author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:00:48 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 09:00:48 +0000 |
commit | 851b6a097165af4d51c0db01b5e05256e5006896 (patch) | |
tree | 5f7c388ec894a7806c49a99f3bdb605d0b299a7c /test/integration/test-releasefile-date | |
parent | Initial commit. (diff) | |
Adding upstream version 2.6.1. (upstream/2.6.1, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rwxr-xr-x | test/integration/test-releasefile-date | 46 | ||||
-rwxr-xr-x | test/integration/test-releasefile-date-older | 132 |
2 files changed, 178 insertions, 0 deletions
diff --git a/test/integration/test-releasefile-date b/test/integration/test-releasefile-date
new file mode 100755
index 0000000..a985074
--- /dev/null
+++ b/test/integration/test-releasefile-date
@@ -0,0 +1,46 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'wheezy' 'apt' 'all' '0.8.15'
+
+getlabelfromsuite() {
+ echo -n 'Testcases'
+}
+
+setupaptarchive --no-update
+
+runtest() {
+ local MSG="$1"
+ msgtest "Release file is $MSG as it has" "$2"
+ rm -rf rootdir/var/lib/apt/lists
+ generatereleasefiles "$3"
+ signreleasefiles
+ shift 3
+ if [ "$MSG" = 'accepted' ]; then
+ testsuccess --nomsg aptget update "$@"
+ testfailure grep -q 'is not valid yet' rootdir/tmp/testsuccess.output
+ else
+ testfailure --nomsg aptget update "$@"
+ testsuccess grep -q 'is not valid yet' rootdir/tmp/testfailure.output
+ fi
+}
+
+
+runtest 'accepted' 'no date' ''
+runtest 'accepted' 'ok date' 'now + 1 hour'
+runtest 'rejected' 'date to far in the future' 'now + 12 hours'
+runtest 'accepted' 'date to far in the future, but accepted via option' 'now + 12 hours' -o Acquire::Max-FutureTime=86400
+
+sed -i -e 's#\(deb\(-src\)\?\) #\1 [check-date=no] #' rootdir/etc/apt/sources.list.d/*
+runtest 'accepted' 'bad Date but overridden by sources option' 'now + 1 day'
+
+sed -i -e 's#\(deb\(-src\)\?\) \[.*\] #\1 [date-max-future=86400] #' rootdir/etc/apt/sources.list.d/*
+runtest 'accepted' 'Date allowed via sources list option via sources option' 'now + 12 hours'
+
+sed -i -e 's#\(deb\(-src\)\?\) \[.*\] #\1 [date-max-future=86405] #' rootdir/etc/apt/sources.list.d/*
+runtest 'rejected' 'Date further in the future than allowed by sources.list option' 'now + 2 day'
diff --git a/test/integration/test-releasefile-date-older b/test/integration/test-releasefile-date-older
new file mode 100755
index 0000000..81c71ea
--- /dev/null
+++ b/test/integration/test-releasefile-date-older
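Review bot: In test/integration/test-releasefile-date, the command-line limit `Acquire::Max-FutureTime=86400` is only exercised in an accepting case, so a regression that made the option switch the future-date check off entirely, instead of raising its bound, would still pass. The sources.list option is tested in both directions (`date-max-future=86400` accepted, `date-max-future=86405` rejected); a matching call such as `runtest 'rejected' 'date beyond the limit set via option' 'now + 2 days' -o Acquire::Max-FutureTime=86400`, placed before the first `sed -i`, would cover the same boundary for the config option. Separately, `echo -n` in `getlabelfromsuite` is not portable under `#!/bin/sh`; `printf '%s' 'Testcases'` gives the same output without depending on the shell's echo, and the two test descriptions should read "too far".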
@@ -0,0 +1,132 @@
+#!/bin/sh
+set -e
+
+TESTDIR="$(readlink -f "$(dirname "$0")")"
+. "$TESTDIR/framework"
+setupenvironment
+configarchitecture 'i386'
+
+insertpackage 'wheezy' 'apt' 'all' '0.8.15'
+
+setupaptarchive --no-update
+
+# we don't complain as the server could have just sent a 'Hit' here and this
+# 'downgrade attack' is usually performed by out-of-sync mirrors. Valid-Until
+# catches the 'real' downgrade attacks (expect that it finds stale mirrors).
+# Scaring users with an error here serves hence no point.
+
+msgmsg 'InRelease file is silently rejected if' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release.gpg file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='InRelease'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Crisscross InRelease/Release.gpg file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='Release.gpg'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testsuccess aptget update
+export APT_DONT_SIGN='InRelease'
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Crisscross Release.gpg/InRelease file is silently rejected if' 'new Date is before old Date'
+export APT_DONT_SIGN='InRelease'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+find aptarchive -name 'InRelease' -delete
+testsuccess aptget update
+export APT_DONT_SIGN='Release.gpg'
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testsuccess aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+unset APT_DONT_SIGN
+
+msgmsg 'Release file has' 'no Date and no Valid-Until field'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testwarning aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+sed -i '/^Codename: / a\
+Another-Field: yes' $(find aptarchive/ -name 'Release')
+touch -d 'now + 1 day' $(find aptarchive/ -name 'Release')
+signreleasefiles "${2:-Joe Sixpack}"
+testwarning aptget update
+testsuccess cmp $(find aptarchive/ -name 'InRelease') $(find rootdir/var/lib/apt/ -name '*_InRelease')
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until expired'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now - 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testfailure aptget update
+listcurrentlistsdirectory > listsdir.lst
+# have no effect as Date is unknown
+testfailure aptget update -o Acquire::Min-ValidTime=$((3600*24*30))
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testfailure aptget update -o Acquire::Max-ValidTime=1
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+
+msgmsg 'Release file has' 'no Date field, but Valid-Until is good'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 2 days'
+sed -i '/^Date: / d' $(find ./aptarchive -name 'Release')
+signreleasefiles
+testwarning aptget update
+
+# the repo is now signed by unknown key, but marked as trusted
+rm -rf rootdir/etc/apt/trusted.gpg.d
+sed -i -e 's#\(deb\(-src\)\?\) #\1 [trusted=yes] #' rootdir/etc/apt/sources.list.d/*
+
+msgmsg 'Forgot to disable in follow-up' 'Check-Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now + 3 days' 'now + 7 days'
+signreleasefiles
+testfailure aptget update
+testwarning aptget update -o Acquire::Check-Date=no
+listcurrentlistsdirectory > listsdir.lst
+generatereleasefiles 'now + 5 days' 'now + 13 days'
+signreleasefiles
+testfailure aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)"
+testwarning aptget update -o Acquire::Check-Date=no
+testsuccess cmp "$(find aptarchive/ -name 'InRelease')" "$(find rootdir/var/lib/apt/ -name '*_Release')"
+
+msgmsg 'Force-Trusted InRelease file is silently ignored' 'new Date is before old Date'
+rm -rf rootdir/var/lib/apt/lists
+generatereleasefiles 'now' 'now + 7 days'
+signreleasefiles
+testwarning aptget update
+listcurrentlistsdirectory > listsdir.lst
+redatereleasefiles 'now - 2 days'
+testwarning aptget update
+testfileequal 'listsdir.lst' "$(listcurrentlistsdirectory)" |
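Review bot: In the 'no Date and no Valid-Until field' case, `signreleasefiles "${2:-Joe Sixpack}"` runs at script top level, so `$2` is the test script's own second argument and not a function parameter. The identity used to re-sign the modified Release file therefore depends on how the script is invoked, which looks like a leftover from a function body. Writing `signreleasefiles 'Joe Sixpack'` would pin the signer. In the same case, `testsuccess cmp $(find …) $(find …)` leaves both substitutions unquoted while the later 'Check-Date' case quotes them; quoting both makes a stray extra match fail loudly in `cmp` instead of shifting its arguments. In the leading comment, "expect that it finds stale mirrors" presumably means "except".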