tests/sign: new test for summary file verification

Add test for signature verification of summary file during the pull. Adopted version of GPG tests from `test-pull-summary-sigs.sh`. Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>
2019-11-26 13:01:36 +03:00 · 2019-11-26 13:01:36 +03:00 · 1de2efa2ed
parent 40b80344f8
commit 1de2efa2ed
2 changed files with 288 additions and 5 deletions
--- a/Makefile-tests.am
+++ b/Makefile-tests.am
@ -138,13 +138,9 @@ _installed_or_uninstalled_test_scripts = \
 	tests/test-pull-collections.sh \
 	tests/test-config.sh \
 	tests/test-signed-commit.sh \
-	$(NULL)
-
-if USE_LIBSODIUM
-_installed_or_uninstalled_test_scripts += \
 	tests/test-signed-pull.sh \
+	tests/test-signed-pull-summary.sh \
 	$(NULL)
-endif

 if USE_GPGME
 _installed_or_uninstalled_test_scripts += \
--- a/tests/test-signed-pull-summary.sh
+++ b/tests/test-signed-pull-summary.sh
@ -0,0 +1,287 @@
+#!/bin/bash
+#
+# Copyright (C) 2019 Collabora Ltd.
+#
+# SPDX-License-Identifier: LGPL-2.0+
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# Based on test-pull-summary-sigs.sh test.
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo "1..14"
+
+repo_reinit () {
+    ARGS="$*"
+    cd ${test_tmpdir}
+    rm -rf repo
+    mkdir repo
+    ostree_repo_init repo --mode=archive
+    ${OSTREE} --repo=repo remote add \
+        --set=gpg-verify=false --set=gpg-verify-summary=false \
+        --set=sign-verify=false --set=sign-verify-summary=true \
+        ${ARGS} origin $(cat httpd-address)/ostree/gnomerepo
+}
+
+for engine in dummy ed25519
+do
+    case "${engine}" in
+        dummy)
+            # Tests with dummy engine
+            SIGN_KEY="dummysign"
+            PUBLIC_KEY="dummysign"
+            ;;
+        ed25519)
+            if ! has_libsodium; then
+                echo "ok ${engine} pull mirror summary # SKIP due libsodium unavailability"
+                echo "ok ${engine} pull with signed summary # SKIP due libsodium unavailability"
+                echo "ok ${engine} prune summary cache # SKIP due libsodium unavailability"
+                echo "ok ${engine} pull with signed summary and cachedir # SKIP due libsodium unavailability"
+                echo "ok ${engine} pull with invalid ${engine} summary signature fails # SKIP due libsodium unavailability"
+                echo "ok ${engine} pull delta with signed summary # SKIP due libsodium unavailability"
+
+                continue
+            fi
+            gen_ed25519_keys
+            SIGN_KEY="${ED25519SECRET}"
+            PUBLIC_KEY="${ED25519PUBLIC}"
+            ;;
+        *)
+            fatal "Unsupported engine ${engine}"
+            ;;
+    esac
+
+    COMMIT_SIGN="--sign-type=${engine} --sign=${SIGN_KEY}"
+
+    # clenup the testdir prior the next engine
+    rm -rf ${test_tmpdir}/ostree-srv ${test_tmpdir}/gnomerepo ${test_tmpdir}/httpd ${test_tmpdir}/repo ${test_tmpdir}/cachedir\
+        ${test_tmpdir}/main-copy ${test_tmpdir}/other-copy ${test_tmpdir}/yet-another-copy 
+
+    setup_fake_remote_repo1 "archive" "${COMMIT_SIGN}"
+
+    # Now, setup multiple branches
+    mkdir ${test_tmpdir}/ostree-srv/other-files
+    cd ${test_tmpdir}/ostree-srv/other-files
+    echo 'hello world another object' > hello-world
+    ${CMD_PREFIX} ostree  --repo=${test_tmpdir}/ostree-srv/gnomerepo commit ${COMMIT_SIGN} -b other -s "A commit" -m "Another Commit body"
+
+    mkdir ${test_tmpdir}/ostree-srv/yet-other-files
+    cd ${test_tmpdir}/ostree-srv/yet-other-files
+    echo 'hello world yet another object' > yet-another-hello-world
+    ${CMD_PREFIX} ostree  --repo=${test_tmpdir}/ostree-srv/gnomerepo commit ${COMMIT_SIGN} -b yet-another -s "A commit" -m "Another Commit body"
+
+    ${CMD_PREFIX} ostree --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u
+
+    prev_dir=`pwd`
+    cd ${test_tmpdir}
+    ostree_repo_init repo --mode=archive
+    ${CMD_PREFIX} ostree --repo=repo remote add \
+        --set=gpg-verify=false --set=gpg-verify-summary=false \
+        --set=sign-verify=false --set=sign-verify-summary=false \
+        origin $(cat httpd-address)/ostree/gnomerepo
+    ${CMD_PREFIX} ostree --repo=repo pull --mirror origin
+    assert_has_file repo/summary
+    ${CMD_PREFIX} ostree --repo=repo checkout -U main main-copy
+    assert_file_has_content main-copy/baz/cow "moo"
+    ${CMD_PREFIX} ostree --repo=repo checkout -U other other-copy
+    assert_file_has_content other-copy/hello-world "hello world another object"
+    ${CMD_PREFIX} ostree --repo=repo checkout -U yet-another yet-another-copy
+    assert_file_has_content yet-another-copy/yet-another-hello-world "hello world yet another object"
+    ${CMD_PREFIX} ostree --repo=repo fsck
+    echo "ok ${engine} pull mirror summary"
+
+
+    cd $prev_dir
+
+    ${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u ${COMMIT_SIGN}
+
+    cd ${test_tmpdir}
+    repo_reinit --set=verification-key=${PUBLIC_KEY}
+    ${OSTREE} --repo=repo pull origin main
+    assert_has_file repo/tmp/cache/summaries/origin
+    assert_has_file repo/tmp/cache/summaries/origin.sig
+
+    rm repo/tmp/cache/summaries/origin
+    ${OSTREE} --repo=repo pull origin main
+    assert_has_file repo/tmp/cache/summaries/origin
+
+    echo "ok ${engine} pull with signed summary"
+
+    touch repo/tmp/cache/summaries/foo
+    touch repo/tmp/cache/summaries/foo.sig
+    ${OSTREE} --repo=repo prune
+    assert_not_has_file repo/tmp/cache/summaries/foo
+    assert_not_has_file repo/tmp/cache/summaries/foo.sig
+    assert_has_file repo/tmp/cache/summaries/origin
+    assert_has_file repo/tmp/cache/summaries/origin.sig
+    echo "ok ${engine} prune summary cache"
+
+    cd ${test_tmpdir}
+    repo_reinit --set=verification-key=${PUBLIC_KEY}
+    mkdir cachedir
+    ${OSTREE} --repo=repo pull --cache-dir=cachedir origin main
+    assert_not_has_file repo/tmp/cache/summaries/origin
+    assert_not_has_file repo/tmp/cache/summaries/origin.sig
+    assert_has_file cachedir/summaries/origin
+    assert_has_file cachedir/summaries/origin.sig
+
+    rm cachedir/summaries/origin
+    ${OSTREE} --repo=repo pull --cache-dir=cachedir origin main
+    assert_not_has_file repo/tmp/cache/summaries/origin
+    assert_has_file cachedir/summaries/origin
+
+    echo "ok ${engine} pull with signed summary and cachedir"
+
+    cd ${test_tmpdir}
+    repo_reinit --set=verification-key=${PUBLIC_KEY}
+    mv ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{,.good}
+    echo invalid > ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig
+    if ${OSTREE} --repo=repo pull origin main 2>err.txt; then
+        assert_not_reached "Successful pull with invalid ${engine} signature"
+    fi
+    assert_file_has_content err.txt "Can't verify summary"
+    mv ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.good,}
+    echo "ok ${engine} pull with invalid ${engine} summary signature fails"
+
+    # Generate a delta
+    ${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo static-delta generate --empty main
+    ${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u ${COMMIT_SIGN}
+
+    cd ${test_tmpdir}
+    repo_reinit --set=verification-key=${PUBLIC_KEY}
+    ${OSTREE} --repo=repo pull origin main
+    echo "ok ${engine} pull delta with signed summary"
+
+done
+
+if ! has_libsodium; then
+    echo "ok ${engine} pull with signed summary remote old summary # SKIP due libsodium unavailability"
+    echo "ok ${engine} pull with signed summary broken cache # SKIP due libsodium unavailability"
+    exit 0
+fi
+
+gen_ed25519_keys
+SIGN_KEY="${ED25519SECRET}"
+PUBLIC_KEY="${ED25519PUBLIC}"
+COMMIT_SIGN="--sign-type=${engine} --sign=${SIGN_KEY}"
+
+
+# Verify 'ostree remote summary' output.
+${OSTREE} --repo=repo remote summary origin > summary.txt
+assert_file_has_content summary.txt "* main"
+assert_file_has_content summary.txt "* other"
+assert_file_has_content summary.txt "* yet-another"
+grep static-deltas summary.txt > static-deltas.txt
+assert_file_has_content static-deltas.txt \
+    $(${OSTREE} --repo=repo rev-parse origin:main)
+
+## Tests for handling of cached summaries while racing with remote summary updates
+
+# Make 2 different but valid summary/signature pairs to test races with
+${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u ${COMMIT_SIGN}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{,.1}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{,.1}
+mkdir ${test_tmpdir}/ostree-srv/even-another-files
+cd ${test_tmpdir}/ostree-srv/even-another-files
+echo 'hello world even another object' > even-another-hello-world
+${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo commit ${COMMIT_SIGN} -b even-another -s "A commit" -m "Another Commit body"
+${OSTREE} --repo=${test_tmpdir}/ostree-srv/gnomerepo summary -u ${COMMIT_SIGN}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{,.2}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{,.2}
+cd ${test_tmpdir}
+
+# Reset to the old valid summary and pull to cache it
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{.1,}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.1,}
+repo_reinit --set=verification-key=${PUBLIC_KEY}
+${OSTREE} --repo=repo pull origin main
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.1 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.1 >&2
+
+# Simulate a pull race where the client gets the old summary and the new
+# summary signature since it was generated on the server between the
+# requests
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.2,}
+if ${OSTREE} --repo=repo pull origin main 2>err.txt; then
+    assert_not_reached "Successful pull with old summary"
+fi
+assert_file_has_content err.txt "Can't verify summary"
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.1 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.1 >&2
+
+# Publish correct summary and check that subsequent pull succeeds
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{.2,}
+${OSTREE} --repo=repo pull origin main
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.2 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.2 >&2
+
+echo "ok ${engine} pull with signed summary remote old summary"
+
+
+# Reset to the old valid summary and pull to cache it
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{.1,}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.1,}
+repo_reinit --set=verification-key=${PUBLIC_KEY}
+${OSTREE} --repo=repo pull origin main
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.1 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.1 >&2
+
+# Simulate a broken summary cache to see if it can be recovered from.
+# Prior to commit c4c2b5eb the client would save the summary to the
+# cache before validating the signature. That would mean the cache would
+# have mismatched summary and signature and ostree would remain
+# deadlocked there until the remote published a new signature.
+#
+# First pull with OSTREE_REPO_TEST_ERROR=invalid-cache to see the
+# invalid cache is detected. Then pull again to check if it can be
+# recovered from.
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.2 repo/tmp/cache/summaries/origin
+if OSTREE_REPO_TEST_ERROR=invalid-cache ${OSTREE} --repo=repo pull origin main 2>err.txt; then
+    assert_not_reached "Should have hit OSTREE_REPO_TEST_ERROR_INVALID_CACHE"
+fi
+assert_file_has_content err.txt "OSTREE_REPO_TEST_ERROR_INVALID_CACHE"
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.2 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.1 >&2
+${OSTREE} --repo=repo pull origin main
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.1 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.1 >&2
+
+# Publish new signature and check that subsequent pull succeeds
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary{.2,}
+cp ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig{.2,}
+${OSTREE} --repo=repo pull origin main
+assert_has_file repo/tmp/cache/summaries/origin
+assert_has_file repo/tmp/cache/summaries/origin.sig
+cmp repo/tmp/cache/summaries/origin ${test_tmpdir}/ostree-srv/gnomerepo/summary.2 >&2
+cmp repo/tmp/cache/summaries/origin.sig ${test_tmpdir}/ostree-srv/gnomerepo/summary.sig.2 >&2
+
+echo "ok ${engine} pull with signed summary broken cache"
+