From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: [bug#45409] [PATCH v3 1/3] substitute: Untangle skipping authentication from valid-narinfo?.
References: <87y2hn9l8j.fsf@cbaines.net>
In-Reply-To: <87y2hn9l8j.fsf@cbaines.net>
To: 45409@debbugs.gnu.org
From: Christopher Baines
Date: Mon, 4 Jan 2021 21:19:25 +0000
Message-Id: <20210104211927.14959-1-mail@cbaines.net>

Rather than having valid-narinfo? evaluate to #t if
%allow-unauthenticated-substitutes? is set to #t, just use (const #t) for
valid-narinfo? when %allow-unauthenticated-substitutes? is set to #t.

This will allow moving valid-narinfo? into a (guix substitutes) module.

* guix/scripts/substitute.scm (process-query, process-substitution): Change
the authorized? argument to lookup-narinfo and lookup-narinfos/diverse based
on %allow-unauthenticated-substitutes?.
(valid-narinfo?): Remove use of %allow-unauthenticated-substitutes?.
--- guix/scripts/substitute.scm | 77 ++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 36 deletions(-) diff --git a/guix/scripts/substitute.scm b/guix/scripts/substitute.scm index e53de8c304..14fb848880 100755 --- a/guix/scripts/substitute.scm +++ b/guix/scripts/substitute.scm @@ -2,6 +2,7 @@ ;;; Copyright © 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès ;;; Copyright © 2014 Nikita Karetnikov ;;; Copyright © 2018 Kyle Meyer +;;; Copyright © 2020 Christopher Baines ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -375,38 +376,37 @@ No authentication and authorization checks are performed here!" (define* (valid-narinfo? narinfo #:optional (acl (current-acl)) #:key verbose?) "Return #t if NARINFO's signature is not valid." - (or (%allow-unauthenticated-substitutes?) - (let ((hash (narinfo-sha256 narinfo)) - (signature (narinfo-signature narinfo)) - (uri (uri->string (first (narinfo-uris narinfo))))) - (and hash signature - (signature-case (signature hash acl) - (valid-signature #t) - (invalid-signature - (when verbose? - (format (current-error-port) - "invalid signature for substitute at '~a'~%" - uri)) - #f) - (hash-mismatch - (when verbose? - (format (current-error-port) - "hash mismatch for substitute at '~a'~%" - uri)) - #f) - (unauthorized-key - (when verbose? - (format (current-error-port) - "substitute at '~a' is signed by an \ + (let ((hash (narinfo-sha256 narinfo)) + (signature (narinfo-signature narinfo)) + (uri (uri->string (first (narinfo-uris narinfo))))) + (and hash signature + (signature-case (signature hash acl) + (valid-signature #t) + (invalid-signature + (when verbose? + (format (current-error-port) + "invalid signature for substitute at '~a'~%" + uri)) + #f) + (hash-mismatch + (when verbose? + (format (current-error-port) + "hash mismatch for substitute at '~a'~%" + uri)) + #f) + (unauthorized-key + (when verbose? + (format (current-error-port) + "substitute at '~a' is signed by an \ unauthorized party~%" - uri)) - #f) - (corrupt-signature - (when verbose? - (format (current-error-port) - "corrupt signature for substitute at '~a'~%" - uri)) - #f)))))) + uri)) + #f) + (corrupt-signature + (when verbose? + (format (current-error-port) + "corrupt signature for substitute at '~a'~%" + uri)) + #f))))) (define (write-narinfo narinfo port) "Write NARINFO to PORT." 
@@ -918,11 +918,14 @@ expected by the daemon." "Reply to COMMAND, a query as written by the daemon to this process's standard input. Use ACL as the access-control list against which to check authorized substitutes." - (define (valid? obj) - (valid-narinfo? obj acl)) + (define valid? + (if (%allow-unauthenticated-substitutes?) + (begin + (warn-about-missing-authentication) - (when (%allow-unauthenticated-substitutes?) - (warn-about-missing-authentication)) + (const #t)) + (lambda (obj) + (valid-narinfo? obj acl)))) (match (string-tokenize command) (("have" paths ..1) @@ -1079,7 +1082,9 @@ DESTINATION is in the store, deduplicate its files. Print a status line on the current output port." (define narinfo (lookup-narinfo cache-urls store-item - (cut valid-narinfo? <> acl))) + (if (%allow-unauthenticated-substitutes?) + (const #t) + (cut valid-narinfo? <> acl)))) (define destination-in-store? (string-prefix? (string-append (%store-prefix) "/") -- 2.29.2
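Review bot: In the valid-narinfo? hunk (@@ -375,38 +376,37 @@), the docstring kept as context still reads "Return #t if NARINFO's signature is not valid.", which is the opposite of what the body does: #t comes only from the valid-signature branch, and invalid-signature, hash-mismatch, unauthorized-key and corrupt-signature all yield #f. With the %allow-unauthenticated-substitutes? shortcut removed and the procedure about to move to its own module, this is the moment to correct it, for example "Return #t if NARINFO's signature is valid and made by a key authorized in ACL.", and to mention that a narinfo with no hash or no signature also returns #f through the (and hash signature ...) test.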
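Review bot: In the process-query hunk (@@ -918,11 +918,14 @@), the new definition of valid? calls (warn-about-missing-authentication) inside the same begin that returns (const #t), so a user-facing warning now fires as a side effect of defining a predicate and is easy to overlook when reading the procedure. Consider keeping the removed (when (%allow-unauthenticated-substitutes?) (warn-about-missing-authentication)) form as it was and letting the if only choose between (const #t) and (lambda (obj) (valid-narinfo? obj acl)). The added lines are also split around the removed when form, which suggests an unchanged blank line ends up between (warn-about-missing-authentication) and (const #t); if so, it should be dropped.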
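Review bot: In the process-substitution hunk (@@ -1079,7 +1082,9 @@), the (if (%allow-unauthenticated-substitutes?) (const #t) (cut valid-narinfo? <> acl)) expression repeats the selection already written in process-query, and unlike that one it does not call warn-about-missing-authentication, so on this path signature checking is switched off silently. A small helper that takes ACL and returns the predicate would keep the two call sites from drifting apart and leave one place where the bypass is decided; please also say in the commit message whether the missing warning here is intended.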