import: make image verification optional

author: Lennart Poettering <lennart@poettering.net> 2015-01-20 16:36:40 +0100
committer: Lennart Poettering <lennart@poettering.net> 2015-01-20 20:40:44 +0100
commit: 8f6950587ab7b4d6fe1b51241759cc3a4682b96d (patch)
tree: 26725324e6c459e0601630e9ca4269cc3981df41 /src/import
parent: 950a1705dcedf7c71ee28ee995fb51f95cfb2ed5 (diff)
5 files changed, 70 insertions, 19 deletions
diff --git a/src/import/import-raw.c b/src/import/import-raw.c
index 8ca10919af..6fb088278a 100644
--- a/src/import/import-raw.c
+++ b/src/import/import-raw.c
@@ -56,6 +56,8 @@ struct RawImport {
 
         char *temp_path;
         char *final_path;
+
+        ImportVerify verify;
 };
 
 RawImport* raw_import_unref(RawImport *i) {
@@ -251,6 +253,7 @@ static int raw_import_verify_sha256sum(RawImport *i) {
         int r;
 
         assert(i);
+        assert(i->verify != IMPORT_VERIFY_NO);
 
         assert(i->raw_job);
         assert(i->raw_job->sha256);
@@ -291,10 +294,12 @@ static int raw_import_finalize(RawImport *i) {
         assert(i);
 
         if (!IMPORT_JOB_STATE_IS_COMPLETE(i->raw_job) ||
-            !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job))
+            (i->verify != IMPORT_VERIFY_NO && !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job)))
                 return 0;
 
-        if (!i->raw_job->etag_exists) {
+        if (i->verify != IMPORT_VERIFY_NO &&
+            i->raw_job->etag_exists) {
+
                 assert(i->temp_path);
                 assert(i->final_path);
                 assert(i->raw_job->disk_fd >= 0);
@@ -379,7 +384,10 @@ static void raw_import_sha256sums_job_on_finished(ImportJob *j) {
         assert(j->userdata);
 
         i = j->userdata;
+        assert(i->verify != IMPORT_VERIFY_NO);
+
         if (j->error != 0) {
+                log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify.");
                 r = j->error;
                 goto finish;
         }
@@ -425,11 +433,13 @@ static int raw_import_raw_job_on_open_disk(ImportJob *j) {
         return 0;
 }
 
-int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local) {
+int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local, ImportVerify verify) {
         _cleanup_free_ char *sha256sums_url = NULL;
         int r;
 
         assert(i);
+        assert(verify < _IMPORT_VERIFY_MAX);
+        assert(verify >= 0);
 
         if (i->raw_job)
                 return -EBUSY;
@@ -444,6 +454,7 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
         if (r < 0)
                 return r;
         i->force_local = force_local;
+        i->verify = verify;
 
         /* Queue job for the image itself */
         r = import_job_new(&i->raw_job, url, i->glue, i);
@@ -458,23 +469,25 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
         if (r < 0)
                 return r;
 
-        /* Queue job for the SHA256SUMS file for the image */
-        r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url);
-        if (r < 0)
-                return r;
+        if (verify != IMPORT_VERIFY_NO) {
+                /* Queue job for the SHA256SUMS file for the image */
+                r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url);
+                if (r < 0)
+                        return r;
 
-        r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i);
-        if (r < 0)
-                return r;
+                r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i);
+                if (r < 0)
+                        return r;
 
-        i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished;
-        i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
+                i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished;
+                i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
 
-        r = import_job_begin(i->raw_job);
-        if (r < 0)
-                return r;
+                r = import_job_begin(i->sha256sums_job);
+                if (r < 0)
+                        return r;
+        }
 
-        r = import_job_begin(i->sha256sums_job);
+        r = import_job_begin(i->raw_job);
         if (r < 0)
                 return r;
 
diff --git a/src/import/import-raw.h b/src/import/import-raw.h
index 9e23142fee..ae2c29991f 100644
--- a/src/import/import-raw.h
+++ b/src/import/import-raw.h
@@ -23,6 +23,7 @@
 
 #include "sd-event.h"
 #include "macro.h"
+#include "import-util.h"
 
 typedef struct RawImport RawImport;
 
@@ -33,4 +34,4 @@ RawImport* raw_import_unref(RawImport *import);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC(RawImport*, raw_import_unref);
 
-int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local);
+int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local, ImportVerify verify);
diff --git a/src/import/import-util.c b/src/import/import-util.c
index 1212025d43..79c60b376d 100644
--- a/src/import/import-util.c
+++ b/src/import/import-util.c
@@ -270,3 +270,11 @@ int import_url_change_last_component(const char *url, const char *suffix, char *
         *ret = s;
         return 0;
 }
+
+static const char* const import_verify_table[_IMPORT_VERIFY_MAX] = {
+        [IMPORT_VERIFY_NO] = "no",
+        [IMPORT_VERIFY_SUM] = "sum",
+        [IMPORT_VERIFY_SIGNATURE] = "signature",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(import_verify, ImportVerify);
diff --git a/src/import/import-util.h b/src/import/import-util.h
index a8a5ca5699..811f3fa6d2 100644
--- a/src/import/import-util.h
+++ b/src/import/import-util.h
@@ -23,6 +23,14 @@
 
 #include <stdbool.h>
 
+typedef enum ImportVerify {
+        IMPORT_VERIFY_NO,
+        IMPORT_VERIFY_SUM,
+        IMPORT_VERIFY_SIGNATURE,
+        _IMPORT_VERIFY_MAX,
+        _IMPORT_VERIFY_INVALID = -1,
+} ImportVerify;
+
 bool http_etag_is_valid(const char *etag);
 
 int import_make_local_copy(const char *final, const char *root, const char *local, bool force_local);
@@ -36,3 +44,6 @@ int import_make_path(const char *url, const char *etag, const char *image_root,
 
 int import_url_last_component(const char *url, char **ret);
 int import_url_change_last_component(const char *url, const char *suffix, char **ret);
+
+const char* import_verify_to_string(ImportVerify v) _const_;
+ImportVerify import_verify_from_string(const char *s) _pure_;
diff --git a/src/import/import.c b/src/import/import.c
index 3362f4a9ef..f44d47df9d 100644
--- a/src/import/import.c
+++ b/src/import/import.c
@@ -33,7 +33,7 @@
 
 static bool arg_force = false;
 static const char *arg_image_root = "/var/lib/machines";
-
+static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE;
 static const char* arg_dkr_index_url = DEFAULT_DKR_INDEX_URL;
 
 static void on_tar_finished(TarImport *import, int error, void *userdata) {
@@ -263,7 +263,7 @@ static int pull_raw(int argc, char *argv[], void *userdata) {
         if (r < 0)
                 return log_error_errno(r, "Failed to allocate importer: %m");
 
-        r = raw_import_pull(import, url, local, arg_force);
+        r = raw_import_pull(import, url, local, arg_force, arg_verify);
         if (r < 0)
                 return log_error_errno(r, "Failed to pull image: %m");
 
@@ -299,6 +299,11 @@ static int pull_dkr(int argc, char *argv[], void *userdata) {
                 return -EINVAL;
         }
 
+        if (arg_verify != IMPORT_VERIFY_NO) {
+                log_error("Imports from dkr do not support image verification, please pass --verify=no.");
+                return -EINVAL;
+        }
+
         tag = strchr(argv[1], ':');
         if (tag) {
                 name = strndupa(argv[1], tag - argv[1]);
@@ -384,6 +389,8 @@ static int help(int argc, char *argv[], void *userdata) {
                "  -h --help                   Show this help\n"
                "     --version                Show package version\n"
                "     --force                  Force creation of image\n"
+               "     --verify=                Verify downloaded image, one of: 'no', 'sum'\n"
+               "                              'signature'.\n"
                "     --image-root=            Image root directory\n"
                "     --dkr-index-url=URL      Specify index URL to use for downloads\n\n"
                "Commands:\n"
@@ -402,6 +409,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_FORCE,
                 ARG_DKR_INDEX_URL,
                 ARG_IMAGE_ROOT,
+                ARG_VERIFY,
         };
 
         static const struct option options[] = {
@@ -410,6 +418,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "force",           no_argument,       NULL, ARG_FORCE           },
                 { "dkr-index-url",   required_argument, NULL, ARG_DKR_INDEX_URL   },
                 { "image-root",      required_argument, NULL, ARG_IMAGE_ROOT      },
+                { "verify",          required_argument, NULL, ARG_VERIFY          },
                 {}
         };
 
@@ -447,6 +456,15 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_image_root = optarg;
                         break;
 
+                case ARG_VERIFY:
+                        arg_verify = import_verify_from_string(optarg);
+                        if (arg_verify < 0) {
+                                log_error("Invalid verification setting '%s'", optarg);
+                                return -EINVAL;
+                        }
+
+                        break;
+
                 case '?':
                         return -EINVAL;
author	Lennart Poettering <lennart@poettering.net>	2015-01-20 16:36:40 +0100
committer	Lennart Poettering <lennart@poettering.net>	2015-01-20 20:40:44 +0100
commit	8f6950587ab7b4d6fe1b51241759cc3a4682b96d (patch)
tree	26725324e6c459e0601630e9ca4269cc3981df41 /src/import
parent	950a1705dcedf7c71ee28ee995fb51f95cfb2ed5 (diff)