mirror of
https://github.com/ostreedev/ostree.git
synced 2024-12-22 17:35:55 +03:00
455cc5e892
There are a lot of things suboptimal about this approach, but on the other hand we need to get our CI back up and running. The basic approach is to - in the test suite, detect if we're on overlayfs. If so, set a flag in the repo, which gets picked up by a few strategic places in the core to turn on "ignore xattrs". I also had to add a variant of this for the sysroot work. The core problem here is while overlayfs will let us read and see the SELinux labels, it won't let us write them. Down the line, we should improve this so that we can selectively ignore e.g. `security.*` attributes but not `user.*` say. Closes: https://github.com/ostreedev/ostree/issues/758 Closes: #759 Approved by: jlebon
140 lines
5.2 KiB
Bash
Executable File
140 lines
5.2 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Copyright (C) 2013 Jeremy Whiting <jeremy.whiting@collabora.com>
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2 of the License, or (at your option) any later version.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
# License along with this library; if not, write to the
|
|
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
# Boston, MA 02111-1307, USA.
|
|
|
|
set -euo pipefail
|
|
|
|
. $(dirname $0)/libtest.sh
|
|
|
|
if ! has_gpgme; then
|
|
echo "1..0 #SKIP no gpg support compiled in"
|
|
exit 0
|
|
fi
|
|
|
|
echo "1..1"
|
|
|
|
keyid="472CDAFA"
|
|
oldpwd=`pwd`
|
|
mkdir ostree-srv
|
|
cd ostree-srv
|
|
mkdir gnomerepo
|
|
ostree_repo_init gnomerepo --mode="archive-z2"
|
|
mkdir gnomerepo-files
|
|
cd gnomerepo-files
|
|
echo first > firstfile
|
|
mkdir baz
|
|
echo moo > baz/cow
|
|
echo alien > baz/saucer
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo commit -b main -s "A remote commit" -m "Some Commit body" --gpg-sign=$keyid --gpg-homedir=${test_tmpdir}/gpghome
|
|
mkdir baz/deeper
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo commit -b main -s "Add deeper" --gpg-sign=$keyid --gpg-homedir=${test_tmpdir}/gpghome
|
|
echo hi > baz/deeper/ohyeah
|
|
mkdir baz/another/
|
|
echo x > baz/another/y
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo commit -b main -s "The rest" --gpg-sign=$keyid --gpg-homedir=${test_tmpdir}/gpghome
|
|
cd ..
|
|
|
|
cd ${test_tmpdir}
|
|
mkdir ${test_tmpdir}/httpd
|
|
cd httpd
|
|
ln -s ${test_tmpdir}/ostree-srv ostree
|
|
${OSTREE_HTTPD} --autoexit --daemonize -P 18081 -p ${test_tmpdir}/httpd-port
|
|
port=$(cat ${test_tmpdir}/httpd-port)
|
|
assert_streq $port 18081
|
|
echo "http://127.0.0.1:${port}" > ${test_tmpdir}/httpd-address
|
|
cd ${oldpwd}
|
|
|
|
export OSTREE="${CMD_PREFIX} ostree --repo=repo"
|
|
|
|
repopath=${test_tmpdir}/ostree-srv/gnomerepo
|
|
cp -a ${repopath} ${repopath}.orig
|
|
|
|
# Set OSTREE_GPG_HOME to a place with no keyrings, we shouldn't trust the signature
|
|
cd ${test_tmpdir}
|
|
mkdir repo
|
|
ostree_repo_init repo
|
|
${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo
|
|
if env OSTREE_GPG_HOME=${test_tmpdir} ${CMD_PREFIX} ostree --repo=repo pull origin main; then
|
|
assert_not_reached "pull with no trusted GPG keys unexpectedly succeeded!"
|
|
fi
|
|
rm repo -rf
|
|
|
|
# And a test case with valid signature
|
|
cd ${test_tmpdir}
|
|
mkdir repo
|
|
ostree_repo_init repo
|
|
${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo
|
|
${CMD_PREFIX} ostree --repo=repo pull origin main
|
|
${CMD_PREFIX} ostree --repo=repo show --gpg-verify-remote=origin main | grep -o 'Found [[:digit:]] signature' > show-verify-remote
|
|
assert_file_has_content show-verify-remote 'Found 1 signature'
|
|
rm repo -rf
|
|
|
|
# A test with corrupted detached signature
|
|
cd ${test_tmpdir}
|
|
find ${test_tmpdir}/ostree-srv/gnomerepo -name '*.commitmeta' | while read fname; do
|
|
echo borkborkbork > ${fname};
|
|
done
|
|
mkdir repo
|
|
ostree_repo_init repo
|
|
${CMD_PREFIX} ostree --repo=repo remote add origin $(cat httpd-address)/ostree/gnomerepo
|
|
if ${CMD_PREFIX} ostree --repo=repo pull origin main; then
|
|
assert_not_reached "pull with corrupted signature unexpectedly succeeded!"
|
|
fi
|
|
rm repo -rf
|
|
|
|
# And now attempt to pull the same corrupted commit, but with GPG
|
|
# verification off
|
|
cd ${test_tmpdir}
|
|
mkdir repo
|
|
ostree_repo_init repo
|
|
${CMD_PREFIX} ostree --repo=repo remote add --set=gpg-verify=false origin $(cat httpd-address)/ostree/gnomerepo
|
|
${CMD_PREFIX} ostree --repo=repo pull origin main
|
|
rm repo -rf
|
|
|
|
# Add an unsigned commit to the repo, then pull, then sign the commit,
|
|
# then pull again. Make sure we get the expected number of signatures
|
|
# each time.
|
|
cd ${test_tmpdir}/ostree-srv/gnomerepo-files
|
|
echo secret > signme
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo commit -b main -s "Don't forget to sign me!"
|
|
cd ${test_tmpdir}
|
|
mkdir repo
|
|
ostree_repo_init repo
|
|
${CMD_PREFIX} ostree --repo=repo remote add --set=gpg-verify=false origin $(cat httpd-address)/ostree/gnomerepo
|
|
${CMD_PREFIX} ostree --repo=repo pull origin main
|
|
if ${CMD_PREFIX} ostree --repo=repo show main | grep -o 'Found [[:digit:]] signature'; then
|
|
assert_not_reached
|
|
fi
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo gpg-sign --gpg-homedir=${test_tmpdir}/gpghome main $keyid
|
|
${CMD_PREFIX} ostree --repo=repo pull origin main
|
|
${CMD_PREFIX} ostree --repo=repo show main | grep -o 'Found [[:digit:]] signature' > show
|
|
assert_file_has_content show 'Found 1 signature'
|
|
|
|
# Delete the signature from the commit so the detached metadata is empty,
|
|
# then pull and verify the signature is also deleted on the client side.
|
|
${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo gpg-sign --gpg-homedir=${test_tmpdir}/gpghome --delete main $keyid
|
|
${CMD_PREFIX} ostree --repo=repo pull origin main
|
|
if ${CMD_PREFIX} ostree --repo=repo show main | grep -o 'Found [[:digit:]] signature'; then
|
|
assert_not_reached
|
|
fi
|
|
|
|
rm -rf repo gnomerepo-files
|
|
libtest_cleanup_gpg
|
|
|
|
echo "ok"
|