15 Commits

Author SHA1 Message Date
Julian Andres Klode a9916c3faa netrc: Add warning when ignoring entries for unencrypted protocols
Commit 93f33052de restricted auth.conf
entries to only apply to https by default, but this was silent - there
was no information why http sources with auth.conf entries suddenly
started failing. Add such information, and extend test case to cover
it.
2020-01-15 22:07:25 +01:00
Julian Andres Klode 93f33052de netrc: Restrict auth.conf entries to https by default
This avoids downgrade attacks where an attacker could inject

Location: http://private.example/

and then (having access to raw data to private.example, for example,
by opening a port there, or sniffing network traffic) read the credentials
for the private repository.

Closes: #945911
2019-12-02 14:27:38 +01:00
Julian Andres Klode bbfcc05c19 Add support for /etc/apt/auth.conf.d/*.conf (netrcparts)
This allows us to install matching auth files for sources.list.d
files, for example; very useful.

This converts aptmethod's authfd from one FileFd to a vector of
pointers to FileFd, as FileFd cannot be copied, and move operators
are hard.
2018-12-04 17:48:41 +01:00
David Kalnischkies 8580574ec6 suggest using auth.conf for sources with passwords
The feature exists for a long while even if we get around to document
it properly only now, so we should push for its adoption a bit to avoid
the problems its supposed to solve like avoiding usage of non-world
readable configuration files as they can cause strange behaviour for the
unsuspecting user (like different solutions as root and non-root).
2017-07-26 19:09:04 +02:00
David Kalnischkies 6291fa81da lookup login info for proxies in auth.conf
On HTTP Connect we since recently look into the auth.conf file for login
information, so we should really look for all proxies into the file as
the argument is the same as for sources entries and it is easier to
document (especially as the manpage already mentions it as supported).
2017-07-26 19:09:04 +02:00
David Kalnischkies ea408c560e reimplement and document auth.conf
We have support for an netrc-like auth.conf file since 0.7.25 (closing
518473), but it was never documented in apt that it even exists and
netrc seems to have fallen out of usage as a manpage for it no longer
exists making the feature even more arcane.

On top of that the code was a bit of a mess (as it is written in c-style)
and as a result the matching of machine tokens to URIs also a bit
strange by checking for less specific matches (= without path) first.
We now do a single pass over the stanzas.

In practice early adopters of the undocumented implementation will not
really notice the differences and the 'new' behaviour is simpler to
document and more usual for an apt user.

Closes: #811181
2017-07-26 19:09:04 +02:00
Julian Andres Klode 757ec4e1ef test: Use :$(id -gn) instead of :root (when run as root)
On BSD systems, the root group is wheel, not root, so let's
just use the default group here.

Gbp-Dch: ignore
2016-08-26 22:24:24 +02:00
David Kalnischkies 28b2efcb19 tests: reenable basic auth test and add @ in username
On launchpad #1558484 a user reports that @ in the authentication tokens
parsing of sources.list isn't working in an older (precise) version. It
isn't the recommended way of specifying passwords and co (auth.conf is),
but we can at least test for regressions (and in this case test at all…
who was that "clever" boy disabling a test with exit……… oh, nevermind.

Git-Dch: Ignore
2016-03-19 09:48:44 +01:00
David Kalnischkies 3abb6a6a1e tests: support spaces in path and TMPDIR
This doesn't allow all tests to run cleanly, but it at least allows to
write tests which could run successfully in such environments.

Git-Dch: Ignore
2015-12-19 23:04:34 +01:00
David Kalnischkies 87d6947d51 tests: use quiet level 0 by default in tests
Git-Dch: Ignore
2015-11-19 17:13:56 +01:00
David Kalnischkies 6c0765c096 tests: don't use hardcoded port for http and https
This allows running tests in parallel.

Git-Dch: Ignore
2015-09-15 10:16:09 +02:00
David Kalnischkies 25b86db159 test exitcode as well as string equality
We use test{success,failure} now all over the place in the framework, so
its only consequencial to do this in the situations in which we test for
a specific output as well.

Git-Dch: Ignore
2015-03-16 18:01:54 +01:00
David Kalnischkies 4bb006d1dd fix file ownership tests to work on kfreebsd
While on linux files are created in /tmp with $USER:$USER, on my
kfreebsd testmachine they are created with $USER:root, so we pull some
strings here to make it work on both.
2014-11-18 02:41:20 +01:00
David Kalnischkies e52aad5208 tests: enhance output of grep and test fails
Git-Dch: Ignore
2014-10-26 14:14:42 +01:00
David Kalnischkies b0314abb0c add test for Basic Authentication scheme
Git-Dch: Ignore
2014-10-23 16:54:27 +02:00