OpenPKG Specs: openpkg/license.lua@a2c6460cfb16 (annotated)

openpkg/license.lua@a2c6460cfb16 (annotated)

openpkg/license.lua

Mon, 28 Jan 2013 17:37:18 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Mon, 28 Jan 2013 17:37:18 +0100
changeset 758: a2c6460cfb16
permissions: -rw-r--r--

Correct socket error reporting improvement with IPv6 portable code,
after helpful recommendation by Saúl Ibarra Corretgé on OSips devlist.

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 - --
 - --  OpenPKG Framework License Processor
 - --  Copyright (c) 2000-2012 OpenPKG GmbH <http://openpkg.com/>
 - --
 - --  This software is property of the OpenPKG GmbH, DE MUC HRB 160208.
 - --  All rights reserved. Licenses which grant limited permission to use,
 - --  copy, modify and distribute this software are available from the
 - --  OpenPKG GmbH.
 - --
 - --  THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
 - --  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 - --  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 - --  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
 - --  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 - --  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 - --  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 - --  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 - --  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 - --  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 - --  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 - --  SUCH DAMAGE.
 - --
 - --  This is the RPM run-time integrity processor of the OpenPKG
 - --  Framework. It currently checks the OpenPKG Framework run-time
 - --  license only. The following grammar specifies and documents all
 - --  currently supported license parameters.
 - --
 - --  license ::= "Assertion-MinProcVersion:" version
 - --              # require a minimum version of the license integrity processor
 - --
 - --              | "Assertion-ErrorToWarning:" yes-no
 - --              # allow all fatal integrity checking errors to be
 - --              # converted to non-fatal warnings
 - --
 - --              | "Assertion-OnlineApproval:" url
 - --              # require an online approval by receiving an "OK" from
 - --              # specified remote service
 - --
 - --              | "Assertion-OnlineReporting:" url
 - --              # perform an asynchronous online reporting to
 - --              # specified remote service
 - --
 - --              | "Assertion-Prefix:" path
 - --              # require %{l_prefix} to match specified path
 - --
 - --              | "Assertion-User:" user
 - --              # require %{l_musr} to match specified username
 - --
 - --              | "Assertion-Group:" group
 - --              # require %{l_mgrp} to match specified groupname
 - --
 - --              | "Assertion-Domain:" domain
 - --              # require domain of host to match specified domain name
 - --
 - --              | "Assertion-LifeTime:" iso-date.":".iso-date
 - --              # require current real-time to be within specified
 - --              # begin and end date
 - --
 - --              | "Assertion-GrantTime:" iso-date.":".iso-date
 - --              # require current OpenPKG Framework %{RELEASE}
 - --              # (release time) to be within specified begin and end
 - --              # date
 - --
 - --              | "Assertion-InstanceAge:" duration
 - --              # require current OpenPKG Framework %{ORIGINTIME}
 - --              # (first install time) to be within specified begin
 - --              # and end date
 - --
 - --              | "Assertion-FromSourceOnTarget:" yes-no
 - --              # require either (if "yes") that all package
 - --              # %{BUILDHOST} are equal the host name or (if "no")
 - --              # that all package %{BUILDHOST} are not equal the host
 - --              # name
 - --
 - --              | "Assertion-PackageNames:"
 - --                ("!"?.mode-regex.":"."!"?.package-regex)+
 - --              # require all package %{NAME} to (not) match the
 - --              # specified regex while the current RPM run-time mode
 - --              # has to (not) match the specified regex. RPM run-time
 - --              # modes are: query, verify, checksig, resign, install,
 - --              # erase, build rebuild, recompile, tarbuild, initdb,
 - --              # rebuilddb and verifydb.
 - --
 - --              | "Assertion-PackageReleaseAge:"
 - --                percent.":".duration.":".dist-regex ((package-name|"*").":".release)+
 - --              # require that for at least the specified amount (in
 - --              # percent) of packages, which %{DISTRIBUTION} matches
 - --              # the specified regex, the %{RELEASE} is at least as
 - --              # old as the specified release or at least not older
 - --              # than the specified duration.
 - --
 - --              | "Assertion-Expression:" expression
 - --              # evaluates the Lua boolean expression after expanding
 - --              # RPM macros %{VARNAME} and expanding the construct
 - --              # "<string>" ~~ /<regex>/ into the corresponding PCRE
 - --              # based regular expression match.
 - --
 - --  version       ::= /^\d+\.\d+\.\d+$/
 - --  yes-no        ::= /^yes|no$/
 - --  url           ::= /^https?:\/\/.+$/
 - --  path          ::= /^\/.+$/
 - --  user          ::= /^[a-z][a-zA-Z0-9_]*$/
 - --  group         ::= /^[a-z][a-zA-Z0-9_]*$/
 - --  domain        ::= /^(?:[^.]+\.)+[^.]+$/
 - --  mode-regex    ::= /^.+$/
 - --  package-regex ::= /^.+$/
 - --  package-name  ::= /^[a-z][a-zA-Z0-9-]*$/
 - --  percent       ::= /^\d+%$/
 - --  duration      ::= /^\d+[smhdw]?$/
 - --  release       ::= /^\d{8}$/
 - --  iso-date      ::= /^\d{4}-\d{2}-\d{2}$/
 - --  expression    ::= /^.+$/
 - --  integrity processor version
 integrity.version = "1.0.0"
 - --  integrity processor validation callback function
 function integrity.validate(ctx, cfg)
     integrity.util.debug(1, "OpenPKG run-time license integrity validation")
     integrity.util.debug(4, function (ctx) return "dump: ctx = " .. util.dump(ctx) end, ctx)
     integrity.util.debug(4, function (cfg) return "dump: cfg = " .. util.dump(cfg) end, cfg)
     --  process "Assertion-OnlineApproval" constraint
     if os.getenv("OPENPKG_LICENSE_EXCEPTION") ~= nil then
         --  support explicitly requested license exception
         cfg["Assertion-OnlineApproval"] = "http://openpkg.com/go/framework-license-exception"
     end
     if cfg["Assertion-OnlineApproval"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-OnlineApproval: \"%s\"", cfg["Assertion-OnlineApproval"])
         local uuids = integrity.util.uuids()
         if  uuids["UUID_REGISTRY"] == "" then
             uuids["UUID_REGISTRY"] = "unknown"
         end
         if  uuids["UUID_INSTANCE"] == "" then
             uuids["UUID_INSTANCE"] = "unknown"
         end
         if  uuids["UUID_PLATFORM"] == "" then
             uuids["UUID_PLATFORM"] = "unknown"
         end
         local request = cfg["Assertion-OnlineApproval"]
         request = request .. "?UUID_REGISTRY=" .. uuids["UUID_REGISTRY"]
         request = request .. "&UUID_INSTANCE=" .. uuids["UUID_INSTANCE"]
         request = request .. "&UUID_PLATFORM=" .. uuids["UUID_PLATFORM"]
         integrity.util.debug(3, "info: remote request \"%s\"", request)
         local response = rpm.expand("%(%{l_prefix}/bin/openpkg curl -s -L -R '" .. request .. "')")
         integrity.util.debug(3, "info: remote response \"%s\"", response)
         if util.rmatch(response, "(?s)^\\s*OK\\s*$") then
             --  approved
             if os.getenv("OPENPKG_LICENSE_EXCEPTION") ~= nil then
                 --  support explicitly requested license exception
                 cfg["Assertion-ErrorToWarning"] = "yes"
             end
         else
             --  rejected
             cfg["Assertion-ErrorToWarning"] = "no"
             return integrity.util.error(ctx, cfg,
                 "license requires online approval but we failed to get " ..
                 "an \"OK\" response from the online service")
         end
     end
     --  process "Assertion-MinProcVersion" constraint
     integrity.util.debug(2, "checking: Assertion-MinProcVersion: \"%s\"", cfg["Assertion-MinProcVersion"])
     if cfg["Assertion-MinProcVersion"] == nil then
         return integrity.util.error(ctx, cfg,
             "license configuration is missing required \"Assertion-MinProcVersion\" parameter")
     end
     integrity.util.debug(3, "require: %s <= %s", cfg["Assertion-MinProcVersion"], integrity.version)
     if rpm.vercmp(cfg["Assertion-MinProcVersion"], integrity.version) > 0 then
         return integrity.util.error(ctx, cfg,
             "license configuration requires a license processor of " ..
             "at least version \"" .. cfg["Assertion-MinProcVersion"] .. "\"")
     end
     --  process "Assertion-OnlineReporting" constraint
     if cfg["Assertion-OnlineReporting"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-OnlineReporting: \"%s\"", cfg["Assertion-OnlineReporting"])
         local uuids = integrity.util.uuids()
         if  uuids["UUID_REGISTRY"] == "" then
             uuids["UUID_REGISTRY"] = "unknown"
         end
         if  uuids["UUID_INSTANCE"] == "" then
             uuids["UUID_INSTANCE"] = "unknown"
         end
         if  uuids["UUID_PLATFORM"] == "" then
             uuids["UUID_PLATFORM"] = "unknown"
         end
         local request = cfg["Assertion-OnlineReporting"]
         request = request .. "?UUID_REGISTRY=" .. uuids["UUID_REGISTRY"]
         request = request .. "&UUID_INSTANCE=" .. uuids["UUID_INSTANCE"]
         request = request .. "&UUID_PLATFORM=" .. uuids["UUID_PLATFORM"]
         integrity.util.debug(3, "info: remote request \"%s\"", request)
         rpm.expand("%(nohup %{l_prefix}/bin/openpkg curl -s -L -R '" .. request .. "' >/dev/null 2>&1 &)")
         integrity.util.debug(3, "response: (ignored, because asynchronous operation)")
     end
     --  process "Assertion-Prefix" constraint
     if cfg["Assertion-Prefix"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Prefix: \"%s\"", cfg["Assertion-Prefix"])
         local prefix = rpm.expand("%{l_prefix}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-Prefix"], prefix)
         if cfg["Assertion-Prefix"] ~= prefix then
             return integrity.util.error(ctx, cfg,
                 "instance prefix \"" .. prefix .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-Prefix"] .. "\" of " ..
                 "license configuration parameter \"Assertion-Prefix\"")
         end
     end
     --  process "Assertion-User" constraint
     if cfg["Assertion-User"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-User: \"%s\"", cfg["Assertion-User"])
         local user = rpm.expand("%{l_musr}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-User"], user)
         if cfg["Assertion-User"] ~= user then
             return integrity.util.error(ctx, cfg,
                 "instance management user \"" .. user .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-User"] .. "\" of " ..
                 "license configuration parameter \"Assertion-User\"")
         end
     end
     --  process "Assertion-Group" constraint
     if cfg["Assertion-Group"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Group: \"%s\"", cfg["Assertion-Group"])
         local group = rpm.expand("%{l_mgrp}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-Group"], group)
         if cfg["Assertion-Group"] ~= group then
             return integrity.util.error(ctx, cfg,
                 "instance management group \"" .. group .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-Group"] .. "\" of " ..
                 "license configuration parameter \"Assertion-Group\"")
         end
     end
     --  process "Assertion-Domain" constraint
     if cfg["Assertion-Domain"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Domain: \"%s\"", cfg["Assertion-Domain"])
         local domain = rpm.expand("%(%{l_shtool} echo -n -e '%d')")
         integrity.util.debug(3, "require: \"%s\" ~~ /(?s)^.*%s$/", domain, cfg["Assertion-Domain"])
         local s, _, m = util.rmatch(domain, "(?s)^.*" .. cfg["Assertion-Domain"] .. "$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "host domain \"" .. domain .. "\" " ..
                 "does not end in pattern \"" .. cfg["Assertion-Domain"] .. "\") " ..
                 "of license configuration parameter \"Assertion-Domain\"")
         end
     end
     --  process "Assertion-LifeTime" constraint
     if cfg["Assertion-LifeTime"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-LifeTime: \"%s\"", cfg["Assertion-LifeTime"])
         --  determine lifetime begin and end
         local lifetime = cfg["Assertion-LifeTime"]
         local s, _, m = util.rmatch(lifetime, "^(?s)(\\d{4})-(\\d{2})-(\\d{2})\\s*:\\s*(\\d{4})-(\\d{2})-(\\d{2})$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract time information from " ..
                 "license configuration parameter \"Assertion-LifeTime\"")
         end
         local lifetime_begin = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = 0,
             min   = 0,
             sec   = 0
         })
         local lifetime_end = os.time({
             year  = tonumber(m[4]),
             month = tonumber(m[5]),
             day   = tonumber(m[6]),
             hour  = 23,
             min   = 59,
             sec   = 59
         })
         --  check whether current run-time is within lifetime
         local t_now = os.time()
         integrity.util.debug(3, "require: %d <= %d <= %d", lifetime_begin, t_now, lifetime_end)
         if not (lifetime_begin <= t_now and t_now <= lifetime_end) then
             return integrity.util.error(ctx, cfg,
                 "current time \"" .. os.date("!%Y-%m-%d %H:%M:%S UTC", t_now) .. "\" " ..
                 "is not within the timerange \"" .. cfg["Assertion-LifeTime"] .. "\" " ..
                 "of license configuration parameter \"Assertion-LifeTime\"")
         end
     end
     --  process "Assertion-GrantTime" constraint
     if cfg["Assertion-GrantTime"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-GrantTime: \"%s\"", cfg["Assertion-GrantTime"])
         --  determine granttime begin and end
         local granttime = cfg["Assertion-GrantTime"]
         local s, _, m = util.rmatch(granttime, "^(?s)(\\d{4})-(\\d{2})-(\\d{2})\\s*:\\s*(\\d{4})-(\\d{2})-(\\d{2})$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract time information from " ..
                 "license configuration parameter \"Assertion-GrantTime\"")
         end
         local granttime_begin = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = 0,
             min   = 0,
             sec   = 0
         })
         local granttime_end = os.time({
             year  = tonumber(m[4]),
             month = tonumber(m[5]),
             day   = tonumber(m[6]),
             hour  = 23,
             min   = 59,
             sec   = 59
         })
         --  determine OpenPKG Framework release time
         --  (allow openpkg.spec:%pre to override with a higher value for pre-checking)
         local t_release = 0
         local result = {}
         for _, line in ipairs(rpm.query("Q:%{RELEASE}", false, "openpkg")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(result, m[1])
             end
         end
         if result[1] ~= nil then
             local s, _, m = util.rmatch(result[1], "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
             if s ~= nil then
                 t_release = os.time({
                     year  = tonumber(m[1]),
                     month = tonumber(m[2]),
                     day   = tonumber(m[3]),
                     hour  = 0,
                     min   = 0,
                     sec   = 0
                 })
             end
         end
         if t_release == 0 then
             return integrity.util.error(ctx, cfg,
                 "failed to determine OpenPKG Framework release time")
         end
         local override = os.getenv("OPENPKG_FRAMEWORK_RELEASE")
         if override ~= nil then
             local s, _, m = util.rmatch(override, "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
             if s ~= nil then
                 local t_override = os.time({
                     year  = tonumber(m[1]),
                     month = tonumber(m[2]),
                     day   = tonumber(m[3]),
                     hour  = 0,
                     min   = 0,
                     sec   = 0
                 })
                 if t_release < t_override then
                     t_release = t_override
                 end
             end
         end
         --  check whether current OpenPKG Framework release time is within granttime
         integrity.util.debug(3, "require: %d <= %d <= %d", granttime_begin, t_release, granttime_end)
         if not (granttime_begin <= t_release and t_release <= granttime_end) then
             return integrity.util.error(ctx, cfg,
                 "current OpenPKG Framework release time \"" .. os.date("%Y-%m-%d", t_release) .. "\" " ..
                 "is not within the timerange \"" .. cfg["Assertion-GrantTime"] .. "\" " ..
                 "of license configuration parameter \"Assertion-GrantTime\"")
         end
     end
     --  process "Assertion-InstanceAge" constraint
     if cfg["Assertion-InstanceAge"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-InstanceAge: \"%s\"", cfg["Assertion-InstanceAge"])
         --  determine maximum instance age in seconds
         local t_diff_max = cfg["Assertion-InstanceAge"]
         t_diff_max = 0 + util.rsubst(t_diff_max, "^(\\d+)([smhdw])$", function (t, unit)
             if     unit == "s" then t = t * 1
             elseif unit == "m" then t = t * 60
             elseif unit == "h" then t = t * 60 * 60
             elseif unit == "d" then t = t * 60 * 60 * 24
             elseif unit == "w" then t = t * 60 * 60 * 24 * 7
             end
             return t
         end)
         --  approach 1: determine install time via timestamp of UUID_REGISTRY
         local uuids = integrity.util.uuids()
         if uuids["UUID_REGISTRY"] == "" then
             return integrity.util.error(ctx, cfg,
                 "failed to load UUID_REGISTRY")
         end
         txt = uuid.describe(uuids["UUID_REGISTRY"])
         if txt == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to parse extracted UUID_REGISTRY string \"" .. uuids["UUID_REGISTRY"] .. "\" as an UUID")
         end
         local s, _, m = util.rmatch(txt, "(?s)^.*time:\\s+(\\d{4})-(\\d{2})-(\\d{2})\\s+(\\d{2}):(\\d{2}):(\\d{2}).*$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract timestamp from UUID_REGISTRY \"" .. uuids["UUID_REGISTRY"] .. "\"")
         end
         local t_install = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = tonumber(m[4]),
             min   = tonumber(m[5]),
             sec   = tonumber(m[6])
         })
         --  approach 2: determine install time via first install time of "openpkg" package
         local result = {}
         for _, line in ipairs(rpm.query(
             "Q:%|ORIGINTIME?{" ..
                 "%{ORIGINTIME}" ..       -- regular case: RPM 5 installed/updated with RPM 5
             "}:{" ..
                 "%|INSTALLTIME?{" ..
                     "%{INSTALLTIME}" ..  -- special case: RPM 5 installed initially with RPM 4
                 "}:{" ..
                 "}|" ..
             "}|", false, "openpkg"
         )) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(result, m[1])
             end
         end
         if result[1] ~= nil then
             local n = tonumber(result[1])
             if n > 0 then
                 t_install = n
             end
         end
         --  check time difference
         local t_now = os.time()
         local t_diff = os.difftime(t_now, t_install)
         integrity.util.debug(3, "calc: %d - %d = %d", t_now, t_install, t_diff)
         if t_diff < 0 then
             return integrity.util.error(ctx, cfg,
                 "current system time \"" .. t_now .. "\" is lower than " ..
                 "instance installation time \"" .. t_install .. "\"")
         end
         integrity.util.debug(3, "require: %d <= %d", t_diff, t_diff_max)
         if t_diff > t_diff_max then
             return integrity.util.error(ctx, cfg,
                 "instance age \"" .. t_diff .. "\" " ..
                 "is greater than value \"" .. t_diff_max .. "\" (\"" .. cfg["Assertion-InstanceAge"] .. "\") " ..
                 "of license configuration parameter \"Assertion-InstanceAge\"")
         end
     end
     --  process "Assertion-FromSourceOnTarget" constraint
     if cfg["Assertion-FromSourceOnTarget"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-FromSourceOnTarget: \"%s\"", cfg["Assertion-FromSourceOnTarget"])
         local hostname = rpm.hostname()
         for _, line in ipairs(rpm.query("Q:%{NAME}:%{BUILDHOST}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:([^:]+):(.+)$")
             if s ~= nil then
                 local name = m[1]
                 local buildhost = m[2]
                 integrity.util.debug(4, "info: name \"%s\", buildhost \"%s\"", name, buildhost)
                 if not util.rmatch(name, "(?s)^gpg-.+$") and buildhost ~= "localhost" then
                     if cfg["Assertion-FromSourceOnTarget"] == "yes" and buildhost ~= hostname then
                         return integrity.util.error(ctx, cfg,
                             "license-required \"build from source on target system only\" situation not met because " ..
                             "package build host \"" .. buildhost .. "\" is not(!) equal to the package install host \"" .. hostname .. "\".")
                     end
                     if cfg["Assertion-FromSourceOnTarget"] == "no" and buildhost == hostname then
                         return integrity.util.error(ctx, cfg,
                             "license-required \"build binaries on separate build-host only\" situation not met because " ..
                             "package build host \"" .. buildhost .. "\" is equal to the package install host \"" .. hostname .. "\".")
                     end
                 end
             end
         end
     end
     --  process "Assertion-PackageNames" constraints
     if cfg["Assertion-PackageNames"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-PackageNames: \"%s\"", cfg["Assertion-PackageNames"])
         --  query RPMDB for names of all installed packages
         local packages = {}
         for _, line in ipairs(rpm.query("Q:%{NAME}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(packages, m[1])
             end
         end
         --  iterate over all constraints
         for _, constraint in
             ipairs(
                 util.rsplit(
                     util.rsubst(
                         cfg["Assertion-PackageNames"],
                         "(?s)^\\s*(.+?)\\s*$", "%1"
                     ),
                     "(?s)\\s+"
                 )
             ) do
             --  parse constraint
             local s, _, m = util.rmatch(constraint, "(?s)^(!?)([^:]+):(!?)(.+)$")
             if s == nil then
                 return integrity.util.error(ctx, cfg,
                     "invalid syntax in license configuration \"Assertion-PackageNames\" " ..
                     "parameter: \"" ..  constraint .. "\"")
             end
             local mode_negate    = m[1] ~= ""
             local mode_regex     = m[2]
             local package_negate = m[3] ~= ""
             local package_regex  = m[4]
             --  apply the mode filter
             local mode_matches, _, _ = util.rmatch(ctx.rpm.mode, mode_regex);
             if     (not mode_negate and mode_matches ~= nil)
                 or (    mode_negate and mode_matches == nil) then
                 --  apply the package filter to names of all installed packages
                 for _, package in ipairs(packages) do
                     if package_negate then
                         integrity.util.debug(3, "require: \"%s\" !~ /%s/", package, package_regex)
                     else
                         integrity.util.debug(3, "require: \"%s\" ~~ /%s/", package, package_regex)
                     end
                     local package_matches, _, _ = util.rmatch(package, package_regex)
                     if  not (   (not package_negate and package_matches ~= nil)
                              or (    package_negate and package_matches == nil)) then
                         --  indicate integrity validation error
                         return integrity.util.error(ctx, cfg,
                             "installed package \"" .. package .. "\" " ..
                             "under RPM run-time mode \"" .. ctx.rpm.mode .. "\" " ..
                             "not covered by pattern \"" .. package_regex .. "\" " ..
                             "of license configuration parameter \"Assertion-PackageNames\"")
                     end
                 end
             end
         end
     end
     --  process "Assertion-PackageReleaseAge"
     if cfg["Assertion-PackageReleaseAge"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-PackageReleaseAge: \"%s[...]\"", string.sub(cfg["Assertion-PackageReleaseAge"], 1, 20))
         --  parse constraint
         local constraint = cfg["Assertion-PackageReleaseAge"]
         local s, _, m = util.rmatch(constraint, "(?s)^([^:]+)%:([^:]+):([^\\s]+)\\s+(.+)$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "invalid syntax in license configuration \"Assertion-PackageReleaseAge\" parameter")
         end
         local percent   = m[1] / 100
         local offset    = m[2]
         local distregex = m[3]
         local spec      = m[4]
         --  determine maximum release time difference (in seconds)
         local t_diff_max = 0 + util.rsubst(offset, "^(\\d+)([smhdw])$", function (t, unit)
             if     unit == "s" then t = t * 1
             elseif unit == "m" then t = t * 60
             elseif unit == "h" then t = t * 60 * 60
             elseif unit == "d" then t = t * 60 * 60 * 24
             elseif unit == "w" then t = t * 60 * 60 * 24 * 7
             end
             return t
         end)
         --  iterate over all package specifications to build release map
         local releases = {}
         for _, constraint in
             ipairs(
                 util.rsplit(
                     util.rsubst(
                         spec,
                         "(?s)^\\s*(.+?)\\s*$", "%1"
                     ),
                     "(?s)\\s+"
                 )
             ) do
             --  parse specification into package name and release constraint
             local s, _, m = util.rmatch(constraint, "(?s)^([^:]+):(.+)$")
             if s == nil then
                 return integrity.util.error(ctx, cfg,
                     "invalid syntax in license configuration \"Assertion-PackageReleaseAge\" " ..
                     "parameter: \"" ..  constraint .. "\"")
             end
             -- store result into release map
             releases[m[1]] = m[2]
         end
         --  query RPMDB for releases of all installed packages and decide
         --  whether the release time is inside or outside our constraint window
         local release_window_inside  = 0
         local release_window_outside = 0
         local release_window_foreign = 0
         local release_window_unknown = 0
         for _, line in ipairs(rpm.query("Q:%{NAME}:%{RELEASE}:%{DISTRIBUTION}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:([^:]+):(\\d\\d\\d\\d)(\\d\\d)(\\d\\d):(.+)$")
             if s ~= nil then
                 --  parse query results
                 local name = m[1]
                 local t_release = os.time({
                     year  = tonumber(m[2]),
                     month = tonumber(m[3]),
                     day   = tonumber(m[4]),
                     hour  = 23,
                     min   = 59,
                     sec   = 59
                 })
                 local dist = m[5]
                 --  only check files of the constrained distribution(s)
                 if util.rmatch(dist, "(?s)" .. distregex) then
                     --  determine minimum release constraint
                     local t_release_min = releases[name]
                     if t_release_min == nil then
                         t_release_min = releases["*"]
                     end
                     if t_release_min == nil then
                         t_release_min = os.time()
                     else
                         local s, _, m = util.rmatch(t_release_min, "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
                         t_release_min = os.time({
                             year  = tonumber(m[1]),
                             month = tonumber(m[2]),
                             day   = tonumber(m[3]),
                             hour  = 0,
                             min   = 0,
                             sec   = 0
                         })
                     end
                     --  check time difference of package release
                     local t_diff = os.difftime(t_release_min, t_release)
                     integrity.util.debug(4, "calc: %d - %d = %d", t_release_min, t_release, t_diff)
                     integrity.util.debug(4, "require: %d <= 0 or (%d > 0 and %d < %d)", t_diff, t_diff, t_diff, t_diff_max)
                     if t_diff <= 0 or (t_diff > 0 and t_diff < t_diff_max) then
                         release_window_inside  = release_window_inside  + 1
                     else
                         release_window_outside = release_window_outside + 1
                     end
                 else
                     release_window_foreign = release_window_foreign + 1
                 end
             else
                 release_window_unknown = release_window_unknown + 1
             end
         end
         integrity.util.debug(3, "info: inside %d, outside %d, foreign %d, unknown %d",
             release_window_inside, release_window_outside, release_window_foreign, release_window_unknown)
         --  check validity of overall constraint
         local percent_inside =
             (release_window_inside / (release_window_inside + release_window_outside))
         integrity.util.debug(3, "require: %d >= %d", percent_inside, percent)
         if percent_inside < percent then
             return integrity.util.error(ctx, cfg,
                 "there are only " .. math.floor(percent_inside * 100) .. "% " ..
                 "packages inside the release date constraint " ..
                 "(expected a minimum of " .. math.floor(percent * 100) .. "%)")
         end
     end
     --  process "Assertion-Expression" constraint
     if cfg["Assertion-Expression"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Expression: \"%s\"", cfg["Assertion-Expression"])
         --  expand special consytructs in expression
         local expr = cfg["Assertion-Expression"]
         expr = util.rsubst(expr, "(%\{[a-zA-Z_][a-zA-Z0-9_]+\})", function (str)
             return rpm.expand(str)
         end)
         expr = util.rsubst(expr, "\"((?:\\\\.|[^\"])+)\"\\s*~~\\s*/((?:\\\\.|[^/])+)/", function (str, regex)
             if util.rmatch(str, "(?s)" .. regex) ~= nil then
                 return "true"
             else
                 return "false"
             end
         end)
         --  evaluate expression
         integrity.util.debug(3, "evaluate: %s", expr)
         result = assert(loadstring(expr))()
         if type(result) ~= "boolean" then
             result = false
         end
         if not result then
             return integrity.util.error(ctx, cfg,
                 "expression \"" .. cfg["Assertion-Expression"] .. "\" " ..
                 "of license configuration parameter \"Assertion-Expression\"" ..
                 "evaluated to false")
         end
     end
     --  indicate license integrity validation success
     return "OK"
 end
 - --  integrity processor utilities namespace
 integrity.util = {}
 - --  write debug information to stderr
 function integrity.util.debug(level_this, msg, ...)
     local level_min = os.getenv("OPENPKG_LICENSE_DEBUG")
     if level_min ~= nil then
         if type(level_min) == "string" then
             level_min = tonumber(level_min)
         end
         if type(level_min) ~= "number" then
             level_min = 0
         end
         if level_this <= level_min then
             local output
             if type(msg) == "function" then
                 output = msg(...)
             else
                 output = string.format(msg, ...)
             end
             local prefix = ""
             local i = 1
             while (i < level_this) do
                 prefix = prefix .. "    "
                 i = i + 1
             end
             io.stderr:write("rpm: DEBUG: " .. prefix .. output .. "\n")
         end
     end
 end
 - --  load OpenPKG instance UUIDs
 function integrity.util.uuids()
     local uuids = {
         UUID_REGISTRY = "",
         UUID_INSTANCE = "",
         UUID_PLATFORM = ""
     }
     local filename = rpm.expand("%{l_prefix}/etc/openpkg/uuid")
     local txt = rpm.slurp(filename)
     if txt ~= nil then
         for name, _ in pairs(uuids) do
             local s, _, m = util.rmatch(txt, "(?s)^.*" .. name .. "=\"([^\"\"]+)\".*$")
             if s ~= nil then
                 uuids[name] = m[1]
             end
         end
     end
     return uuids
 end
 - --  report validation warning
 function integrity.util.warning(ctx, cfg, warning)
     --  return prominent warning message
     return
         "WARNING: OpenPKG run-time license check failed -- continue processing\n" ..
         "+-----------------------------------------------------------------------------+\n" ..
         "| Attention, the OpenPKG RPM run-time integrity checking facility encountered a\n" ..
         "| non-fatal problem during license checking, but allows processing to continue.\n" ..
         "| The particular warning reported by the OpenPKG license processor is:\n" ..
         "|\n" ..
         util.textwrap("|   ", warning, 60, 70) ..
         "|\n" ..
         "| Notice: Operation of the OpenPKG Framework requires a valid license.\n" ..
         "| Go to http://openpkg.com/go/framework-license for more details, please.\n" ..
         "+-----------------------------------------------------------------------------+"
 end
 - --  report validation error
 function integrity.util.error(ctx, cfg, error)
     --  support conversion of errors into warnings
     if cfg["Assertion-ErrorToWarning"] ~= nil then
         if cfg["Assertion-ErrorToWarning"] == "yes" then
             return integrity.util.warning(ctx, cfg, error)
         end
     end
     --  return prominent error message
     return
         "ERROR: OpenPKG run-time license check failed -- stopping processing\n" ..
         "+-----------------------------------------------------------------------------+\n" ..
         "| Sorry, the OpenPKG RPM run-time integrity checking facility encountered a\n" ..
         "| fatal problem during license checking and stops processing immediately.\n" ..
         "| The particular error reported by the OpenPKG license processor is:\n" ..
         "|\n" ..
         util.textwrap("|   ", error, 60, 70) ..
         "|\n" ..
         "| Notice: Operation of the OpenPKG Framework requires a valid license.\n" ..
         "| Go to http://openpkg.com/go/framework-license for more details, please.\n" ..
         "| Run \"openpkg man license\" for details about local license management.\n" ..
         "+-----------------------------------------------------------------------------+"
 end
 -----BEGIN PGP SIGNATURE-----
 Comment: OpenPKG GmbH <openpkg@openpkg.com>
 iEYEARECAAYFAk8BelcACgkQZwQuyWG3rjTL6QCeLTLVj4PTnd/E7mf+Sv4mgbZj
 J0AoMXrO4EimPSSCZSJ1TLW8f8GP+B5
 =AVpf
 -----END PGP SIGNATURE-----

OpenPKG Specs / annotate

openpkg/license.lua@a2c6460cfb16 (annotated)

openpkg/license.lua