
compounded commit: added third party channel support + turnkey linux channel
1 parent f5a4dac commit 5751bfe226f51a0c97dc2c628005c597daf9cd48 @alonswartz alonswartz committed Jan 16, 2012
Showing with 100 additions and 112 deletions.
  1. +100 −112 PVE/APLInfo.pm
212 PVE/APLInfo.pm
@@ -8,29 +8,27 @@ use LWP::UserAgent;
use PVE::Config;
use POSIX qw(strftime);
-my $logfile = "/var/log/pveam.log";
-
-# Default list of GPG keys allowed to sign aplinfo
-#
-#pub 1024D/5CAC72FE 2004-06-24
-# Key fingerprint = 9ABD 7E02 AD24 3AD3 C2FB BCCC B0C1 CC22 5CAC 72FE
-#uid Proxmox Support Team <support@proxmox.com>
-
-my $valid_keys = {
- '9ABD7E02AD243AD3C2FBBCCCB0C1CC225CAC72FE' => 1, # fingerprint support@proxmox.com
- '25CAC72FE' => 1, # keyid support@proxmox.com
-};
-
-sub import_gpg_keys {
+my @channels = (
+ {'name' => 'proxmox',
+ 'index' => 'http://download.proxmox.com/appliances/aplinfo.dat.gz',
+ 'indexsig' => 'http://download.proxmox.com/appliances/aplinfo.dat.asc',
+ 'keyid' => '5CAC72FE',
+ 'keyserver' => '',
+ 'keyfile' => '/usr/share/doc/pve-manager/support@proxmox.com.pubkey'},
+
+ {'name' => 'turnkeylinux',
+ 'index' => 'http://releases.turnkeylinux.org/pve/aplinfo.dat.gz',
+ 'indexsig' => 'http://releases.turnkeylinux.org/pve/aplinfo.dat.asc',
+ 'keyid' => 'A16EB94D',
+ 'keyserver' => 'hkp://keyserver.ubuntu.com',
+ 'keyfile' => ''},
+);
- my $keyfile = '/usr/share/doc/pve-manager/support@proxmox.com.pubkey';
-
- return system ("/usr/bin/gpg --batch --no-tty --status-fd=1 -q " .
- "--logger-fd=1 --import $keyfile >>$logfile");
-}
+my $logfile = "/var/log/pveam.log";
sub logmsg {
my ($logfd, $msg) = @_;
+ print "debug: $msg\n";
chomp $msg;
@@ -46,127 +44,117 @@ sub url_get {
my $req = HTTP::Request->new(GET => $url);
- logmsg ($logfh, "start download $url");
+ logmsg ($logfh, "url_get: $url");
my $res = $ua->request($req, $file);
if ($res->is_success) {
- logmsg ($logfh, "download finished: " . $res->status_line);
+ logmsg ($logfh, "url_get: " . $res->status_line);
return 0;
}
- logmsg ($logfh, "download failed: " . $res->status_line);
+ logmsg ($logfh, "url_get: " . $res->status_line);
return 1;
}
sub update {
my ($proxy) = @_;
- my $aplurl = "http://download.proxmox.com/appliances";
- my $aplsrcurl = "$aplurl/aplinfo.dat.gz";
- my $aplsigurl = "$aplurl/aplinfo.dat.asc";
-
my $size;
if (($size = (-s $logfile) || 0) > (1024*50)) {
- system ("mv $logfile $logfile.0");
+ system ("mv $logfile $logfile.0");
}
my $logfd = IO::File->new (">>$logfile");
- logmsg ($logfd, "starting update");
+ logmsg ($logfd, "channel updates: initiated");
- import_gpg_keys();
-
- my $tmp = "/tmp/pveam.tmp.$$";
- my $tmpgz = "$tmp.gz";
- my $sigfn = "$tmp.asc";
-
- # this code works for ftp and http
- # always use passive ftp
- local $ENV{FTP_PASSIVE} = 1;
- my $ua = LWP::UserAgent->new;
- $ua->agent("PVE/1.0");
-
- if ($proxy) {
- $ua->proxy(['http'], $proxy);
- } else {
- $ua->env_proxy;
- }
+ my $tmpapl = "/tmp/pveam.apl.tmp.$$";
+ system ("rm -f $tmpapl");
eval {
- if (url_get ($ua, $aplsigurl, $sigfn, $logfd) != 0) {
- die "update failed - no signature\n";
- }
-
- if (url_get ($ua, $aplsrcurl, $tmpgz, $logfd) != 0) {
- die "update failed - no data\n";
- }
-
- if (system ("zcat -f $tmpgz >$tmp 2>/dev/null") != 0) {
- die "update failed: unable to unpack '$tmpgz'\n";
- }
-
- # verify signature
-
- my $cmd = "/usr/bin/gpg --verify --batch --no-tty --status-fd=1 -q " .
- "--logger-fd=1 $sigfn $tmp";
-
- open (CMD, "$cmd|") ||
- die "unable to execute '$cmd': $!\n";
-
- my $line;
- my $signer = '';
- while (defined ($line = <CMD>)) {
- chomp $line;
- logmsg ($logfd, $line);
-
- # code borrowed from SA
- next if $line !~ /^\Q[GNUPG:]\E (?:VALID|GOOD)SIG (\S{8,40})/;
- my $key = $1;
-
- # we want either a keyid (8) or a fingerprint (40)
- if (length $key > 8 && length $key < 40) {
- substr($key, 8) = '';
- }
- # use the longest match we can find
- $signer = $key if (length $key > length $signer) && $valid_keys->{$key};
- }
-
- close (CMD);
-
- die "unable to verify signature\n" if !$signer;
-
- logmsg ($logfd, "signature valid: $signer");
-
- # test syntax
- eval {
- my $fh = IO::File->new ("<$tmp") ||
- die "unable to open file '$tmp' - $!\n";
- PVE::Config::read_aplinfo ($tmp, $fh, 1);
- close ($fh);
- };
- die "update failed: $@" if $@;
+ for (my $i=0; $i < scalar (@channels); $i++) {
+
+ my $name = $channels[$i]{'name'};
+ logmsg ($logfd, "$name: starting...");
+
+ my $tmp = "/tmp/pveam.$name.tmp.$$";
+ my $tmpgz = "$tmp.gz";
+ my $sigfn = "$tmp.asc";
+
+ # setup user-agent, proxy. supports ftp and http.
+ local $ENV{FTP_PASSIVE} = 1;
+ my $ua = LWP::UserAgent->new;
+ $ua->agent("PVE/1.0");
+ if ($proxy) { $ua->proxy(['http'], $proxy);
+ } else { $ua->env_proxy; }
+
+ # pull index and gpg sig
+ logmsg ($logfd, "$name: getting index signature");
+ if (url_get ($ua, $channels[$i]{'indexsig'}, $sigfn, $logfd) != 0) {
+ die "$name: update failed - no signature\n";
+ }
+
+ logmsg ($logfd, "$name: getting index");
+ if (url_get ($ua, $channels[$i]{'index'}, $tmpgz, $logfd) != 0) {
+ die "$name: update failed - no data\n";
+ }
+
+ if (system ("zcat -f $tmpgz >$tmp 2>/dev/null") != 0) {
+ die "$name: update failed: unable to unpack '$tmpgz'\n";
+ }
+
+ # import gpg keys if needed
+ my $keyid = $channels[$i]{'keyid'};
+ my $keyfile = $channels[$i]{'keyfile'};
+ my $keyserver = $channels[$i]{'keyserver'};
+
+ if (system ("/usr/bin/gpg --logger-fd=1 --list-keys $keyid 2>&1 >/dev/null") != 0) {
+ if ( $keyfile ) {
+ logmsg ($logfd, "$name: importing $keyid from $keyfile");
+ system ("/usr/bin/gpg --batch --no-tty --status-fd=1 -q " .
+ "--logger-fd=1 --import $keyfile >>$logfile");
+ }
+ if ( $keyserver ) {
+ logmsg ($logfd, "$name: importing $keyid from $keyserver");
+ system ("/usr/bin/gpg --keyserver $keyserver --recv-keys " .
+ "--logger-fd=1 0x$keyid >>$logfile");
+ }
+ }
+
+ # verify index integrity
+ logmsg ($logfd, "$name: verifying index integrity");
+ if (system ("/usr/bin/gpg --logger-fd=1 --verify $sigfn $tmp 2>&1 >>$logfile") != 0) {
+ die "$name: unable to verify signature\n";
+ }
+
+ # validate index syntax
+ logmsg ($logfd, "$name: validating index syntax");
+ eval {
+ my $fh = IO::File->new ("<$tmp") ||
+ die "unable to open file '$tmp' - $!\n";
+ PVE::Config::read_aplinfo ($tmp, $fh, 1);
+ close ($fh);
+ };
+ die "update failed, invalid syntax: $@" if $@;
+
+ # append channel index to main tmp appliance list
+ system ("cat $tmp >> $tmpapl");
+ logmsg ($logfd, "$name: update complete");
+ }
- if (system ("mv $tmp /var/lib/pve-manager/apl-available 2>/dev/null") != 0) {
+ logmsg ($logfd, "channel updates: finalizing");
+ if (system ("mv $tmpapl /var/lib/pve-manager/apl-available 2>/dev/null") != 0) {
die "update failed: unable to store data\n";
}
- logmsg ($logfd, "update sucessful");
+ logmsg ($logfd, "channel updates: complete");
};
-
my $err = $@;
-
- unlink $tmp;
- unlink $tmpgz;
- unlink $sigfn;
-
if ($err) {
- logmsg ($logfd, $err);
- close ($logfd);
-
- return 0;
- }
-
+ logmsg ($logfd, $err);
+ close ($logfd);
+ return 0;
+ }
close ($logfd);
-
return 1;
}
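Review bot: The new signature check at `if (system ("/usr/bin/gpg --logger-fd=1 --verify $sigfn $tmp 2>&1 >>$logfile") != 0)` tests only gpg's exit status, which is zero for a good signature from any key present in the local keyring, so the channel's `keyid` is never bound to the signature and the `$valid_keys`/VALIDSIG allowlist that the removed code enforced is gone. The keyserver import a few lines above fetches by an 8-hex short id over hkp, so whatever key answers to that short id is imported and its signature then passes this check. Parsing `--status-fd=1` output for `VALIDSIG` and comparing the full fingerprint against a per-channel `fingerprint` field (the proxmox fingerprint appears in the removed lines; the turnkeylinux one must be obtained and pinned out of band) restores that binding, as sketched below. Separately, `2>&1 >>$logfile` here and `2>&1 >/dev/null` on the `--list-keys` call send stderr to the original stdout rather than to the log, and the loop-scoped `$tmp`, `$tmpgz` and `$sigfn` are no longer unlinked, so every run leaves its downloaded index and signature files in /tmp.
```perl
# verify index integrity: require a VALIDSIG from this channel's pinned key;
# a zero exit status alone accepts any key that happens to be in the keyring
logmsg ($logfd, "$name: verifying index integrity");
my $expected_fpr = $channels[$i]{'fingerprint'};   # full 40-hex fingerprint per channel
open (my $gpgfh, '-|', '/usr/bin/gpg', '--verify', '--batch', '--no-tty',
      '--status-fd=1', '-q', '--logger-fd=1', $sigfn, $tmp)
    or die "$name: unable to execute gpg: $!\n";
my $signer = '';
while (defined (my $line = <$gpgfh>)) {
    chomp $line;
    logmsg ($logfd, $line);
    next if $line !~ /^\Q[GNUPG:]\E VALIDSIG (\S{40})/;
    $signer = $1 if $1 eq $expected_fpr;
}
close ($gpgfh);
die "$name: unable to verify signature\n" if !$signer;
logmsg ($logfd, "$name: signature valid: $signer");
# … unchanged: validate index syntax, append channel index to $tmpapl …
```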

0 comments on commit 5751bfe
