X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=dak%2Fprocess_unchecked.py;h=aac33d234662ac6831bc89219169740490467d67;hb=6c92853af8a7ca65fad19cb0f1a0ffaecec48fb7;hp=688fd63c273363b407d96c56f655c09c68ec1ba7;hpb=c226cee81a6268cfdb03dd2ac42efaaae748bdbb;p=dak.git diff --git a/dak/process_unchecked.py b/dak/process_unchecked.py index 688fd63c..aac33d23 100755 --- a/dak/process_unchecked.py +++ b/dak/process_unchecked.py @@ -987,7 +987,7 @@ def check_timestamps(): apt_inst.debExtract(deb_file,tar.callback,"data.tar.gz") except SystemError, e: # If we can't find a data.tar.gz, look for data.tar.bz2 instead. - if not re.match(r"Cannot f[ui]nd chunk data.tar.gz$", str(e)): + if not re.search(r"Cannot f[ui]nd chunk data.tar.gz$", str(e)): raise deb_file.seek(0) apt_inst.debExtract(deb_file,tar.callback,"data.tar.bz2") @@ -1013,6 +1013,48 @@ def check_timestamps(): except: reject("%s: deb contents timestamp check failed [%s: %s]" % (filename, sys.exc_type, sys.exc_value)) +################################################################################ + +def check_signed_by_key(): + """Ensure the .changes is signed by an authorized uploader.""" + + # We only check binary-only uploads right now + if changes["architecture"].has_key("source"): + return + + if not Cnf.Exists("Binary-Upload-Restrictions"): + return + + restrictions = Cnf.SubTree("Binary-Upload-Restrictions") + + # If the restrictions only apply to certain components make sure + # that the upload is actual targeted there. + if restrictions.Exists("Components"): + restricted_components = restrictions.SubTree("Components").ValueList() + is_restricted = False + for file in files: + if files[file]["component"] in restricted_components: + is_restricted = True + break + if not is_restricted: + return + + # Assuming binary only upload restrictions are in place we then + # iterate over suite and architecture checking the key is in the + # allowed list. If no allowed list exists for a given suite or + # architecture it's assumed to be open to anyone. + for suite in changes["distribution"].keys(): + if not restrictions.Exists(suite): + continue + for arch in changes["architecture"].keys(): + if not restrictions.SubTree(suite).Exists(arch): + continue + allowed_keys = restrictions.SubTree("%s::%s" % (suite, arch)).ValueList() + if changes["fingerprint"] not in allowed_keys: + base_filename = os.path.basename(pkg.changes_file) + reject("%s: not signed by authorised uploader for %s/%s" + % (base_filename, suite, arch)) + ################################################################################ ################################################################################ @@ -1202,7 +1244,7 @@ def is_stableupdate (): return 0 if not changes["architecture"].has_key("source"): - pusuite = database.get_suite_id("proposed-updates") + pusuite = daklib.database.get_suite_id("proposed-updates") q = Upload.projectB.query( "SELECT S.source FROM source s JOIN src_associations sa ON (s.id = sa.source) WHERE s.source = '%s' AND s.version = '%s' AND sa.suite = %d" % (changes["source"], changes["version"], pusuite)) @@ -1320,6 +1362,7 @@ def process_it (changes_file): check_md5sums() check_urgency() check_timestamps() + check_signed_by_key() Upload.update_subst(reject_message) action() except SystemExit: