mirror of
https://github.com/ukui/apt.git
synced 2026-06-16 19:16:16 -07:00
a9916c3faa
Commit 93f33052de restricted auth.conf
entries to only apply to https by default, but this was silent - there
was no information why http sources with auth.conf entries suddenly
started failing. Add such information, and extend test case to cover
it.
154 lines
4.5 KiB
Bash
Executable File
154 lines
4.5 KiB
Bash
Executable File
#!/bin/sh
|
|
set -e
|
|
|
|
TESTDIR="$(readlink -f "$(dirname "$0")")"
|
|
. "$TESTDIR/framework"
|
|
|
|
setupenvironment
|
|
configarchitecture 'i386'
|
|
|
|
insertpackage 'unstable' 'foo' 'all' '1'
|
|
setupaptarchive --no-update
|
|
|
|
changetohttpswebserver --authorization="$(printf '%s' 'star@irc:hunter2' | base64 )"
|
|
|
|
echo 'See, when YOU type hunter2, it shows to us as *******' > aptarchive/bash
|
|
echo 'Debug::Acquire::netrc "true";' > rootdir/etc/apt/apt.conf.d/netrcdebug.conf
|
|
|
|
testauthfailure() {
|
|
testfailure apthelper download-file "${1}/bash" ./downloaded/bash
|
|
# crappy test, but http and https output are wastely different…
|
|
testsuccess grep 401 rootdir/tmp/testfailure.output
|
|
testfailure test -s ./downloaded/bash
|
|
}
|
|
|
|
testauthsuccess() {
|
|
testsuccess apthelper download-file "${1}/bash" ./downloaded/bash
|
|
testfileequal ./downloaded/bash "$(cat aptarchive/bash)"
|
|
testfilestats ./downloaded/bash '%U:%G:%a' '=' "${TEST_DEFAULT_USER}:${TEST_DEFAULT_GROUP}:644"
|
|
rm -f ./downloaded/bash
|
|
|
|
# lets see if got/retains acceptable permissions
|
|
if [ -n "$AUTHCONF" ]; then
|
|
if [ "$(id -u)" = '0' ]; then
|
|
testfilestats "$AUTHCONF" '%U:%G:%a' '=' "_apt:$(id -gn):600"
|
|
else
|
|
testfilestats "$AUTHCONF" '%U:%G:%a' '=' "${TEST_DEFAULT_USER}:${TEST_DEFAULT_GROUP}:600"
|
|
fi
|
|
fi
|
|
|
|
rm -rf rootdir/var/lib/apt/lists
|
|
if expr index "$1" '@' >/dev/null; then
|
|
testsuccesswithnotice aptget update
|
|
else
|
|
testsuccess aptget update
|
|
fi
|
|
testsuccessequal 'Reading package lists...
|
|
Building dependency tree...
|
|
The following NEW packages will be installed:
|
|
foo
|
|
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
|
|
Inst foo (1 unstable [all])
|
|
Conf foo (1 unstable [all])' aptget install foo -s
|
|
}
|
|
|
|
authfile() {
|
|
local AUTHCONF="${2:-rootdir/etc/apt/auth.conf}"
|
|
mkdir -p "$(dirname "$AUTHCONF")"
|
|
rm -f "$AUTHCONF"
|
|
printf '%s' "$1" > "$AUTHCONF"
|
|
chmod 600 "$AUTHCONF"
|
|
}
|
|
|
|
runtest() {
|
|
# unauthorized fails
|
|
authfile ''
|
|
testauthfailure "$1"
|
|
|
|
protocol="${1%%://*}"
|
|
|
|
# good auth
|
|
authfile "machine ${protocol}://localhost
|
|
login star@irc
|
|
password hunter2"
|
|
testauthsuccess "$1"
|
|
|
|
# bad auth
|
|
authfile "machine ${protocol}://localhost
|
|
login anonymous
|
|
password hunter2"
|
|
testauthfailure "$1"
|
|
|
|
# 2 stanzas: unmatching + good auth
|
|
authfile "machine ${protocol}://debian.org
|
|
login debian
|
|
password jessie
|
|
|
|
machine ${protocol}://localhost
|
|
login star@irc
|
|
password hunter2"
|
|
testauthsuccess "$1"
|
|
|
|
# no protocol specifier
|
|
authfile "machine localhost
|
|
login star@irc
|
|
password hunter2"
|
|
if [ "$protocol" = "https" ]; then
|
|
testauthsuccess "$1"
|
|
else
|
|
testfailure apthelper download-file "${1}/bash" ./downloaded/bash
|
|
testsuccessequal "W: ${1}/bash: ${TMPWORKINGDIRECTORY}/rootdir/etc/apt/auth.conf: Credentials for localhost match, but the protocol is not encrypted. Annotate with http:// to use." grep "Credentials.*match" rootdir/tmp/testfailure.output
|
|
testauthfailure "$1"
|
|
fi
|
|
|
|
# wrong protocol specifier
|
|
if [ "$protocol" = "https" ]; then
|
|
authfile "machine http://localhost
|
|
login star@irc
|
|
password hunter2"
|
|
else
|
|
authfile "machine https://localhost
|
|
login star@irc
|
|
password hunter2"
|
|
fi
|
|
testauthfailure "$1"
|
|
|
|
# delete file, make sure it fails; add auth.conf.d snippet, works again.
|
|
rm rootdir/etc/apt/auth.conf
|
|
testauthfailure "$1"
|
|
|
|
authfile "machine ${protocol}://localhost
|
|
login star@irc
|
|
password hunter2" rootdir/etc/apt/auth.conf.d/myauth.conf
|
|
testauthsuccess "$1"
|
|
rm rootdir/etc/apt/auth.conf.d/myauth.conf
|
|
}
|
|
|
|
msgmsg 'server basic auth'
|
|
rewritesourceslist "http://localhost:${APTHTTPPORT}"
|
|
runtest "http://localhost:${APTHTTPPORT}"
|
|
rewritesourceslist "http://star%40irc:hunter2@localhost:${APTHTTPPORT}"
|
|
authfile ''
|
|
testauthsuccess "http://star%40irc:hunter2@localhost:${APTHTTPPORT}"
|
|
rewritesourceslist "https://localhost:${APTHTTPSPORT}"
|
|
runtest "https://localhost:${APTHTTPSPORT}"
|
|
rewritesourceslist "http://localhost:${APTHTTPPORT}"
|
|
|
|
msgmsg 'proxy to server basic auth'
|
|
webserverconfig 'aptwebserver::request::absolute' 'uri'
|
|
# using ip instead of localhost avoids picking up the auth for the repo
|
|
# for the proxy as well as we serve them both over the same server…
|
|
export http_proxy="http://127.0.0.1:${APTHTTPPORT}"
|
|
runtest "http://localhost:${APTHTTPPORT}"
|
|
unset http_proxy
|
|
|
|
msgmsg 'proxy basic auth to server basic auth'
|
|
webserverconfig 'aptwebserver::proxy-authorization' "$(printf 'moon:deer2' | base64)"
|
|
export http_proxy="http://moon:deer2@localhost:${APTHTTPPORT}"
|
|
runtest "http://localhost:${APTHTTPPORT}"
|
|
|
|
msgmsg 'proxy basic auth to server'
|
|
authfile ''
|
|
webserverconfig 'aptwebserver::authorization' ''
|
|
testauthsuccess "http://localhost:${APTHTTPPORT}"
|