test/integration/test-apt-update-rollback

   1 #!/bin/sh
   2 #
   3 # test that apt-get update is transactional
   4 #
   5 set -e
   6
   7 avoid_ims_hit() {
   8     touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages*
   9     touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources*
  10     touch -d '+1hour' aptarchive/dists/unstable/*Release*
  11
  12     touch -d '-1hour' rootdir/var/lib/apt/lists/*
  13 }
  14
  15 create_fresh_archive()
  16 {
  17     rm -rf aptarchive/*
  18     rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/*
  19
  20     insertpackage 'unstable' 'old' 'all' '1.0'
  21
  22     setupaptarchive --no-update
  23 }
  24
  25 add_new_package() {
  26     insertpackage 'unstable' 'new' 'all' '1.0'
  27     insertsource 'unstable' 'new' 'all' '1.0'
  28
  29     setupaptarchive --no-update "$@"
  30 }
  31
  32 break_repository_sources_index() {
  33     mv "$APTARCHIVE/dists/unstable/main/source/Sources.gz" "$APTARCHIVE/dists/unstable/main/source/Sources.gz.orig"
  34     printf 'xxx' > "$APTARCHIVE/dists/unstable/main/source/Sources"
  35     compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@"
  36 }
  37
  38 start_with_good_inrelease() {
  39     create_fresh_archive
  40     testsuccess aptget update
  41     listcurrentlistsdirectory > lists.before
  42     testsuccessequal 'old/unstable 1.0 all' apt list -qq
  43 }
  44
  45 test_inrelease_to_new_inrelease() {
  46     msgmsg 'Test InRelease to new InRelease works fine'
  47     start_with_good_inrelease
  48
  49     add_new_package '+1hour'
  50     testsuccess aptget update -o Debug::Acquire::Transaction=1
  51     testsuccessequal 'new/unstable 1.0 all
  52 old/unstable 1.0 all' apt list -qq
  53 }
  54
  55 test_inrelease_to_broken_hash_reverts_all() {
  56     msgmsg 'Test InRelease to broken InRelease reverts everything'
  57     start_with_good_inrelease
  58
  59     add_new_package '+1hour'
  60     # break the Sources file
  61     break_repository_sources_index '+1hour'
  62
  63     # test the error condition
  64     testfailureequal "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources.gz  Hash Sum mismatch
  65    Hashes of expected file:
  66     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig') [weak]
  67     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
  68    Hashes of received file:
  69     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
  70     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz') [weak]
  71    Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
  72    Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
  73 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  74     # ensure that the Packages file is also rolled back
  75     testfileequal lists.before "$(listcurrentlistsdirectory)"
  76     testfailureequal "E: Unable to locate package new" aptget install new -s -qq
  77 }
  78
  79 test_inrelease_to_valid_release() {
  80     msgmsg 'Test InRelease to valid Release'
  81     start_with_good_inrelease
  82
  83     add_new_package '+1hour'
  84     # switch to a unsigned repo now
  85     rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
  86
  87     # update fails
  88     testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq
  89
  90     # test that security downgrade was not successful
  91     testfileequal lists.before "$(listcurrentlistsdirectory)"
  92     testsuccess aptget install old -s
  93     testfailure aptget install new -s
  94     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
  95     testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
  96 }
  97
  98 test_inrelease_to_release_reverts_all() {
  99     msgmsg 'Test InRelease to broken Release reverts everything'
 100     start_with_good_inrelease
 101
 102     # switch to a unsigned repo now
 103     add_new_package '+1hour'
 104     rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
 105
 106     # break it
 107     break_repository_sources_index '+1hour'
 108
 109     # ensure error
 110     testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
 111
 112     # ensure that the Packages file is also rolled back
 113     testfileequal lists.before "$(listcurrentlistsdirectory)"
 114     testsuccess aptget install old -s
 115     testfailure aptget install new -s
 116     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
 117     testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
 118 }
 119
 120 test_unauthenticated_to_invalid_inrelease() {
 121     msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything'
 122     create_fresh_archive
 123     rm -f "$APTARCHIVE/dists/unstable/InRelease" "$APTARCHIVE/dists/unstable/Release.gpg"
 124
 125     testwarning aptget update --allow-insecure-repositories
 126     listcurrentlistsdirectory > lists.before
 127     testfailureequal "WARNING: The following packages cannot be authenticated!
 128   old
 129 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
 130
 131     # go to authenticated but not correct
 132     add_new_package '+1hour'
 133     break_repository_sources_index '+1hour'
 134
 135     testfailureequal "E: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources.gz  Hash Sum mismatch
 136    Hashes of expected file:
 137     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig') [weak]
 138     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
 139    Hashes of received file:
 140     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
 141     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz') [weak]
 142    Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
 143    Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
 144 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 145
 146     testfileequal lists.before "$(listcurrentlistsdirectory)"
 147     testempty find "${ROOTDIR}/var/lib/apt/lists" -maxdepth 1 -name '*_InRelease'
 148     testfailureequal "WARNING: The following packages cannot be authenticated!
 149   old
 150 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
 151 }
 152
 153 test_inrelease_to_unauth_inrelease() {
 154     msgmsg 'Test InRelease to InRelease without good sig'
 155     start_with_good_inrelease
 156
 157     signreleasefiles 'Marvin Paranoid'
 158
 159     testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
 160 W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
 161 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 162
 163     testfileequal lists.before "$(listcurrentlistsdirectory)"
 164     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
 165 }
 166
 167 test_inrelease_to_broken_gzip() {
 168     msgmsg "Test InRelease to broken gzip"
 169     start_with_good_inrelease
 170
 171     break_repository_sources_index '+1hour'
 172     generatereleasefiles '+2hours'
 173     signreleasefiles
 174
 175     # append junk at the end of the compressed file
 176     echo "lala" >> "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
 177     touch -d '+2min' "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
 178     # remove uncompressed file to avoid fallback
 179     rm "$APTARCHIVE/dists/unstable/main/source/Sources"
 180
 181     testfailure aptget update
 182     testsuccess grep 'Hash Sum mismatch' rootdir/tmp/testfailure.output
 183     testfileequal lists.before "$(listcurrentlistsdirectory)"
 184 }
 185
 186 TESTDIR="$(readlink -f "$(dirname "$0")")"
 187 . "$TESTDIR/framework"
 188
 189 setupenvironment
 190 configarchitecture "i386"
 191 export APT_DONT_SIGN='Release.gpg'
 192
 193 APTARCHIVE="$(readlink -f ./aptarchive)"
 194 ROOTDIR="${TMPWORKINGDIRECTORY}/rootdir"
 195 APTARCHIVE_LISTS="$(echo "$APTARCHIVE" | tr "/" "_" )"
 196
 197 # test the following cases:
 198 # - InRelease -> broken InRelease revert to previous state
 199 # - empty lists dir and broken remote leaves nothing on the system
 200 # - InRelease -> hashsum mismatch for one file reverts all files to previous state
 201 # - Release/Release.gpg -> hashsum mismatch
 202 # - InRelease -> Release with hashsum mismatch revert entire state and kills Release
 203 # - Release -> InRelease with broken Sig/Hash removes InRelease
 204 # going from Release/Release.gpg -> InRelease and vice versa
 205 # - unauthenticated -> invalid InRelease
 206
 207 # stuff to do:
 208 # - ims-hit
 209 # - gzip-index tests
 210
 211 test_inrelease_to_new_inrelease
 212 test_inrelease_to_broken_hash_reverts_all
 213 test_inrelease_to_valid_release
 214 test_inrelease_to_release_reverts_all
 215 test_unauthenticated_to_invalid_inrelease
 216 test_inrelease_to_unauth_inrelease
 217 test_inrelease_to_broken_gzip