From 456f515522b31bb59f03e2b30a2d86b0faa7d106 Mon Sep 17 00:00:00 2001 From: Alexander Larsson Date: Wed, 23 Mar 2016 12:32:03 +0100 Subject: [PATCH] Add --untrusted option to pull and pull-local https://bugzilla.gnome.org/show_bug.cgi?id=764125 Closes: #221 Approved by: cgwalters --- Makefile-tests.am | 1 + man/ostree-pull-local.xml | 8 ++++ man/ostree-pull.xml | 8 ++++ src/ostree/ot-builtin-pull-local.c | 8 +++- src/ostree/ot-builtin-pull.c | 5 +++ tests/test-pull-untrusted.sh | 63 ++++++++++++++++++++++++++++++ 6 files changed, 92 insertions(+), 1 deletion(-) create mode 100755 tests/test-pull-untrusted.sh diff --git a/Makefile-tests.am b/Makefile-tests.am index 50c714a9..ce562265 100644 --- a/Makefile-tests.am +++ b/Makefile-tests.am @@ -48,6 +48,7 @@ test_scripts = \ tests/test-pull-metalink.sh \ tests/test-pull-summary-sigs.sh \ tests/test-pull-resume.sh \ + tests/test-pull-untrusted.sh \ tests/test-local-pull-depth.sh \ tests/test-gpg-signed-commit.sh \ tests/test-admin-upgrade-unconfigured.sh \ diff --git a/man/ostree-pull-local.xml b/man/ostree-pull-local.xml index 2ecd12c1..67898743 100644 --- a/man/ostree-pull-local.xml +++ b/man/ostree-pull-local.xml @@ -80,6 +80,14 @@ Boston, MA 02111-1307, USA. Do no invoke fsync(). + + + + + + Do not trust source, verify checksums and don't hardlink into source. + + diff --git a/man/ostree-pull.xml b/man/ostree-pull.xml index c419307e..24ab0b72 100644 --- a/man/ostree-pull.xml +++ b/man/ostree-pull.xml @@ -73,6 +73,14 @@ Boston, MA 02111-1307, USA. + + + + + Do not trust local sources, verify checksums and don't hardlink into source. + + + diff --git a/src/ostree/ot-builtin-pull-local.c b/src/ostree/ot-builtin-pull-local.c index ed87d806..f3ca184a 100644 --- a/src/ostree/ot-builtin-pull-local.c +++ b/src/ostree/ot-builtin-pull-local.c 
@@ -32,11 +32,13 @@ static char *opt_remote; static gboolean opt_disable_fsync; +static gboolean opt_untrusted; static int opt_depth = 0; static GOptionEntry options[] = { { "remote", 0, 0, G_OPTION_ARG_STRING, &opt_remote, "Add REMOTE to refspec", "REMOTE" }, { "disable-fsync", 0, 0, G_OPTION_ARG_NONE, &opt_disable_fsync, "Do not invoke fsync()", NULL }, + { "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not trust source", NULL }, { "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" }, { NULL } }; @@ -54,6 +56,7 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr glnx_unref_object OstreeAsyncProgress *progress = NULL; g_autoptr(GPtrArray) refs_to_fetch = NULL; g_autoptr(GHashTable) source_objects = NULL; + OstreeRepoPullFlags pullflags = 0; context = g_option_context_new ("SRC_REPO [REFS...] - Copy data from SRC_REPO"); @@ -83,6 +86,9 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr src_repo_uri = g_strconcat ("file://", cwd, "/", src_repo_arg, NULL); } + if (opt_untrusted) + pullflags |= OSTREE_REPO_PULL_FLAGS_UNTRUSTED; + if (opt_disable_fsync) ostree_repo_set_disable_fsync (repo, TRUE); @@ -133,7 +139,7 @@ ostree_builtin_pull_local (int argc, char **argv, GCancellable *cancellable, GEr g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{sv}")); g_variant_builder_add (&builder, "{s@v}", "flags", - g_variant_new_variant (g_variant_new_int32 (OSTREE_REPO_PULL_FLAGS_NONE))); + g_variant_new_variant (g_variant_new_int32 (pullflags))); g_variant_builder_add (&builder, "{s@v}", "refs", g_variant_new_variant (g_variant_new_strv ((const char *const*) refs_to_fetch->pdata, -1))); if (opt_remote) diff --git a/src/ostree/ot-builtin-pull.c b/src/ostree/ot-builtin-pull.c index 7c91890f..8bef63a3 100644 --- a/src/ostree/ot-builtin-pull.c +++ b/src/ostree/ot-builtin-pull.c 
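Review bot: The `--help` text for the new option entry, `"Do not trust source"`, does not say what the flag changes, so the security-relevant behaviour is spelled out only in the man page. Suggest `"Do not trust source: verify checksums and do not hardlink into it"`, which matches the wording in man/ostree-pull-local.xml; the same applies to the `"Do not trust (local) sources"` entry in ot-builtin-pull.c. Trusting the source remains the default, so the man page would also benefit from saying when the flag is needed, for example when the source repository is writable by another user (my reading of the intent, not stated in the patch).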
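Review bot: The block that sets `OSTREE_REPO_PULL_FLAGS_UNTRUSTED` has no comment, and `pullflags` is initialised with a bare `0` where the replaced line used the named constant. Suggest `OstreeRepoPullFlags pullflags = OSTREE_REPO_PULL_FLAGS_NONE;` and, above `if (opt_untrusted)`, the comment `/* Untrusted source: verify object checksums and copy rather than hardlink */`. The body of ostree_builtin_pull_local starts and ends outside these hunks.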
@@ -33,6 +33,7 @@ static gboolean opt_commit_only; static gboolean opt_dry_run; static gboolean opt_disable_static_deltas; static gboolean opt_require_static_deltas; +static gboolean opt_untrusted; static char* opt_subpath; static int opt_depth = 0; @@ -43,6 +44,7 @@ static GOptionEntry options[] = { { "require-static-deltas", 0, 0, G_OPTION_ARG_NONE, &opt_require_static_deltas, "Require static deltas", NULL }, { "mirror", 0, 0, G_OPTION_ARG_NONE, &opt_mirror, "Write refs suitable for a mirror", NULL }, { "subpath", 0, 0, G_OPTION_ARG_STRING, &opt_subpath, "Only pull the provided subpath", NULL }, + { "untrusted", 0, 0, G_OPTION_ARG_NONE, &opt_untrusted, "Do not trust (local) sources", NULL }, { "dry-run", 0, 0, G_OPTION_ARG_NONE, &opt_dry_run, "Only print information on what will be downloaded (requires static deltas)", NULL }, { "depth", 0, 0, G_OPTION_ARG_INT, &opt_depth, "Traverse DEPTH parents (-1=infinite) (default: 0)", "DEPTH" }, { NULL } @@ -134,6 +136,9 @@ ostree_builtin_pull (int argc, char **argv, GCancellable *cancellable, GError ** if (opt_commit_only) pullflags |= OSTREE_REPO_PULL_FLAGS_COMMIT_ONLY; + if (opt_untrusted) + pullflags |= OSTREE_REPO_PULL_FLAGS_UNTRUSTED; + if (opt_dry_run && !opt_require_static_deltas) { g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED, diff --git a/tests/test-pull-untrusted.sh b/tests/test-pull-untrusted.sh new file mode 100755 index 00000000..95f7ab93 --- /dev/null +++ b/tests/test-pull-untrusted.sh 
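Review bot: The `--untrusted` branch added to `ostree_builtin_pull` is not exercised by the test in this commit, because tests/test-pull-untrusted.sh only runs `pull-local`. A case that corrupts an object and then runs `ostree pull --untrusted` against a `file://` remote would pin checksum verification for this entry point as well. The help string `"Do not trust (local) sources"` suggests the flag has no effect on other remotes. If so, a comment above the check would help, e.g. `/* Only changes behaviour for local (file://) sources */`; this is inferred from the man page wording, so confirm first. The function body continues outside the hunk.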
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# Copyright (C) 2014 Alexander Larsson
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+
+set -euo pipefail
+
+. $(dirname $0)/libtest.sh
+
+echo '1..3'
+
+setup_test_repository "bare"
+
+cd ${test_tmpdir}
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+
+${CMD_PREFIX} ostree --repo=repo2 --untrusted pull-local repo
+
+find repo2 -type f -links +1 | while read line; do
+ assert_not_reached "pull-local created hardlinks"
+done
+echo "ok pull-local --untrusted didn't hardlink"
+
+# Corrupt repo
+for i in ${test_tmpdir}/repo/objects/*/*.file; do
+ echo "corrupting $i"
+ echo "broke" >> $i
+ break;
+done
+
+rm -rf repo2
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+if ${CMD_PREFIX} ostree --repo=repo2 pull-local repo; then
+ echo "ok trusted pull with corruption succeeded"
+else
+ assert_not_reached "corrupted trusted pull unexpectedly succeeded!"
+fi
+
+rm -rf repo2
+mkdir repo2
+${CMD_PREFIX} ostree --repo=repo2 init --mode="bare"
+if ${CMD_PREFIX} ostree --repo=repo2 pull-local --untrusted repo; then
+ assert_not_reached "corrupted untrusted pull unexpectedly failed!"
+else
+ echo "ok untrusted pull with corruption failed"
+fi
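Review bot: The two `assert_not_reached` messages in the corruption checks describe the opposite of the outcome that triggers them. The `else` branch of the trusted pull runs when the pull failed but reports "unexpectedly succeeded", and the `then` branch of the untrusted pull runs when the pull succeeded but reports "unexpectedly failed". A regression that stops `--untrusted` from verifying checksums would therefore be logged as a pull failure. Swap the texts: `assert_not_reached "corrupted trusted pull unexpectedly failed!"` and `assert_not_reached "corrupted untrusted pull unexpectedly succeeded!"`. The first invocation also passes `--untrusted` before the `pull-local` subcommand while the last passes it after; using one position throughout would make clear which option parser is under test.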