packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

lib/pull: Allow downgrade protection with overrides 

There's a valid use case for enabling the timestamp downgrade check
while still also using override commits.

We'll make use of this in Fedora CoreOS, where the agent specifies the
exact commit to upgrade to, while still enforcing that it be newer.

Closes: #1891
Approved by: cgwalters
This commit is contained in:
Jonathan Lebon 2019-07-26 11:52:18 -04:00 committed by Atomic Bot
parent c9ecfb1d81
commit 9332830e09
2 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libostree/ostree-repo-pull.c
View File

@ -4335,16 +4335,16 @@ ostree_repo_pull_with_options (OstreeRepo *self,
const char*, override_commitid) const char*, override_commitid)
{ {
g_autofree char *contents = NULL; g_autofree char *contents = NULL;
g_autoptr(OstreeCollectionRef) ref_with_collection = NULL;
/* Support specifying "" for an override commitid */ /* Support specifying "" for an override commitid */
if (override_commitid && *override_commitid) if (override_commitid && *override_commitid)
{ {
g_hash_table_replace (updated_requested_refs_to_fetch, ostree_collection_ref_dup (ref), g_strdup (override_commitid)); ref_with_collection = ostree_collection_ref_dup (ref);
contents = g_strdup (override_commitid);
} }
else else
{ {
g_autoptr(OstreeCollectionRef) ref_with_collection = NULL;
if (pull_data->summary) if (pull_data->summary)
{ {
gsize commit_size = 0; gsize commit_size = 0;
@ -4367,6 +4367,7 @@ ostree_repo_pull_with_options (OstreeRepo *self,
ref_with_collection = ostree_collection_ref_dup (ref); ref_with_collection = ostree_collection_ref_dup (ref);
} }
}
/* If we have timestamp checking enabled, find the current value of /* If we have timestamp checking enabled, find the current value of
* the ref, and store its timestamp in the hash map, to check later. * the ref, and store its timestamp in the hash map, to check later.
@ -4390,7 +4391,6 @@ ostree_repo_pull_with_options (OstreeRepo *self,
g_steal_pointer (&ref_with_collection), g_steal_pointer (&ref_with_collection),
g_steal_pointer (&contents)); g_steal_pointer (&contents));
} }
}
g_hash_table_unref (requested_refs_to_fetch); g_hash_table_unref (requested_refs_to_fetch);
requested_refs_to_fetch = g_steal_pointer (&updated_requested_refs_to_fetch); requested_refs_to_fetch = g_steal_pointer (&updated_requested_refs_to_fetch);

6
tests/pull-test.sh
View File

@ -334,6 +334,12 @@ if ${CMD_PREFIX} ostree --repo=repo pull -T origin main 2>err.txt; then
fi fi
assert_file_has_content err.txt "Upgrade.*is chronologically older" assert_file_has_content err.txt "Upgrade.*is chronologically older"
assert_streq ${newrev} "$(${CMD_PREFIX} ostree --repo=repo rev-parse main)" assert_streq ${newrev} "$(${CMD_PREFIX} ostree --repo=repo rev-parse main)"
# And also check we can't pull it when using overrides
if ${CMD_PREFIX} ostree --repo=repo pull -T origin main@${newrev2} 2>err.txt; then
fatal "pulled older commit override with timestamp checking enabled?"
fi
assert_file_has_content err.txt "Upgrade.*is chronologically older"
assert_streq ${newrev} "$(${CMD_PREFIX} ostree --repo=repo rev-parse main)"
# But we can pull it without timestamp checking # But we can pull it without timestamp checking
${CMD_PREFIX} ostree --repo=repo pull origin main ${CMD_PREFIX} ostree --repo=repo pull origin main
echo "ok pull timestamp checking" echo "ok pull timestamp checking"