2016-03-29 14:29:50 +02:00
|
|
|
#include "command.hh"
|
|
|
|
#include "shared.hh"
|
|
|
|
#include "store-api.hh"
|
|
|
|
#include "sync.hh"
|
|
|
|
#include "thread-pool.hh"
|
2018-03-30 00:56:13 +02:00
|
|
|
#include "references.hh"
|
2016-03-29 14:29:50 +02:00
|
|
|
|
|
|
|
#include <atomic>
|
|
|
|
|
|
|
|
using namespace nix;
|
|
|
|
|
2016-04-14 21:14:29 +02:00
|
|
|
struct CmdVerify : StorePathsCommand
|
2016-03-29 14:29:50 +02:00
|
|
|
{
|
|
|
|
bool noContents = false;
|
2016-04-07 15:14:12 +02:00
|
|
|
bool noTrust = false;
|
2016-03-30 11:18:54 +02:00
|
|
|
Strings substituterUris;
|
2019-10-10 15:03:01 +02:00
|
|
|
size_t sigsNeeded = 0;
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2016-04-14 21:14:29 +02:00
|
|
|
CmdVerify()
|
2016-03-29 14:29:50 +02:00
|
|
|
{
|
2021-01-13 14:18:04 +01:00
|
|
|
mkFlag(0, "no-contents", "Do not verify the contents of each store path.", &noContents);
|
|
|
|
mkFlag(0, "no-trust", "Do not verify whether each store path is trusted.", &noTrust);
|
2021-01-08 10:44:55 +01:00
|
|
|
|
2020-05-04 22:40:19 +02:00
|
|
|
addFlag({
|
|
|
|
.longName = "substituter",
|
|
|
|
.shortName = 's',
|
2021-01-13 14:18:04 +01:00
|
|
|
.description = "Use signatures from the specified store.",
|
2020-05-04 22:40:19 +02:00
|
|
|
.labels = {"store-uri"},
|
|
|
|
.handler = {[&](std::string s) { substituterUris.push_back(s); }}
|
|
|
|
});
|
2021-01-08 10:44:55 +01:00
|
|
|
|
|
|
|
addFlag({
|
|
|
|
.longName = "sigs-needed",
|
|
|
|
.shortName = 'n',
|
2021-01-13 14:18:04 +01:00
|
|
|
.description = "Require that each path has at least *n* valid signatures.",
|
2021-01-08 10:44:55 +01:00
|
|
|
.labels = {"n"},
|
|
|
|
.handler = {&sigsNeeded}
|
|
|
|
});
|
2016-03-29 14:29:50 +02:00
|
|
|
}
|
|
|
|
|
2016-04-14 21:14:29 +02:00
|
|
|
std::string description() override
|
|
|
|
{
|
|
|
|
return "verify the integrity of store paths";
|
|
|
|
}
|
|
|
|
|
2020-12-09 23:45:06 +01:00
|
|
|
std::string doc() override
|
2016-04-21 14:58:32 +02:00
|
|
|
{
|
2020-12-09 23:45:06 +01:00
|
|
|
return
|
|
|
|
#include "verify.md"
|
|
|
|
;
|
2016-04-21 14:58:32 +02:00
|
|
|
}
|
|
|
|
|
2019-12-05 19:11:09 +01:00
|
|
|
void run(ref<Store> store, StorePaths storePaths) override
|
2016-03-29 14:29:50 +02:00
|
|
|
{
|
2016-03-30 11:18:54 +02:00
|
|
|
std::vector<ref<Store>> substituters;
|
|
|
|
for (auto & s : substituterUris)
|
2016-09-02 12:35:48 +02:00
|
|
|
substituters.push_back(openStore(s));
|
2016-03-30 11:18:54 +02:00
|
|
|
|
2016-03-29 14:29:50 +02:00
|
|
|
auto publicKeys = getDefaultPublicKeys();
|
|
|
|
|
2020-06-19 00:09:22 +02:00
|
|
|
Activity act(*logger, actVerifyPaths);
|
2017-08-16 19:23:46 +02:00
|
|
|
|
2016-04-25 15:26:07 +02:00
|
|
|
std::atomic<size_t> done{0};
|
2016-03-29 14:29:50 +02:00
|
|
|
std::atomic<size_t> untrusted{0};
|
|
|
|
std::atomic<size_t> corrupted{0};
|
|
|
|
std::atomic<size_t> failed{0};
|
2017-08-16 19:23:46 +02:00
|
|
|
std::atomic<size_t> active{0};
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2017-08-16 19:23:46 +02:00
|
|
|
auto update = [&]() {
|
|
|
|
act.progress(done, storePaths.size(), active, failed);
|
|
|
|
};
|
2016-03-29 14:29:50 +02:00
|
|
|
|
|
|
|
ThreadPool pool;
|
|
|
|
|
|
|
|
auto doPath = [&](const Path & storePath) {
|
|
|
|
try {
|
2016-03-30 11:18:54 +02:00
|
|
|
checkInterrupt();
|
|
|
|
|
2017-08-16 19:23:46 +02:00
|
|
|
MaintainCount<std::atomic<size_t>> mcActive(active);
|
|
|
|
update();
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2019-12-05 19:11:09 +01:00
|
|
|
auto info = store->queryPathInfo(store->parseStorePath(storePath));
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2020-07-13 20:12:44 +02:00
|
|
|
// Note: info->path can be different from storePath
|
|
|
|
// for binary cache stores when using --all (since we
|
|
|
|
// can't enumerate names efficiently).
|
|
|
|
Activity act2(*logger, lvlInfo, actUnknown, fmt("checking '%s'", store->printStorePath(info->path)));
|
|
|
|
|
2016-03-29 14:29:50 +02:00
|
|
|
if (!noContents) {
|
|
|
|
|
2018-03-30 00:56:13 +02:00
|
|
|
std::unique_ptr<AbstractHashSink> hashSink;
|
2020-06-02 18:47:18 +02:00
|
|
|
if (!info->ca)
|
2020-08-05 20:42:48 +02:00
|
|
|
hashSink = std::make_unique<HashSink>(info->narHash.type);
|
2018-03-30 00:56:13 +02:00
|
|
|
else
|
2020-08-05 20:42:48 +02:00
|
|
|
hashSink = std::make_unique<HashModuloSink>(info->narHash.type, std::string(info->path.hashPart()));
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2018-03-30 00:56:13 +02:00
|
|
|
store->narFromPath(info->path, *hashSink);
|
|
|
|
|
|
|
|
auto hash = hashSink->finish();
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2020-08-05 20:42:48 +02:00
|
|
|
if (hash.first != info->narHash) {
|
2017-08-16 19:23:46 +02:00
|
|
|
corrupted++;
|
2020-06-19 00:09:22 +02:00
|
|
|
act2.result(resCorruptedPath, store->printStorePath(info->path));
|
2021-01-21 00:27:36 +01:00
|
|
|
printError("path '%s' was modified! expected hash '%s', got '%s'",
|
|
|
|
store->printStorePath(info->path),
|
|
|
|
info->narHash.to_string(Base32, true),
|
|
|
|
hash.first.to_string(Base32, true));
|
2016-03-29 14:29:50 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-04-07 15:14:12 +02:00
|
|
|
if (!noTrust) {
|
2016-03-29 14:29:50 +02:00
|
|
|
|
2016-03-30 11:18:54 +02:00
|
|
|
bool good = false;
|
|
|
|
|
2016-04-19 18:50:15 +02:00
|
|
|
if (info->ultimate && !sigsNeeded)
|
2016-03-30 11:18:54 +02:00
|
|
|
good = true;
|
|
|
|
|
2016-04-07 15:14:12 +02:00
|
|
|
else {
|
|
|
|
|
|
|
|
StringSet sigsSeen;
|
2019-10-10 15:03:01 +02:00
|
|
|
size_t actualSigsNeeded = std::max(sigsNeeded, (size_t) 1);
|
2016-04-07 15:14:12 +02:00
|
|
|
size_t validSigs = 0;
|
|
|
|
|
|
|
|
auto doSigs = [&](StringSet sigs) {
|
|
|
|
for (auto sig : sigs) {
|
2019-10-09 15:51:52 +02:00
|
|
|
if (!sigsSeen.insert(sig).second) continue;
|
2019-12-05 19:11:09 +01:00
|
|
|
if (validSigs < ValidPathInfo::maxSigs && info->checkSignature(*store, publicKeys, sig))
|
2016-04-07 15:14:12 +02:00
|
|
|
validSigs++;
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2016-08-03 13:17:11 +02:00
|
|
|
if (info->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
|
|
|
2016-04-19 18:50:15 +02:00
|
|
|
doSigs(info->sigs);
|
2016-03-30 11:18:54 +02:00
|
|
|
|
|
|
|
for (auto & store2 : substituters) {
|
2016-04-07 15:14:12 +02:00
|
|
|
if (validSigs >= actualSigsNeeded) break;
|
|
|
|
try {
|
2016-08-03 13:17:11 +02:00
|
|
|
auto info2 = store2->queryPathInfo(info->path);
|
|
|
|
if (info2->isContentAddressed(*store)) validSigs = ValidPathInfo::maxSigs;
|
|
|
|
doSigs(info2->sigs);
|
2016-04-19 18:50:15 +02:00
|
|
|
} catch (InvalidPath &) {
|
2016-04-07 15:14:12 +02:00
|
|
|
} catch (Error & e) {
|
2020-05-01 00:31:47 +02:00
|
|
|
logError(e.info());
|
2016-03-30 11:18:54 +02:00
|
|
|
}
|
|
|
|
}
|
2016-04-07 15:14:12 +02:00
|
|
|
|
|
|
|
if (validSigs >= actualSigsNeeded)
|
|
|
|
good = true;
|
2016-03-30 11:18:54 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!good) {
|
2016-03-29 14:29:50 +02:00
|
|
|
untrusted++;
|
2020-06-19 00:09:22 +02:00
|
|
|
act2.result(resUntrustedPath, store->printStorePath(info->path));
|
2021-01-21 00:27:36 +01:00
|
|
|
printError("path '%s' is untrusted", store->printStorePath(info->path));
|
2016-03-29 14:29:50 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
done++;
|
|
|
|
|
|
|
|
} catch (Error & e) {
|
2020-05-01 00:31:47 +02:00
|
|
|
logError(e.info());
|
2016-03-29 14:29:50 +02:00
|
|
|
failed++;
|
|
|
|
}
|
2017-08-16 19:23:46 +02:00
|
|
|
|
|
|
|
update();
|
2016-03-29 14:29:50 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
for (auto & storePath : storePaths)
|
2019-12-05 19:11:09 +01:00
|
|
|
pool.enqueue(std::bind(doPath, store->printStorePath(storePath)));
|
2016-03-29 14:29:50 +02:00
|
|
|
|
|
|
|
pool.process();
|
|
|
|
|
|
|
|
throw Exit(
|
|
|
|
(corrupted ? 1 : 0) |
|
|
|
|
(untrusted ? 2 : 0) |
|
|
|
|
(failed ? 4 : 0));
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
2020-07-24 20:38:56 +02:00
|
|
|
static auto rCmdVerify = registerCommand2<CmdVerify>({"store", "verify"});
|