authorLennart Poettering <lennart@poettering.net>2015-01-20 16:36:40 +0100
committerLennart Poettering <lennart@poettering.net>2015-01-20 20:40:44 +0100
commit8f6950587ab7b4d6fe1b51241759cc3a4682b96d (patch)
tree26725324e6c459e0601630e9ca4269cc3981df41 /src
parent950a1705dcedf7c71ee28ee995fb51f95cfb2ed5 (diff)
import: make image verification optional
Diffstat (limited to 'src')
-rw-r--r--src/import/import-raw.c45
-rw-r--r--src/import/import-raw.h3
-rw-r--r--src/import/import-util.c8
-rw-r--r--src/import/import-util.h11
-rw-r--r--src/import/import.c22
5 files changed, 70 insertions, 19 deletions
diff --git a/src/import/import-raw.c b/src/import/import-raw.c
index 8ca10919af..6fb088278a 100644
--- a/src/import/import-raw.c
+++ b/src/import/import-raw.c
@@ -56,6 +56,8 @@ struct RawImport {
char *temp_path;
char *final_path;
+
+ ImportVerify verify;
};
RawImport* raw_import_unref(RawImport *i) {
@@ -251,6 +253,7 @@ static int raw_import_verify_sha256sum(RawImport *i) {
int r;
assert(i);
+ assert(i->verify != IMPORT_VERIFY_NO);
assert(i->raw_job);
assert(i->raw_job->sha256);
@@ -291,10 +294,12 @@ static int raw_import_finalize(RawImport *i) {
assert(i);
if (!IMPORT_JOB_STATE_IS_COMPLETE(i->raw_job) ||
- !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job))
+ (i->verify != IMPORT_VERIFY_NO && !IMPORT_JOB_STATE_IS_COMPLETE(i->sha256sums_job)))
return 0;
- if (!i->raw_job->etag_exists) {
+ if (i->verify != IMPORT_VERIFY_NO &&
+ i->raw_job->etag_exists) {
+
assert(i->temp_path);
assert(i->final_path);
assert(i->raw_job->disk_fd >= 0);
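Review bot: The rewritten condition in raw_import_finalize() drops the negation on `etag_exists`: the old code entered this block for `!i->raw_job->etag_exists`, the new code enters it for `i->verify != IMPORT_VERIFY_NO && i->raw_job->etag_exists`. The asserts at the top of the block (`temp_path`, `final_path`, `disk_fd >= 0`) describe a freshly written download, so the block now appears to run for the opposite case and to be skipped for every new download, which would leave a fresh image unchecked even with `--verify=sum`. The rest of the block lies outside this hunk, but if it also moves the temporary file into place, tying the whole block to `verify` means `--verify=no` skips that step too. I would keep `if (!i->raw_job->etag_exists) {` and guard only the checksum call inside it, e.g. `if (i->verify != IMPORT_VERIFY_NO) { r = raw_import_verify_sha256sum(i); if (r < 0) return r; }`.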
@@ -379,7 +384,10 @@ static void raw_import_sha256sums_job_on_finished(ImportJob *j) {
assert(j->userdata);
i = j->userdata;
+ assert(i->verify != IMPORT_VERIFY_NO);
+
if (j->error != 0) {
+ log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify.");
r = j->error;
goto finish;
}
@@ -425,11 +433,13 @@ static int raw_import_raw_job_on_open_disk(ImportJob *j) {
return 0;
}
-int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local) {
+int raw_import_pull(RawImport *i, const char *url, const char *local, bool force_local, ImportVerify verify) {
_cleanup_free_ char *sha256sums_url = NULL;
int r;
assert(i);
+ assert(verify < _IMPORT_VERIFY_MAX);
+ assert(verify >= 0);
if (i->raw_job)
return -EBUSY;
@@ -444,6 +454,7 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
if (r < 0)
return r;
i->force_local = force_local;
+ i->verify = verify;
/* Queue job for the image itself */
r = import_job_new(&i->raw_job, url, i->glue, i);
@@ -458,23 +469,25 @@ int raw_import_pull(RawImport *i, const char *url, const char *local, bool force
if (r < 0)
return r;
- /* Queue job for the SHA256SUMS file for the image */
- r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url);
- if (r < 0)
- return r;
+ if (verify != IMPORT_VERIFY_NO) {
+ /* Queue job for the SHA256SUMS file for the image */
+ r = import_url_change_last_component(url, "SHA256SUMS", &sha256sums_url);
+ if (r < 0)
+ return r;
- r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i);
- if (r < 0)
- return r;
+ r = import_job_new(&i->sha256sums_job, sha256sums_url, i->glue, i);
+ if (r < 0)
+ return r;
- i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished;
- i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
+ i->sha256sums_job->on_finished = raw_import_sha256sums_job_on_finished;
+ i->sha256sums_job->uncompressed_max = i->sha256sums_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
- r = import_job_begin(i->raw_job);
- if (r < 0)
- return r;
+ r = import_job_begin(i->sha256sums_job);
+ if (r < 0)
+ return r;
+ }
- r = import_job_begin(i->sha256sums_job);
+ r = import_job_begin(i->raw_job);
if (r < 0)
return r;
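Review bot: `IMPORT_VERIFY_SIGNATURE` takes exactly the same path as `IMPORT_VERIFY_SUM` here: both only queue the `SHA256SUMS` download, and nothing visible in this commit fetches or checks a signature over that file. Because the checksum URL is derived from the image URL by `import_url_change_last_component()`, a party able to alter the image can presumably replace the checksum file as well, so this mode detects corruption but does not authenticate the image. That matters because import.c makes `IMPORT_VERIFY_SIGNATURE` the default and the help text advertises it. Until the signature check exists, I would make the gap explicit near the top of raw_import_pull(), for example `if (verify == IMPORT_VERIFY_SIGNATURE) log_warning("Signature verification is not implemented yet, checking SHA256 sum only.");`, or refuse the mode outright. The function starts before this hunk and continues after it.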
diff --git a/src/import/import-raw.h b/src/import/import-raw.h
index 9e23142fee..ae2c29991f 100644
--- a/src/import/import-raw.h
+++ b/src/import/import-raw.h
@@ -23,6 +23,7 @@
#include "sd-event.h"
#include "macro.h"
+#include "import-util.h"
typedef struct RawImport RawImport;
@@ -33,4 +34,4 @@ RawImport* raw_import_unref(RawImport *import);
DEFINE_TRIVIAL_CLEANUP_FUNC(RawImport*, raw_import_unref);
-int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local);
+int raw_import_pull(RawImport *import, const char *url, const char *local, bool force_local, ImportVerify verify);
diff --git a/src/import/import-util.c b/src/import/import-util.c
index 1212025d43..79c60b376d 100644
--- a/src/import/import-util.c
+++ b/src/import/import-util.c
@@ -270,3 +270,11 @@ int import_url_change_last_component(const char *url, const char *suffix, char *
*ret = s;
return 0;
}
+
+static const char* const import_verify_table[_IMPORT_VERIFY_MAX] = {
+ [IMPORT_VERIFY_NO] = "no",
+ [IMPORT_VERIFY_SUM] = "sum",
+ [IMPORT_VERIFY_SIGNATURE] = "signature",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(import_verify, ImportVerify);
diff --git a/src/import/import-util.h b/src/import/import-util.h
index a8a5ca5699..811f3fa6d2 100644
--- a/src/import/import-util.h
+++ b/src/import/import-util.h
@@ -23,6 +23,14 @@
#include <stdbool.h>
+typedef enum ImportVerify {
+ IMPORT_VERIFY_NO,
+ IMPORT_VERIFY_SUM,
+ IMPORT_VERIFY_SIGNATURE,
+ _IMPORT_VERIFY_MAX,
+ _IMPORT_VERIFY_INVALID = -1,
+} ImportVerify;
+
bool http_etag_is_valid(const char *etag);
int import_make_local_copy(const char *final, const char *root, const char *local, bool force_local);
@@ -36,3 +44,6 @@ int import_make_path(const char *url, const char *etag, const char *image_root,
int import_url_last_component(const char *url, char **ret);
int import_url_change_last_component(const char *url, const char *suffix, char **ret);
+
+const char* import_verify_to_string(ImportVerify v) _const_;
+ImportVerify import_verify_from_string(const char *s) _pure_;
diff --git a/src/import/import.c b/src/import/import.c
index 3362f4a9ef..f44d47df9d 100644
--- a/src/import/import.c
+++ b/src/import/import.c
@@ -33,7 +33,7 @@
static bool arg_force = false;
static const char *arg_image_root = "/var/lib/machines";
-
+static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE;
static const char* arg_dkr_index_url = DEFAULT_DKR_INDEX_URL;
static void on_tar_finished(TarImport *import, int error, void *userdata) {
@@ -263,7 +263,7 @@ static int pull_raw(int argc, char *argv[], void *userdata) {
if (r < 0)
return log_error_errno(r, "Failed to allocate importer: %m");
- r = raw_import_pull(import, url, local, arg_force);
+ r = raw_import_pull(import, url, local, arg_force, arg_verify);
if (r < 0)
return log_error_errno(r, "Failed to pull image: %m");
@@ -299,6 +299,11 @@ static int pull_dkr(int argc, char *argv[], void *userdata) {
return -EINVAL;
}
+ if (arg_verify != IMPORT_VERIFY_NO) {
+ log_error("Imports from dkr do not support image verification, please pass --verify=no.");
+ return -EINVAL;
+ }
+
tag = strchr(argv[1], ':');
if (tag) {
name = strndupa(argv[1], tag - argv[1]);
@@ -384,6 +389,8 @@ static int help(int argc, char *argv[], void *userdata) {
" -h --help Show this help\n"
" --version Show package version\n"
" --force Force creation of image\n"
+ " --verify= Verify downloaded image, one of: 'no', 'sum'\n"
+ " 'signature'.\n"
" --image-root= Image root directory\n"
" --dkr-index-url=URL Specify index URL to use for downloads\n\n"
"Commands:\n"
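Review bot: The new `--verify=` help entry is missing a comma after `'sum'`, so across the line break the list reads `'no', 'sum' 'signature'`; the first line should end with `'sum',\n`. It would also help to state the default in this entry, since import.c sets `arg_verify = IMPORT_VERIFY_SIGNATURE` and pull_dkr() now returns -EINVAL unless `--verify=no` is passed. The help() string begins before this hunk and continues after it.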
@@ -402,6 +409,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_FORCE,
ARG_DKR_INDEX_URL,
ARG_IMAGE_ROOT,
+ ARG_VERIFY,
};
static const struct option options[] = {
@@ -410,6 +418,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "force", no_argument, NULL, ARG_FORCE },
{ "dkr-index-url", required_argument, NULL, ARG_DKR_INDEX_URL },
{ "image-root", required_argument, NULL, ARG_IMAGE_ROOT },
+ { "verify", required_argument, NULL, ARG_VERIFY },
{}
};
@@ -447,6 +456,15 @@ static int parse_argv(int argc, char *argv[]) {
arg_image_root = optarg;
break;
+ case ARG_VERIFY:
+ arg_verify = import_verify_from_string(optarg);
+ if (arg_verify < 0) {
+ log_error("Invalid verification setting '%s'", optarg);
+ return -EINVAL;
+ }
+
+ break;
+
case '?':
return -EINVAL;