1 files changed, 553 insertions, 0 deletions
diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
new file mode 100755
index 0000000..990abd2
--- /dev/null
+++ b/infra/dgit-repos-policy-debian
@@ -0,0 +1,553 @@
+#!/usr/bin/perl -w
+# dgit repos policy hook script for Debian
+#
+# Copyright (C) 2015-2016  Ian Jackson
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+use strict;
+
+use Debian::Dgit::Infra; # must precede Debian::Dgit; - can change @INC!
+use Debian::Dgit qw(:DEFAULT :policyflags);
+setup_sigwarn();
+
+use POSIX;
+use JSON;
+use File::Temp qw(tempfile);
+use DBI;
+use IPC::Open2;
+use Data::Dumper;
+
+use Debian::Dgit::Policy::Debian;
+
+initdebug('%');
+enabledebuglevel $ENV{'DGIT_DRS_DEBUG'};
+
+END { $? = 127; } # deliberate exit uses _exit
+
+our $distro = shift @ARGV // die "need DISTRO";
+our $repos = shift @ARGV // die "need DGIT-REPOS-DIR";
+our $dgitlive = shift @ARGV // die "need DGIT-LIVE-DIR";
+our $distrodir = shift @ARGV // die "need DISTRO-DIR";
+our $action = shift @ARGV // die "need ACTION";
+
+our $publicmode = 02775;
+our $new_upload_propagation_slop = 3600*4 + 100;# fixme config;
+
+our $poldbh;
+our $pkg;
+our $pkgdir;
+our ($pkg_exists,$pkg_secret);
+
+our $stderr;
+
+our ($version,$suite,$tagname);
+our %deliberately;
+
+# We assume that it is not possible for NEW to have a version older
+# than sid.
+
+# Whenever pushing, we check for
+#   source-package-local tainted history
+#   global tainted history
+#   can be overridden by --deliberately except for an admin prohib taint
+# 
+# ALL of the following apply only if history is secret:
+# 
+# if NEW has no version, or a version which is not in our history[1]
+#   (always)
+#   check all suites
+#   if any suite's version is in our history[1], publish our history
+#   otherwise discard our history,
+#     tainting --deliberately-include-questionable-history
+# 
+# if NEW has a version which is in our history[1]
+#   (on push only)
+#   require explicit specification of one of
+#     --deliberately-include-questionable-history
+#     --deliberately-not-fast-forward
+#       (latter will taint old NEW version --d-i-q-h)
+#   (otherwise)
+#   leave it be
+# 
+# [1] looking for the relevant git tag for the version number and not
+#    caring what that tag refers to.
+#
+#    When we are doing a push to a fresh repo, any version will do: in
+#    this case, this is the first dgit upload of an existing package,
+#    and we trust that the uploader hasn't included in their git
+#    history any previous non-dgit uploads.
+#
+# A wrinkle: if we approved a push recently, we treat NEW as having
+# a version which is in our history.  This is because the package may
+# still be being uploaded.  (We record this using the timestamp of the
+# package's git repo directory.)
+
+# We aim for the following invariants and properties:
+#
+# - .dsc of published dgit package will have corresponding publicly
+#   visible dgit-repo (soon)
+#
+# - when a new package is rejected we help maintainer avoid
+#   accidentally including bad objects in published dgit history
+#
+# - .dsc of NEW dgit package has corresponding dgit-repo but not
+#   publicly readable
+
+sub apiquery ($) {
+    my ($subpath) = @_;
+    local $/=undef;
+    my $dgit = "$dgitlive/dgit";
+    $dgit = "dgit" if !stat_exists $dgit;
+    my $cmd = "$dgit -d$distro \$DGIT_TEST_OPTS";
+    $cmd .= " -".("D" x $debuglevel) if $debuglevel;
+    $cmd .= " archive-api-query $subpath";
+    printdebug "apiquery $cmd\n";
+    $!=0; $?=0; my $json = `$cmd`;
+    defined $json && !$? or die "$subpath $! $?";
+    my $r = decode_json $json;
+    my $d = new Data::Dumper([$r], [qw(r)]);
+    printdebug "apiquery $subpath | ", $d->Dump() if $debuglevel>=2;
+    return $r;
+}
+
+sub vsn_in_our_history ($) {
+    my ($vsn) = @_;
+
+    # Eventually, when we withdraw support for old-format (DEP-14
+    # namespace) tags, we will need to change this to only look
+    # for debiantag_new.  See the commit
+    #   "Tag change: Update dgit-repos-policy-debian"
+    # (reverting which is a good start for that change).
+
+    my @tagrefs = map { "refs/tags/".$_ } debiantags $vsn, $distro;
+    printdebug " checking history  vsn=$vsn tagrefs=@tagrefs\n";
+    open F, "-|", qw(git for-each-ref), @tagrefs;
+    $_ = <F>;
+    close F;
+    return 1 if defined && m/\S/;
+    die "$pkg tagrefs @tagrefs $? $!" if $?;
+    return 0;
+}
+
+sub specific_suite_has_suitable_vsn ($$) {
+    my ($suite, $vsn_check) = @_; # tests $vsn_check->($version)
+    my $in_suite = apiquery "dsc_in_suite/$suite/$pkg";
+    foreach my $entry (@$in_suite) {
+	my $vsn = $entry->{version};
+	die "$pkg ?" unless defined $vsn;
+	printdebug " checking history found suite=$suite vsn=$vsn\n";
+	return 1 if $vsn_check->($vsn);
+    }
+    return 0;
+}
+
+sub new_has_vsn_in_our_history () {
+    return specific_suite_has_suitable_vsn('new', \&vsn_in_our_history);
+}
+
+sub good_suite_has_suitable_vsn ($) {
+    my ($vsn_check) = @_; # as for specific_suite_has_specific_vsn
+    my $suites = apiquery "suites";
+    foreach my $suitei (@$suites) {
+	my $suite = $suitei->{name};
+	die unless defined $suite;
+	next if $suite =~ m/\bnew$/;
+	return 1 if specific_suite_has_suitable_vsn($suite, $vsn_check);
+    }
+    return 0;
+}
+
+sub statpackage () {
+    $pkgdir = "$repos/$pkg.git";
+    if (!stat_exists $pkgdir) {
+	printdebug "statpackage $pkg => ENOENT\n";
+	$pkg_exists = 0;
+    } else {
+	$pkg_exists = 1;
+	$pkg_secret = !!(~(stat _)[2] & 05);
+	printdebug "statpackage $pkg => exists, secret=$pkg_secret.\n";
+    }
+}
+
+sub getpackage () {
+    die unless @ARGV >= 1;
+    $pkg = shift @ARGV;
+    die unless $pkg =~ m/^$package_re$/;
+
+    statpackage();
+}
+
+sub add_taint ($$) {
+    my ($refobj, $reason) = @_;
+
+    printdebug "TAINTING $refobj\n",
+        (map { "\%| $_" } split "\n", $reason),
+        "\n";
+
+    my $tf = new File::Temp or die $!;
+    print $tf "$refobj^0\n" or die $!;
+    flush $tf or die $!;
+    seek $tf,0,0 or die $!;
+
+    my $gcfpid = open GCF, "-|";
+    defined $gcfpid or die $!;
+    if (!$gcfpid) {
+	open STDIN, "<&", $tf or die $!;
+	exec 'git', 'cat-file', '--batch';
+	die $!;
+    }
+
+    close $tf or die $!;
+    $_ = <GCF>;
+    defined $_ or die;
+    m/^(\w+) (\w+) (\d+)\n/ or die "$_ ?";
+    my $gitobjid = $1;
+    my $gitobjtype = $2;
+    my $bytes = $3;
+
+    my $gitobjdata;
+    if ($gitobjtype eq 'commit' or $gitobjtype eq 'tag') {
+	$!=0; read GCF, $gitobjdata, $bytes == $bytes
+	    or die "$gitobjid $bytes $!";
+    }
+    close GCF;
+
+    $poldbh->do("INSERT INTO taints".
+		" (package, gitobjid, gitobjtype, gitobjdata, time, comment)".
+		" VALUES (?,?,?,?,?,?)", {},
+		$pkg, $gitobjid, $gitobjtype, $gitobjdata, time, $reason);
+
+    my $taint_id = $poldbh->last_insert_id(undef,undef,"taints","taint_id");
+    die unless defined $taint_id;
+
+    $poldbh->do("INSERT INTO taintoverrides".
+		" (taint_id, deliberately)".
+		" VALUES (?, '--deliberately-include-questionable-history')", 
+		{}, $taint_id);
+}
+
+sub add_taint_by_tag ($$) {
+    my ($tagname,$refobjid) = @_;
+    add_taint($refobjid,
+	      "tag $tagname referred to this object in git tree but all".
+	      " previously pushed versions were found to have been".
+	      " removed from NEW (ie, rejected) (or never arrived)");
+}
+
+sub check_package () {
+    return 0 unless $pkg_exists;
+    return 0 unless $pkg_secret;
+
+    printdebug "check_package\n";
+
+    chdir $pkgdir or die "$pkgdir $!";
+
+    stat '.' or die "$pkgdir $!";
+    my $mtime = ((stat _)[9]);
+    my $age = time -  $mtime;
+    printdebug "check_package age=$age\n";
+
+    if (good_suite_has_suitable_vsn(\&vsn_in_our_history)) {
+	chmod $publicmode, "." or die $!;
+	$pkg_secret = 0;
+	eval {
+	    my $mirror_hook = "$distrodir/mirror-hook";
+	    if (stat_exists $mirror_hook) {
+		my @mirror_cmd =
+		    ($mirror_hook, $distrodir, "updated-hook", $pkg);
+		debugcmd " (mirror)",@mirror_cmd;
+		system @mirror_cmd and failedcmd @mirror_cmd;
+	    }
+	};
+	if (length $@) {
+	    chomp $@;
+	    print STDERR "policy hook: warning:".
+		" failed to mirror publication of \`$pkg':".
+		" $@\n";
+	}
+	return 0;
+    }
+
+    return 0 if $age < $new_upload_propagation_slop;
+
+    return 0 if new_has_vsn_in_our_history();
+
+    printdebug "check_package secret, deleted, tainting\n";
+
+    git_for_each_ref('refs/tags', sub {
+	my ($objid,$objtype,$fullrefname,$tagname) = @_;
+	add_taint_by_tag($tagname,$objid);
+    });
+
+    return FRESHREPO;
+}
+
+sub action_check_package () {
+    getpackage();
+    return check_package();
+}
+
+sub getpushinfo () {
+    die unless @ARGV >= 4;
+    $version = shift @ARGV;
+    $suite = shift @ARGV;
+    $tagname = shift @ARGV;
+    my $delibs = shift @ARGV;
+    foreach my $delib (split /\,/, $delibs) {
+	$deliberately{$delib} = 1;
+    }
+}
+
+sub deliberately ($) { return $deliberately{"--deliberately-$_[0]"}; }
+
+sub action_push () {
+    getpackage();
+    getpushinfo();
+
+    check_package(); # might make package public, or might add taints
+
+    return 0 unless $pkg_exists;
+    return 0 unless $pkg_secret;
+
+    # we suppose that NEW has a version which is already in our
+    # history, as otherwise the repo would have been blown away
+
+    if (deliberately('not-fast-forward')) {
+	add_taint(server_ref($suite),
+		  "rewound suite $suite; --deliberately-not-fast-forward".
+		  " specified in signed tag $tagname for upload of".
+		  " version $version");
+	return NOFFCHECK|FRESHREPO;
+    }
+    if (deliberately('include-questionable-history')) {
+	return 0;
+    }
+    die "\nPackage is in NEW and has not been accepted or rejected yet;".
+	" use a --deliberately option to specify whether you are".
+	" keeping or discarding the previously pushed history. ".
+	" Please RTFM dgit(1).\n\n";
+}
+
+sub action_push_confirm () {
+    getpackage();
+    getpushinfo();
+    die unless @ARGV >= 1;
+    my $freshrepo = shift @ARGV;
+
+    my $initq = $poldbh->prepare(<<END);
+        SELECT taint_id, gitobjid FROM taints t
+            WHERE (package = ? OR package = '')
+END
+    $initq->execute($pkg);
+
+    my @objscatcmd = qw(git);
+    push @objscatcmd, qw(--git-dir), $freshrepo if length $freshrepo;
+    push @objscatcmd, qw(cat-file --batch);
+    debugcmd '|',@objscatcmd if $debuglevel>=2;
+
+    my @taintids;
+    my $chkinput = tempfile();
+    while (my $taint = $initq->fetchrow_hashref()) {
+	push @taintids, $taint->{taint_id};
+	print $chkinput $taint->{gitobjid}, "\n" or die $!;
+	printdebug '|> ', $taint->{gitobjid}, "\n" if $debuglevel>=2;
+    }
+    flush $chkinput or die $!;
+    seek $chkinput,0,0 or die $!;
+
+    my $checkpid = open CHKOUT, "-|" // die $!;
+    if (!$checkpid) {
+	open STDIN, "<&", $chkinput or die $!;
+	delete $ENV{GIT_ALTERNATE_OBJECT_DIRECTORIES};
+	# ^ recent versions of git set this in the environment of
+	# receive hooks.  This can cause us to see things which
+	# the user is trying to abolish.
+	exec @objscatcmd or die $!;
+    }
+
+    my ($taintinfoq,$overridesanyq,$untaintq,$overridesq);
+
+    my $overridesstmt = <<END;
+        SELECT deliberately FROM taintoverrides WHERE (
+            1=0
+END
+    my @overridesv = sort keys %deliberately;
+    $overridesstmt .= <<END foreach @overridesv;
+            OR deliberately = ?
+END
+    $overridesstmt .= <<END;
+	) AND taint_id = ?
+        ORDER BY deliberately ASC
+END
+
+    my $mustreject=0;
+
+    while (my $taintid = shift @taintids) {
+	$!=0; $_ = <CHKOUT>;
+	die "($taintid @objscatcmd) $!" unless defined $_;
+	printdebug "|< ", $_ if $debuglevel>=2;
+
+	next if m/^\w+ missing$/;
+	die "($taintid @objscatcmd) $_ ?" unless m/^(\w+) (\w+) (\d+)\s/;
+	my ($objid,$objtype,$nbytes) = ($1,$2,$3);
+
+	my $drop;
+	(read CHKOUT, $drop, $nbytes) == $nbytes
+	    or die "($taintid @objscatcmd) $!";
+
+	$!=0; $_ = <CHKOUT>;
+	die "($taintid @objscatcmd) $!" unless defined $_;
+	die "($taintid @objscatcmd) $_ ?" if m/\S/;
+
+	$taintinfoq ||= $poldbh->prepare(<<END);
+            SELECT package, time, comment FROM taints WHERE taint_id =  ?
+END
+        $taintinfoq->execute($taintid);
+
+	my $ti = $taintinfoq->fetchrow_hashref();
+	die "($taintid)" unless $ti;
+
+	my $timeshow = defined $ti->{time}
+	    ? " at time ".strftime("%Y-%m-%d %H:%M:%S Z", gmtime $ti->{time})
+	    : "";
+	my $pkgshow = length $ti->{package}
+	    ? "package $ti->{package}"
+	    : "any package";
+
+	$stderr .= <<END;
+
+History contains tainted $objtype $objid
+Taint recorded$timeshow for $pkgshow
+Reason: $ti->{comment}
+END
+
+        printdebug "SQL overrides: @overridesv $taintid /\n$overridesstmt\n";
+
+        $overridesq ||= $poldbh->prepare($overridesstmt);
+	$overridesq->execute(@overridesv, $taintid);
+	my ($ovwhy) = $overridesq->fetchrow_array();
+	if (!defined $ovwhy) {
+	    $overridesanyq ||= $poldbh->prepare(<<END);
+	        SELECT 1 FROM taintoverrides WHERE taint_id = ? LIMIT 1
+END
+	    $overridesanyq->execute($taintid);
+	    my ($ovany) = $overridesanyq->fetchrow_array();
+	    $stderr .= $ovany ? <<END : <<END;
+Could be forced using --deliberately.  Consult documentation.
+END
+Uncorrectable error.  If confused, consult administrator.
+END
+            $mustreject = 1;
+	} else {
+	    $stderr .= <<END;
+Forcing due to --deliberately-$ovwhy
+END
+            $untaintq ||= $poldbh->prepare(<<END);
+                DELETE FROM taints WHERE taint_id = ?
+END
+            $untaintq->execute($taintid);
+        }
+    }
+    close CHKOUT;
+
+    if ($mustreject) {
+	$stderr .= <<END;
+
+Rejecting push due to questionable history.
+END
+        return 1;
+    }
+
+    if (length $freshrepo) {
+	if (!good_suite_has_suitable_vsn(sub { 1; })) {
+	    stat $freshrepo or die "$freshrepo $!";
+	    my $oldmode = ((stat _)[2]);
+	    my $oldwrites = $oldmode & 0222;
+	    # remove r and x bits which have corresponding w bits clear
+	    my $newmode = $oldmode &
+		(~0555 | ($oldwrites << 1) | ($oldwrites >> 1));
+	    printdebug sprintf "chmod %#o (was %#o) %s\n",
+	        $newmode, $oldmode, $freshrepo;
+	    chmod $newmode, $freshrepo or die $!;
+	    utime undef, undef, $freshrepo or die $!;
+	}
+    }
+
+    return 0;
+}
+
+sub action_check_list () {
+    opendir L, "$repos" or die "$repos $!";
+    while (defined (my $dent = readdir L)) {
+	next unless $dent =~ m/^($package_re)\.git$/;
+	$pkg = $1;
+	statpackage();
+	next unless $pkg_exists;
+	next unless $pkg_secret;
+	print "$pkg\n" or die $!;
+    }
+    closedir L or die $!;
+    close STDOUT or die $!;
+    return 0;
+}
+
+$action =~ y/-/_/;
+my $fn = ${*::}{"action_$action"};
+if (!$fn) {
+    printdebug "dgit-repos-policy-debian: unknown action $action\n";
+    exit 0;
+}
+
+my $sleepy=0;
+my $rcode;
+
+my $db_busy_exception= 'Debian::Dgit::Policy::Debian::DB_BUSY';
+
+my @orgargv = @ARGV;
+
+for (;;) {
+    @ARGV = @orgargv;
+    eval {
+	poldb_setup(poldb_path($repos), sub {
+	    $poldbh->{HandleError} = sub {
+		return 0 unless $poldbh->err == 5; # SQLITE_BUSY, not in .pm :-(
+		die bless { }, $db_busy_exception;
+	    };
+
+	    eval ($ENV{'DGIT_RPD_TEST_DBLOOP_HOOK'}//'');
+	    die $@ if length $@;
+	    # used by tests/tests/debpolicy-dbretry
+        });
+
+	$stderr = '';
+
+	$rcode = $fn->();
+	die unless defined $rcode;
+
+	$poldbh->commit;
+    };
+    last unless length $@;
+    die $@ unless ref $@ eq $db_busy_exception;
+
+    die if $sleepy >= 20;
+    $sleepy++;
+    print STDERR "[policy database busy, retrying (${sleepy}s)]\n";
+
+    eval { $poldbh->rollback; };
+}
+
+print STDERR $stderr or die $!;
+flush STDERR or die $!;
+_exit $rcode;