From: Ansgar Burchardt Date: Tue, 18 Dec 2012 16:13:55 +0000 (+0100) Subject: Check hashes from .changes before loading .dsc. X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6b1c633b7127f1d2ef938b7ea2181ce9e184906;p=dak Check hashes from .changes before loading .dsc. --- diff --git a/daklib/archive.py b/daklib/archive.py index 806ba402..e2b3a17a 100644 --- a/daklib/archive.py +++ b/daklib/archive.py @@ -887,9 +887,8 @@ class ArchiveUpload(object): try: # Validate signatures and hashes before we do any real work: for chk in ( - checks.SignatureCheck, + checks.SignatureAndHashesCheck, checks.ChangesCheck, - checks.HashesCheck, checks.ExternalHashesCheck, checks.SourceCheck, checks.BinaryCheck, diff --git a/daklib/checks.py b/daklib/checks.py index 3c22f390..bfc8a172 100644 --- a/daklib/checks.py +++ b/daklib/checks.py @@ -99,7 +99,7 @@ class Check(object): """ return False -class SignatureCheck(Check): +class SignatureAndHashesCheck(Check): """Check signature of changes and dsc file (if included in upload) Make sure the signature is valid and done by a known user. @@ -108,14 +108,47 @@ class SignatureCheck(Check): changes = upload.changes if not changes.valid_signature: raise Reject("Signature for .changes not valid.") - if changes.source is not None: - if not changes.source.valid_signature: + self._check_hashes(upload, changes.filename, changes.files.itervalues()) + + source = None + try: + source = changes.source + except Exception as e: + raise Reject("Invalid dsc file: {0}".format(e)) + if source is not None: + if not source.valid_signature: raise Reject("Signature for .dsc not valid.") - if changes.source.primary_fingerprint != changes.primary_fingerprint: + if source.primary_fingerprint != changes.primary_fingerprint: raise Reject(".changes and .dsc not signed by the same key.") + self._check_hashes(upload, source.filename, source.files.itervalues()) + if upload.fingerprint is None or upload.fingerprint.uid is None: raise Reject(".changes signed by unknown key.") + """Make sure hashes match existing files + + @type upload: L{daklib.archive.ArchiveUpload} + @param upload: upload we are processing + + @type filename: str + @param filename: name of the file the expected hash values are taken from + + @type files: sequence of L{daklib.upload.HashedFile} + @param files: files to check the hashes for + """ + def _check_hashes(self, upload, filename, files): + try: + for f in files: + f.check(upload.directory) + except IOError as e: + if e.errno == errno.ENOENT: + raise Reject('{0} refers to non-existing file: {1}\n' + 'Perhaps you need to include it in your upload?' + .format(filename, os.path.basename(e.filename))) + raise + except InvalidHashException as e: + raise Reject('{0}: {1}'.format(what, unicode(e))) + class ChangesCheck(Check): """Check changes file for syntax errors.""" def check(self, upload): @@ -173,29 +206,6 @@ class ChangesCheck(Check): return True -class HashesCheck(Check): - """Check hashes in .changes and .dsc are valid.""" - def check(self, upload): - what = None - try: - changes = upload.changes - what = changes.filename - for f in changes.files.itervalues(): - f.check(upload.directory) - source = changes.source - if source is not None: - what = source.filename - for f in source.files.itervalues(): - f.check(upload.directory) - except IOError as e: - if e.errno == errno.ENOENT: - raise Reject('{0} refers to non-existing file: {1}\n' - 'Perhaps you need to include it in your upload?' - .format(what, os.path.basename(e.filename))) - raise - except InvalidHashException as e: - raise Reject('{0}: {1}'.format(what, unicode(e))) - class ExternalHashesCheck(Check): """Checks hashes in .changes and .dsc against an external database.""" def check_single(self, session, f):