test-apt-update-rollback 8.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222
  1. #!/bin/sh
  2. #
  3. # test that apt-get update is transactional
  4. #
  5. set -e
  6. avoid_ims_hit() {
  7. touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages*
  8. touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources*
  9. touch -d '+1hour' aptarchive/dists/unstable/*Release*
  10. touch -d '-1hour' rootdir/var/lib/apt/lists/*
  11. }
  12. create_fresh_archive()
  13. {
  14. rm -rf aptarchive/*
  15. rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/*
  16. insertpackage 'unstable' 'old' 'all' '1.0'
  17. setupaptarchive --no-update
  18. }
  19. add_new_package() {
  20. insertpackage 'unstable' 'new' 'all' '1.0'
  21. insertsource 'unstable' 'new' 'all' '1.0'
  22. setupaptarchive --no-update "$@"
  23. }
  24. break_repository_sources_index() {
  25. mv "$APTARCHIVE/dists/unstable/main/source/Sources.gz" "$APTARCHIVE/dists/unstable/main/source/Sources.gz.orig"
  26. printf 'xxx' > "$APTARCHIVE/dists/unstable/main/source/Sources"
  27. compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@"
  28. }
  29. start_with_good_inrelease() {
  30. create_fresh_archive
  31. testsuccess aptget update
  32. listcurrentlistsdirectory > lists.before
  33. testsuccessequal 'old/unstable 1.0 all' apt list -qq
  34. }
  35. test_inrelease_to_new_inrelease() {
  36. msgmsg 'Test InRelease to new InRelease works fine'
  37. start_with_good_inrelease
  38. add_new_package '+1hour'
  39. testsuccess aptget update -o Debug::Acquire::Transaction=1
  40. testsuccessequal 'new/unstable 1.0 all
  41. old/unstable 1.0 all' apt list -qq
  42. }
  43. test_inrelease_to_broken_hash_reverts_all() {
  44. msgmsg 'Test InRelease to broken InRelease reverts everything'
  45. start_with_good_inrelease
  46. add_new_package '+1hour'
  47. # break the Sources file
  48. break_repository_sources_index '+1hour'
  49. # test the error condition
  50. testfailureequal "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources.gz Hash Sum mismatch
  51. Hashes of expected file:
  52. - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig')
  53. - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
  54. Hashes of received file:
  55. - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
  56. - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz')
  57. Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
  58. Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
  59. E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  60. # ensure that the Packages file is also rolled back
  61. testfileequal lists.before "$(listcurrentlistsdirectory)"
  62. testfailureequal "E: Unable to locate package new" aptget install new -s -qq
  63. }
  64. test_inrelease_to_valid_release() {
  65. msgmsg 'Test InRelease to valid Release'
  66. start_with_good_inrelease
  67. add_new_package '+1hour'
  68. # switch to a unsigned repo now
  69. rm "$APTARCHIVE/dists/unstable/InRelease"
  70. rm "$APTARCHIVE/dists/unstable/Release.gpg"
  71. # update fails
  72. testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq
  73. # test that security downgrade was not successful
  74. testfileequal lists.before "$(listcurrentlistsdirectory)"
  75. testsuccess aptget install old -s
  76. testfailure aptget install new -s
  77. testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
  78. testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
  79. }
  80. test_inrelease_to_release_reverts_all() {
  81. msgmsg 'Test InRelease to broken Release reverts everything'
  82. start_with_good_inrelease
  83. # switch to a unsigned repo now
  84. add_new_package '+1hour'
  85. rm "$APTARCHIVE/dists/unstable/InRelease"
  86. rm "$APTARCHIVE/dists/unstable/Release.gpg"
  87. # break it
  88. break_repository_sources_index '+1hour'
  89. # ensure error
  90. testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
  91. # ensure that the Packages file is also rolled back
  92. testfileequal lists.before "$(listcurrentlistsdirectory)"
  93. testsuccess aptget install old -s
  94. testfailure aptget install new -s
  95. testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
  96. testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
  97. }
  98. test_unauthenticated_to_invalid_inrelease() {
  99. msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything'
  100. create_fresh_archive
  101. rm "$APTARCHIVE/dists/unstable/InRelease"
  102. rm "$APTARCHIVE/dists/unstable/Release.gpg"
  103. testwarning aptget update --allow-insecure-repositories
  104. listcurrentlistsdirectory > lists.before
  105. testfailureequal "WARNING: The following packages cannot be authenticated!
  106. old
  107. E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
  108. # go to authenticated but not correct
  109. add_new_package '+1hour'
  110. break_repository_sources_index '+1hour'
  111. testfailureequal "E: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources.gz Hash Sum mismatch
  112. Hashes of expected file:
  113. - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig')
  114. - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
  115. Hashes of received file:
  116. - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
  117. - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz')
  118. Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
  119. Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
  120. E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  121. testfileequal lists.before "$(listcurrentlistsdirectory)"
  122. testempty find "${ROOTDIR}/var/lib/apt/lists" -maxdepth 1 -name '*_InRelease'
  123. testfailureequal "WARNING: The following packages cannot be authenticated!
  124. old
  125. E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
  126. }
  127. test_inrelease_to_unauth_inrelease() {
  128. msgmsg 'Test InRelease to InRelease without good sig'
  129. start_with_good_inrelease
  130. signreleasefiles 'Marvin Paranoid'
  131. testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
  132. W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
  133. W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  134. testfileequal lists.before "$(listcurrentlistsdirectory)"
  135. testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
  136. }
  137. test_inrelease_to_broken_gzip() {
  138. msgmsg "Test InRelease to broken gzip"
  139. start_with_good_inrelease
  140. break_repository_sources_index '+1hour'
  141. generatereleasefiles '+2hours'
  142. signreleasefiles
  143. # append junk at the end of the compressed file
  144. echo "lala" >> "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
  145. touch -d '+2min' "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
  146. # remove uncompressed file to avoid fallback
  147. rm "$APTARCHIVE/dists/unstable/main/source/Sources"
  148. testfailure aptget update
  149. testsuccess grep 'Hash Sum mismatch' rootdir/tmp/testfailure.output
  150. testfileequal lists.before "$(listcurrentlistsdirectory)"
  151. }
  152. TESTDIR="$(readlink -f "$(dirname "$0")")"
  153. . "$TESTDIR/framework"
  154. setupenvironment
  155. configarchitecture "i386"
  156. # setup the archive and ensure we have a single package that installs fine
  157. setupaptarchive
  158. APTARCHIVE="$(readlink -f ./aptarchive)"
  159. ROOTDIR="${TMPWORKINGDIRECTORY}/rootdir"
  160. APTARCHIVE_LISTS="$(echo "$APTARCHIVE" | tr "/" "_" )"
  161. # test the following cases:
  162. # - InRelease -> broken InRelease revert to previous state
  163. # - empty lists dir and broken remote leaves nothing on the system
  164. # - InRelease -> hashsum mismatch for one file reverts all files to previous state
  165. # - Release/Release.gpg -> hashsum mismatch
  166. # - InRelease -> Release with hashsum mismatch revert entire state and kills Release
  167. # - Release -> InRelease with broken Sig/Hash removes InRelease
  168. # going from Release/Release.gpg -> InRelease and vice versa
  169. # - unauthenticated -> invalid InRelease
  170. # stuff to do:
  171. # - ims-hit
  172. # - gzip-index tests
  173. test_inrelease_to_new_inrelease
  174. test_inrelease_to_broken_hash_reverts_all
  175. test_inrelease_to_valid_release
  176. test_inrelease_to_release_reverts_all
  177. test_unauthenticated_to_invalid_inrelease
  178. test_inrelease_to_unauth_inrelease
  179. test_inrelease_to_broken_gzip