[apt.git] / test / integration / test-apt-update-rollback

#!/bin/sh
#
# test that apt-get update is transactional
# 
set -e

avoid_ims_hit() {
    touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages*
    touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources*
    touch -d '+1hour' aptarchive/dists/unstable/*Release*

    touch -d '-1hour' rootdir/var/lib/apt/lists/*
}

create_fresh_archive()
{
    rm -rf aptarchive/*
    rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/*

    insertpackage 'unstable' 'old' 'all' '1.0'

    setupaptarchive --no-update
}

add_new_package() {
    insertpackage "unstable" "new" "all" "1.0"
    insertsource "unstable" "new" "all" "1.0"

    setupaptarchive --no-update "$@"
}

break_repository_sources_index() {
    printf 'xxx' > $APTARCHIVE/dists/unstable/main/source/Sources
    compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@"
}

start_with_good_inrelease() {
    create_fresh_archive
    testsuccess aptget update
    listcurrentlistsdirectory > lists.before
    testsuccessequal "old/unstable 1.0 all" apt list -q
}

test_inrelease_to_new_inrelease() {
    msgmsg 'Test InRelease to new InRelease works fine'
    start_with_good_inrelease

    add_new_package '+1hour'
    testsuccess aptget update -o Debug::Acquire::Transaction=1
    testsuccessequal "new/unstable 1.0 all
old/unstable 1.0 all" apt list -q
}

test_inrelease_to_broken_hash_reverts_all() {
    msgmsg 'Test InRelease to broken InRelease reverts everything'
    start_with_good_inrelease

    add_new_package '+1hour'
    # break the Sources file
    break_repository_sources_index '+1hour'

    # test the error condition
    testfailureequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources  Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
    # ensure that the Packages file is also rolled back
    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testfailureequal "E: Unable to locate package new" aptget install new -s -qq
}

test_inrelease_to_valid_release() {
    msgmsg 'Test InRelease to valid Release'
    start_with_good_inrelease

    add_new_package '+1hour'
    # switch to a unsigned repo now
    rm $APTARCHIVE/dists/unstable/InRelease
    rm $APTARCHIVE/dists/unstable/Release.gpg

    # update fails
    testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq

    # test that security downgrade was not successful
    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testsuccess aptget install old -s
    testfailure aptget install new -s
    testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease
    testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release
}

test_inrelease_to_release_reverts_all() {
    msgmsg 'Test InRelease to broken Release reverts everything'
    start_with_good_inrelease

    # switch to a unsigned repo now
    add_new_package '+1hour'
    rm $APTARCHIVE/dists/unstable/InRelease
    rm $APTARCHIVE/dists/unstable/Release.gpg

    # break it
    break_repository_sources_index '+1hour'

    # ensure error
    testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1

    # ensure that the Packages file is also rolled back
    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testsuccess aptget install old -s
    testfailure aptget install new -s
    testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease
    testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release
}

test_unauthenticated_to_invalid_inrelease() {
    msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything'
    create_fresh_archive
    rm $APTARCHIVE/dists/unstable/InRelease
    rm $APTARCHIVE/dists/unstable/Release.gpg

    testwarning aptget update --allow-insecure-repositories
    listcurrentlistsdirectory > lists.before
    testfailureequal "WARNING: The following packages cannot be authenticated!
  old
E: There are problems and -y was used without --force-yes" aptget install -qq -y old

    # go to authenticated but not correct
    add_new_package '+1hour'
    break_repository_sources_index '+1hour'

    testfailureequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources  Hash Sum mismatch

E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq

    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testfailure ls rootdir/var/lib/apt/lists/*_InRelease
    testfailureequal "WARNING: The following packages cannot be authenticated!
  old
E: There are problems and -y was used without --force-yes" aptget install -qq -y old
}

test_inrelease_to_unauth_inrelease() {
    msgmsg 'Test InRelease to InRelease without good sig'
    start_with_good_inrelease

    signreleasefiles 'Marvin Paranoid'

    testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2

W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2

W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq

    testfileequal lists.before "$(listcurrentlistsdirectory)"
    testsuccess ls rootdir/var/lib/apt/lists/*_InRelease
}

test_inrelease_to_broken_gzip() {
    msgmsg "Test InRelease to broken gzip"
    start_with_good_inrelease

    redatereleasefiles '+2hours'
    # append junk at the end of the compressed file
    echo "lala" >> $APTARCHIVE/dists/unstable/main/source/Sources.gz
    touch -d '+2min' $APTARCHIVE/dists/unstable/main/source/Sources.gz
    # remove uncompressed file to avoid fallback
    rm $APTARCHIVE/dists/unstable/main/source/Sources

    testfailure aptget update
    testfileequal lists.before "$(listcurrentlistsdirectory)"
}

TESTDIR=$(readlink -f $(dirname $0))
. $TESTDIR/framework

setupenvironment
configarchitecture "i386"

# setup the archive and ensure we have a single package that installs fine
setupaptarchive
APTARCHIVE=$(readlink -f ./aptarchive)
ROOTDIR=${TMPWORKINGDIRECTORY}/rootdir
APTARCHIVE_LISTS="$(echo $APTARCHIVE | tr "/" "_" )"

# test the following cases:
# - InRelease -> broken InRelease revert to previous state
# - empty lists dir and broken remote leaves nothing on the system
# - InRelease -> hashsum mismatch for one file reverts all files to previous state
# - Release/Release.gpg -> hashsum mismatch
# - InRelease -> Release with hashsum mismatch revert entire state and kills Release
# - Release -> InRelease with broken Sig/Hash removes InRelease
# going from Release/Release.gpg -> InRelease and vice versa
# - unauthenticated -> invalid InRelease

# stuff to do:
# - ims-hit
# - gzip-index tests

test_inrelease_to_new_inrelease
test_inrelease_to_broken_hash_reverts_all
test_inrelease_to_valid_release
test_inrelease_to_release_reverts_all
test_unauthenticated_to_invalid_inrelease
test_inrelease_to_unauth_inrelease
test_inrelease_to_broken_gzip
Commit	Line	Data
e05672e8 MV	1	#!/bin/sh
	2	#
	3	# test that apt-get update is transactional
	4	#
	5	set -e
	6
	7	avoid_ims_hit() {
	8	touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages*
	9	touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources*
	10	touch -d '+1hour' aptarchive/dists/unstable/Release
	11
	12	touch -d '-1hour' rootdir/var/lib/apt/lists/*
	13	}
	14
	15	create_fresh_archive()
	16	{
	17	rm -rf aptarchive/*
	18	rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/*
	19
	20	insertpackage 'unstable' 'old' 'all' '1.0'
	21
4dbfe436	22	setupaptarchive --no-update
e05672e8 MV	23	}
	24
	25	add_new_package() {
	26	insertpackage "unstable" "new" "all" "1.0"
	27	insertsource "unstable" "new" "all" "1.0"
	28
4dbfe436	29	setupaptarchive --no-update "$@"
e05672e8 MV	30	}
	31
	32	break_repository_sources_index() {
4dbfe436 DK	33	printf 'xxx' > $APTARCHIVE/dists/unstable/main/source/Sources
4dbfe436 DK	34	compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@"
e05672e8 MV	35	}
e05672e8 MV	36
4dbfe436	37	start_with_good_inrelease() {
e05672e8	38	create_fresh_archive
4dbfe436	39	testsuccess aptget update
846bc058	40	listcurrentlistsdirectory > lists.before
25b86db1	41	testsuccessequal "old/unstable 1.0 all" apt list -q
4dbfe436	42	}
e05672e8	43
4dbfe436 DK	44	test_inrelease_to_new_inrelease() {
	45	msgmsg 'Test InRelease to new InRelease works fine'
	46	start_with_good_inrelease
80976dd5	47
4dbfe436	48	add_new_package '+1hour'
80976dd5	49	testsuccess aptget update -o Debug::Acquire::Transaction=1
25b86db1	50	testsuccessequal "new/unstable 1.0 all
e05672e8 MV	51	old/unstable 1.0 all" apt list -q
	52	}
	53
	54	test_inrelease_to_broken_hash_reverts_all() {
4dbfe436 DK	55	msgmsg 'Test InRelease to broken InRelease reverts everything'
	56	start_with_good_inrelease
	57
	58	add_new_package '+1hour'
e05672e8	59	# break the Sources file
4dbfe436	60	break_repository_sources_index '+1hour'
e05672e8 MV	61
e05672e8 MV	62	# test the error condition
25b86db1	63	testfailureequal "W: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources Hash Sum mismatch
e05672e8 MV	64
	65	E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
	66	# ensure that the Packages file is also rolled back
846bc058	67	testfileequal lists.before "$(listcurrentlistsdirectory)"
25b86db1	68	testfailureequal "E: Unable to locate package new" aptget install new -s -qq
e05672e8 MV	69	}
e05672e8 MV	70
4dbfe436 DK	71	test_inrelease_to_valid_release() {
	72	msgmsg 'Test InRelease to valid Release'
	73	start_with_good_inrelease
	74
	75	add_new_package '+1hour'
	76	# switch to a unsigned repo now
e05672e8 MV	77	rm $APTARCHIVE/dists/unstable/InRelease
e05672e8 MV	78	rm $APTARCHIVE/dists/unstable/Release.gpg
e05672e8	79
bca84917	80	# update fails
25b86db1	81	testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq
e05672e8	82
846bc058 DK	83	# test that security downgrade was not successful
846bc058 DK	84	testfileequal lists.before "$(listcurrentlistsdirectory)"
e05672e8	85	testsuccess aptget install old -s
bca84917 MV	86	testfailure aptget install new -s
	87	testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease
	88	testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release
e05672e8 MV	89	}
e05672e8 MV	90
4dbfe436 DK	91	test_inrelease_to_release_reverts_all() {
	92	msgmsg 'Test InRelease to broken Release reverts everything'
	93	start_with_good_inrelease
e05672e8	94
4dbfe436 DK	95	# switch to a unsigned repo now
4dbfe436 DK	96	add_new_package '+1hour'
e05672e8 MV	97	rm $APTARCHIVE/dists/unstable/InRelease
e05672e8 MV	98	rm $APTARCHIVE/dists/unstable/Release.gpg
4dbfe436	99
e05672e8	100	# break it
4dbfe436	101	break_repository_sources_index '+1hour'
e05672e8 MV	102
e05672e8 MV	103	# ensure error
25b86db1	104	testfailureequal "E: The repository 'file: unstable Release.gpg' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
e05672e8 MV	105
e05672e8 MV	106	# ensure that the Packages file is also rolled back
846bc058	107	testfileequal lists.before "$(listcurrentlistsdirectory)"
e05672e8 MV	108	testsuccess aptget install old -s
	109	testfailure aptget install new -s
	110	testsuccess ls $ROOTDIR/var/lib/apt/lists/*_InRelease
	111	testfailure ls $ROOTDIR/var/lib/apt/lists/*_Release
	112	}
	113
	114	test_unauthenticated_to_invalid_inrelease() {
4dbfe436	115	msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything'
e05672e8 MV	116	create_fresh_archive
	117	rm $APTARCHIVE/dists/unstable/InRelease
	118	rm $APTARCHIVE/dists/unstable/Release.gpg
4dbfe436	119
4fa34122	120	testwarning aptget update --allow-insecure-repositories
846bc058	121	listcurrentlistsdirectory > lists.before
25b86db1	122	testfailureequal "WARNING: The following packages cannot be authenticated!
e05672e8 MV	123	old
e05672e8 MV	124	E: There are problems and -y was used without --force-yes" aptget install -qq -y old
4dbfe436	125
e05672e8	126	# go to authenticated but not correct
4dbfe436 DK	127	add_new_package '+1hour'
4dbfe436 DK	128	break_repository_sources_index '+1hour'
e05672e8	129
25b86db1	130	testfailureequal "W: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources Hash Sum mismatch
6d979490	131
e05672e8 MV	132	E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
e05672e8 MV	133
846bc058	134	testfileequal lists.before "$(listcurrentlistsdirectory)"
e05672e8	135	testfailure ls rootdir/var/lib/apt/lists/*_InRelease
25b86db1	136	testfailureequal "WARNING: The following packages cannot be authenticated!
e05672e8 MV	137	old
	138	E: There are problems and -y was used without --force-yes" aptget install -qq -y old
	139	}
	140
c5fced38	141	test_inrelease_to_unauth_inrelease() {
4dbfe436 DK	142	msgmsg 'Test InRelease to InRelease without good sig'
	143	start_with_good_inrelease
	144
9d653a6d	145	signreleasefiles 'Marvin Paranoid'
4dbfe436	146
25b86db1	147	testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file: unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
c5fced38	148
4dbfe436	149	W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
c5fced38	150
21638c3a MV	151	W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
21638c3a MV	152
846bc058	153	testfileequal lists.before "$(listcurrentlistsdirectory)"
21638c3a	154	testsuccess ls rootdir/var/lib/apt/lists/*_InRelease
c5fced38 MV	155	}
c5fced38 MV	156
7abcfdde MV	157	test_inrelease_to_broken_gzip() {
7abcfdde MV	158	msgmsg "Test InRelease to broken gzip"
4dbfe436 DK	159	start_with_good_inrelease
4dbfe436 DK	160
8eafc759	161	redatereleasefiles '+2hours'
4dbfe436	162	# append junk at the end of the compressed file
7abcfdde	163	echo "lala" >> $APTARCHIVE/dists/unstable/main/source/Sources.gz
4dbfe436 DK	164	touch -d '+2min' $APTARCHIVE/dists/unstable/main/source/Sources.gz
4dbfe436 DK	165	# remove uncompressed file to avoid fallback
7abcfdde	166	rm $APTARCHIVE/dists/unstable/main/source/Sources
7abcfdde MV	167
7abcfdde MV	168	testfailure aptget update
846bc058	169	testfileequal lists.before "$(listcurrentlistsdirectory)"
7abcfdde MV	170	}
7abcfdde MV	171
e05672e8 MV	172	TESTDIR=$(readlink -f $(dirname $0))
	173	. $TESTDIR/framework
	174
	175	setupenvironment
	176	configarchitecture "i386"
	177
	178	# setup the archive and ensure we have a single package that installs fine
	179	setupaptarchive
	180	APTARCHIVE=$(readlink -f ./aptarchive)
	181	ROOTDIR=${TMPWORKINGDIRECTORY}/rootdir
	182	APTARCHIVE_LISTS="$(echo $APTARCHIVE \| tr "/" "_" )"
	183
	184	# test the following cases:
4dbfe436	185	# - InRelease -> broken InRelease revert to previous state
e05672e8 MV	186	# - empty lists dir and broken remote leaves nothing on the system
	187	# - InRelease -> hashsum mismatch for one file reverts all files to previous state
	188	# - Release/Release.gpg -> hashsum mismatch
	189	# - InRelease -> Release with hashsum mismatch revert entire state and kills Release
	190	# - Release -> InRelease with broken Sig/Hash removes InRelease
	191	# going from Release/Release.gpg -> InRelease and vice versa
	192	# - unauthenticated -> invalid InRelease
	193
67f2f9e2	194	# stuff to do:
4dbfe436	195	# - ims-hit
67f2f9e2 MV	196	# - gzip-index tests
67f2f9e2 MV	197
e05672e8 MV	198	test_inrelease_to_new_inrelease
e05672e8 MV	199	test_inrelease_to_broken_hash_reverts_all
4dbfe436 DK	200	test_inrelease_to_valid_release
4dbfe436 DK	201	test_inrelease_to_release_reverts_all
6d979490	202	test_unauthenticated_to_invalid_inrelease
c5fced38	203	test_inrelease_to_unauth_inrelease
7abcfdde	204	test_inrelease_to_broken_gzip