Add --untrusted option to pull and pull-local

https://bugzilla.gnome.org/show_bug.cgi?id=764125 Closes: #221 Approved by: cgwalters
2025-03-11 20:58:45 +03:00 · 2016-03-23 12:32:03 +01:00 · 2016-03-23 12:32:03 +01:00 · 456f515522
commit 456f515522
parent ed1e0c6d04
6 changed files with 92 additions and 1 deletions
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@ -48,6 +48,7 @@ test_scripts = \
 	tests/test-pull-metalink.sh \
 	tests/test-pull-summary-sigs.sh \
 	tests/test-pull-resume.sh \
+	tests/test-pull-untrusted.sh \
 	tests/test-local-pull-depth.sh \
 	tests/test-gpg-signed-commit.sh \
 	tests/test-admin-upgrade-unconfigured.sh \
--- a/man/ostree-pull-local.xml
+++ b/man/ostree-pull-local.xml
@ -80,6 +80,14 @@ Boston, MA 02111-1307, USA.
                    Do no invoke fsync().
                </para></listitem>
            </varlistentry>
+
+            <varlistentry>
+                <term><option>--untrusted</option></term>
+
+                <listitem><para>
+                    Do not trust source, verify checksums and don't hardlink into source.
+                </para></listitem>
+            </varlistentry>
        </variablelist>
    </refsect1>

--- a/man/ostree-pull.xml
+++ b/man/ostree-pull.xml
@ -73,6 +73,14 @@ Boston, MA 02111-1307, USA.
                </para></listitem>
            </varlistentry>

+            <varlistentry>
+                <term><option>--untrusted</option></term>
+
+                <listitem><para>
+                    Do not trust local sources, verify checksums and don't hardlink into source.
+                </para></listitem>
+            </varlistentry>
+
            <varlistentry>
                <term><option>--disable-static-deltas</option></term>

--- a/src/ostree/ot-builtin-pull-local.c
+++ b/src/ostree/ot-builtin-pull-local.c
@ -32,11 +32,13 @@

 static char *opt_remote;
 static gboolean opt_disable_fsync;
+static gboolean opt_untrusted;
 static int opt_depth = 0;

 static GOptionEntry options[] = {
  { "remote", 0, 0, G_OPTION_ARG_STRING, &opt_remote, "Add REMOTE to refspec", "REMOTE" },
  { "disable-fsync", 0, 0, G_OPTION_ARG_NONE, &opt_disable_fsync, "Do not invoke fsync()", NULL },
+  { "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not trust source", NULL },
  { "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" },
  { NULL }
 };
@ -54,6 +56,7 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr
  glnx_unref_object OstreeAsyncProgress *progress = NULL;
  g_autoptr(GPtrArray) refs_to_fetch = NULL;
  g_autoptr(GHashTable) source_objects = NULL;
+  OstreeRepoPullFlags pullflags = 0;

  context = g_option_context_new ("SRC_REPO [REFS...] -  Copy data from SRC_REPO");

@ -83,6 +86,9 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr
      src_repo_uri = g_strconcat ("file://", cwd, "/", src_repo_arg, NULL);
    }

+  if (opt_untrusted)
+    pullflags |= OSTREE_REPO_PULL_FLAGS_UNTRUSTED;
+
  if (opt_disable_fsync)
    ostree_repo_set_disable_fsync (repo, TRUE);

@ -133,7 +139,7 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr
    g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}"));

    g_variant_builder_add (&builder, "{s@v}", "flags",
-                           g_variant_new_variant (g_variant_new_int32 (OSTREE_REPO_PULL_FLAGS_NONE)));
+                           g_variant_new_variant (g_variant_new_int32 (pullflags)));
    g_variant_builder_add (&builder, "{s@v}", "refs",
                           g_variant_new_variant (g_variant_new_strv ((const char *const*) refs_to_fetch->pdata, -1)));
    if (opt_remote)
--- a/src/ostree/ot-builtin-pull.c
+++ b/src/ostree/ot-builtin-pull.c
@ -33,6 +33,7 @@ static gboolean opt_commit_only;
 static gboolean opt_dry_run;
 static gboolean opt_disable_static_deltas;
 static gboolean opt_require_static_deltas;
+static gboolean opt_untrusted;
 static char* opt_subpath;
 static int opt_depth = 0;
 
@ -43,6 +44,7 @@ static GOptionEntry options[] = {
   { "require-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_require_static_deltas, "Require static deltas", NULL },
   { "mirror", 0, 0, G_OPTION_ARG_NONE, &opt_mirror, "Write refs suitable for a mirror", NULL },
   { "subpath", 0, 0, G_OPTION_ARG_STRING, &opt_subpath, "Only pull the provided subpath", NULL },
+   { "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not trust (local) sources", NULL },
   { "dry-run", 0, 0, G_OPTION_ARG_NONE, &opt_dry_run, "Only print information on what will be downloaded (requires static deltas)", NULL },
   { "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" },
   { NULL }
@ -134,6 +136,9 @@ ostree_builtin_pull (int argc, char **argv, GCancellable *cancellable, GError **
  if (opt_commit_only)
    pullflags |= OSTREE_REPO_PULL_FLAGS_COMMIT_ONLY;

+  if (opt_untrusted)
+    pullflags |= OSTREE_REPO_PULL_FLAGS_UNTRUSTED;
+
  if (opt_dry_run && !opt_require_static_deltas)
    {
      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
--- a/tests/test-pull-untrusted.sh
+++ b/tests/test-pull-untrusted.sh
@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Copyright (C) 2014 Alexander Larsson <alexl@redhat.com>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo '1..3'
+
+setup_test_repository "bare"
+
+cd ${test_tmpdir}
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+
+${CMD_PREFIX} ostree --repo=repo2 --untrusted pull-local repo
+
+find repo2 -type f -links +1 | while read line; do
+    assert_not_reached "pull-local created hardlinks"
+done
+echo "ok pull-local --untrusted didn't hardlink"
+
+# Corrupt repo
+for i in ${test_tmpdir}/repo/objects/*/*.file; do
+    echo "corrupting $i"
+    echo "broke" >> $i
+    break;
+done
+
+rm -rf repo2
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+if ${CMD_PREFIX} ostree --repo=repo2 pull-local repo; then
+    echo "ok trusted pull with corruption succeeded"
+else
+    assert_not_reached "corrupted trusted pull unexpectedly succeeded!"
+fi
+
+rm -rf repo2
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+if ${CMD_PREFIX} ostree --repo=repo2 pull-local --untrusted repo; then
+    assert_not_reached "corrupted untrusted pull unexpectedly failed!"
+else
+    echo "ok untrusted pull with corruption failed"
+fi