dak/new_security_install.py

   1 #!/usr/bin/env python
   2
   3 # Wrapper for Debian Security team
   4 # Copyright (C) 2006  Anthony Towns <ajt@debian.org>
   5
   6 # This program is free software; you can redistribute it and/or modify
   7 # it under the terms of the GNU General Public License as published by
   8 # the Free Software Foundation; either version 2 of the License, or
   9 # (at your option) any later version.
  10
  11 # This program is distributed in the hope that it will be useful, but
  12 # WITHOUT ANY WARRANTY; without even the implied warranty of
  13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14 # General Public License for more details.
  15
  16 # You should have received a copy of the GNU General Public License
  17 # along with this program; if not, write to the Free Software
  18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
  19 # USA
  20
  21 ################################################################################
  22
  23 import daklib.queue, daklib.logging, daklib.utils, daklib.database
  24 import apt_pkg, os, sys, pwd, time, re, commands
  25
  26 re_taint_free = re.compile(r"^['/;\-\+\.\s\w]+$");
  27
  28 Cnf = None
  29 Options = None
  30 Upload = None
  31 Logger = None
  32
  33 advisory = None
  34 changes = []
  35 srcverarches = {}
  36
  37 def init():
  38     global Cnf, Upload, Options, Logger
  39
  40     Cnf = daklib.utils.get_conf()
  41     Cnf["Dinstall::Options::No-Mail"] = "y"
  42     Arguments = [('h', "help", "Security-Install::Options::Help"),
  43                  ('a', "automatic", "Security-Install::Options::Automatic"),
  44                  ('n', "no-action", "Security-Install::Options::No-Action"),
  45                  ('s', "sudo", "Security-Install::Options::Sudo"),
  46                  (' ', "no-upload", "Security-Install::Options::No-Upload"),
  47                  (' ', "drop-advisory", "Security-Install::Options::Drop-Advisory"),
  48                  ('A', "approve", "Security-Install::Options::Approve"),
  49                  ('R', "reject", "Security-Install::Options::Reject"),
  50                  ('D', "disembargo", "Security-Install::Options::Disembargo") ]
  51
  52     for i in Arguments:
  53         Cnf[i[2]] = ""
  54
  55     arguments = apt_pkg.ParseCommandLine(Cnf, Arguments, sys.argv)
  56
  57     Options = Cnf.SubTree("Security-Install::Options")
  58
  59     whoami = os.getuid()
  60     whoamifull = pwd.getpwuid(whoami)
  61     username = whoamifull[0]
  62     if username != "dak":
  63         print "Non-dak user: %s" % username
  64         Options["Sudo"] = "y"
  65
  66     if Options["Help"]:
  67         print "help yourself"
  68         sys.exit(0)
  69
  70     if len(arguments) == 0:
  71         daklib.utils.fubar("Process what?")
  72
  73     Upload = daklib.queue.Upload(Cnf)
  74     if not Options["Sudo"] and not Options["No-Action"]:
  75         Logger = Upload.Logger = daklib.logging.Logger(Cnf, "new-security-install")
  76
  77     return arguments
  78
  79 def quit():
  80     if Logger:
  81         Logger.close()
  82     sys.exit(0)
  83
  84 def load_args(arguments):
  85     global advisory, changes
  86
  87     adv_ids = {}
  88     if not arguments[0].endswith(".changes"):
  89         adv_ids [arguments[0]] = 1
  90         arguments = arguments[1:]
  91
  92     null_adv_changes = []
  93
  94     changesfiles = {}
  95     for a in arguments:
  96         if "/" in a:
  97             daklib.utils.fubar("can only deal with files in the current directory")
  98         if not a.endswith(".changes"):
  99             daklib.utils.fubar("not a .changes file: %s" % (a))
 100         Upload.init_vars()
 101         Upload.pkg.changes_file = a
 102         Upload.update_vars()
 103         if "adv id" in Upload.pkg.changes:
 104             changesfiles[a] = 1
 105             adv_ids[Upload.pkg.changes["adv id"]] = 1
 106         else:
 107             null_adv_changes.append(a)
 108
 109     adv_ids = adv_ids.keys()
 110     if len(adv_ids) > 1:
 111         daklib.utils.fubar("multiple advisories selected: %s" % (", ".join(adv_ids)))
 112     if adv_ids == []:
 113         advisory = None
 114     else:
 115         advisory = adv_ids[0]
 116
 117     changes = changesfiles.keys()
 118     return null_adv_changes
 119
 120 def load_adv_changes():
 121     global srcverarches, changes
 122
 123     for c in os.listdir("."):
 124         if not c.endswith(".changes"): continue
 125         Upload.init_vars()
 126         Upload.pkg.changes_file = c
 127         Upload.update_vars()
 128         if "adv id" not in Upload.pkg.changes:
 129             continue
 130         if Upload.pkg.changes["adv id"] != advisory:
 131             continue
 132
 133         if c not in changes: changes.append(c)
 134         srcver = "%s %s" % (Upload.pkg.changes["source"],
 135                             Upload.pkg.changes["version"])
 136         srcverarches.setdefault(srcver, {})
 137         for arch in Upload.pkg.changes["architecture"].keys():
 138             srcverarches[srcver][arch] = 1
 139
 140 def advisory_info():
 141     if advisory != None:
 142         print "Advisory: %s" % (advisory)
 143     print "Changes:"
 144     for c in changes:
 145         print " %s" % (c)
 146
 147     print "Packages:"
 148     svs = srcverarches.keys()
 149     svs.sort()
 150     for sv in svs:
 151         as = srcverarches[sv].keys()
 152         as.sort()
 153         print " %s (%s)" % (sv, ", ".join(as))
 154
 155 def prompt(opts, default):
 156     p = ""
 157     v = {}
 158     for o in opts:
 159         v[o[0].upper()] = o
 160         if o[0] == default:
 161             p += ", [%s]%s" % (o[0], o[1:])
 162         else:
 163             p += ", " + o
 164     p = p[2:] + "? "
 165     a = None
 166
 167     if Options["Automatic"]:
 168         a = default
 169
 170     while a not in v:
 171         a = daklib.utils.our_raw_input(p) + default
 172         a = a[:1].upper()
 173
 174     return v[a]
 175
 176 def add_changes(extras):
 177     for c in extras:
 178         changes.append(c)
 179         Upload.init_vars()
 180         Upload.pkg.changes_file = c
 181         Upload.update_vars()
 182         srcver = "%s %s" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
 183         srcverarches.setdefault(srcver, {})
 184         for arch in Upload.pkg.changes["architecture"].keys():
 185             srcverarches[srcver][arch] = 1
 186         Upload.pkg.changes["adv id"] = advisory
 187         Upload.dump_vars(os.getcwd())
 188
 189 def yes_no(prompt):
 190     if Options["Automatic"]: return True
 191     while 1:
 192         answer = daklib.utils.our_raw_input(prompt + " ").lower()
 193         if answer in "yn":
 194             return answer == "y"
 195         print "Invalid answer; please try again."
 196
 197 def do_upload():
 198     if Options["No-Upload"]:
 199         print "Not uploading as requested"
 200         return
 201
 202     print "Would upload to ftp-master" # XXX
 203
 204 def generate_advisory(template):
 205     global changes, advisory
 206
 207     adv_packages = []
 208     updated_pkgs = {};  # updated_pkgs[distro][arch][file] = {path,md5,size}
 209
 210     for arg in changes:
 211         arg = daklib.utils.validate_changes_file_arg(arg)
 212         Upload.pkg.changes_file = arg
 213         Upload.init_vars()
 214         Upload.update_vars()
 215
 216         src = Upload.pkg.changes["source"]
 217         src_ver = "%s (%s)" % (src, Upload.pkg.changes["version"])
 218         if src_ver not in adv_packages:
 219             adv_packages.append(src_ver)
 220
 221         suites = Upload.pkg.changes["distribution"].keys()
 222         for suite in suites:
 223             if not updated_pkgs.has_key(suite):
 224                 updated_pkgs[suite] = {}
 225
 226         files = Upload.pkg.files
 227         for file in files.keys():
 228             arch = files[file]["architecture"]
 229             md5 = files[file]["md5sum"]
 230             size = files[file]["size"]
 231             poolname = Cnf["Dir::PoolRoot"] + \
 232                 daklib.utils.poolify(src, files[file]["component"])
 233             if arch == "source" and file.endswith(".dsc"):
 234                 dscpoolname = poolname
 235             for suite in suites:
 236                 if not updated_pkgs[suite].has_key(arch):
 237                     updated_pkgs[suite][arch] = {}
 238                 updated_pkgs[suite][arch][file] = {
 239                     "md5": md5, "size": size, "poolname": poolname }
 240
 241         dsc_files = Upload.pkg.dsc_files
 242         for file in dsc_files.keys():
 243             arch = "source"
 244             if not dsc_files[file].has_key("files id"):
 245                 continue
 246
 247             # otherwise, it's already in the pool and needs to be
 248             # listed specially
 249             md5 = dsc_files[file]["md5sum"]
 250             size = dsc_files[file]["size"]
 251             for suite in suites:
 252                 if not updated_pkgs[suite].has_key(arch):
 253                     updated_pkgs[suite][arch] = {}
 254                 updated_pkgs[suite][arch][file] = {
 255                     "md5": md5, "size": size, "poolname": dscpoolname }
 256
 257     if os.environ.has_key("SUDO_UID"):
 258         whoami = long(os.environ["SUDO_UID"])
 259     else:
 260         whoami = os.getuid()
 261     whoamifull = pwd.getpwuid(whoami)
 262     username = whoamifull[4].split(",")[0]
 263
 264     Subst = {
 265         "__ADVISORY__": advisory,
 266         "__WHOAMI__": username,
 267         "__DATE__": time.strftime("%B %d, %Y", time.gmtime(time.time())),
 268         "__PACKAGE__": ", ".join(adv_packages),
 269         "__DAK_ADDRESS__": Cnf["Dinstall::MyEmailAddress"]
 270         }
 271
 272     if Cnf.has_key("Dinstall::Bcc"):
 273         Subst["__BCC__"] = "Bcc: %s" % (Cnf["Dinstall::Bcc"])
 274
 275     adv = ""
 276     archive = Cnf["Archive::%s::PrimaryMirror" % (daklib.utils.where_am_i())]
 277     for suite in updated_pkgs.keys():
 278         ver = Cnf["Suite::%s::Version" % suite]
 279         if ver != "": ver += " "
 280         suite_header = "%s %s(%s)" % (Cnf["Dinstall::MyDistribution"],
 281                                        ver, suite)
 282         adv += "%s\n%s\n\n" % (suite_header, "-"*len(suite_header))
 283
 284         arches = Cnf.ValueList("Suite::%s::Architectures" % suite)
 285         if "source" in arches:
 286             arches.remove("source")
 287         if "all" in arches:
 288             arches.remove("all")
 289         arches.sort()
 290
 291         adv += "%s updates are available for %s.\n\n" % (
 292                 suite.capitalize(), daklib.utils.join_with_commas_and(arches))
 293
 294         for a in ["source", "all"] + arches:
 295             if not updated_pkgs[suite].has_key(a):
 296                 continue
 297
 298             if a == "source":
 299                 adv += "Source archives:\n\n"
 300             elif a == "all":
 301                 adv += "Architecture independent packages:\n\n"
 302             else:
 303                 adv += "%s architecture (%s)\n\n" % (a,
 304                         Cnf["Architectures::%s" % a])
 305
 306             for file in updated_pkgs[suite][a].keys():
 307                 adv += "  http://%s/%s%s\n" % (
 308                                 archive, updated_pkgs[suite][a][file]["poolname"], file)
 309                 adv += "    Size/MD5 checksum: %8s %s\n" % (
 310                         updated_pkgs[suite][a][file]["size"],
 311                         updated_pkgs[suite][a][file]["md5"])
 312             adv += "\n"
 313     adv = adv.rstrip()
 314
 315     Subst["__ADVISORY_TEXT__"] = adv
 316
 317     adv = daklib.utils.TemplateSubst(Subst, template)
 318     return adv
 319
 320
 321 def spawn(command):
 322     if not re_taint_free.match(command):
 323         daklib.utils.fubar("Invalid character in \"%s\"." % (command))
 324
 325     if Options["No-Action"]:
 326         print "[%s]" % (command)
 327     else:
 328         (result, output) = commands.getstatusoutput(command)
 329         if (result != 0):
 330             daklib.utils.fubar("Invocation of '%s' failed:\n%s\n" % (command, output), result)
 331
 332
 333 ##################### ! ! ! N O T E ! ! !  #####################
 334 #
 335 # These functions will be reinvoked by semi-priveleged users, be careful not
 336 # to invoke external programs that will escalate privileges, etc.
 337 #
 338 ##################### ! ! ! N O T E ! ! !  #####################
 339
 340 def sudo(arg, fn, exit):
 341     if Options["Sudo"]:
 342         if advisory == None:
 343             daklib.utils.fubar("Must set advisory name")
 344         os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H",
 345                   "/usr/local/bin/dak new-security-install", "-"+arg, "--", advisory)
 346     else:
 347         fn()
 348     if exit:
 349         quit()
 350
 351 def do_Approve(): sudo("A", _do_Approve, True)
 352 def _do_Approve():
 353     # 1. dump advisory in drafts
 354     draft = "/org/security.debian.org/advisories/drafts/%s" % (advisory)
 355     print "Advisory in %s" % (draft)
 356     if not Options["No-Action"]:
 357         adv_file = "./advisory.%s" % (advisory)
 358         if not os.path.exists(adv_file):
 359             adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
 360         adv_fd = os.open(draft, os.O_RDWR|os.O_CREAT|os.O_EXCL, 0664)
 361         os.write(adv_fd, generate_advisory(adv_file))
 362         os.close(adv_fd)
 363         adv_fd = None
 364
 365     # 2. run dak process-accepted on changes
 366     print "Accepting packages..."
 367     spawn("dak process-accepted -pa %s" % (" ".join(changes)))
 368
 369     # 3. run dak make-suite-file-list / apt-ftparchve / dak generate-releases
 370     print "Updating file lists for apt-ftparchive..."
 371     spawn("dak make-suite-file-list")
 372     print "Updating Packages and Sources files..."
 373     spawn("apt-ftparchive generate %s" % (daklib.utils.which_apt_conf_file()))
 374     print "Updating Release files..."
 375     spawn("dak generate-releases")
 376     print "Triggering security mirrors..."
 377     spawn("sudo -u archvsync /home/archvsync/signal_security")
 378
 379     # 4. chdir to done - do upload
 380     if not Options["No-Action"]:
 381         os.chdir(Cnf["Dir::Queue::Done"])
 382     do_upload()
 383
 384 def do_Disembargo(): sudo("D", _do_Disembargo, True)
 385 def _do_Disembargo():
 386     if os.getcwd() != Cnf["Dir::Queue::Embargoed"].rstrip("/"):
 387         daklib.utils.fubar("Can only disembargo from %s" % Cnf["Dir::Queue::Embargoed"])
 388
 389     dest = Cnf["Dir::Queue::Unembargoed"]
 390     emb_q = daklib.database.get_or_set_queue_id("embargoed")
 391     une_q = daklib.database.get_or_set_queue_id("unembargoed")
 392
 393     for c in changes:
 394         print "Disembargoing %s" % (c)
 395
 396         Upload.init_vars()
 397         Upload.pkg.changes_file = c
 398         Upload.update_vars()
 399
 400         if "source" in Upload.pkg.changes["architecture"].keys():
 401             print "Adding %s %s to disembargo table" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"])
 402             Upload.projectB.query("INSERT INTO disembargo (package, version) VALUES ('%s', '%s')" % (Upload.pkg.changes["source"], Upload.pkg.changes["version"]))
 403
 404         files = {}
 405         for suite in Upload.pkg.changes["distribution"].keys():
 406             if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
 407                 continue
 408             dest_dir = Cnf["Dir::QueueBuild"]
 409             if Cnf.FindB("Dinstall::SecurityQueueBuild"):
 410                 dest_dir = os.path.join(dest_dir, suite)
 411             for file in Upload.pkg.files.keys():
 412                 files[os.path.join(dest_dir, file)] = 1
 413
 414         files = files.keys()
 415         Upload.projectB.query("BEGIN WORK")
 416         for f in files:
 417             Upload.projectB.query("UPDATE queue_build SET queue = %s WHERE filename = '%s' AND queue = %s" % (une_q, f, emb_q))
 418         Upload.projectB.query("COMMIT WORK")
 419
 420         for file in Upload.pkg.files.keys():
 421             daklib.utils.copy(file, os.path.join(dest, file))
 422             os.unlink(file)
 423
 424     for c in changes:
 425         daklib.utils.copy(c, os.path.join(dest, c))
 426         os.unlink(c)
 427         k = c[:8] + ".dak"
 428         daklib.utils.copy(k, os.path.join(dest, k))
 429         os.unlink(k)
 430
 431 def do_Reject(): sudo("R", _do_Reject, True)
 432 def _do_Reject():
 433     global changes
 434     for c in changes:
 435         print "Rejecting %s..." % (c)
 436         Upload.init_vars()
 437         Upload.pkg.changes_file = c
 438         Upload.update_vars()
 439         files = {}
 440         for suite in Upload.pkg.changes["distribution"].keys():
 441             if suite not in Cnf.ValueList("Dinstall::QueueBuildSuites"):
 442                 continue
 443             dest_dir = Cnf["Dir::QueueBuild"]
 444             if Cnf.FindB("Dinstall::SecurityQueueBuild"):
 445                 dest_dir = os.path.join(dest_dir, suite)
 446             for file in Upload.pkg.files.keys():
 447                 files[os.path.join(dest_dir, file)] = 1
 448
 449         files = files.keys()
 450
 451         aborted = Upload.do_reject()
 452         if not aborted:
 453             os.unlink(c[:-8]+".katie")
 454             for f in files:
 455                 Upload.projectB.query(
 456                     "DELETE FROM queue_build WHERE filename = '%s'" % (f))
 457                 os.unlink(f)
 458
 459     print "Updating buildd information..."
 460     spawn("/org/security.debian.org/katie/cron.buildd-security")
 461
 462     adv_file = "./advisory.%s" % (advisory)
 463     if os.path.exists(adv_file):
 464         os.unlink(adv_file)
 465
 466 def do_DropAdvisory():
 467     for c in changes:
 468         Upload.init_vars()
 469         Upload.pkg.changes_file = c
 470         Upload.update_vars()
 471         del Upload.pkg.changes["adv id"]
 472         Upload.dump_vars(os.getcwd())
 473     quit()
 474
 475 def do_Edit():
 476     adv_file = "./advisory.%s" % (advisory)
 477     if not os.path.exists(adv_file):
 478         daklib.utils.copy(Cnf["Dir::Templates"]+"/security-install.advisory", adv_file)
 479     editor = os.environ.get("EDITOR", "vi")
 480     result = os.system("%s %s" % (editor, adv_file))
 481     if result != 0:
 482         daklib.utils.fubar("%s invocation failed for %s." % (editor, adv_file))
 483
 484 def do_Show():
 485     adv_file = "./advisory.%s" % (advisory)
 486     if not os.path.exists(adv_file):
 487         adv_file = Cnf["Dir::Templates"]+"/security-install.advisory"
 488     print "====\n%s\n====" % (generate_advisory(adv_file))
 489
 490 def do_Quit():
 491     quit()
 492
 493 def main():
 494     global changes
 495
 496     args = init()
 497     extras = load_args(args)
 498     if advisory:
 499         load_adv_changes()
 500     if extras:
 501         if not advisory:
 502             changes = extras
 503         else:
 504             if srcverarches == {}:
 505                 if not yes_no("Create new advisory %s?" % (advisory)):
 506                     print "Not doing anything, then"
 507                     quit()
 508             else:
 509                 advisory_info()
 510                 doextras = []
 511                 for c in extras:
 512                     if yes_no("Add %s to %s?" % (c, advisory)):
 513                         doextras.append(c)
 514                 extras = doextras
 515             add_changes(extras)
 516
 517     if not advisory:
 518         daklib.utils.fubar("Must specify an advisory id")
 519
 520     if not changes:
 521         daklib.utils.fubar("No changes specified")
 522
 523     if Options["Approve"]:
 524         advisory_info()
 525         do_Approve()
 526     elif Options["Reject"]:
 527         advisory_info()
 528         do_Reject()
 529     elif Options["Disembargo"]:
 530         advisory_info()
 531         do_Disembargo()
 532     elif Options["Drop-Advisory"]:
 533         advisory_info()
 534         do_DropAdvisory()
 535     else:
 536         while 1:
 537             default = "Q"
 538             opts = ["Approve", "Edit advisory"]
 539             if os.path.exists("./advisory.%s" % advisory):
 540                 default = "A"
 541             else:
 542                 default = "E"
 543             if os.getcwd() == Cnf["Dir::Queue::Embargoed"].rstrip("/"):
 544                 opts.append("Disembargo")
 545             opts += ["Show advisory", "Reject", "Quit"]
 546
 547             advisory_info()
 548             what = prompt(opts, default)
 549
 550             if what == "Quit":
 551                 do_Quit()
 552             elif what == "Approve":
 553                 do_Approve()
 554             elif what == "Edit advisory":
 555                 do_Edit()
 556             elif what == "Show advisory":
 557                 do_Show()
 558             elif what == "Disembargo":
 559                 do_Disembargo()
 560             elif what == "Reject":
 561                 do_Reject()
 562             else:
 563                 daklib.utils.fubar("Impossible answer '%s', wtf?" % (what))
 564
 565 ################################################################################
 566
 567 if __name__ == '__main__':
 568     main()
 569
 570 ################################################################################