X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=daklib%2Fchecks.py;h=c5a3f35dc6cdad45e3dca0438f9017acfc081283;hb=934c6eaee7864ecaaffaa8a85afa5464f7884268;hp=dce112b878ed77cfeba890f0263d37e2993e3359;hpb=5c903326aaf0db9191d58691d38d7198684f41ce;p=dak.git diff --git a/daklib/checks.py b/daklib/checks.py index dce112b8..c5a3f35d 100644 --- a/daklib/checks.py +++ b/daklib/checks.py @@ -31,11 +31,12 @@ from daklib.regexes import * from daklib.textutils import fix_maintainer, ParseMaintError import daklib.lintian as lintian import daklib.utils as utils -from daklib.upload import InvalidHashException +import daklib.upload import apt_inst import apt_pkg from apt_pkg import version_compare +import datetime import errno import os import subprocess @@ -109,6 +110,16 @@ class Check(object): return False class SignatureAndHashesCheck(Check): + def check_replay(self, upload): + # Use private session as we want to remember having seen the .changes + # in all cases. + session = upload.session + history = SignatureHistory.from_signed_file(upload.changes) + r = history.query(session) + if r is not None: + raise Reject('Signature for changes file was already seen at {0}.\nPlease refresh the signature of the changes file if you want to upload it again.'.format(r.seen)) + return True + """Check signature of changes and dsc file (if included in upload) Make sure the signature is valid and done by a known user. @@ -117,6 +128,7 @@ class SignatureAndHashesCheck(Check): changes = upload.changes if not changes.valid_signature: raise Reject("Signature for .changes not valid.") + self.check_replay(upload) self._check_hashes(upload, changes.filename, changes.files.itervalues()) source = None @@ -149,15 +161,32 @@ class SignatureAndHashesCheck(Check): try: for f in files: f.check(upload.directory) - except IOError as e: - if e.errno == errno.ENOENT: - raise Reject('{0} refers to non-existing file: {1}\n' - 'Perhaps you need to include it in your upload?' - .format(filename, os.path.basename(e.filename))) - raise - except InvalidHashException as e: + except daklib.upload.FileDoesNotExist as e: + raise Reject('{0}: {1}\n' + 'Perhaps you need to include the file in your upload?' + .format(filename, unicode(e))) + except daklib.upload.UploadException as e: raise Reject('{0}: {1}'.format(filename, unicode(e))) +class SignatureTimestampCheck(Check): + """Check timestamp of .changes signature""" + def check(self, upload): + changes = upload.changes + + now = datetime.datetime.utcnow() + timestamp = changes.signature_timestamp + age = now - timestamp + + age_max = datetime.timedelta(days=365) + age_min = datetime.timedelta(days=-7) + + if age > age_max: + raise Reject('{0}: Signature from {1} is too old (maximum age is {2} days)'.format(changes.filename, timestamp, age_max.days)) + if age < age_min: + raise Reject('{0}: Signature from {1} is too far in the future (tolerance is {2} days)'.format(changes.filename, timestamp, abs(age_min.days))) + + return True + class ChangesCheck(Check): """Check changes file for syntax errors.""" def check(self, upload): @@ -271,7 +300,7 @@ class BinaryCheck(Check): fn = binary.hashed_file.filename control = binary.control - for field in ('Package', 'Architecture', 'Version', 'Description'): + for field in ('Package', 'Architecture', 'Version', 'Description', 'Section'): if field not in control: raise Reject('{0}: Missing mandatory field {0}.'.format(fn, field))