From: James Troup Date: Thu, 8 Feb 2007 00:08:43 +0000 (+0000) Subject: Add configurable binary upload restrictions. X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e6fbf1d68ed68b0ee047858e1375f50697c1eb1;p=dak Add configurable binary upload restrictions. --- diff --git a/ChangeLog b/ChangeLog index 5f347bbb..c35c46b5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2007-02-08 James Troup + + * dak/process_unchecked.py (check_signed_by_key): new function to + ensure .changes files are signed by an authorized uploader. + (process_it): use it. + + * config/debian/dak.conf (Binary-Upload-Restrictions): new stanza + to configure per suite/component/architecture binary upload + restrictions. + 2006-06-26 Ryan Murray * dak/process_unchecked.py (check_files): strip optional source version diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 741a4a11..6615e9f9 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -34,6 +34,29 @@ Dinstall }; }; +Binary-Upload-Restrictions +{ + Components + { + main; + contrib; + }; + unstable + { + arm + { + 9BF093BC475BABF8B6AEA5F6D7C3F131AB2A91F5; + 70BC7F9D8C60D2265B7076A23760DBCFFD6645AB; + F849E2025D1C194DE62BC6C829BE5D2268FD549F; + }; + alpha + { + 9BF093BC475BABF8B6AEA5F6D7C3F131AB2A91F5; + 70BC7F9D8C60D2265B7076A23760DBCFFD6645AB; + }; + }; +}; + Generate-Index-Diffs { Options diff --git a/dak/process_unchecked.py b/dak/process_unchecked.py index 688fd63c..df2e7a35 100755 --- a/dak/process_unchecked.py +++ b/dak/process_unchecked.py @@ -1013,6 +1013,48 @@ def check_timestamps(): except: reject("%s: deb contents timestamp check failed [%s: %s]" % (filename, sys.exc_type, sys.exc_value)) +################################################################################ + +def check_signed_by_key(): + """Ensure the .changes is signed by an authorized uploader.""" + + # We only check binary-only uploads right now + if changes["architecture"].has_key("source"): + return + + if not Cnf.Exists("Binary-Upload-Restrictions"): + return + + restrictions = Cnf.SubTree("Binary-Upload-Restrictions") + + # If the restrictions only apply to certain components make sure + # that the upload is actual targeted there. + if restrictions.Exists("Components"): + restricted_components = restrictions.SubTree("Components").ValueList() + is_restricted = False + for file in files: + if files[file]["component"] in restricted_components: + is_restricted = True + break + if not is_restricted: + return + + # Assuming binary only upload restrictions are in place we then + # iterate over suite and architecture checking the key is in the + # allowed list. If no allowed list exists for a given suite or + # architecture it's assumed to be open to anyone. + for suite in changes["distribution"].keys(): + if not restrictions.Exists(suite): + continue + for arch in changes["architecture"].keys(): + if not restrictions.SubTree(suite).Exists(arch): + continue + allowed_keys = restrictions.SubTree("%s::%s" % (suite, arch)).ValueList() + if changes["fingerprint"] not in allowed_keys: + base_filename = os.path.basename(pkg.changes_file) + reject("%s: not signed by authorised uploader for %s/%s" + % (base_filename, suite, arch)) + ################################################################################ ################################################################################ @@ -1320,6 +1362,7 @@ def process_it (changes_file): check_md5sums() check_urgency() check_timestamps() + check_signed_by_key() Upload.update_subst(reject_message) action() except SystemExit: