2021-02-09 21:03:27 +00:00
|
|
|
{- verification
|
|
|
|
-
|
2022-05-09 17:18:47 +00:00
|
|
|
- Copyright 2010-2022 Joey Hess <id@joeyh.name>
|
2021-02-09 21:03:27 +00:00
|
|
|
-
|
|
|
|
- Licensed under the GNU AGPL version 3 or higher.
|
|
|
|
-}
|
|
|
|
|
2021-08-12 18:36:56 +00:00
|
|
|
{-# LANGUAGE CPP #-}
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
{-# LANGUAGE OverloadedStrings #-}
|
2021-08-12 18:36:56 +00:00
|
|
|
|
2021-07-27 18:07:23 +00:00
|
|
|
module Annex.Verify (
|
|
|
|
shouldVerify,
|
2021-07-29 17:36:19 +00:00
|
|
|
verifyKeyContentPostRetrieval,
|
2021-07-27 18:07:23 +00:00
|
|
|
verifyKeyContent,
|
|
|
|
Verification(..),
|
|
|
|
unVerified,
|
|
|
|
warnUnverifiableInsecure,
|
|
|
|
isVerifiable,
|
|
|
|
startVerifyKeyContentIncrementally,
|
2021-08-18 17:35:53 +00:00
|
|
|
finishVerifyKeyContentIncrementally,
|
2022-05-09 17:18:47 +00:00
|
|
|
verifyKeyContentIncrementally,
|
2021-07-27 18:07:23 +00:00
|
|
|
IncrementalVerifier(..),
|
2021-08-12 18:36:56 +00:00
|
|
|
tailVerify,
|
2021-07-27 18:07:23 +00:00
|
|
|
) where
|
2021-02-09 21:03:27 +00:00
|
|
|
|
|
|
|
import Annex.Common
|
|
|
|
import qualified Annex
|
|
|
|
import qualified Types.Remote
|
2021-08-17 16:41:36 +00:00
|
|
|
import Types.Remote (VerifyConfigA(..))
|
2021-07-27 18:07:23 +00:00
|
|
|
import qualified Types.Backend
|
|
|
|
import qualified Backend
|
|
|
|
import Types.Remote (unVerified, Verification(..), RetrievalSecurityPolicy(..))
|
2021-08-18 17:19:02 +00:00
|
|
|
import Utility.Hash (IncrementalVerifier(..))
|
2021-07-27 18:07:23 +00:00
|
|
|
import Annex.WorkerPool
|
|
|
|
import Types.WorkerPool
|
|
|
|
import Types.Key
|
2021-02-09 21:03:27 +00:00
|
|
|
|
2021-08-13 20:36:33 +00:00
|
|
|
import Control.Concurrent.STM
|
2022-05-09 17:18:47 +00:00
|
|
|
import Control.Concurrent.Async
|
2021-08-18 20:35:26 +00:00
|
|
|
import qualified Data.ByteString as S
|
2021-08-12 18:36:56 +00:00
|
|
|
#if WITH_INOTIFY
|
|
|
|
import qualified System.INotify as INotify
|
2021-08-13 17:39:02 +00:00
|
|
|
import qualified System.FilePath.ByteString as P
|
2021-08-12 18:36:56 +00:00
|
|
|
#endif
|
|
|
|
|
2021-02-09 21:03:27 +00:00
|
|
|
shouldVerify :: VerifyConfig -> Annex Bool
|
|
|
|
shouldVerify AlwaysVerify = return True
|
|
|
|
shouldVerify NoVerify = return False
|
|
|
|
shouldVerify DefaultVerify = annexVerify <$> Annex.getGitConfig
|
|
|
|
shouldVerify (RemoteVerify r) =
|
|
|
|
(shouldVerify DefaultVerify
|
|
|
|
<&&> pure (remoteAnnexVerify (Types.Remote.gitconfig r)))
|
|
|
|
-- Export remotes are not key/value stores, so always verify
|
|
|
|
-- content from them even when verification is disabled.
|
|
|
|
<||> Types.Remote.isExportSupported r
|
2021-07-27 18:07:23 +00:00
|
|
|
|
|
|
|
{- Verifies that a file is the expected content of a key.
|
|
|
|
-
|
|
|
|
- Configuration can prevent verification, for either a
|
|
|
|
- particular remote or always, unless the RetrievalSecurityPolicy
|
|
|
|
- requires verification.
|
|
|
|
-
|
|
|
|
- Most keys have a known size, and if so, the file size is checked.
|
|
|
|
-
|
|
|
|
- When the key's backend allows verifying the content (via checksum),
|
|
|
|
- it is checked.
|
|
|
|
-
|
|
|
|
- If the RetrievalSecurityPolicy requires verification and the key's
|
|
|
|
- backend doesn't support it, the verification will fail.
|
|
|
|
-}
|
2021-07-29 17:36:19 +00:00
|
|
|
verifyKeyContentPostRetrieval :: RetrievalSecurityPolicy -> VerifyConfig -> Verification -> Key -> RawFilePath -> Annex Bool
|
|
|
|
verifyKeyContentPostRetrieval rsp v verification k f = case (rsp, verification) of
|
2021-07-27 18:07:23 +00:00
|
|
|
(_, Verified) -> return True
|
|
|
|
(RetrievalVerifiableKeysSecure, _) -> ifM (isVerifiable k)
|
|
|
|
( verify
|
|
|
|
, ifM (annexAllowUnverifiedDownloads <$> Annex.getGitConfig)
|
|
|
|
( verify
|
|
|
|
, warnUnverifiableInsecure k >> return False
|
|
|
|
)
|
|
|
|
)
|
|
|
|
(_, UnVerified) -> ifM (shouldVerify v)
|
|
|
|
( verify
|
|
|
|
, return True
|
|
|
|
)
|
2021-08-16 18:50:21 +00:00
|
|
|
(_, IncompleteVerify _) -> ifM (shouldVerify v)
|
|
|
|
( verify
|
|
|
|
, return True
|
|
|
|
)
|
2022-05-09 16:25:04 +00:00
|
|
|
(_, MustVerify) -> verify
|
|
|
|
(_, MustFinishIncompleteVerify _) -> verify
|
2021-07-27 18:07:23 +00:00
|
|
|
where
|
2021-08-16 18:50:21 +00:00
|
|
|
verify = enteringStage VerifyStage $
|
|
|
|
case verification of
|
2022-05-09 16:25:04 +00:00
|
|
|
IncompleteVerify iv ->
|
|
|
|
resumeVerifyKeyContent k f iv
|
|
|
|
MustFinishIncompleteVerify iv ->
|
|
|
|
resumeVerifyKeyContent k f iv
|
2021-08-16 18:50:21 +00:00
|
|
|
_ -> verifyKeyContent k f
|
2021-07-29 17:36:19 +00:00
|
|
|
|
|
|
|
verifyKeyContent :: Key -> RawFilePath -> Annex Bool
|
2021-08-16 18:50:21 +00:00
|
|
|
verifyKeyContent k f = verifyKeySize k f <&&> verifyKeyContent' k f
|
|
|
|
|
|
|
|
verifyKeyContent' :: Key -> RawFilePath -> Annex Bool
|
|
|
|
verifyKeyContent' k f =
|
|
|
|
Backend.maybeLookupBackendVariety (fromKey keyVariety k) >>= \case
|
2021-07-27 18:07:23 +00:00
|
|
|
Nothing -> return True
|
|
|
|
Just b -> case Types.Backend.verifyKeyContent b of
|
|
|
|
Nothing -> return True
|
|
|
|
Just verifier -> verifier k f
|
|
|
|
|
2021-08-16 18:50:21 +00:00
|
|
|
resumeVerifyKeyContent :: Key -> RawFilePath -> IncrementalVerifier -> Annex Bool
|
2021-11-09 16:29:09 +00:00
|
|
|
resumeVerifyKeyContent k f iv = liftIO (positionIncrementalVerifier iv) >>= \case
|
2021-08-16 18:50:21 +00:00
|
|
|
Nothing -> fallback
|
|
|
|
Just endpos -> do
|
|
|
|
fsz <- liftIO $ catchDefaultIO 0 $ getFileSize f
|
|
|
|
if fsz < endpos
|
|
|
|
then fallback
|
|
|
|
else case fromKey keySize k of
|
|
|
|
Just size | fsz /= size -> return False
|
2021-08-18 17:54:40 +00:00
|
|
|
_ -> go fsz endpos >>= \case
|
|
|
|
Just v -> return v
|
|
|
|
Nothing -> fallback
|
2021-08-16 18:50:21 +00:00
|
|
|
where
|
|
|
|
fallback = verifyKeyContent k f
|
|
|
|
|
|
|
|
go fsz endpos
|
|
|
|
| fsz == endpos =
|
2021-08-18 17:54:40 +00:00
|
|
|
liftIO $ catchDefaultIO (Just False) $
|
2021-11-09 16:29:09 +00:00
|
|
|
finalizeIncrementalVerifier iv
|
2021-08-16 18:50:21 +00:00
|
|
|
| otherwise = do
|
2023-04-10 21:03:41 +00:00
|
|
|
showAction (UnquotedString (descIncrementalVerifier iv))
|
2021-08-18 17:54:40 +00:00
|
|
|
liftIO $ catchDefaultIO (Just False) $
|
2021-08-16 18:50:21 +00:00
|
|
|
withBinaryFile (fromRawFilePath f) ReadMode $ \h -> do
|
|
|
|
hSeek h AbsoluteSeek endpos
|
|
|
|
feedincremental h
|
2021-11-09 16:29:09 +00:00
|
|
|
finalizeIncrementalVerifier iv
|
2021-08-16 18:50:21 +00:00
|
|
|
|
|
|
|
feedincremental h = do
|
|
|
|
b <- S.hGetSome h chunk
|
|
|
|
if S.null b
|
|
|
|
then return ()
|
|
|
|
else do
|
2021-11-09 16:29:09 +00:00
|
|
|
updateIncrementalVerifier iv b
|
2021-08-16 18:50:21 +00:00
|
|
|
feedincremental h
|
|
|
|
|
|
|
|
chunk = 65536
|
|
|
|
|
|
|
|
verifyKeySize :: Key -> RawFilePath -> Annex Bool
|
|
|
|
verifyKeySize k f = case fromKey keySize k of
|
|
|
|
Just size -> do
|
|
|
|
size' <- liftIO $ catchDefaultIO 0 $ getFileSize f
|
|
|
|
return (size' == size)
|
|
|
|
Nothing -> return True
|
|
|
|
|
2021-07-27 18:07:23 +00:00
|
|
|
warnUnverifiableInsecure :: Key -> Annex ()
|
filter out control characters in warning messages
Converted warning and similar to use StringContainingQuotedPath. Most
warnings are static strings, some do refer to filepaths that need to be
quoted, and others don't need quoting.
Note that, since quote filters out control characters of even
UnquotedString, this makes all warnings safe, even when an attacker
sneaks in a control character in some other way.
When json is being output, no quoting is done, since json gets its own
quoting.
This does, as a side effect, make warning messages in json output not
be indented. The indentation is only needed to offset warning messages
underneath the display of the file they apply to, so that's ok.
Sponsored-by: Brett Eisenberg on Patreon
2023-04-10 18:47:32 +00:00
|
|
|
warnUnverifiableInsecure k = warning $ UnquotedString $ unwords
|
2021-07-27 18:07:23 +00:00
|
|
|
[ "Getting " ++ kv ++ " keys with this remote is not secure;"
|
|
|
|
, "the content cannot be verified to be correct."
|
|
|
|
, "(Use annex.security.allow-unverified-downloads to bypass"
|
|
|
|
, "this safety check.)"
|
|
|
|
]
|
|
|
|
where
|
|
|
|
kv = decodeBS (formatKeyVariety (fromKey keyVariety k))
|
|
|
|
|
|
|
|
isVerifiable :: Key -> Annex Bool
|
|
|
|
isVerifiable k = maybe False (isJust . Types.Backend.verifyKeyContent)
|
|
|
|
<$> Backend.maybeLookupBackendVariety (fromKey keyVariety k)
|
|
|
|
|
|
|
|
startVerifyKeyContentIncrementally :: VerifyConfig -> Key -> Annex (Maybe IncrementalVerifier)
|
|
|
|
startVerifyKeyContentIncrementally verifyconfig k =
|
|
|
|
ifM (shouldVerify verifyconfig)
|
|
|
|
( Backend.maybeLookupBackendVariety (fromKey keyVariety k) >>= \case
|
|
|
|
Just b -> case Types.Backend.verifyKeyContentIncrementally b of
|
|
|
|
Just v -> Just <$> v k
|
|
|
|
Nothing -> return Nothing
|
|
|
|
Nothing -> return Nothing
|
|
|
|
, return Nothing
|
|
|
|
)
|
2021-08-12 18:36:56 +00:00
|
|
|
|
2021-08-18 17:35:53 +00:00
|
|
|
finishVerifyKeyContentIncrementally :: Maybe IncrementalVerifier -> Annex (Bool, Verification)
|
|
|
|
finishVerifyKeyContentIncrementally Nothing =
|
|
|
|
return (True, UnVerified)
|
|
|
|
finishVerifyKeyContentIncrementally (Just iv) =
|
2021-11-09 16:29:09 +00:00
|
|
|
liftIO (finalizeIncrementalVerifier iv) >>= \case
|
2021-08-18 17:54:40 +00:00
|
|
|
Just True -> return (True, Verified)
|
|
|
|
Just False -> do
|
2021-08-18 17:35:53 +00:00
|
|
|
warning "verification of content failed"
|
|
|
|
return (False, UnVerified)
|
2021-08-18 17:54:40 +00:00
|
|
|
-- Incremental verification was not able to be done.
|
|
|
|
Nothing -> return (True, UnVerified)
|
2021-08-18 17:35:53 +00:00
|
|
|
|
2022-05-09 17:18:47 +00:00
|
|
|
verifyKeyContentIncrementally :: VerifyConfig -> Key -> (Maybe IncrementalVerifier -> Annex ()) -> Annex Verification
|
|
|
|
verifyKeyContentIncrementally verifyconfig k a = do
|
|
|
|
miv <- startVerifyKeyContentIncrementally verifyconfig k
|
|
|
|
a miv
|
|
|
|
snd <$> finishVerifyKeyContentIncrementally miv
|
|
|
|
|
|
|
|
-- | Runs a writer action that retrieves to a file. In another thread,
|
|
|
|
-- reads the file as it grows, and feeds it to the incremental verifier.
|
2021-08-12 18:36:56 +00:00
|
|
|
--
|
2022-05-09 17:18:47 +00:00
|
|
|
-- Once the writer finishes, this returns quickly. It may not feed
|
|
|
|
-- the entire content of the file to the incremental verifier.
|
2021-08-12 18:36:56 +00:00
|
|
|
--
|
|
|
|
-- The file does not need to exist yet when this is called. It will wait
|
|
|
|
-- for the file to appear before opening it and starting verification.
|
|
|
|
--
|
2021-08-13 17:39:02 +00:00
|
|
|
-- This is not supported for all OSs, and on OS's where it is not
|
2021-08-18 17:54:40 +00:00
|
|
|
-- supported, verification will not happen.
|
2021-08-13 16:32:01 +00:00
|
|
|
--
|
2021-08-16 19:01:28 +00:00
|
|
|
-- The writer probably needs to be another process. If the file is being
|
|
|
|
-- written directly by git-annex, the haskell RTS will prevent opening it
|
2021-08-18 17:54:40 +00:00
|
|
|
-- for read at the same time, and verification will not happen.
|
2021-08-16 19:01:28 +00:00
|
|
|
--
|
2021-08-12 18:36:56 +00:00
|
|
|
-- Note that there are situations where the file may fail to verify despite
|
|
|
|
-- having the correct content. For example, when the file is written out
|
|
|
|
-- of order, or gets replaced part way through. To deal with such cases,
|
2021-08-13 17:39:02 +00:00
|
|
|
-- when verification fails, it should not be treated as if the file's
|
2021-08-12 18:36:56 +00:00
|
|
|
-- content is known to be incorrect, but instead as an indication that the
|
|
|
|
-- file should be verified again, once it's done being written to.
|
|
|
|
--
|
2021-08-13 16:32:01 +00:00
|
|
|
-- (It is also possible, in theory, for a file to verify despite having
|
|
|
|
-- incorrect content. For that to happen, the file would need to have
|
|
|
|
-- the right content when this checks it, but then the content gets
|
|
|
|
-- changed later by whatever is writing to the file.)
|
2021-08-12 18:36:56 +00:00
|
|
|
--
|
|
|
|
-- This should be fairly efficient, reading from the disk cache,
|
|
|
|
-- as long as the writer does not get very far ahead of it. However,
|
|
|
|
-- there are situations where it would be much less expensive to verify
|
|
|
|
-- chunks as they are being written. For example, when resuming with
|
|
|
|
-- a lot of content in the file, all that content needs to be read,
|
|
|
|
-- and if the disk is slow, the reader may never catch up to the writer,
|
|
|
|
-- and the disk cache may never speed up reads. So this should only be
|
|
|
|
-- used when there's not a better way to incrementally verify.
|
2022-05-09 17:18:47 +00:00
|
|
|
tailVerify :: Maybe IncrementalVerifier -> RawFilePath -> Annex a -> Annex a
|
|
|
|
tailVerify (Just iv) f writer = do
|
|
|
|
finished <- liftIO newEmptyTMVarIO
|
|
|
|
t <- liftIO $ async $ tailVerify' iv f finished
|
|
|
|
let finishtail = do
|
|
|
|
liftIO $ atomically $ putTMVar finished ()
|
|
|
|
liftIO (wait t)
|
|
|
|
writer `finally` finishtail
|
|
|
|
tailVerify Nothing _ writer = writer
|
|
|
|
|
|
|
|
tailVerify' :: IncrementalVerifier -> RawFilePath -> TMVar () -> IO ()
|
2021-08-12 18:36:56 +00:00
|
|
|
#if WITH_INOTIFY
|
2022-05-09 17:18:47 +00:00
|
|
|
tailVerify' iv f finished =
|
2021-08-13 20:16:46 +00:00
|
|
|
tryNonAsync go >>= \case
|
2021-08-13 17:39:02 +00:00
|
|
|
Right r -> return r
|
2021-11-09 16:29:09 +00:00
|
|
|
Left _ -> unableIncrementalVerifier iv
|
2021-08-12 18:36:56 +00:00
|
|
|
where
|
2021-08-16 16:42:44 +00:00
|
|
|
-- Watch the directory containing the file, and wait for
|
|
|
|
-- the file to be modified. It's possible that the file already
|
|
|
|
-- exists before the downloader starts, but it replaces it instead
|
|
|
|
-- of resuming, and waiting for modification deals with such
|
|
|
|
-- situations.
|
|
|
|
inotifydirchange i cont =
|
|
|
|
INotify.addWatch i [INotify.Modify] dir $ \case
|
|
|
|
-- Ignore changes to other files in the directory.
|
|
|
|
INotify.Modified { INotify.maybeFilePath = fn }
|
|
|
|
| fn == Just basef -> cont
|
|
|
|
_ -> noop
|
2021-08-12 18:36:56 +00:00
|
|
|
where
|
2021-08-16 16:42:44 +00:00
|
|
|
(dir, basef) = P.splitFileName f
|
2021-08-12 18:36:56 +00:00
|
|
|
|
2021-08-16 16:42:44 +00:00
|
|
|
inotifyfilechange i = INotify.addWatch i [INotify.Modify] f . const
|
|
|
|
|
2021-08-13 17:39:02 +00:00
|
|
|
go = INotify.withINotify $ \i -> do
|
2021-08-12 18:36:56 +00:00
|
|
|
modified <- newEmptyTMVarIO
|
2021-08-16 16:42:44 +00:00
|
|
|
let signalmodified = atomically $ void $ tryPutTMVar modified ()
|
|
|
|
wd <- inotifydirchange i signalmodified
|
|
|
|
let cleanup = void . tryNonAsync . INotify.removeWatch
|
|
|
|
let stop w = do
|
|
|
|
cleanup w
|
2021-11-09 16:29:09 +00:00
|
|
|
unableIncrementalVerifier iv
|
2021-08-16 16:42:44 +00:00
|
|
|
waitopen modified >>= \case
|
|
|
|
Nothing -> stop wd
|
|
|
|
Just h -> do
|
|
|
|
cleanup wd
|
|
|
|
wf <- inotifyfilechange i signalmodified
|
|
|
|
tryNonAsync (follow h modified) >>= \case
|
2021-08-16 18:50:21 +00:00
|
|
|
Left _ -> stop wf
|
|
|
|
Right () -> cleanup wf
|
|
|
|
hClose h
|
2021-08-13 19:35:18 +00:00
|
|
|
|
2021-08-16 16:42:44 +00:00
|
|
|
waitopen modified = do
|
|
|
|
v <- atomically $
|
|
|
|
(Just <$> takeTMVar modified)
|
|
|
|
`orElse`
|
|
|
|
((const Nothing) <$> takeTMVar finished)
|
|
|
|
case v of
|
2021-08-16 19:01:28 +00:00
|
|
|
Just () -> do
|
|
|
|
r <- tryNonAsync $
|
|
|
|
tryWhenExists (openBinaryFile (fromRawFilePath f) ReadMode) >>= \case
|
|
|
|
Just h -> return (Just h)
|
|
|
|
-- File does not exist, must have been
|
|
|
|
-- deleted. Wait for next modification
|
|
|
|
-- and try again.
|
|
|
|
Nothing -> waitopen modified
|
|
|
|
case r of
|
|
|
|
Right r' -> return r'
|
|
|
|
-- Permission error prevents
|
|
|
|
-- reading, or this same process
|
|
|
|
-- is writing to the file,
|
|
|
|
-- and it cannot be read at the
|
|
|
|
-- same time.
|
|
|
|
Left _ -> return Nothing
|
2021-08-16 16:42:44 +00:00
|
|
|
-- finished without the file being modified
|
|
|
|
Nothing -> return Nothing
|
2021-08-12 18:36:56 +00:00
|
|
|
|
|
|
|
follow h modified = do
|
|
|
|
b <- S.hGetNonBlocking h chunk
|
|
|
|
if S.null b
|
|
|
|
then do
|
|
|
|
-- We've caught up to the writer.
|
|
|
|
-- Wait for the file to get modified again,
|
|
|
|
-- or until we're told it is done being
|
|
|
|
-- written.
|
|
|
|
cont <- atomically $
|
2021-08-16 18:50:21 +00:00
|
|
|
(const (follow h modified)
|
2021-08-12 18:36:56 +00:00
|
|
|
<$> takeTMVar modified)
|
|
|
|
`orElse`
|
2021-08-16 18:50:21 +00:00
|
|
|
(const (return ())
|
2021-08-13 16:32:01 +00:00
|
|
|
<$> takeTMVar finished)
|
2021-08-12 18:36:56 +00:00
|
|
|
cont
|
|
|
|
else do
|
2021-11-09 16:29:09 +00:00
|
|
|
updateIncrementalVerifier iv b
|
2021-08-13 16:32:01 +00:00
|
|
|
atomically (tryTakeTMVar finished) >>= \case
|
|
|
|
Nothing -> follow h modified
|
2021-08-16 18:50:21 +00:00
|
|
|
Just () -> return ()
|
2021-08-12 18:36:56 +00:00
|
|
|
|
|
|
|
chunk = 65536
|
|
|
|
#else
|
2022-05-09 17:18:47 +00:00
|
|
|
tailVerify' iv _ _ = unableIncrementalVerifier iv
|
2021-08-12 18:36:56 +00:00
|
|
|
#endif
|