name of a file which lists the permissible suites -# one per line (#-comments and blank lines ignored) +# SUITES-FILE is the name of a file which lists the permissible suites +# one per line (#-comments and blank lines ignored). For --suites-master +# it is a list of the suite(s) which should, when pushed to, update +# `master' on the server (if fast forward). # # AUTH-SPEC is a :-separated list of # KEYRING.GPG,AUTH-SPEC @@ -62,7 +65,7 @@ $SIG{__WARN__} = sub { die $_[0]; }; # as a result of this the stunt pre-receive hook runs; it does this: # + understand what refs we are allegedly updating and # check some correspondences: -# * we are updating only refs/tags/debian/* and refs/dgit/* +# * we are updating only refs/tags/DISTRO/* and refs/dgit/* # * and only one of each # * and the tag does not already exist # and @@ -117,7 +120,7 @@ $SIG{__WARN__} = sub { die $_[0]; }; # cleanup to do # # Policy hook script is invoked like this: -# POLICY-HOOK-SCRIPT DISTRO DGIT-REPOS-DIR DGIT-LIVE-DIR ACTION... +# POLICY-HOOK-SCRIPT DISTRO DGIT-REPOS-DIR DGIT-LIVE-DIR DISTRO-DIR ACTION... # ie. # POLICY-HOOK-SCRIPT ... check-list [...] # POLICY-HOOK-SCRIPT ... check-package PACKAGE [...] @@ -126,6 +129,8 @@ $SIG{__WARN__} = sub { die $_[0]; }; # POLICY-HOOK-SCRIPT ... push-confirm PACKAGE \ # VERSION SUITE TAGNAME DELIBERATELIES FRESH-REPO|'' [...] # +# DELIBERATELIES is like this: --deliberately-foo,--deliberately-bar,... +# # Exit status is a bitmask. Bit weight constants are defined in Dgit.pm. # NOFFCHECK (2) # suppress dgit-repos-server's fast-forward check ("push" only) @@ -137,18 +142,19 @@ $SIG{__WARN__} = sub { die $_[0]; }; # of any expected bits set). So, eg, exit 0 means "continue normally" # and would be appropriate for an unknown action. # -# cwd for push and push-confirm is a temporary repo where the -# to-be-pushed objects have been received; TAGNAME is the -# version-based tag +# cwd for push and push-confirm is a temporary repo where the incoming +# objects have been received; TAGNAME is the version-based tag. # # FRESH-REPO is '' iff the repo for this package already existed, or # the pathname of the newly-created repo which will be renamed into # place if everything goes well. (NB that this is generally not the # same repo as the cwd, because the objects are first received into a -# temporary repo so they can be examined.) +# temporary repo so they can be examined.) In this case FRESH-REPO +# contains exactly the objects and refs that will appear in the +# destination if push-confirm approves. # -# if push requested FRESHREPO, push-confirm happens in said fresh repo -# and FRESH-REPO is guaranteed not to be ''. +# if push requested FRESHREPO, push-confirm happens in the old working +# repo and FRESH-REPO is guaranteed not to be ''. # # policy hook for a particular package will be invoked only once at # a time - (see comments about DGIT-REPOS-DIR, above) @@ -160,7 +166,8 @@ $SIG{__WARN__} = sub { die $_[0]; }; # appropriate lock. # # If policy hook wants to run dgit (or something else in the dgit -# package), it should use DGIT-LIVE-DIR/dgit (etc.) +# package), it should use DGIT-LIVE-DIR/dgit (etc.), or if that is +# ENOENT, use the installed version. use POSIX; @@ -177,16 +184,19 @@ our $dgitrepos; our $package; our $distro; our $suitesfile; +our $suitesformasterfile; our $policyhook; our $dgitlive; +our $distrodir; our $destrepo; our $workrepo; our $keyrings; our @lockfhs; our @deliberatelies; -our %supersedes; +our %previously; our $policy; +our @policy_args; #----- utilities ----- @@ -233,12 +243,9 @@ sub lockrealtree () { locksometree(realdestrepo); } -sub mkrepotmp () { - my $tmpdir = "$dgitrepos/_tmp"; - return if mkdir $tmpdir; - return if $! == EEXIST; - die $!; -} +sub mkrepotmp () { ensuredir "$dgitrepos/_tmp" }; + +sub removedtagsfile () { "$dgitrepos/_removed-tags/$package"; } sub recorderror ($) { my ($why) = @_; @@ -270,13 +277,13 @@ sub policyhook { my ($policyallowbits, @polargs) = @_; # => ($exitstatuspolicybitmap); die if $policyallowbits & ~0x3e; - my @cmd = ($policyhook,$distro,$dgitrepos,$dgitlive,@polargs); + my @cmd = ($policyhook,$distro,$dgitrepos,$dgitlive,$distrodir,@polargs); debugcmd '+',@cmd; my $r = system @cmd; die "system: $!" if $r < 0; - die "hook (".(shellquote @cmd).") failed ($?)" + die "dgit-repos-server: policy hook failed (or rejected) ($?)\n" if $r & ~($policyallowbits << 8); - printdebug sprintf "hook (%s) => %#x\n", (shellquote @polargs), $r; + printdebug sprintf "hook => %#x\n", $r; return $r >> 8; } @@ -288,28 +295,46 @@ sub mkemptyrepo ($$) { sub mkrepo_fromtemplate ($) { my ($dir) = @_; my $template = "$dgitrepos/_template"; - locksometree($template); + my $templatelock = locksometree($template); printdebug "copy template $template -> $dir\n"; my $r = system qw(cp -a --), $template, $dir; !$r or die "create new repo $dir failed: $r $!"; + close $templatelock; } sub movetogarbage () { # realdestrepo must have been locked + + my $real = realdestrepo; + return unless stat_exists $real; + my $garbagerepo = "$dgitrepos/${package}_garbage"; - # We arrange to always keep at least one old tree, for anti-rewind - # purposes (and, I guess, recovery from mistakes). This is either - # $garbage or $garbage-old. + # We arrange to always keep at least one old tree, for recovery + # from mistakes. This is either $garbage or $garbage-old. if (stat_exists "$garbagerepo") { + printdebug "movetogarbage: rmtree $garbagerepo-tmp\n"; rmtree "$garbagerepo-tmp"; if (rename "$garbagerepo-old", "$garbagerepo-tmp") { + printdebug "movetogarbage: $garbagerepo-old -> -tmp, rmtree\n"; rmtree "$garbagerepo-tmp"; } else { die "$garbagerepo $!" unless $!==ENOENT; + printdebug "movetogarbage: $garbagerepo-old -> -tmp\n"; } + printdebug "movetogarbage: $garbagerepo -> -old\n"; rename "$garbagerepo", "$garbagerepo-old" or die "$garbagerepo $!"; } - rename realdestrepo, $garbagerepo + + ensuredir "$dgitrepos/_removed-tags"; + open PREVIOUS, ">>", removedtagsfile or die removedtagsfile." $!"; + git_for_each_ref('refs/tags/'.debiantag('*',$distro), sub { + my ($objid,$objtype,$fullrefname,$reftail) = @_; + print PREVIOUS "\n$objid $reftail .\n" or die $!; + }, $real); + close PREVIOUS or die $!; + + printdebug "movetogarbage: $real -> $garbagerepo\n"; + rename $real, $garbagerepo or $! == ENOENT or die "$garbagerepo $!"; } @@ -392,6 +417,7 @@ sub maybeinstallprospective () { chomp or die; printdebug " show-refs| $_\n"; s/^\S*[1-9a-f]\S* (\S+)$/$1/ or die; + next if m{^refs/heads/master$}; my $wh = m{^refs/tags/} ? 'tag' : m{^refs/dgit/} ? 'head' : @@ -412,7 +438,7 @@ sub maybeinstallprospective () { printdebug "install $destrepo => ".realdestrepo."\n"; rename $destrepo, realdestrepo or die $!; - remove "$destrepo.lock" or die $!; + remove realdestrepo.".lock" or die $!; } sub main__git_receive_pack () { @@ -428,6 +454,8 @@ sub main__git_receive_pack () { our ($tagname, $tagval, $suite, $oldcommit, $commit); our ($version, %tagh); +our ($tagexists_error); + sub readupdates () { printdebug " updates ...\n"; while () { @@ -435,11 +463,11 @@ sub readupdates () { printdebug " upd.| $_\n"; m/^(\S+) (\S+) (\S+)$/ or die "$_ ?"; my ($old, $sha1, $refname) = ($1, $2, $3); - if ($refname =~ m{^refs/tags/(?=debian/)}) { + if ($refname =~ m{^refs/tags/(?=$distro/)}) { reject "pushing multiple tags!" if defined $tagname; $tagname = $'; #'; $tagval = $sha1; - reject "tag $tagname already exists -". + $tagexists_error= "tag $tagname already exists -". " not replacing previously-pushed version" if $old =~ m/[^0]/; } elsif ($refname =~ m{^refs/dgit/}) { @@ -492,11 +520,11 @@ sub parsetag () { while (length) { if (s/^distro\=(\S+) //) { die "$1 != $distro" unless $1 eq $distro; - } elsif (s/^(--deliberately-$package_re) //) { + } elsif (s/^(--deliberately-$deliberately_re) //) { push @deliberatelies, $1; - } elsif (s/^supersede:(\S+)=(\w+) //) { - die "supersede $1 twice" if defined $supersedes{$1}; - $supersedes{$1} = $2; + } elsif (s/^previously:(\S+)=(\w+) //) { + die "previously $1 twice" if defined $previously{$1}; + $previously{$1} = $2; } elsif (s/^[-+.=0-9a-z]\S* //) { } else { die "unknown dgit info in tag ($_)"; @@ -613,78 +641,128 @@ sub verifytag () { reject "key not found in keyrings"; } -sub checksuite () { - printdebug "checksuite ($suitesfile)\n"; - open SUITES, "<", $suitesfile or die $!; +sub suite_is_in ($) { + my ($sf) = @_; + printdebug "suite_is_in ($sf)\n"; + if (!open SUITES, "<", $sf) { + $!==ENOENT or die $!; + return 0; + } while () { chomp; next unless m/\S/; next if m/^\#/; s/\s+$//; - return if $_ eq $suite; + return 1 if $_ eq $suite; } die $! if SUITES->error; + return 0; +} + +sub checksuite () { + printdebug "checksuite ($suitesfile)\n"; + return if suite_is_in $suitesfile; reject "unknown suite"; } sub checktagnoreplay () { - # We check that the signed tag mentions the name and value of - # (a) in the case of FRESHREPO all tags in the repo; - # (b) in the case of just NOFFCHECK all tags referring to - # the current head for the suite (there must be at least one). - # This prevents a replay attack using an earlier signed tag. + # We need to prevent a replay attack using an earlier signed tag. + # We also want to archive in the history the object ids of + # anything we remove, even if we get rid of the actual objects. + # + # So, we check that the signed tag mentions the name and tag + # object id of: + # + # (a) In the case of FRESHREPO: all tags and refs/heads/* in + # the repo. That is, effectively, all the things we are + # deleting. + # + # This prevents any tag implying a FRESHREPO push + # being replayed into a different state of the repo. + # + # There is still the folowing risk: If a non-ff push is of a + # head which is an ancestor of a previous ff-only push, the + # previous push can be replayed. + # + # So we keep a separate list, as a file in the repo, of all + # the tag object ids we have ever seen and removed. Any such + # tag object id will be rejected even for ff-only pushes. + # + # (b) In the case of just NOFFCHECK: all tags referring to the + # current head for the suite (there must be at least one). + # + # This prevents any tag implying a NOFFCHECK push being + # replayed to rewind from a different head. + # + # The possibility of an earlier ff-only push being replayed is + # eliminated as follows: the tag from such a push would still + # be in our repo, and therefore the replayed push would be + # rejected because the set of refs being updated would be + # wrong. + + if (!open PREVIOUS, "<", removedtagsfile) { + die removedtagsfile." $!" unless $!==ENOENT; + } else { + # Protocol for updating this file is to append to it, not + # write-new-and-rename. So all updates are prefixed with \n + # and suffixed with " .\n" so that partial writes can be + # ignored. + while () { + next unless m/^(\w+) (.*) \.\n/; + next unless $1 eq $tagval; + reject "Replay of previously-rewound upload ($tagval $2)"; + } + die removedtagsfile." $!" if PREVIOUS->error; + close PREVIOUS; + } + return unless $policy & (FRESHREPO|NOFFCHECK); my $garbagerepo = "$dgitrepos/${package}_garbage"; lockrealtree(); - local $ENV{GIT_DIR}; - foreach my $garb ("$garbagerepo", "$garbagerepo-old") { - if (stat_exists $garb) { - $ENV{GIT_DIR} = $garb; - last; + my $nchecked = 0; + my @problems; + + my $check_ref_previously= sub { + my ($objid,$objtype,$fullrefname,$reftail) = @_; + my $supkey = $fullrefname; + $supkey =~ s{^refs/}{} or die "$supkey $objid ?"; + my $supobjid = $previously{$supkey}; + if (!defined $supobjid) { + printdebug "checktagnoreply - missing\n"; + push @problems, "does not declare previously $supkey"; + } elsif ($supobjid ne $objid) { + push @problems, "declared previously $supkey=$supobjid". + " but actually previously $supkey=$objid"; + } else { + $nchecked++; } - } - if (!defined $ENV{GIT_DIR}) { - # Nothing to overwrite so the FRESHREPO and NOFFCHECK were - # pointless. Oh well. - printdebug "checktagnoreplay - no garbage, ok\n"; - return; - } + }; - my $onlyreferring; - if (!($policy & FRESHREPO)) { - my $branch = server_branch($suite); - $!=0; $?=0; $_ = - `git for-each-ref --format='%(objectname)' '[r]efs/$branch'`; - defined or die "$branch $? $!"; - $? and die "$branch $?"; - if (!length) { + if ($policy & FRESHREPO) { + foreach my $kind (qw(tags heads)) { + git_for_each_ref("refs/$kind", $check_ref_previously); + } + } else { + my $branch= server_branch($suite); + my $branchhead= git_get_ref(server_ref($suite)); + if (!length $branchhead) { # No such branch - NOFFCHECK was unnecessary. Oh well. printdebug "checktagnoreplay - not FRESHREPO, new branch, ok\n"; - return; - } - m/^(\w+)\n$/ or die "$branch $_ ?"; - $onlyreferring = $1; - printdebug "checktagnoreplay - not FRESHREPO,". - " checking for overwriting refs/$branch=$onlyreferring\n"; - } - - my @problems; - - git_for_each_tag_referring($onlyreferring, sub { - my ($objid,$fullrefname,$tagname) = @_; - printdebug "checktagnoreplay - overwriting $fullrefname=$objid\n"; - my $supers = $supersedes{$fullrefname}; - if (!defined $supers) { - push @problems, "does not supersede $fullrefname"; - } elsif ($supers ne $objid) { - push @problems, - "supersedes $fullrefname=$supers but previously $fullrefname=$objid"; } else { - # ok; + printdebug "checktagnoreplay - not FRESHREPO,". + " checking for overwriting refs/$branch=$branchhead\n"; + git_for_each_tag_referring($branchhead, sub { + my ($tagobjid,$refobjid,$fullrefname,$tagname) = @_; + $check_ref_previously->($tagobjid,undef,$fullrefname,undef); + }); + printdebug "checktagnoreplay - not FRESHREPO, nchecked=$nchecked"; + push @problems, "does not declare previously any tag". + " referring to branch head $branch=$branchhead" + unless $nchecked; } - }); + } if (@problems) { reject "replay attack prevention check failed:". @@ -692,7 +770,7 @@ sub checktagnoreplay () { join("; ", @problems). "\n"; } - printdebug "checktagnoreply - all ok\n" + printdebug "checktagnoreplay - all ok ($tagval)\n" } sub tagh1 ($) { @@ -710,18 +788,24 @@ sub checks () { tagh1('object') eq $commit or reject "tag refers to wrong commit"; tagh1('tag') eq $tagname or reject "tag name in tag is wrong"; - my $v = $version; - $v =~ y/~:/_%/; - - printdebug "translated version $v\n"; - $tagname eq "debian/$v" or die; + my $expecttagname = debiantag $version, $distro; + printdebug "expected tag $expecttagname\n"; + $tagname eq $expecttagname or die; lockrealtree(); - my @policy_args = ($package,$version,$suite,$tagname, - join(",",@deliberatelies)); + @policy_args = ($package,$version,$suite,$tagname, + join(",",@deliberatelies)); $policy = policyhook(NOFFCHECK|FRESHREPO, 'push', @policy_args); + if (defined $tagexists_error) { + if ($policy & FRESHREPO) { + printdebug "ignoring tagexists_error: $tagexists_error\n"; + } else { + reject $tagexists_error; + } + } + checktagnoreplay(); checksuite(); @@ -732,37 +816,68 @@ sub checks () { chomp $mb; $mb eq $oldcommit or reject "not fast forward on dgit branch"; } - if ($policy & FRESHREPO) { - # This is troublesome. We have been asked by the policy hook - # to receive the push into a fresh repo. But of course we - # have actually already mostly received the push into the working - # repo. (This is unavoidable because the instruction to use a new - # repo comes ultimately from the signed tag for the dgit push, - # which has to have been received into some repo.) + # It's a bit late to be discovering this here, isn't it ? + # + # What we do is: Generate a fresh destination repo right now, + # and arrange to treat it from now on as if it were a + # prospective repo. + # + # The presence of this fresh destination repo is detected by + # the parent, which responds by making a fresh master repo + # from the template. (If the repo didn't already exist then + # $destrepo was _prospective, and we change it here. This is + # OK because the parent's check for _fresh persuades it not to + # use _prospective.) # - # So what we do is generate a fresh working repo right now and - # push the head and tag into it. The presence of this fresh - # working repo is detected by the parent, which responds by - # making a fresh master repo from the template. - $destrepo = "${workrepo}_fresh"; # workrepo lock covers mkrepo_fromtemplate $destrepo; } - - my $willinstall = ($destrepo eq realdestrepo ? '' : $destrepo); - policyhook(0, 'push-confirm', @policy_args, $willinstall); } sub onwardpush () { - my @cmd = (qw(git send-pack), $destrepo); - push @cmd, qw(--force) if $policy & NOFFCHECK; + my @cmdbase = (qw(git send-pack), $destrepo); + push @cmdbase, qw(--force) if $policy & NOFFCHECK; + + my @cmd = @cmdbase; push @cmd, "$commit:refs/dgit/$suite", "$tagval:refs/tags/$tagname"; debugcmd '+',@cmd; $!=0; my $r = system @cmd; !$r or die "onward push to $destrepo failed: $r $!"; + + if (suite_is_in $suitesformasterfile) { + @cmd = @cmdbase; + push @cmd, "$commit:refs/heads/master"; + debugcmd '+', @cmd; + $!=0; my $r = system @cmd; + # tolerate errors (might be not ff) + !($r & ~0xff00) or die + "onward push to $destrepo#master failed: $r $!"; + } +} + +sub finalisepush () { + if ($destrepo eq realdestrepo) { + policyhook(0, 'push-confirm', @policy_args, ''); + onwardpush(); + } else { + # We are to receive the push into a new repo (perhaps + # because the policy push hook asked us to with FRESHREPO, or + # perhaps because the repo didn't exist before). + # + # We want to provide the policy push-confirm hook with a repo + # which looks like the one which is going to be installed. + # The working repo is no good because it might contain + # previous history. + # + # So we push the objects into the prospective new repo right + # away. If the hook declines, we decline, and the prospective + # repo is never installed. + onwardpush(); + policyhook(0, 'push-confirm', @policy_args, $destrepo); + } } sub stunthook () { @@ -773,7 +888,7 @@ sub stunthook () { parsetag(); verifytag(); checks(); - onwardpush(); + finalisepush(); printdebug "stunthook done.\n"; } @@ -811,11 +926,13 @@ our %indistrodir = ( # keys are used for DGIT_DRS_XXX too 'repos' => \$dgitrepos, 'suites' => \$suitesfile, + 'suites-master' => \$suitesformasterfile, 'policy-hook' => \$policyhook, 'dgit-live' => \$dgitlive, ); -our @hookenvs = qw(distro suitesfile policyhook dgitlive keyrings dgitrepos); +our @hookenvs = qw(distro suitesfile suitesformasterfile policyhook + dgitlive keyrings dgitrepos distrodir); # workrepo and destrepo handled ad-hoc @@ -912,9 +1029,9 @@ sub parseargsdispatch () { exit 0; } - $distro = $ENV{'DGIT_DRS_DISTRO'} = argval(); - my $distrodir = argval(); - $keyrings = $ENV{'DGIT_DRS_KEYRINGS'} = argval(); + $distro = argval(); + $distrodir = argval(); + $keyrings = argval(); foreach my $dk (keys %indistrodir) { ${ $indistrodir{$dk} } = "$distrodir/$dk";