pull: Allow disabling commit binding verification

In some cases such as backups or mirroring you may want to pull commits
from one repo to another even if there commits that have incorrect
bindings. Fixing the commits in the source repository to have correct
bindings may not be feasible, so provide a pull option to disable
verification.

For Endless we have several repositories that predate collection IDs and
ref bindings. Later these repositories gained collection IDs to support
the features they provide and ref bindings as the ostree tooling was
upgraded. These repositories contain released commits that were valid to
the clients they were targeting at the time. Correcting the bindings is
not really an option as it would mean invalidating the repository
history.
This commit is contained in:
Dan Nicholson 2020-12-17 14:07:08 -07:00
parent 5551c54c6e
commit 4db2ba0eb1
8 changed files with 51 additions and 11 deletions

View File

@ -849,6 +849,7 @@ _ostree_pull_local() {
--gpg-verify-summary --gpg-verify-summary
--require-static-deltas --require-static-deltas
--untrusted --untrusted
--disable-verify-bindings
" "
local options_with_args=" local options_with_args="
@ -904,6 +905,7 @@ _ostree_pull() {
--untrusted --untrusted
--bareuseronly-files --bareuseronly-files
--dry-run --dry-run
--disable-verify-bindings
" "
local options_with_args=" local options_with_args="

View File

@ -90,6 +90,14 @@ Boston, MA 02111-1307, USA.
Do not trust source, verify checksums and don't hardlink into source. Do not trust source, verify checksums and don't hardlink into source.
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>--disable-verify-bindings</option></term>
<listitem><para>
Disable verification of commit metadata bindings.
</para></listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

View File

@ -137,6 +137,14 @@ Boston, MA 02111-1307, USA.
Specifies how many times each download should be retried upon error (default: 5) Specifies how many times each download should be retried upon error (default: 5)
</para></listitem> </para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>--disable-verify-bindings</option></term>
<listitem><para>
Disable verification of commit metadata bindings.
</para></listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

View File

@ -70,6 +70,7 @@ typedef struct {
gboolean require_static_deltas; gboolean require_static_deltas;
gboolean disable_static_deltas; gboolean disable_static_deltas;
gboolean has_tombstone_commits; gboolean has_tombstone_commits;
gboolean disable_verify_bindings;
GBytes *summary_data; GBytes *summary_data;
char *summary_etag; char *summary_etag;

View File

@ -1620,6 +1620,7 @@ scan_commit_object (OtPullData *pull_data,
if (!ostree_repo_load_commit (pull_data->repo, checksum, &commit, &commitstate, error)) if (!ostree_repo_load_commit (pull_data->repo, checksum, &commit, &commitstate, error))
return FALSE; return FALSE;
if (!pull_data->disable_verify_bindings) {
/* If ref is non-NULL then the commit we fetched was requested through the /* If ref is non-NULL then the commit we fetched was requested through the
* branch, otherwise we requested a commit checksum without specifying a branch. * branch, otherwise we requested a commit checksum without specifying a branch.
*/ */
@ -1629,6 +1630,7 @@ scan_commit_object (OtPullData *pull_data,
(ref != NULL) ? ref->ref_name : NULL, (ref != NULL) ? ref->ref_name : NULL,
commit, error)) commit, error))
return glnx_prefix_error (error, "Commit %s", checksum); return glnx_prefix_error (error, "Commit %s", checksum);
}
guint64 new_ts = ostree_commit_get_timestamp (commit); guint64 new_ts = ostree_commit_get_timestamp (commit);
if (pull_data->timestamp_check) if (pull_data->timestamp_check)
@ -3670,6 +3672,8 @@ all_requested_refs_have_commit (GHashTable *requested_refs /* (element-type Ostr
* specified, the `summary` will be downloaded from the remote. Since: 2020.5 * specified, the `summary` will be downloaded from the remote. Since: 2020.5
* * `summary-sig-bytes` (`ay`): Contents of the `summary.sig` file. If this * * `summary-sig-bytes` (`ay`): Contents of the `summary.sig` file. If this
* is specified, `summary-bytes` must also be specified. Since: 2020.5 * is specified, `summary-bytes` must also be specified. Since: 2020.5
* * `disable-verify-bindings` (`b`): Disable verification of commit bindings.
* Since: 2020.9
*/ */
gboolean gboolean
ostree_repo_pull_with_options (OstreeRepo *self, ostree_repo_pull_with_options (OstreeRepo *self,
@ -3771,6 +3775,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
g_variant_lookup (options, "ref-keyring-map", "a(sss)", &ref_keyring_map_iter); g_variant_lookup (options, "ref-keyring-map", "a(sss)", &ref_keyring_map_iter);
(void) g_variant_lookup (options, "summary-bytes", "@ay", &summary_bytes_v); (void) g_variant_lookup (options, "summary-bytes", "@ay", &summary_bytes_v);
(void) g_variant_lookup (options, "summary-sig-bytes", "@ay", &summary_sig_bytes_v); (void) g_variant_lookup (options, "summary-sig-bytes", "@ay", &summary_sig_bytes_v);
(void) g_variant_lookup (options, "disable-verify-bindings", "b", &pull_data->disable_verify_bindings);
if (pull_data->remote_refspec_name != NULL) if (pull_data->remote_refspec_name != NULL)
pull_data->remote_name = g_strdup (pull_data->remote_refspec_name); pull_data->remote_name = g_strdup (pull_data->remote_refspec_name);

View File

@ -40,6 +40,7 @@ static gboolean opt_bareuseronly_files;
static gboolean opt_require_static_deltas; static gboolean opt_require_static_deltas;
static gboolean opt_gpg_verify; static gboolean opt_gpg_verify;
static gboolean opt_gpg_verify_summary; static gboolean opt_gpg_verify_summary;
static gboolean opt_disable_verify_bindings;
static int opt_depth = 0; static int opt_depth = 0;
/* ATTENTION: /* ATTENTION:
@ -57,6 +58,7 @@ static GOptionEntry options[] = {
{ "require-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_require_static_deltas, "Require static deltas", NULL }, { "require-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_require_static_deltas, "Require static deltas", NULL },
{ "gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify, "GPG verify commits (must specify --remote)", NULL }, { "gpg-verify", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify, "GPG verify commits (must specify --remote)", NULL },
{ "gpg-verify-summary", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify_summary, "GPG verify summary (must specify --remote)", NULL }, { "gpg-verify-summary", 0, 0, G_OPTION_ARG_NONE, &opt_gpg_verify_summary, "GPG verify summary (must specify --remote)", NULL },
{ "disable-verify-bindings", 0, 0, G_OPTION_ARG_NONE, &opt_disable_verify_bindings, "Do not verify commit bindings", NULL },
{ "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" }, { "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" },
{ NULL } { NULL }
}; };
@ -181,6 +183,8 @@ ostree_builtin_pull_local (int argc, char **argv, OstreeCommandInvocation *invoc
if (opt_gpg_verify_summary) if (opt_gpg_verify_summary)
g_variant_builder_add (&builder, "{s@v}", "gpg-verify-summary", g_variant_builder_add (&builder, "{s@v}", "gpg-verify-summary",
g_variant_new_variant (g_variant_new_boolean (TRUE))); g_variant_new_variant (g_variant_new_boolean (TRUE)));
g_variant_builder_add (&builder, "{s@v}", "disable-verify-bindings",
g_variant_new_variant (g_variant_new_boolean (opt_disable_verify_bindings)));
g_variant_builder_add (&builder, "{s@v}", "depth", g_variant_builder_add (&builder, "{s@v}", "depth",
g_variant_new_variant (g_variant_new_int32 (opt_depth))); g_variant_new_variant (g_variant_new_int32 (opt_depth)));
/* local pulls always disable signapi verification. If you don't want this, use /* local pulls always disable signapi verification. If you don't want this, use

View File

@ -38,6 +38,7 @@ static gboolean opt_require_static_deltas;
static gboolean opt_untrusted; static gboolean opt_untrusted;
static gboolean opt_http_trusted; static gboolean opt_http_trusted;
static gboolean opt_timestamp_check; static gboolean opt_timestamp_check;
static gboolean opt_disable_verify_bindings;
static char* opt_timestamp_check_from_rev; static char* opt_timestamp_check_from_rev;
static gboolean opt_bareuseronly_files; static gboolean opt_bareuseronly_files;
static char** opt_subpaths; static char** opt_subpaths;
@ -76,6 +77,7 @@ static GOptionEntry options[] = {
{ "localcache-repo", 'L', 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_localcache_repos, "Add REPO as local cache source for objects during this pull", "REPO" }, { "localcache-repo", 'L', 0, G_OPTION_ARG_FILENAME_ARRAY, &opt_localcache_repos, "Add REPO as local cache source for objects during this pull", "REPO" },
{ "timestamp-check", 'T', 0, G_OPTION_ARG_NONE, &opt_timestamp_check, "Require fetched commits to have newer timestamps", NULL }, { "timestamp-check", 'T', 0, G_OPTION_ARG_NONE, &opt_timestamp_check, "Require fetched commits to have newer timestamps", NULL },
{ "timestamp-check-from-rev", 0, 0, G_OPTION_ARG_STRING, &opt_timestamp_check_from_rev, "Require fetched commits to have newer timestamps than given rev", NULL }, { "timestamp-check-from-rev", 0, 0, G_OPTION_ARG_STRING, &opt_timestamp_check_from_rev, "Require fetched commits to have newer timestamps than given rev", NULL },
{ "disable-verify-bindings", 0, 0, G_OPTION_ARG_NONE, &opt_disable_verify_bindings, "Do not verify commit bindings", NULL },
/* let's leave this hidden for now; we just need it for tests */ /* let's leave this hidden for now; we just need it for tests */
{ "append-user-agent", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_STRING, &opt_append_user_agent, "Append string to user agent", NULL }, { "append-user-agent", 0, G_OPTION_FLAG_HIDDEN, G_OPTION_ARG_STRING, &opt_append_user_agent, "Append string to user agent", NULL },
{ NULL } { NULL }
@ -330,6 +332,8 @@ ostree_builtin_pull (int argc, char **argv, OstreeCommandInvocation *invocation,
if (opt_per_object_fsync) if (opt_per_object_fsync)
g_variant_builder_add (&builder, "{s@v}", "per-object-fsync", g_variant_builder_add (&builder, "{s@v}", "per-object-fsync",
g_variant_new_variant (g_variant_new_boolean (TRUE))); g_variant_new_variant (g_variant_new_boolean (TRUE)));
g_variant_builder_add (&builder, "{s@v}", "disable-verify-bindings",
g_variant_new_variant (g_variant_new_boolean (opt_disable_verify_bindings)));
if (opt_http_headers) if (opt_http_headers)
{ {
GVariantBuilder hdr_builder; GVariantBuilder hdr_builder;

View File

@ -117,7 +117,7 @@ do_pull() {
local branch=$3 local branch=$3
shift 3 shift 3
if ${CMD_PREFIX} ostree "--repo=${repo}" pull "${remote_repo}-remote" "${branch}" if ${CMD_PREFIX} ostree "--repo=${repo}" pull "$@" "${remote_repo}-remote" "${branch}"
then return 0 then return 0
else return 1 else return 1
fi fi
@ -129,7 +129,7 @@ do_local_pull() {
local branch=$3 local branch=$3
shift 3 shift 3
if ${CMD_PREFIX} ostree "--repo=${repo}" pull-local "${remote_repo}" "${branch}" if ${CMD_PREFIX} ostree "--repo=${repo}" pull-local "$@" "${remote_repo}" "${branch}"
then return 0 then return 0
else return 1 else return 1
fi fi
@ -221,19 +221,23 @@ if do_pull local collection-repo badcref1
then then
assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail" assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail"
fi fi
do_pull local collection-repo badcref1 --disable-verify-bindings
if do_pull local collection-repo badcref2 if do_pull local collection-repo badcref2
then then
assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail" assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail"
fi fi
do_pull local collection-repo badcref2 --disable-verify-bindings
if do_pull local collection-repo badcref3 if do_pull local collection-repo badcref3
then then
assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail" assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail"
fi fi
do_pull local collection-repo badcref3 --disable-verify-bindings
do_pull local collection-repo goodcref1 do_pull local collection-repo goodcref1
if do_pull local collection-repo badcref4 if do_pull local collection-repo badcref4
then then
assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail" assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail"
fi fi
do_pull local collection-repo badcref4 --disable-verify-bindings
echo "ok 5 pull refs from remote repos" echo "ok 5 pull refs from remote repos"
@ -243,19 +247,23 @@ if do_local_pull local collection-local-repo badclref1
then then
assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail" assert_not_reached "pulling a commit without collection ID from a repo with collection ID should fail"
fi fi
do_local_pull local collection-local-repo badclref1 --disable-verify-bindings
if do_local_pull local collection-local-repo badclref2 if do_local_pull local collection-local-repo badclref2
then then
assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail" assert_not_reached "pulling a commit with a mismatched collection ID from a repo with collection ID should fail"
fi fi
do_local_pull local collection-local-repo badclref2 --disable-verify-bindings
if do_local_pull local collection-local-repo badclref3 if do_local_pull local collection-local-repo badclref3
then then
assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail" assert_not_reached "pulling a commit with empty collection ID from repo with collection ID should fail"
fi fi
do_local_pull local collection-local-repo badclref3 --disable-verify-bindings
do_local_pull local collection-local-repo goodclref1 do_local_pull local collection-local-repo goodclref1
if do_local_pull local collection-local-repo badclref4 if do_local_pull local collection-local-repo badclref4
then then
assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail" assert_not_reached "pulling a commit that was not requested from repo with collection ID should fail"
fi fi
do_local_pull local collection-local-repo badclref4 --disable-verify-bindings
echo "ok 6 pull refs from local repos" echo "ok 6 pull refs from local repos"