test/integration/test-apt-update-rollback

   1 #!/bin/sh
   2 #
   3 # test that apt-get update is transactional
   4 #
   5 set -e
   6
   7 avoid_ims_hit() {
   8     touch -d '+1hour' aptarchive/dists/unstable/main/binary-i386/Packages*
   9     touch -d '+1hour' aptarchive/dists/unstable/main/source/Sources*
  10     touch -d '+1hour' aptarchive/dists/unstable/*Release*
  11
  12     touch -d '-1hour' rootdir/var/lib/apt/lists/*
  13 }
  14
  15 create_fresh_archive()
  16 {
  17     rm -rf aptarchive/*
  18     rm -f rootdir/var/lib/apt/lists/_* rootdir/var/lib/apt/lists/partial/*
  19
  20     insertpackage 'unstable' 'old' 'all' '1.0'
  21
  22     setupaptarchive --no-update
  23 }
  24
  25 add_new_package() {
  26     insertpackage 'unstable' 'new' 'all' '1.0'
  27     insertsource 'unstable' 'new' 'all' '1.0'
  28
  29     setupaptarchive --no-update "$@"
  30 }
  31
  32 break_repository_sources_index() {
  33     mv "$APTARCHIVE/dists/unstable/main/source/Sources.gz" "$APTARCHIVE/dists/unstable/main/source/Sources.gz.orig"
  34     printf 'xxx' > "$APTARCHIVE/dists/unstable/main/source/Sources"
  35     compressfile "$APTARCHIVE/dists/unstable/main/source/Sources" "$@"
  36 }
  37
  38 start_with_good_inrelease() {
  39     create_fresh_archive
  40     testsuccess aptget update
  41     listcurrentlistsdirectory > lists.before
  42     testsuccessequal 'old/unstable 1.0 all' apt list -qq
  43 }
  44
  45 test_inrelease_to_new_inrelease() {
  46     msgmsg 'Test InRelease to new InRelease works fine'
  47     start_with_good_inrelease
  48
  49     add_new_package '+1hour'
  50     testsuccess aptget update -o Debug::Acquire::Transaction=1
  51     testsuccessequal 'new/unstable 1.0 all
  52 old/unstable 1.0 all' apt list -qq
  53 }
  54
  55 test_inrelease_to_broken_hash_reverts_all() {
  56     msgmsg 'Test InRelease to broken InRelease reverts everything'
  57     start_with_good_inrelease
  58
  59     add_new_package '+1hour'
  60     # break the Sources file
  61     break_repository_sources_index '+1hour'
  62
  63     # test the error condition
  64     testfailureequal "E: Failed to fetch file:${APTARCHIVE}/dists/unstable/main/source/Sources.gz  Hash Sum mismatch
  65    Hashes of expected file:
  66     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig')
  67     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
  68    Hashes of received file:
  69     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
  70     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz')
  71    Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
  72    Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
  73 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
  74     # ensure that the Packages file is also rolled back
  75     testfileequal lists.before "$(listcurrentlistsdirectory)"
  76     testfailureequal "E: Unable to locate package new" aptget install new -s -qq
  77 }
  78
  79 test_inrelease_to_valid_release() {
  80     msgmsg 'Test InRelease to valid Release'
  81     start_with_good_inrelease
  82
  83     add_new_package '+1hour'
  84     # switch to a unsigned repo now
  85     rm "$APTARCHIVE/dists/unstable/InRelease"
  86     rm "$APTARCHIVE/dists/unstable/Release.gpg"
  87
  88     # update fails
  89     testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq
  90
  91     # test that security downgrade was not successful
  92     testfileequal lists.before "$(listcurrentlistsdirectory)"
  93     testsuccess aptget install old -s
  94     testfailure aptget install new -s
  95     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
  96     testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
  97 }
  98
  99 test_inrelease_to_release_reverts_all() {
 100     msgmsg 'Test InRelease to broken Release reverts everything'
 101     start_with_good_inrelease
 102
 103     # switch to a unsigned repo now
 104     add_new_package '+1hour'
 105     rm "$APTARCHIVE/dists/unstable/InRelease"
 106     rm "$APTARCHIVE/dists/unstable/Release.gpg"
 107
 108     # break it
 109     break_repository_sources_index '+1hour'
 110
 111     # ensure error
 112     testfailureequal "E: The repository 'file:${APTARCHIVE} unstable Release' is no longer signed." aptget update -qq # -o Debug::acquire::transaction=1
 113
 114     # ensure that the Packages file is also rolled back
 115     testfileequal lists.before "$(listcurrentlistsdirectory)"
 116     testsuccess aptget install old -s
 117     testfailure aptget install new -s
 118     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
 119     testempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_Release'
 120 }
 121
 122 test_unauthenticated_to_invalid_inrelease() {
 123     msgmsg 'Test UnAuthenticated to invalid InRelease reverts everything'
 124     create_fresh_archive
 125     rm "$APTARCHIVE/dists/unstable/InRelease"
 126     rm "$APTARCHIVE/dists/unstable/Release.gpg"
 127
 128     testwarning aptget update --allow-insecure-repositories
 129     listcurrentlistsdirectory > lists.before
 130     testfailureequal "WARNING: The following packages cannot be authenticated!
 131   old
 132 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
 133
 134     # go to authenticated but not correct
 135     add_new_package '+1hour'
 136     break_repository_sources_index '+1hour'
 137
 138     testfailureequal "E: Failed to fetch file:$APTARCHIVE/dists/unstable/main/source/Sources.gz  Hash Sum mismatch
 139    Hashes of expected file:
 140     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz.orig')
 141     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz.orig' | cut -d' ' -f 1)
 142    Hashes of received file:
 143     - SHA256:$(sha256sum 'aptarchive/dists/unstable/main/source/Sources.gz' | cut -d' ' -f 1)
 144     - Checksum-FileSize:$(stat -c '%s' 'aptarchive/dists/unstable/main/source/Sources.gz')
 145    Last modification reported: $(lastmodification 'aptarchive/dists/unstable/main/source/Sources.gz')
 146    Release file created at: $(releasefiledate 'aptarchive/dists/unstable/InRelease')
 147 E: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 148
 149     testfileequal lists.before "$(listcurrentlistsdirectory)"
 150     testempty find "${ROOTDIR}/var/lib/apt/lists" -maxdepth 1 -name '*_InRelease'
 151     testfailureequal "WARNING: The following packages cannot be authenticated!
 152   old
 153 E: There were unauthenticated packages and -y was used without --allow-unauthenticated" aptget install -qq -y old
 154 }
 155
 156 test_inrelease_to_unauth_inrelease() {
 157     msgmsg 'Test InRelease to InRelease without good sig'
 158     start_with_good_inrelease
 159
 160     signreleasefiles 'Marvin Paranoid'
 161
 162     testwarningequal "W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: file:${APTARCHIVE} unstable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
 163 W: Failed to fetch file:$APTARCHIVE/dists/unstable/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E8525D47528144E2
 164 W: Some index files failed to download. They have been ignored, or old ones used instead." aptget update -qq
 165
 166     testfileequal lists.before "$(listcurrentlistsdirectory)"
 167     testnotempty find "${ROOTDIR}/var/lib/apt/lists" -name '*_InRelease'
 168 }
 169
 170 test_inrelease_to_broken_gzip() {
 171     msgmsg "Test InRelease to broken gzip"
 172     start_with_good_inrelease
 173
 174     break_repository_sources_index '+1hour'
 175     generatereleasefiles '+2hours'
 176     signreleasefiles
 177
 178     # append junk at the end of the compressed file
 179     echo "lala" >> "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
 180     touch -d '+2min' "$APTARCHIVE/dists/unstable/main/source/Sources.gz"
 181     # remove uncompressed file to avoid fallback
 182     rm "$APTARCHIVE/dists/unstable/main/source/Sources"
 183
 184     testfailure aptget update
 185     testsuccess grep 'Hash Sum mismatch' rootdir/tmp/testfailure.output
 186     testfileequal lists.before "$(listcurrentlistsdirectory)"
 187 }
 188
 189 TESTDIR="$(readlink -f "$(dirname "$0")")"
 190 . "$TESTDIR/framework"
 191
 192 setupenvironment
 193 configarchitecture "i386"
 194
 195 # setup the archive and ensure we have a single package that installs fine
 196 setupaptarchive
 197 APTARCHIVE="$(readlink -f ./aptarchive)"
 198 ROOTDIR="${TMPWORKINGDIRECTORY}/rootdir"
 199 APTARCHIVE_LISTS="$(echo "$APTARCHIVE" | tr "/" "_" )"
 200
 201 # test the following cases:
 202 # - InRelease -> broken InRelease revert to previous state
 203 # - empty lists dir and broken remote leaves nothing on the system
 204 # - InRelease -> hashsum mismatch for one file reverts all files to previous state
 205 # - Release/Release.gpg -> hashsum mismatch
 206 # - InRelease -> Release with hashsum mismatch revert entire state and kills Release
 207 # - Release -> InRelease with broken Sig/Hash removes InRelease
 208 # going from Release/Release.gpg -> InRelease and vice versa
 209 # - unauthenticated -> invalid InRelease
 210
 211 # stuff to do:
 212 # - ims-hit
 213 # - gzip-index tests
 214
 215 test_inrelease_to_new_inrelease
 216 test_inrelease_to_broken_hash_reverts_all
 217 test_inrelease_to_valid_release
 218 test_inrelease_to_release_reverts_all
 219 test_unauthenticated_to_invalid_inrelease
 220 test_inrelease_to_unauth_inrelease
 221 test_inrelease_to_broken_gzip