From d24ae56378dc9e503cb4ef9ecab779fa23205d1b Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 15 May 2022 15:29:30 +0200 Subject: [PATCH 1/6] gluon-core: check-site: support checking "custom" values The new "value" helper can be used to turn a Lua value into a path that can be passed to need_*() etc. --- .luacheckrc | 1 + .../luasrc/lib/gluon/check-site.lua | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/.luacheckrc b/.luacheckrc index b308748c..e0a64b54 100644 --- a/.luacheckrc +++ b/.luacheckrc @@ -25,6 +25,7 @@ files["package/**/check_site.lua"] = { "extend", "in_domain", "in_site", + "value", "need", "need_alphanumeric_key", "need_array", diff --git a/package/gluon-core/luasrc/lib/gluon/check-site.lua b/package/gluon-core/luasrc/lib/gluon/check-site.lua index 6861d8cb..148f4968 100644 --- a/package/gluon-core/luasrc/lib/gluon/check-site.lua +++ b/package/gluon-core/luasrc/lib/gluon/check-site.lua @@ -57,6 +57,10 @@ end local function path_to_string(path) + if path.is_value then + return path.label + end + return table.concat(path, '.') end @@ -96,6 +100,10 @@ local function domain_src() end local function conf_src(path) + if path.is_value then + return 'Configuration' + end + local src if has_domains then @@ -138,6 +146,14 @@ function M.in_domain(path) return path end +function M.value(label, value) + return { + is_value = true, + label = label, + value = value, + } +end + function M.this_domain() return domain_code end @@ -171,6 +187,10 @@ function loadpath(path, base, c, ...) end local function loadvar(path) + if path.is_value then + return path.value + end + return loadpath({}, conf, unpack(path)) end From db48b6b6931d5b9df7be3d761b163519a887095e Mon Sep 17 00:00:00 2001 
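Review bot: `M.value()` in check-site.lua is added without a comment, and the table it returns is not a real path: it only works with the three functions that now test `is_value` (`path_to_string`, `conf_src` and `loadvar`). I would add a short comment above it, for example `-- Wraps an arbitrary Lua value so need_*() can check it; label replaces the config path in error messages`. The comment should also say that the result must not be passed to `extend()`, `in_site()` or `in_domain()`, since how those treat a table without array entries is not visible in this patch.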
From: Matthias Schiffer Date: Sun, 15 May 2022 02:39:36 +0200 Subject: [PATCH 2/6] gluon-autoupdater: check default branch name Check the default branch (both from site.conf and GLUON_AUTOUPDATER_BRANCH) against the list of configured branch names to avoid misconfiguration. --- package/gluon-autoupdater/check_site.lua | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/package/gluon-autoupdater/check_site.lua b/package/gluon-autoupdater/check_site.lua index eaabf285..04c88a13 100644 --- a/package/gluon-autoupdater/check_site.lua +++ b/package/gluon-autoupdater/check_site.lua @@ -1,6 +1,4 @@ -need_string(in_site({'autoupdater', 'branch'}), false) - -need_table({'autoupdater', 'branches'}, function(branch) +local branches = table_keys(need_table({'autoupdater', 'branches'}, function(branch) need_alphanumeric_key(branch) need_string(in_site(extend(branch, {'name'}))) @@ -8,4 +6,15 @@ need_table({'autoupdater', 'branches'}, function(branch) need_number(in_site(extend(branch, {'good_signatures'}))) need_string_array_match(in_site(extend(branch, {'pubkeys'})), '^%x+$') obsolete(in_site(extend(branch, {'probability'})), 'Use GLUON_PRIORITY in site.mk instead.') -end) +end)) + +need_one_of(in_site({'autoupdater', 'branch'}), branches, false) + +-- Check GLUON_AUTOUPDATER_BRANCH +local default_branch +local f = io.open((os.getenv('IPKG_INSTROOT') or '') .. '/lib/gluon/autoupdater/default_branch') +if f then + default_branch = f:read('*line') + f:close() +end +need_one_of(value('GLUON_AUTOUPDATER_BRANCH', default_branch), branches, false) From 2c65f0834b959a09295052359000eca007f6195d Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 15 May 2022 11:58:13 +0200 Subject: [PATCH 3/6] gluon-autoupdater: factor out default_branch() function Make the code clearer and prepare for invalid branch fixup. --- .../luasrc/lib/gluon/upgrade/500-autoupdater | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) 
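Review bot: The `GLUON_AUTOUPDATER_BRANCH` check at the end of check_site.lua is skipped without any message whenever the `default_branch` file cannot be opened, and with `IPKG_INSTROOT` unset the path falls back to `/lib/gluon/autoupdater/default_branch` on the machine running the check. The trailing `false` passed to `need_one_of` appears to make a nil value acceptable, so a wrong or missing install root looks the same as "no default branch configured". If the file is only installed when the variable is set (not visible here), a comment would help, e.g. `-- file is absent when GLUON_AUTOUPDATER_BRANCH is unset; nil is accepted below`. Consider also whether an unset `IPKG_INSTROOT` should be an error rather than a read from the host root.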
diff --git a/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater b/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater index 6ccd3072..10f6197f 100755 --- a/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater +++ b/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater @@ -21,16 +21,21 @@ for name, config in pairs(site.autoupdater.branches()) do end end +local function default_branch() + local f = io.open('/lib/gluon/autoupdater/default_branch') + if f then + local ret = f:read('*line') + f:close() + return ret + end + + return site.autoupdater.branch(min_branch) +end + if not uci:get('autoupdater', 'settings') then local enabled = unistd.access('/lib/gluon/autoupdater/default_enabled') ~= nil - local branch = site.autoupdater.branch(min_branch) - local f = io.open('/lib/gluon/autoupdater/default_branch') - if f then - branch = f:read('*line') - f:close() - end - + local branch = default_branch() if not branch then enabled = false end From 53cf8796c753029e88749a698eb7d6df9b695254 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Sun, 15 May 2022 11:59:51 +0200 Subject: [PATCH 4/6] gluon-autoupdater: revert to default branch when configured branch is invalid An invalid branch may be set for various reasons: - Previous firmware had an invalid default branch - Branch list has changed and old UCI branch config was removed by a site-specific upgrade script - Manual UCI configuration --- .../luasrc/lib/gluon/upgrade/500-autoupdater | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater b/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater index 10f6197f..351c8e04 100755 --- a/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater +++ b/package/gluon-autoupdater/luasrc/lib/gluon/upgrade/500-autoupdater 
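Review bot: In the new `default_branch()`, an existing but empty `default_branch` file makes `f:read('*line')` return nil, and the function returns that nil instead of falling through to `site.autoupdater.branch(min_branch)`. The caller then sets `enabled = false`, so an empty file turns automatic updates off. The removed inline code behaved the same way, so this is not a regression, but the helper is the natural place to fix it: replace `return ret` with `if ret then return ret end` after `f:close()`.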
@@ -32,20 +32,24 @@ local function default_branch() return site.autoupdater.branch(min_branch) end +local enabled, branch if not uci:get('autoupdater', 'settings') then - local enabled = unistd.access('/lib/gluon/autoupdater/default_enabled') ~= nil + enabled = unistd.access('/lib/gluon/autoupdater/default_enabled') ~= nil +end - local branch = default_branch() +local old_branch = uci:get('autoupdater', 'settings', 'branch') +if not old_branch or not uci:get('autoupdater', old_branch) then + branch = default_branch() if not branch then enabled = false end - - uci:section('autoupdater', 'autoupdater', 'settings', { - enabled = enabled, - branch = branch, - }) end +uci:section('autoupdater', 'autoupdater', 'settings', { + enabled = enabled, + branch = branch, +}) + uci:set('autoupdater', 'settings', 'version_file', '/lib/gluon/release') uci:save('autoupdater') From 3a893f67ce6bfabf0bfb0cac5947a11a1d46c56f Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Fri, 27 May 2022 12:11:20 +0200 Subject: [PATCH 5/6] ci: minimal-site: set good_signatures to 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not fail the new check that good_signatures ≤ #pubkeys. --- contrib/ci/minimal-site/site.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/contrib/ci/minimal-site/site.conf b/contrib/ci/minimal-site/site.conf index 62a5bc3a..a2fdbd39 100644 --- a/contrib/ci/minimal-site/site.conf +++ b/contrib/ci/minimal-site/site.conf @@ -145,7 +145,7 @@ -- Have multiple maintainers sign your build and only -- accept it when a sufficient number of them have -- signed it. - good_signatures = 2, + good_signatures = 0, -- List of public keys of maintainers. pubkeys = { From 92a6b81e8ae603fde73485b5394e49f58723e24b Mon Sep 17 00:00:00 2001 
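Review bot: The validity test `not uci:get('autoupdater', old_branch)` only asks whether some section with that name exists in the `autoupdater` config, not whether that section is a branch. A configured branch value of `settings` therefore passes, because the `settings` section itself exists, and the node keeps a branch that presumably has no mirrors or keys. Comparing the value returned by `uci:get` against the section type that branch sections are created with (that code is outside this hunk) would close the gap. Separately, the fallback silently changes which branch, and so which mirrors and public keys, the node trusts; a comment above the `if` stating that this is intentional would help the next reader.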
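Review bot: The comment directly above this line in contrib/ci/minimal-site/site.conf still tells operators to accept a build only when enough maintainers have signed it, while the value is now `0`. If a threshold of 0 means the updater accepts a manifest without any valid signature (the updater code is not part of this patch), a site copied from this CI template would ship without update verification. I would mark the line, e.g. `good_signatures = 0, -- CI only: no signature required; use a real threshold in production`, or keep a non-zero value and add enough entries to `pubkeys` instead.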
From: Matthias Schiffer Date: Thu, 26 May 2022 22:26:19 +0200 Subject: [PATCH 6/6] gluon-autoupdater: check that good_signatures does not exceed number of provided pubkeys --- package/gluon-autoupdater/check_site.lua | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/package/gluon-autoupdater/check_site.lua b/package/gluon-autoupdater/check_site.lua index 04c88a13..aaf1763c 100644 --- a/package/gluon-autoupdater/check_site.lua +++ b/package/gluon-autoupdater/check_site.lua @@ -3,8 +3,13 @@ local branches = table_keys(need_table({'autoupdater', 'branches'}, function(bra need_string(in_site(extend(branch, {'name'}))) need_string_array_match(extend(branch, {'mirrors'}), '^http://') + + local pubkeys = need_string_array_match(in_site(extend(branch, {'pubkeys'})), '^%x+$') need_number(in_site(extend(branch, {'good_signatures'}))) - need_string_array_match(in_site(extend(branch, {'pubkeys'})), '^%x+$') + need(in_site(extend(branch, {'good_signatures'})), function(good_signatures) + return good_signatures <= #pubkeys + end, nil, string.format('be less than or equal to the number of public keys (%d)', #pubkeys)) + obsolete(in_site(extend(branch, {'probability'})), 'Use GLUON_PRIORITY in site.mk instead.') end))
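Review bot: The new `need()` callback in check_site.lua bounds `good_signatures` only from above; `need_number` still lets 0, negative and fractional values through. Given the `'^http://'` mirror pattern a few lines up, signatures look like the only integrity protection for updates, so a threshold below 1 deserves an explicit decision here. I would tighten the predicate to `return good_signatures >= 0 and good_signatures % 1 == 0 and good_signatures <= #pubkeys`, adjust the message to match, and state in a comment whether 0 is meant to be allowed outside CI. `#pubkeys` also counts duplicate entries, so a key listed twice raises the permitted threshold; whether the updater would count one signer twice is not visible in this patch.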