From e2c005b490df6762e23da3223944151c17d1de80 Mon Sep 17 00:00:00 2001 From: Pierre Schmitz Date: Fri, 13 Aug 2010 08:20:27 +0200 Subject: Check permission before any action Added a function to check if user has permission to alter the repos and db files. --- db-functions | 29 ++++++++++++++++++++++++++++- db-move | 5 +++++ db-remove | 5 +++++ db-update | 10 +--------- test/lib/common.inc | 49 +++++++++++++++++++++++++++++++++---------------- 5 files changed, 72 insertions(+), 26 deletions(-) diff --git a/db-functions b/db-functions index c4fc8f3..f22567b 100644 --- a/db-functions +++ b/db-functions @@ -73,7 +73,7 @@ die() { cleanup 1 } -trap abort INT QUIT TERM +trap abort INT QUIT TERM HUP trap cleanup EXIT @@ -274,3 +274,30 @@ pkgver_from_src() { tmp=${tmp%-any} echo $tmp | sed 's|.*-\(.*-.*\)$|\1|g' } + +check_repo_permission() { + local repo=$1 + + local repos="$(get_repos_for_host)" + local found=false + local r + for r in $repos; do + if [ "$r" = "$repo" ]; then + found=true + fi + done + [ $found ] || return 1 + + [ -w "$FTP_BASE/$(get_pkgpool_for_host)" ] || return 1 + + local arch + for arch in ${ARCHES} any; do + local w + local ws=("${FTP_BASE}/${repo}/os/${arch}/"{,${repo}${DBEXT}}) + for w in ws; do + [ -w ] || return 1 + done + done + + return 0 +} diff --git a/db-move b/db-move index d18a4fa..41b360d 100755 --- a/db-move +++ b/db-move @@ -23,6 +23,11 @@ ftppath_to="$FTP_BASE/$repoto/os/" svnrepo_from="$repofrom-$arch" svnrepo_to="$repoto-$arch" +if ! check_repo_permission $repoto || ! check_repo_permission $repofrom; then + echo "Error: You don't have permission to move packages from ${repofrom} to ${repoto}" + exit 1 +fi + repo_lock $repoto $arch || exit 1 repo_lock $repofrom $arch || exit 1 diff --git a/db-remove b/db-remove index 5a55849..1492d18 100755 --- a/db-remove +++ b/db-remove 
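Review bot: check_repo_permission as added in db-functions cannot reject a repository on its host-list test or its per-arch test. `[ $found ] || return 1` tests a non-empty string (`true` or `false`) and so always succeeds, while `for w in ws` iterates over the literal word `ws` and `[ -w ]` only tests that the string `-w` is non-empty, so the repo directories and database files are never examined. Only the pkgpool `-w` test can actually fail. The lines should read `[ "$found" = true ] || return 1`, `for w in "${ws[@]}"; do` and `[ -w "$w" ] || return 1`. This matters most for the db-update hunk, which replaces a working `found` loop with this function, and it equally affects the db-move and db-remove callers.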
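Review bot: The new guard in db-move passes `$repoto` and `$repofrom` unquoted and prints its failure message to stdout. Quoting as the db-update call does, `if ! check_repo_permission "$repoto" || ! check_repo_permission "$repofrom"; then`, keeps an empty or space-containing argument intact, and adding `>&2` to the `echo` keeps the error out of captured output. The check also runs before `repo_lock`, so it is only a pre-flight test, and the writes that follow still need their own error handling.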
@@ -15,6 +15,11 @@ arch="$3" ftppath="$FTP_BASE/$reponame/os" svnrepo="$reponame-$arch" +if ! check_repo_permission $reponame; then + echo "Error: You don't have permission to remove packages from ${reponam}" + exit 1 +fi + repo_lock $reponame $arch || exit 1 echo -n "Removing $packagebase from $reponame..." diff --git a/db-update b/db-update index 46becac..c049714 100755 --- a/db-update +++ b/db-update @@ -11,15 +11,7 @@ fi reponame="$1" current_arch="" -# ensure we should be playing with this DB on this server -repos="$(get_repos_for_host)" -found=0 -for r in $repos; do - if [ "$r" = "$reponame" ]; then - found=1 - fi -done -if [ $found -ne 1 ]; then +if ! check_repo_permission "$reponame"; then echo "error: you shouldn't be updating $reponame on this server!" exit 1 fi diff --git a/test/lib/common.inc b/test/lib/common.inc index 89155c7..795d01a 100644 --- a/test/lib/common.inc +++ b/test/lib/common.inc @@ -1,3 +1,5 @@ +set -E + . "${curdir}/../db-functions" oneTimeSetUp() { @@ -8,7 +10,9 @@ oneTimeSetUp() { for p in "${pkgdir}"/*; do pushd $p >/dev/null linux32 makepkg -cf --config ${curdir}/lib/makepkg-i686.conf >/dev/null 2>&1 || die 'makepkg failed' - [ -f *-any.pkg.tar.* ] || linux64 makepkg -cf --config ${curdir}/lib/makepkg-x86_64.conf >/dev/null 2>&1 || die 'makepkg failed' + [ -f *-any.pkg.tar.* ] \ + || linux64 makepkg -cf --config ${curdir}/lib/makepkg-x86_64.conf >/dev/null 2>&1 \ + || die 'makepkg failed' popd >/dev/null done echo 'done' @@ -23,7 +27,7 @@ setUp() { local p local pkg - [ -f "${curdir}/../config.local" ] && die "${curdir}/../config.local exists" + #[ -f "${curdir}/../config.local" ] && die "${curdir}/../config.local exists" TMP="$(mktemp -d /dev/shm/$(basename $0).XXXXXXXXXX)" #echo "Using ${TMP}" 
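Review bot: The error message in the db-remove guard expands `${reponam}`, which is not set anywhere in the visible lines, so the repository name prints as empty; it should be `${reponame}`. The call `check_repo_permission $reponame` is also unquoted, unlike the one in db-update. Suggested lines: `if ! check_repo_permission "$reponame"; then` and `echo "Error: You don't have permission to remove packages from ${reponame}" >&2`.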
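Review bot: In setUp of test/lib/common.inc the guard `[ -f "${curdir}/../config.local" ] && die ...` is commented out rather than removed or replaced, and no reason is given. If db-functions reads config.local (not visible in this hunk), the tests can now run with a developer's or server's local settings, including a real `FTP_BASE`, instead of the test configuration. Either restore the guard or delete the line and leave a comment such as `# config.local is tolerated here because <reason>`. setUp's body continues outside the hunk.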
@@ -82,17 +86,20 @@ checkAnyPackage() { local pkg=$2 local arch - [ -f "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "$(get_pkgpool_for_host)/${pkg} not found" + [ -r "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "$(get_pkgpool_for_host)/${pkg} not found" for arch in i686 x86_64; do [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} not a symlink" - [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} does not link to $(get_pkgpool_for_host)/${pkg}" + [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] \ + || fail "${repo}/os/${arch}/${pkg} does not link to $(get_pkgpool_for_host)/${pkg}" done - [ -f "${STAGING}"/${repo}/${pkg} ] && fail "${repo}/${pkg} found in staging dir" + [ -r "${STAGING}"/${repo}/${pkg} ] && fail "${repo}/${pkg} found in staging dir" - bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkg} || fail "${pkg} not in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" + ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" ] \ + && bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkg}) \ + || fail "${pkg} not in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" - [ -f "${FTP_BASE}/${repo}/os/any/${pkg}" ] && fail "${repo}/os/any/${pkg} should not exist" + [ -r "${FTP_BASE}/${repo}/os/any/${pkg}" ] && fail "${repo}/os/any/${pkg} should not exist" } checkPackage() { 
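Review bot: Switching `-f` to `-r` weakens the two negative assertions in checkAnyPackage: `[ -r "${STAGING}"/${repo}/${pkg} ] && fail ...` and `[ -r "${FTP_BASE}/${repo}/os/any/${pkg}" ] && fail ...` now pass when the file exists but the test user cannot read it. For "must not exist" checks `-e` is the right test, e.g. `[ -e "${FTP_BASE}/${repo}/os/any/${pkg}" ] && fail "${repo}/os/any/${pkg} should not exist"`. The same applies to the staging check in the checkPackage hunk. The positive checks can keep `-r`.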
@@ -100,17 +107,21 @@ checkPackage() { local pkg=$2 local arch=$3 - [ -f "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "$(get_pkgpool_for_host)/${pkg} not found" + [ -r "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "$(get_pkgpool_for_host)/${pkg} not found" [ -L "${FTP_BASE}/${repo}/os/${arch}/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} not a symlink" - [ -f "${STAGING}"/${repo}/${pkg} ] && fail "${repo}/${pkg} found in staging dir" + [ -r "${STAGING}"/${repo}/${pkg} ] && fail "${repo}/${pkg} found in staging dir" - [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] || fail "${repo}/os/${arch}/${pkg} does not link to $(get_pkgpool_for_host)/${pkg}" + [ "$(readlink -e "${FTP_BASE}/${repo}/os/${arch}/${pkg}")" == "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}" ] \ + || fail "${repo}/os/${arch}/${pkg} does not link to $(get_pkgpool_for_host)/${pkg}" - bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkg} || fail "${pkg} not in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" + ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" ] \ + && bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkg}) \ + || fail "${pkg} not in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" local pkgbase=$(getpkgbase "${FTP_BASE}/$(get_pkgpool_for_host)/${pkg}") svn up -q "${TMP}/svn-packages-copy/${pkgbase}" - [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-${arch}" ] || fail "svn-packages-copy/${pkgbase}/repos/${repo}-${arch} does not exist" + [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-${arch}" ] \ + || fail "svn-packages-copy/${pkgbase}/repos/${repo}-${arch} does not exist" } checkRemovedPackage() { 
@@ -118,10 +129,13 @@ checkRemovedPackage() { local pkgbase=$2 local arch=$3 - bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkgbase} && fail "${pkgbase} should not be in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" + ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" ] \ + && bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkgbase}) \ + && fail "${pkgbase} should not be in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" svn up -q "${TMP}/svn-packages-copy/${pkgbase}" - [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-${arch}" ] && fail "svn-packages-copy/${pkgbase}/repos/${repo}-${arch} should not exist" + [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-${arch}" ] \ + && fail "svn-packages-copy/${pkgbase}/repos/${repo}-${arch} should not exist" } checkRemovedAnyPackage() { @@ -130,9 +144,12 @@ checkRemovedAnyPackage() { local arch for arch in i686 x86_64; do - bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkgbase} && fail "${pkgbase} should not be in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" + ( [ -r "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" ] \ + && bsdtar -xf "${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" -O | grep -q ${pkgbase}) \ + && fail "${pkgbase} should not be in ${repo}/os/${arch}/${repo}${DBEXT%.tar.*}" done svn up -q "${TMP}/svn-packages-copy/${pkgbase}" - [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-any" ] && fail "svn-packages-copy/${pkgbase}/repos/${repo}-any should not exist" + [ -d "${TMP}/svn-packages-copy/${pkgbase}/repos/${repo}-any" ] \ + && fail "svn-packages-copy/${pkgbase}/repos/${repo}-any should not exist" } \ No newline at end of file -- cgit v1.2.3-24-g4f1b
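Review bot: In checkRemovedPackage and checkRemovedAnyPackage the new `[ -r ... ] &&` prefix makes the removal assertion pass whenever the database is missing or unreadable, without looking inside it. If that is meant to cover a database that disappears once its last package is removed, a comment should say so; otherwise an unreadable database silently counts as success. Testing existence separately, e.g. `[ -e "$db" ] && [ ! -r "$db" ] && fail "$db exists but is not readable"` with `db` set to the database path, would keep the two cases apart. `grep -q ${pkgbase}` is also an unquoted regex match, and `grep -qF -- "${pkgbase}"` would avoid word splitting and pattern surprises.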