mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-11-14 02:50:12 +01:00
332 lines
14 KiB
Python
Executable File
332 lines
14 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
|
|
#
|
|
# command which created the keystore used in this test case:
|
|
#
|
|
# $ for ALIAS in repokey a163ec9b d2d51ff2 dc3b169e 78688a0f; \
|
|
# do keytool -genkey -keystore dummy-keystore.jks \
|
|
# -alias $ALIAS -keyalg 'RSA' -keysize '2048' \
|
|
# -validity '10000' -storepass 123456 -storetype jks \
|
|
# -keypass 123456 -dname 'CN=test, OU=F-Droid'; done
|
|
#
|
|
|
|
import inspect
|
|
import json
|
|
import logging
|
|
import optparse
|
|
import os
|
|
import shutil
|
|
import sys
|
|
import unittest
|
|
import tempfile
|
|
import textwrap
|
|
from unittest import mock
|
|
|
|
localmodule = os.path.realpath(
|
|
os.path.join(os.path.dirname(inspect.getfile(inspect.currentframe())), '..'))
|
|
print('localmodule: ' + localmodule)
|
|
if localmodule not in sys.path:
|
|
sys.path.insert(0, localmodule)
|
|
|
|
from fdroidserver import publish
|
|
from fdroidserver import common
|
|
from fdroidserver import metadata
|
|
from fdroidserver import signatures
|
|
from fdroidserver.exception import FDroidException
|
|
|
|
|
|
class PublishTest(unittest.TestCase):
|
|
'''fdroidserver/publish.py'''
|
|
|
|
def setUp(self):
|
|
logging.basicConfig(level=logging.DEBUG)
|
|
self.basedir = os.path.join(localmodule, 'tests')
|
|
self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles'))
|
|
if not os.path.exists(self.tmpdir):
|
|
os.makedirs(self.tmpdir)
|
|
os.chdir(self.basedir)
|
|
|
|
def test_key_alias(self):
|
|
publish.config = {}
|
|
self.assertEqual('a163ec9b', publish.key_alias('com.example.app'))
|
|
self.assertEqual('d2d51ff2', publish.key_alias('com.example.anotherapp'))
|
|
self.assertEqual('dc3b169e', publish.key_alias('org.test.testy'))
|
|
self.assertEqual('78688a0f', publish.key_alias('org.org.org'))
|
|
|
|
self.assertEqual('ee8807d2', publish.key_alias("org.schabi.newpipe"))
|
|
self.assertEqual('b53c7e11', publish.key_alias("de.grobox.liberario"))
|
|
|
|
publish.config = {'keyaliases': {'yep.app': '@org.org.org',
|
|
'com.example.app': '1a2b3c4d'}}
|
|
self.assertEqual('78688a0f', publish.key_alias('yep.app'))
|
|
self.assertEqual('1a2b3c4d', publish.key_alias('com.example.app'))
|
|
|
|
def test_read_fingerprints_from_keystore(self):
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
publish.config['keystorepass'] = '123456'
|
|
publish.config['keypass'] = '123456'
|
|
publish.config['keystore'] = 'dummy-keystore.jks'
|
|
|
|
expected = {'78688a0f': '277655a6235bc6b0ef2d824396c51ba947f5ebc738c293d887e7083ff338af82',
|
|
'd2d51ff2': 'fa3f6a017541ee7fe797be084b1bcfbf92418a7589ef1f7fdeb46741b6d2e9c3',
|
|
'dc3b169e': '6ae5355157a47ddcc3834a71f57f6fb5a8c2621c8e0dc739e9ddf59f865e497c',
|
|
'a163ec9b': 'd34f678afbaa8f2fa6cc0edd6f0c2d1d2e2e9eb08bea521b24c740806016bff4',
|
|
'repokey': 'c58460800c7b250a619c30c13b07b7359a43e5af71a4352d86c58ae18c9f6d41'}
|
|
result = publish.read_fingerprints_from_keystore()
|
|
self.maxDiff = None
|
|
self.assertEqual(expected, result)
|
|
|
|
def test_store_and_load_fdroid_signing_key_fingerprints(self):
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
publish.config['keystorepass'] = '123456'
|
|
publish.config['keypass'] = '123456'
|
|
publish.config['keystore'] = os.path.join(os.getcwd(),
|
|
'dummy-keystore.jks')
|
|
publish.config['repo_keyalias'] = 'repokey'
|
|
|
|
appids = ['com.example.app',
|
|
'net.unavailable',
|
|
'org.test.testy',
|
|
'com.example.anotherapp',
|
|
'org.org.org']
|
|
|
|
testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
|
|
os.chdir(testdir)
|
|
with open('config.py', 'w') as f:
|
|
pass
|
|
|
|
publish.store_stats_fdroid_signing_key_fingerprints(appids, indent=2)
|
|
|
|
self.maxDiff = None
|
|
expected = {
|
|
"com.example.anotherapp": {
|
|
"signer": "fa3f6a017541ee7fe797be084b1bcfbf92418a7589ef1f7fdeb46741b6d2e9c3"
|
|
},
|
|
"com.example.app": {
|
|
"signer": "d34f678afbaa8f2fa6cc0edd6f0c2d1d2e2e9eb08bea521b24c740806016bff4"
|
|
},
|
|
"org.org.org": {
|
|
"signer": "277655a6235bc6b0ef2d824396c51ba947f5ebc738c293d887e7083ff338af82"
|
|
},
|
|
"org.test.testy": {
|
|
"signer": "6ae5355157a47ddcc3834a71f57f6fb5a8c2621c8e0dc739e9ddf59f865e497c"
|
|
}
|
|
}
|
|
self.assertEqual(expected, common.load_stats_fdroid_signing_key_fingerprints())
|
|
|
|
with open('config.py', 'r') as f:
|
|
self.assertEqual(textwrap.dedent('''\
|
|
|
|
repo_key_sha256 = "c58460800c7b250a619c30c13b07b7359a43e5af71a4352d86c58ae18c9f6d41"
|
|
'''), f.read())
|
|
|
|
def test_store_and_load_fdroid_signing_key_fingerprints_with_missmatch(self):
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
publish.config['keystorepass'] = '123456'
|
|
publish.config['keypass'] = '123456'
|
|
publish.config['keystore'] = os.path.join(os.getcwd(),
|
|
'dummy-keystore.jks')
|
|
publish.config['repo_keyalias'] = 'repokey'
|
|
publish.config['repo_key_sha256'] = 'bad bad bad bad bad bad bad bad bad bad bad bad'
|
|
|
|
testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
|
|
os.chdir(testdir)
|
|
publish.store_stats_fdroid_signing_key_fingerprints({}, indent=2)
|
|
with self.assertRaises(FDroidException):
|
|
common.load_stats_fdroid_signing_key_fingerprints()
|
|
|
|
def test_reproducible_binaries_process(self):
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
publish.config['keystore'] = 'keystore.jks'
|
|
publish.config['repo_keyalias'] = 'sova'
|
|
publish.config['keystorepass'] = 'r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI='
|
|
publish.config['keypass'] = 'r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI='
|
|
testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
|
|
|
|
shutil.copy('keystore.jks', testdir)
|
|
os.mkdir(os.path.join(testdir, 'repo'))
|
|
metadata_dir = os.path.join(testdir, 'metadata')
|
|
os.mkdir(metadata_dir)
|
|
shutil.copy(os.path.join('metadata', 'com.politedroid.yml'), metadata_dir)
|
|
with open(os.path.join(metadata_dir, 'com.politedroid.yml'), 'a') as fp:
|
|
fp.write('\nBinaries: https://placeholder/foo%v.apk\n')
|
|
os.mkdir(os.path.join(testdir, 'unsigned'))
|
|
shutil.copy('repo/com.politedroid_6.apk', os.path.join(testdir, 'unsigned'))
|
|
os.mkdir(os.path.join(testdir, 'unsigned', 'binaries'))
|
|
shutil.copy('repo/com.politedroid_6.apk',
|
|
os.path.join(testdir, 'unsigned', 'binaries', 'com.politedroid_6.binary.apk'))
|
|
|
|
os.chdir(testdir)
|
|
with mock.patch.object(sys, 'argv', ['fdroid fakesubcommand']):
|
|
publish.main()
|
|
|
|
def test_check_for_key_collisions(self):
|
|
from fdroidserver.metadata import App
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
|
|
randomappids = [
|
|
"org.fdroid.fdroid",
|
|
"a.b.c",
|
|
"u.v.w.x.y.z",
|
|
"lpzpkgqwyevnmzvrlaazhgardbyiyoybyicpmifkyrxkobljoz",
|
|
"vuslsm.jlrevavz.qnbsenmizhur.lprwbjiujtu.ekiho",
|
|
"w.g.g.w.p.v.f.v.gvhyz",
|
|
"nlozuqer.ufiinmrbjqboogsjgmpfks.dywtpcpnyssjmqz",
|
|
]
|
|
allapps = {}
|
|
for appid in randomappids:
|
|
allapps[appid] = App()
|
|
allaliases = publish.check_for_key_collisions(allapps)
|
|
self.assertEqual(len(randomappids), len(allaliases))
|
|
|
|
allapps = {'tof.cv.mpp': App(), 'j6mX276h': App()}
|
|
self.assertEqual(publish.key_alias('tof.cv.mpp'), publish.key_alias('j6mX276h'))
|
|
self.assertRaises(SystemExit, publish.check_for_key_collisions, allapps)
|
|
|
|
def test_create_key_if_not_existing(self):
|
|
try:
|
|
import jks
|
|
import jks.util
|
|
except ImportError:
|
|
self.skipTest("pyjks not installed")
|
|
common.config = {}
|
|
common.fill_config_defaults(common.config)
|
|
publish.config = common.config
|
|
publish.config['keystorepass'] = '123456'
|
|
publish.config['keypass'] = '654321'
|
|
publish.config['keystore'] = "keystore.jks"
|
|
publish.config['keydname'] = 'CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US'
|
|
testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
|
|
os.chdir(testdir)
|
|
keystore = jks.KeyStore.new("jks", [])
|
|
keystore.save(publish.config['keystore'], publish.config['keystorepass'])
|
|
|
|
self.assertTrue(publish.create_key_if_not_existing("newalias"))
|
|
# The second time we try that, a new key should not be created
|
|
self.assertFalse(publish.create_key_if_not_existing("newalias"))
|
|
self.assertTrue(publish.create_key_if_not_existing("anotheralias"))
|
|
|
|
keystore = jks.KeyStore.load(publish.config['keystore'], publish.config['keystorepass'])
|
|
self.assertCountEqual(keystore.private_keys, ["newalias", "anotheralias"])
|
|
for alias, pk in keystore.private_keys.items():
|
|
self.assertFalse(pk.is_decrypted())
|
|
pk.decrypt(publish.config['keypass'])
|
|
self.assertTrue(pk.is_decrypted())
|
|
self.assertEqual(jks.util.RSA_ENCRYPTION_OID, pk.algorithm_oid)
|
|
|
|
def test_status_update_json(self):
|
|
common.config = {}
|
|
publish.config = {}
|
|
with tempfile.TemporaryDirectory() as tmpdir:
|
|
os.chdir(tmpdir)
|
|
with mock.patch('sys.argv', ['fdroid publish', '']):
|
|
publish.status_update_json([], [])
|
|
with open('repo/status/publish.json') as fp:
|
|
data = json.load(fp)
|
|
self.assertTrue('apksigner' in data)
|
|
|
|
publish.config = {
|
|
'apksigner': 'apksigner',
|
|
}
|
|
publish.status_update_json([], [])
|
|
with open('repo/status/publish.json') as fp:
|
|
data = json.load(fp)
|
|
self.assertEqual(shutil.which(publish.config['apksigner']), data['apksigner'])
|
|
|
|
publish.config = {}
|
|
common.fill_config_defaults(publish.config)
|
|
publish.status_update_json([], [])
|
|
with open('repo/status/publish.json') as fp:
|
|
data = json.load(fp)
|
|
self.assertEqual(publish.config.get('apksigner'), data['apksigner'])
|
|
self.assertEqual(publish.config['jarsigner'], data['jarsigner'])
|
|
self.assertEqual(publish.config['keytool'], data['keytool'])
|
|
|
|
def test_sign_then_implant_signature(self):
|
|
|
|
class Options:
|
|
verbose = False
|
|
|
|
testdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=self.tmpdir)
|
|
os.chdir(testdir)
|
|
|
|
config = common.read_config(Options)
|
|
if 'apksigner' not in config:
|
|
self.skipTest('SKIPPING test_sign_then_implant_signature, apksigner not installed!')
|
|
config['repo_keyalias'] = 'sova'
|
|
config['keystorepass'] = 'r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI='
|
|
config['keypass'] = 'r9aquRHYoI8+dYz6jKrLntQ5/NJNASFBacJh7Jv2BlI='
|
|
shutil.copy(os.path.join(self.basedir, 'keystore.jks'), testdir)
|
|
config['keystore'] = 'keystore.jks'
|
|
config['keydname'] = 'CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US'
|
|
publish.config = config
|
|
common.config = config
|
|
|
|
app = metadata.App()
|
|
app.id = 'org.fdroid.ci'
|
|
versionCode = 1
|
|
build = metadata.Build(
|
|
{
|
|
'versionCode': versionCode,
|
|
'versionName': '1.0',
|
|
}
|
|
)
|
|
app.Builds = [build]
|
|
os.mkdir('metadata')
|
|
metadata.write_metadata(os.path.join('metadata', '%s.yml' % app.id), app)
|
|
|
|
os.mkdir('unsigned')
|
|
testapk = os.path.join(self.basedir, 'no_targetsdk_minsdk1_unsigned.apk')
|
|
unsigned = os.path.join('unsigned', common.get_release_filename(app, build))
|
|
signed = os.path.join('repo', common.get_release_filename(app, build))
|
|
shutil.copy(testapk, unsigned)
|
|
|
|
# sign the unsigned APK
|
|
self.assertTrue(os.path.exists(unsigned))
|
|
self.assertFalse(os.path.exists(signed))
|
|
with mock.patch('sys.argv', ['fdroid publish', '%s:%d' % (app.id, versionCode)]):
|
|
publish.main()
|
|
self.assertFalse(os.path.exists(unsigned))
|
|
self.assertTrue(os.path.exists(signed))
|
|
|
|
with mock.patch('sys.argv', ['fdroid signatures', signed]):
|
|
signatures.main()
|
|
self.assertTrue(
|
|
os.path.exists(
|
|
os.path.join('metadata', 'org.fdroid.ci', 'signatures', '1', 'MANIFEST.MF')
|
|
)
|
|
)
|
|
os.remove(signed)
|
|
|
|
# implant the signature into the unsigned APK
|
|
shutil.copy(testapk, unsigned)
|
|
self.assertTrue(os.path.exists(unsigned))
|
|
self.assertFalse(os.path.exists(signed))
|
|
with mock.patch('sys.argv', ['fdroid publish', '%s:%d' % (app.id, versionCode)]):
|
|
publish.main()
|
|
self.assertFalse(os.path.exists(unsigned))
|
|
self.assertTrue(os.path.exists(signed))
|
|
|
|
|
|
if __name__ == "__main__":
|
|
os.chdir(os.path.dirname(__file__))
|
|
|
|
parser = optparse.OptionParser()
|
|
parser.add_option("-v", "--verbose", action="store_true", default=False,
|
|
help="Spew out even more information than normal")
|
|
(common.options, args) = parser.parse_args(['--verbose'])
|
|
|
|
newSuite = unittest.TestSuite()
|
|
newSuite.addTest(unittest.makeSuite(PublishTest))
|
|
unittest.main(failfast=False)
|