Add configurable binary upload restrictions.

diff --git a/ChangeLog b/ChangeLog
index 5f347bbb08e281ca5213ef89b2890c30ae126bb9..c35c46b515f9a749b1980679be10e6715f605955 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2007-02-08  James Troup  <james@nocrew.org>
+
+       * dak/process_unchecked.py (check_signed_by_key): new function to
+       ensure .changes files are signed by an authorized uploader.
+       (process_it): use it.
+
+       * config/debian/dak.conf (Binary-Upload-Restrictions): new stanza
+       to configure per suite/component/architecture binary upload
+       restrictions.
+
 2006-06-26  Ryan Murray  <rmurray@debian.org>
 
        * dak/process_unchecked.py (check_files): strip optional source version

diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 741a4a1144c2e48e19916081562556a9312a3384..6615e9f97bb8804a8b97329ebb25cbee590d20bf 100644 (file)
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -34,6 +34,29 @@ Dinstall
    };
 };
 
+Binary-Upload-Restrictions
+{
+ Components
+ {
+   main;
+   contrib;
+ };
+ unstable
+ {
+   arm
+   {
+     9BF093BC475BABF8B6AEA5F6D7C3F131AB2A91F5;
+     70BC7F9D8C60D2265B7076A23760DBCFFD6645AB;
+     F849E2025D1C194DE62BC6C829BE5D2268FD549F;
+   };
+   alpha 
+   {
+     9BF093BC475BABF8B6AEA5F6D7C3F131AB2A91F5;
+     70BC7F9D8C60D2265B7076A23760DBCFFD6645AB;
+   };   
+  };
+};
+
 Generate-Index-Diffs
 {
    Options

diff --git a/dak/process_unchecked.py b/dak/process_unchecked.py
index 688fd63c273363b407d96c56f655c09c68ec1ba7..df2e7a35c63fe7fbe001a39ad7d138846603b8be 100755 (executable)
--- a/dak/process_unchecked.py
+++ b/dak/process_unchecked.py
@@ -1013,6 +1013,48 @@ def check_timestamps():
             except:
                 reject("%s: deb contents timestamp check failed [%s: %s]" % (filename, sys.exc_type, sys.exc_value))
 
+################################################################################
+
+def check_signed_by_key():
+    """Ensure the .changes is signed by an authorized uploader."""
+
+    # We only check binary-only uploads right now
+    if changes["architecture"].has_key("source"):
+        return
+
+    if not Cnf.Exists("Binary-Upload-Restrictions"):
+        return
+
+    restrictions = Cnf.SubTree("Binary-Upload-Restrictions")
+
+    # If the restrictions only apply to certain components make sure
+    # that the upload is actual targeted there.
+    if restrictions.Exists("Components"):
+        restricted_components = restrictions.SubTree("Components").ValueList()
+        is_restricted = False
+        for file in files:
+            if files[file]["component"] in restricted_components:
+                is_restricted = True
+                break
+        if not is_restricted:
+            return
+
+    # Assuming binary only upload restrictions are in place we then
+    # iterate over suite and architecture checking the key is in the
+    # allowed list.  If no allowed list exists for a given suite or
+    # architecture it's assumed to be open to anyone.
+    for suite in changes["distribution"].keys():
+        if not restrictions.Exists(suite):
+            continue
+        for arch in changes["architecture"].keys():
+            if not restrictions.SubTree(suite).Exists(arch):
+                continue
+            allowed_keys = restrictions.SubTree("%s::%s" % (suite, arch)).ValueList()
+            if changes["fingerprint"] not in allowed_keys:
+                base_filename = os.path.basename(pkg.changes_file)
+                reject("%s: not signed by authorised uploader for %s/%s"
+                       % (base_filename, suite, arch))
+
 ################################################################################
 ################################################################################
 
@@ -1320,6 +1362,7 @@ def process_it (changes_file):
                 check_md5sums()
                 check_urgency()
                 check_timestamps()
+                check_signed_by_key()
         Upload.update_subst(reject_message)
         action()
     except SystemExit: