def action_dm(self, fingerprint, section, session): cnf = Config() if 'Command::DM::AdminKeyrings' not in cnf \ or 'Command::DM::ACL' not in cnf \ or 'Command::DM::Keyrings' not in cnf: raise CommandError('DM command is not configured for this archive.') allowed_keyrings = cnf.value_list('Command::DM::AdminKeyrings') if fingerprint.keyring.keyring_name not in allowed_keyrings: raise CommandError('Key {0} is not allowed to set DM'.format(fingerprint.fingerprint)) acl_name = cnf.get('Command::DM::ACL', 'dm') acl = session.query(ACL).filter_by(name=acl_name).one() fpr_hash = section['Fingerprint'].translate(None, ' ') fpr = session.query(Fingerprint).filter_by(fingerprint=fpr_hash).first() if fpr is None: raise CommandError('Unknown fingerprint {0}'.format(fpr_hash)) if fpr.keyring is None or fpr.keyring.keyring_name not in cnf.value_list('Command::DM::Keyrings'): raise CommandError('Key {0} is not in DM keyring.'.format(fpr.fingerprint)) addresses = gpg_get_key_addresses(fpr.fingerprint) if len(addresses) > 0: self.cc.append(addresses[0]) self.log.log(['dm', 'fingerprint', fpr.fingerprint]) self.result.append('Fingerprint: {0}'.format(fpr.fingerprint)) if len(addresses) > 0: self.log.log(['dm', 'uid', addresses[0]]) self.result.append('Uid: {0}'.format(addresses[0])) for source in self._split_packages(section.get('Allow', '')): # Check for existance of source package to catch typos if session.query(DBSource).filter_by(source=source).first() is None: raise CommandError('Tried to grant permissions for unknown source package: {0}'.format(source)) if session.query(ACLPerSource).filter_by(acl=acl, fingerprint=fpr, source=source).first() is None: aps = ACLPerSource() aps.acl = acl aps.fingerprint = fpr aps.source = source aps.created_by = fingerprint aps.reason = section.get('Reason') session.add(aps) self.log.log(['dm', 'allow', fpr.fingerprint, source]) self.result.append('Allowed: {0}'.format(source)) else: self.result.append('Already-Allowed: {0}'.format(source)) session.flush() for source in self._split_packages(section.get('Deny', '')): count = session.query(ACLPerSource).filter_by(acl=acl, fingerprint=fpr, source=source).delete() if count == 0: raise CommandError('Tried to remove upload permissions for package {0}, ' 'but no upload permissions were granted before.'.format(source)) self.log.log(['dm', 'deny', fpr.fingerprint, source]) self.result.append('Denied: {0}'.format(source)) session.commit()
def evaluate(self): """evaluate commands file @rtype: bool @returns: C{True} if the file was processed sucessfully, C{False} otherwise """ result = True session = DBConn().session() keyrings = session.query(Keyring).filter_by(active=True).order_by(Keyring.priority) keyring_files = [ k.keyring_name for k in keyrings ] signed_file = SignedFile(self.data, keyring_files) if not signed_file.valid: self.log.log(['invalid signature', self.filename]) return False self.fingerprint = session.query(Fingerprint).filter_by(fingerprint=signed_file.primary_fingerprint).one() if self.fingerprint.keyring is None: self.log.log(['singed by key in unknown keyring', self.filename]) return False assert self.fingerprint.keyring.active self.log.log(['processing', self.filename, 'signed-by={0}'.format(self.fingerprint.fingerprint)]) with tempfile.TemporaryFile() as fh: fh.write(signed_file.contents) fh.seek(0) sections = apt_pkg.TagFile(fh) self.uploader = None addresses = gpg_get_key_addresses(self.fingerprint.fingerprint) if len(addresses) > 0: self.uploader = addresses[0] try: sections.next() section = sections.section if 'Uploader' in section: self.uploader = section['Uploader'] # TODO: Verify first section has valid Archive field if 'Archive' not in section: raise CommandError('No Archive field in first section.') # TODO: send mail when we detected a replay. # sync actions can happen multiple times, so we won't keep a history if not self._has_only_sync_actions(sections): self._check_replay(signed_file, session) self._evaluate_sections(sections, session) self.result.append('') except Exception as e: self.log.log(['ERROR', e]) self.result.append("There was an error processing this section. No changes were committed.\nDetails:\n{0}".format(e)) result = False self._notify_uploader() session.close() return result
def evaluate(self): """evaluate commands file @rtype: bool @returns: C{True} if the file was processed sucessfully, C{False} otherwise """ result = True session = DBConn().session() keyrings = session.query(Keyring).filter_by(active=True).order_by( Keyring.priority) keyring_files = [k.keyring_name for k in keyrings] signed_file = SignedFile(self.data, keyring_files) if not signed_file.valid: self.log.log(['invalid signature', self.filename]) return False self.fingerprint = session.query(Fingerprint).filter_by( fingerprint=signed_file.primary_fingerprint).one() if self.fingerprint.keyring is None: self.log.log(['singed by key in unknown keyring', self.filename]) return False assert self.fingerprint.keyring.active self.log.log([ 'processing', self.filename, 'signed-by={0}'.format(self.fingerprint.fingerprint) ]) with tempfile.TemporaryFile() as fh: fh.write(signed_file.contents) fh.seek(0) sections = apt_pkg.TagFile(fh) self.uploader = None addresses = gpg_get_key_addresses(self.fingerprint.fingerprint) if len(addresses) > 0: self.uploader = addresses[0] try: sections.next() section = sections.section if 'Uploader' in section: self.uploader = section['Uploader'] if 'Cc' in section: self.cc.append(section['Cc']) # TODO: Verify first section has valid Archive field if 'Archive' not in section: raise CommandError('No Archive field in first section.') # TODO: send mail when we detected a replay. # sync actions can happen multiple times, so we won't keep a history if not self._has_only_sync_actions(sections): self._check_replay(signed_file, session) self._evaluate_sections(sections, session) self.result.append('') except Exception as e: self.log.log(['ERROR', e]) self.result.append( "There was an error processing this section. No changes were committed.\nDetails:\n{0}" .format(e)) result = False self._notify_uploader() session.close() return result
def action_dm(self, fingerprint, section, session): cnf = Config() if 'Command::DM::AdminKeyrings' not in cnf \ or 'Command::DM::ACL' not in cnf \ or 'Command::DM::Keyrings' not in cnf: raise CommandError( 'DM command is not configured for this archive.') allowed_keyrings = cnf.value_list('Command::DM::AdminKeyrings') if fingerprint.keyring.keyring_name not in allowed_keyrings: raise CommandError('Key {0} is not allowed to set DM'.format( fingerprint.fingerprint)) acl_name = cnf.get('Command::DM::ACL', 'dm') acl = session.query(ACL).filter_by(name=acl_name).one() fpr_hash = section['Fingerprint'].translate(None, ' ') fpr = session.query(Fingerprint).filter_by( fingerprint=fpr_hash).first() if fpr is None: raise CommandError('Unknown fingerprint {0}'.format(fpr_hash)) if fpr.keyring is None or fpr.keyring.keyring_name not in cnf.value_list( 'Command::DM::Keyrings'): raise CommandError('Key {0} is not in DM keyring.'.format( fpr.fingerprint)) addresses = gpg_get_key_addresses(fpr.fingerprint) if len(addresses) > 0: self.cc.append(addresses[0]) self.log.log(['dm', 'fingerprint', fpr.fingerprint]) self.result.append('Fingerprint: {0}'.format(fpr.fingerprint)) if len(addresses) > 0: self.log.log(['dm', 'uid', addresses[0]]) self.result.append('Uid: {0}'.format(addresses[0])) for source in self._split_packages(section.get('Allow', '')): # Check for existance of source package to catch typos if session.query(DBSource).filter_by( source=source).first() is None: raise CommandError( 'Tried to grant permissions for unknown source package: {0}' .format(source)) if session.query(ACLPerSource).filter_by( acl=acl, fingerprint=fpr, source=source).first() is None: aps = ACLPerSource() aps.acl = acl aps.fingerprint = fpr aps.source = source aps.created_by = fingerprint aps.reason = section.get('Reason') session.add(aps) self.log.log(['dm', 'allow', fpr.fingerprint, source]) self.result.append('Allowed: {0}'.format(source)) else: self.result.append('Already-Allowed: {0}'.format(source)) session.flush() for source in self._split_packages(section.get('Deny', '')): count = session.query(ACLPerSource).filter_by( acl=acl, fingerprint=fpr, source=source).delete() if count == 0: raise CommandError( 'Tried to remove upload permissions for package {0}, ' 'but no upload permissions were granted before.'.format( source)) self.log.log(['dm', 'deny', fpr.fingerprint, source]) self.result.append('Denied: {0}'.format(source)) session.commit()
def action_dm(self, fingerprint, section, session): cnf = Config() if ( "Command::DM::AdminKeyrings" not in cnf or "Command::DM::ACL" not in cnf or "Command::DM::Keyrings" not in cnf ): raise CommandError("DM command is not configured for this archive.") allowed_keyrings = cnf.value_list("Command::DM::AdminKeyrings") if fingerprint.keyring.keyring_name not in allowed_keyrings: raise CommandError("Key {0} is not allowed to set DM".format(fingerprint.fingerprint)) acl_name = cnf.get("Command::DM::ACL", "dm") acl = session.query(ACL).filter_by(name=acl_name).one() fpr_hash = section["Fingerprint"].translate(None, " ") fpr = session.query(Fingerprint).filter_by(fingerprint=fpr_hash).first() if fpr is None: raise CommandError("Unknown fingerprint {0}".format(fpr_hash)) if fpr.keyring is None or fpr.keyring.keyring_name not in cnf.value_list("Command::DM::Keyrings"): raise CommandError("Key {0} is not in DM keyring.".format(fpr.fingerprint)) addresses = gpg_get_key_addresses(fpr.fingerprint) if len(addresses) > 0: self.cc.append(addresses[0]) self.log.log(["dm", "fingerprint", fpr.fingerprint]) self.result.append("Fingerprint: {0}".format(fpr.fingerprint)) if len(addresses) > 0: self.log.log(["dm", "uid", addresses[0]]) self.result.append("Uid: {0}".format(addresses[0])) for source in self._split_packages(section.get("Allow", "")): # Check for existance of source package to catch typos if session.query(DBSource).filter_by(source=source).first() is None: raise CommandError("Tried to grant permissions for unknown source package: {0}".format(source)) if session.query(ACLPerSource).filter_by(acl=acl, fingerprint=fpr, source=source).first() is None: aps = ACLPerSource() aps.acl = acl aps.fingerprint = fpr aps.source = source aps.created_by = fingerprint aps.reason = section.get("Reason") session.add(aps) self.log.log(["dm", "allow", fpr.fingerprint, source]) self.result.append("Allowed: {0}".format(source)) else: self.result.append("Already-Allowed: {0}".format(source)) session.flush() for source in self._split_packages(section.get("Deny", "")): count = session.query(ACLPerSource).filter_by(acl=acl, fingerprint=fpr, source=source).delete() if count == 0: raise CommandError( "Tried to remove upload permissions for package {0}, " "but no upload permissions were granted before.".format(source) ) self.log.log(["dm", "deny", fpr.fingerprint, source]) self.result.append("Denied: {0}".format(source)) session.commit()