OpenPKG Specs: openpkg/license.lua@c10fb90893b9 (annotated)

openpkg/license.lua@c10fb90893b9 (annotated)

openpkg/license.lua

Thu, 04 Oct 2012 20:30:05 +0200

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 04 Oct 2012 20:30:05 +0200
changeset 715: c10fb90893b9
permissions: -rw-r--r--

Correct out of date build configuration, porting to Solaris 11 network
link infrastructure and new libpcap logic. This additionally allows for
device drivers in subdirectories of /dev. Correct packaged nmap
personalities and signatures to work out of the box. Finally, hack
arpd logic to properly close sockets and quit on TERM by repeating
signaling in the run command script. Sadly, all this fails to correct
the run time behaviour of honeyd which fails to bind to the IP layer.

 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1
 - --
 - --  OpenPKG Framework License Processor
 - --  Copyright (c) 2000-2012 OpenPKG GmbH <http://openpkg.com/>
 - --
 - --  This software is property of the OpenPKG GmbH, DE MUC HRB 160208.
 - --  All rights reserved. Licenses which grant limited permission to use,
 - --  copy, modify and distribute this software are available from the
 - --  OpenPKG GmbH.
 - --
 - --  THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED
 - --  WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 - --  MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 - --  IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
 - --  CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 - --  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 - --  LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
 - --  USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 - --  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 - --  OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
 - --  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 - --  SUCH DAMAGE.
 - --
 - --  This is the RPM run-time integrity processor of the OpenPKG
 - --  Framework. It currently checks the OpenPKG Framework run-time
 - --  license only. The following grammar specifies and documents all
 - --  currently supported license parameters.
 - --
 - --  license ::= "Assertion-MinProcVersion:" version
 - --              # require a minimum version of the license integrity processor
 - --
 - --              | "Assertion-ErrorToWarning:" yes-no
 - --              # allow all fatal integrity checking errors to be
 - --              # converted to non-fatal warnings
 - --
 - --              | "Assertion-OnlineApproval:" url
 - --              # require an online approval by receiving an "OK" from
 - --              # specified remote service
 - --
 - --              | "Assertion-OnlineReporting:" url
 - --              # perform an asynchronous online reporting to
 - --              # specified remote service
 - --
 - --              | "Assertion-Prefix:" path
 - --              # require %{l_prefix} to match specified path
 - --
 - --              | "Assertion-User:" user
 - --              # require %{l_musr} to match specified username
 - --
 - --              | "Assertion-Group:" group
 - --              # require %{l_mgrp} to match specified groupname
 - --
 - --              | "Assertion-Domain:" domain
 - --              # require domain of host to match specified domain name
 - --
 - --              | "Assertion-LifeTime:" iso-date.":".iso-date
 - --              # require current real-time to be within specified
 - --              # begin and end date
 - --
 - --              | "Assertion-GrantTime:" iso-date.":".iso-date
 - --              # require current OpenPKG Framework %{RELEASE}
 - --              # (release time) to be within specified begin and end
 - --              # date
 - --
 - --              | "Assertion-InstanceAge:" duration
 - --              # require current OpenPKG Framework %{ORIGINTIME}
 - --              # (first install time) to be within specified begin
 - --              # and end date
 - --
 - --              | "Assertion-FromSourceOnTarget:" yes-no
 - --              # require either (if "yes") that all package
 - --              # %{BUILDHOST} are equal the host name or (if "no")
 - --              # that all package %{BUILDHOST} are not equal the host
 - --              # name
 - --
 - --              | "Assertion-PackageNames:"
 - --                ("!"?.mode-regex.":"."!"?.package-regex)+
 - --              # require all package %{NAME} to (not) match the
 - --              # specified regex while the current RPM run-time mode
 - --              # has to (not) match the specified regex. RPM run-time
 - --              # modes are: query, verify, checksig, resign, install,
 - --              # erase, build rebuild, recompile, tarbuild, initdb,
 - --              # rebuilddb and verifydb.
 - --
 - --              | "Assertion-PackageReleaseAge:"
 - --                percent.":".duration.":".dist-regex ((package-name|"*").":".release)+
 - --              # require that for at least the specified amount (in
 - --              # percent) of packages, which %{DISTRIBUTION} matches
 - --              # the specified regex, the %{RELEASE} is at least as
 - --              # old as the specified release or at least not older
 - --              # than the specified duration.
 - --
 - --              | "Assertion-Expression:" expression
 - --              # evaluates the Lua boolean expression after expanding
 - --              # RPM macros %{VARNAME} and expanding the construct
 - --              # "<string>" ~~ /<regex>/ into the corresponding PCRE
 - --              # based regular expression match.
 - --
 - --  version       ::= /^\d+\.\d+\.\d+$/
 - --  yes-no        ::= /^yes|no$/
 - --  url           ::= /^https?:\/\/.+$/
 - --  path          ::= /^\/.+$/
 - --  user          ::= /^[a-z][a-zA-Z0-9_]*$/
 - --  group         ::= /^[a-z][a-zA-Z0-9_]*$/
 - --  domain        ::= /^(?:[^.]+\.)+[^.]+$/
 - --  mode-regex    ::= /^.+$/
 - --  package-regex ::= /^.+$/
 - --  package-name  ::= /^[a-z][a-zA-Z0-9-]*$/
 - --  percent       ::= /^\d+%$/
 - --  duration      ::= /^\d+[smhdw]?$/
 - --  release       ::= /^\d{8}$/
 - --  iso-date      ::= /^\d{4}-\d{2}-\d{2}$/
 - --  expression    ::= /^.+$/
 - --  integrity processor version
 integrity.version = "1.0.0"
 - --  integrity processor validation callback function
 function integrity.validate(ctx, cfg)
     integrity.util.debug(1, "OpenPKG run-time license integrity validation")
     integrity.util.debug(4, function (ctx) return "dump: ctx = " .. util.dump(ctx) end, ctx)
     integrity.util.debug(4, function (cfg) return "dump: cfg = " .. util.dump(cfg) end, cfg)
     --  process "Assertion-OnlineApproval" constraint
     if os.getenv("OPENPKG_LICENSE_EXCEPTION") ~= nil then
         --  support explicitly requested license exception
         cfg["Assertion-OnlineApproval"] = "http://openpkg.com/go/framework-license-exception"
     end
     if cfg["Assertion-OnlineApproval"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-OnlineApproval: \"%s\"", cfg["Assertion-OnlineApproval"])
         local uuids = integrity.util.uuids()
         if  uuids["UUID_REGISTRY"] == "" then
             uuids["UUID_REGISTRY"] = "unknown"
         end
         if  uuids["UUID_INSTANCE"] == "" then
             uuids["UUID_INSTANCE"] = "unknown"
         end
         if  uuids["UUID_PLATFORM"] == "" then
             uuids["UUID_PLATFORM"] = "unknown"
         end
         local request = cfg["Assertion-OnlineApproval"]
         request = request .. "?UUID_REGISTRY=" .. uuids["UUID_REGISTRY"]
         request = request .. "&UUID_INSTANCE=" .. uuids["UUID_INSTANCE"]
         request = request .. "&UUID_PLATFORM=" .. uuids["UUID_PLATFORM"]
         integrity.util.debug(3, "info: remote request \"%s\"", request)
         local response = rpm.expand("%(%{l_prefix}/bin/openpkg curl -s -L -R '" .. request .. "')")
         integrity.util.debug(3, "info: remote response \"%s\"", response)
         if util.rmatch(response, "(?s)^\\s*OK\\s*$") then
             --  approved
             if os.getenv("OPENPKG_LICENSE_EXCEPTION") ~= nil then
                 --  support explicitly requested license exception
                 cfg["Assertion-ErrorToWarning"] = "yes"
             end
         else
             --  rejected
             cfg["Assertion-ErrorToWarning"] = "no"
             return integrity.util.error(ctx, cfg,
                 "license requires online approval but we failed to get " ..
                 "an \"OK\" response from the online service")
         end
     end
     --  process "Assertion-MinProcVersion" constraint
     integrity.util.debug(2, "checking: Assertion-MinProcVersion: \"%s\"", cfg["Assertion-MinProcVersion"])
     if cfg["Assertion-MinProcVersion"] == nil then
         return integrity.util.error(ctx, cfg,
             "license configuration is missing required \"Assertion-MinProcVersion\" parameter")
     end
     integrity.util.debug(3, "require: %s <= %s", cfg["Assertion-MinProcVersion"], integrity.version)
     if rpm.vercmp(cfg["Assertion-MinProcVersion"], integrity.version) > 0 then
         return integrity.util.error(ctx, cfg,
             "license configuration requires a license processor of " ..
             "at least version \"" .. cfg["Assertion-MinProcVersion"] .. "\"")
     end
     --  process "Assertion-OnlineReporting" constraint
     if cfg["Assertion-OnlineReporting"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-OnlineReporting: \"%s\"", cfg["Assertion-OnlineReporting"])
         local uuids = integrity.util.uuids()
         if  uuids["UUID_REGISTRY"] == "" then
             uuids["UUID_REGISTRY"] = "unknown"
         end
         if  uuids["UUID_INSTANCE"] == "" then
             uuids["UUID_INSTANCE"] = "unknown"
         end
         if  uuids["UUID_PLATFORM"] == "" then
             uuids["UUID_PLATFORM"] = "unknown"
         end
         local request = cfg["Assertion-OnlineReporting"]
         request = request .. "?UUID_REGISTRY=" .. uuids["UUID_REGISTRY"]
         request = request .. "&UUID_INSTANCE=" .. uuids["UUID_INSTANCE"]
         request = request .. "&UUID_PLATFORM=" .. uuids["UUID_PLATFORM"]
         integrity.util.debug(3, "info: remote request \"%s\"", request)
         rpm.expand("%(nohup %{l_prefix}/bin/openpkg curl -s -L -R '" .. request .. "' >/dev/null 2>&1 &)")
         integrity.util.debug(3, "response: (ignored, because asynchronous operation)")
     end
     --  process "Assertion-Prefix" constraint
     if cfg["Assertion-Prefix"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Prefix: \"%s\"", cfg["Assertion-Prefix"])
         local prefix = rpm.expand("%{l_prefix}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-Prefix"], prefix)
         if cfg["Assertion-Prefix"] ~= prefix then
             return integrity.util.error(ctx, cfg,
                 "instance prefix \"" .. prefix .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-Prefix"] .. "\" of " ..
                 "license configuration parameter \"Assertion-Prefix\"")
         end
     end
     --  process "Assertion-User" constraint
     if cfg["Assertion-User"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-User: \"%s\"", cfg["Assertion-User"])
         local user = rpm.expand("%{l_musr}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-User"], user)
         if cfg["Assertion-User"] ~= user then
             return integrity.util.error(ctx, cfg,
                 "instance management user \"" .. user .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-User"] .. "\" of " ..
                 "license configuration parameter \"Assertion-User\"")
         end
     end
     --  process "Assertion-Group" constraint
     if cfg["Assertion-Group"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Group: \"%s\"", cfg["Assertion-Group"])
         local group = rpm.expand("%{l_mgrp}")
         integrity.util.debug(3, "require: \"%s\" == \"%s\"", cfg["Assertion-Group"], group)
         if cfg["Assertion-Group"] ~= group then
             return integrity.util.error(ctx, cfg,
                 "instance management group \"" .. group .. "\" " ..
                 "does not match value \"" .. cfg["Assertion-Group"] .. "\" of " ..
                 "license configuration parameter \"Assertion-Group\"")
         end
     end
     --  process "Assertion-Domain" constraint
     if cfg["Assertion-Domain"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Domain: \"%s\"", cfg["Assertion-Domain"])
         local domain = rpm.expand("%(%{l_shtool} echo -n -e '%d')")
         integrity.util.debug(3, "require: \"%s\" ~~ /(?s)^.*%s$/", domain, cfg["Assertion-Domain"])
         local s, _, m = util.rmatch(domain, "(?s)^.*" .. cfg["Assertion-Domain"] .. "$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "host domain \"" .. domain .. "\" " ..
                 "does not end in pattern \"" .. cfg["Assertion-Domain"] .. "\") " ..
                 "of license configuration parameter \"Assertion-Domain\"")
         end
     end
     --  process "Assertion-LifeTime" constraint
     if cfg["Assertion-LifeTime"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-LifeTime: \"%s\"", cfg["Assertion-LifeTime"])
         --  determine lifetime begin and end
         local lifetime = cfg["Assertion-LifeTime"]
         local s, _, m = util.rmatch(lifetime, "^(?s)(\\d{4})-(\\d{2})-(\\d{2})\\s*:\\s*(\\d{4})-(\\d{2})-(\\d{2})$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract time information from " ..
                 "license configuration parameter \"Assertion-LifeTime\"")
         end
         local lifetime_begin = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = 0,
             min   = 0,
             sec   = 0
         })
         local lifetime_end = os.time({
             year  = tonumber(m[4]),
             month = tonumber(m[5]),
             day   = tonumber(m[6]),
             hour  = 23,
             min   = 59,
             sec   = 59
         })
         --  check whether current run-time is within lifetime
         local t_now = os.time()
         integrity.util.debug(3, "require: %d <= %d <= %d", lifetime_begin, t_now, lifetime_end)
         if not (lifetime_begin <= t_now and t_now <= lifetime_end) then
             return integrity.util.error(ctx, cfg,
                 "current time \"" .. os.date("!%Y-%m-%d %H:%M:%S UTC", t_now) .. "\" " ..
                 "is not within the timerange \"" .. cfg["Assertion-LifeTime"] .. "\" " ..
                 "of license configuration parameter \"Assertion-LifeTime\"")
         end
     end
     --  process "Assertion-GrantTime" constraint
     if cfg["Assertion-GrantTime"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-GrantTime: \"%s\"", cfg["Assertion-GrantTime"])
         --  determine granttime begin and end
         local granttime = cfg["Assertion-GrantTime"]
         local s, _, m = util.rmatch(granttime, "^(?s)(\\d{4})-(\\d{2})-(\\d{2})\\s*:\\s*(\\d{4})-(\\d{2})-(\\d{2})$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract time information from " ..
                 "license configuration parameter \"Assertion-GrantTime\"")
         end
         local granttime_begin = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = 0,
             min   = 0,
             sec   = 0
         })
         local granttime_end = os.time({
             year  = tonumber(m[4]),
             month = tonumber(m[5]),
             day   = tonumber(m[6]),
             hour  = 23,
             min   = 59,
             sec   = 59
         })
         --  determine OpenPKG Framework release time
         --  (allow openpkg.spec:%pre to override with a higher value for pre-checking)
         local t_release = 0
         local result = {}
         for _, line in ipairs(rpm.query("Q:%{RELEASE}", false, "openpkg")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(result, m[1])
             end
         end
         if result[1] ~= nil then
             local s, _, m = util.rmatch(result[1], "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
             if s ~= nil then
                 t_release = os.time({
                     year  = tonumber(m[1]),
                     month = tonumber(m[2]),
                     day   = tonumber(m[3]),
                     hour  = 0,
                     min   = 0,
                     sec   = 0
                 })
             end
         end
         if t_release == 0 then
             return integrity.util.error(ctx, cfg,
                 "failed to determine OpenPKG Framework release time")
         end
         local override = os.getenv("OPENPKG_FRAMEWORK_RELEASE")
         if override ~= nil then
             local s, _, m = util.rmatch(override, "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
             if s ~= nil then
                 local t_override = os.time({
                     year  = tonumber(m[1]),
                     month = tonumber(m[2]),
                     day   = tonumber(m[3]),
                     hour  = 0,
                     min   = 0,
                     sec   = 0
                 })
                 if t_release < t_override then
                     t_release = t_override
                 end
             end
         end
         --  check whether current OpenPKG Framework release time is within granttime
         integrity.util.debug(3, "require: %d <= %d <= %d", granttime_begin, t_release, granttime_end)
         if not (granttime_begin <= t_release and t_release <= granttime_end) then
             return integrity.util.error(ctx, cfg,
                 "current OpenPKG Framework release time \"" .. os.date("%Y-%m-%d", t_release) .. "\" " ..
                 "is not within the timerange \"" .. cfg["Assertion-GrantTime"] .. "\" " ..
                 "of license configuration parameter \"Assertion-GrantTime\"")
         end
     end
     --  process "Assertion-InstanceAge" constraint
     if cfg["Assertion-InstanceAge"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-InstanceAge: \"%s\"", cfg["Assertion-InstanceAge"])
         --  determine maximum instance age in seconds
         local t_diff_max = cfg["Assertion-InstanceAge"]
         t_diff_max = 0 + util.rsubst(t_diff_max, "^(\\d+)([smhdw])$", function (t, unit)
             if     unit == "s" then t = t * 1
             elseif unit == "m" then t = t * 60
             elseif unit == "h" then t = t * 60 * 60
             elseif unit == "d" then t = t * 60 * 60 * 24
             elseif unit == "w" then t = t * 60 * 60 * 24 * 7
             end
             return t
         end)
         --  approach 1: determine install time via timestamp of UUID_REGISTRY
         local uuids = integrity.util.uuids()
         if uuids["UUID_REGISTRY"] == "" then
             return integrity.util.error(ctx, cfg,
                 "failed to load UUID_REGISTRY")
         end
         txt = uuid.describe(uuids["UUID_REGISTRY"])
         if txt == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to parse extracted UUID_REGISTRY string \"" .. uuids["UUID_REGISTRY"] .. "\" as an UUID")
         end
         local s, _, m = util.rmatch(txt, "(?s)^.*time:\\s+(\\d{4})-(\\d{2})-(\\d{2})\\s+(\\d{2}):(\\d{2}):(\\d{2}).*$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "failed to extract timestamp from UUID_REGISTRY \"" .. uuids["UUID_REGISTRY"] .. "\"")
         end
         local t_install = os.time({
             year  = tonumber(m[1]),
             month = tonumber(m[2]),
             day   = tonumber(m[3]),
             hour  = tonumber(m[4]),
             min   = tonumber(m[5]),
             sec   = tonumber(m[6])
         })
         --  approach 2: determine install time via first install time of "openpkg" package
         local result = {}
         for _, line in ipairs(rpm.query(
             "Q:%|ORIGINTIME?{" ..
                 "%{ORIGINTIME}" ..       -- regular case: RPM 5 installed/updated with RPM 5
             "}:{" ..
                 "%|INSTALLTIME?{" ..
                     "%{INSTALLTIME}" ..  -- special case: RPM 5 installed initially with RPM 4
                 "}:{" ..
                 "}|" ..
             "}|", false, "openpkg"
         )) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(result, m[1])
             end
         end
         if result[1] ~= nil then
             local n = tonumber(result[1])
             if n > 0 then
                 t_install = n
             end
         end
         --  check time difference
         local t_now = os.time()
         local t_diff = os.difftime(t_now, t_install)
         integrity.util.debug(3, "calc: %d - %d = %d", t_now, t_install, t_diff)
         if t_diff < 0 then
             return integrity.util.error(ctx, cfg,
                 "current system time \"" .. t_now .. "\" is lower than " ..
                 "instance installation time \"" .. t_install .. "\"")
         end
         integrity.util.debug(3, "require: %d <= %d", t_diff, t_diff_max)
         if t_diff > t_diff_max then
             return integrity.util.error(ctx, cfg,
                 "instance age \"" .. t_diff .. "\" " ..
                 "is greater than value \"" .. t_diff_max .. "\" (\"" .. cfg["Assertion-InstanceAge"] .. "\") " ..
                 "of license configuration parameter \"Assertion-InstanceAge\"")
         end
     end
     --  process "Assertion-FromSourceOnTarget" constraint
     if cfg["Assertion-FromSourceOnTarget"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-FromSourceOnTarget: \"%s\"", cfg["Assertion-FromSourceOnTarget"])
         local hostname = rpm.hostname()
         for _, line in ipairs(rpm.query("Q:%{NAME}:%{BUILDHOST}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:([^:]+):(.+)$")
             if s ~= nil then
                 local name = m[1]
                 local buildhost = m[2]
                 integrity.util.debug(4, "info: name \"%s\", buildhost \"%s\"", name, buildhost)
                 if not util.rmatch(name, "(?s)^gpg-.+$") and buildhost ~= "localhost" then
                     if cfg["Assertion-FromSourceOnTarget"] == "yes" and buildhost ~= hostname then
                         return integrity.util.error(ctx, cfg,
                             "license-required \"build from source on target system only\" situation not met because " ..
                             "package build host \"" .. buildhost .. "\" is not(!) equal to the package install host \"" .. hostname .. "\".")
                     end
                     if cfg["Assertion-FromSourceOnTarget"] == "no" and buildhost == hostname then
                         return integrity.util.error(ctx, cfg,
                             "license-required \"build binaries on separate build-host only\" situation not met because " ..
                             "package build host \"" .. buildhost .. "\" is equal to the package install host \"" .. hostname .. "\".")
                     end
                 end
             end
         end
     end
     --  process "Assertion-PackageNames" constraints
     if cfg["Assertion-PackageNames"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-PackageNames: \"%s\"", cfg["Assertion-PackageNames"])
         --  query RPMDB for names of all installed packages
         local packages = {}
         for _, line in ipairs(rpm.query("Q:%{NAME}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:(.+)$")
             if s ~= nil then
                 table.insert(packages, m[1])
             end
         end
         --  iterate over all constraints
         for _, constraint in
             ipairs(
                 util.rsplit(
                     util.rsubst(
                         cfg["Assertion-PackageNames"],
                         "(?s)^\\s*(.+?)\\s*$", "%1"
                     ),
                     "(?s)\\s+"
                 )
             ) do
             --  parse constraint
             local s, _, m = util.rmatch(constraint, "(?s)^(!?)([^:]+):(!?)(.+)$")
             if s == nil then
                 return integrity.util.error(ctx, cfg,
                     "invalid syntax in license configuration \"Assertion-PackageNames\" " ..
                     "parameter: \"" ..  constraint .. "\"")
             end
             local mode_negate    = m[1] ~= ""
             local mode_regex     = m[2]
             local package_negate = m[3] ~= ""
             local package_regex  = m[4]
             --  apply the mode filter
             local mode_matches, _, _ = util.rmatch(ctx.rpm.mode, mode_regex);
             if     (not mode_negate and mode_matches ~= nil)
                 or (    mode_negate and mode_matches == nil) then
                 --  apply the package filter to names of all installed packages
                 for _, package in ipairs(packages) do
                     if package_negate then
                         integrity.util.debug(3, "require: \"%s\" !~ /%s/", package, package_regex)
                     else
                         integrity.util.debug(3, "require: \"%s\" ~~ /%s/", package, package_regex)
                     end
                     local package_matches, _, _ = util.rmatch(package, package_regex)
                     if  not (   (not package_negate and package_matches ~= nil)
                              or (    package_negate and package_matches == nil)) then
                         --  indicate integrity validation error
                         return integrity.util.error(ctx, cfg,
                             "installed package \"" .. package .. "\" " ..
                             "under RPM run-time mode \"" .. ctx.rpm.mode .. "\" " ..
                             "not covered by pattern \"" .. package_regex .. "\" " ..
                             "of license configuration parameter \"Assertion-PackageNames\"")
                     end
                 end
             end
         end
     end
     --  process "Assertion-PackageReleaseAge"
     if cfg["Assertion-PackageReleaseAge"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-PackageReleaseAge: \"%s[...]\"", string.sub(cfg["Assertion-PackageReleaseAge"], 1, 20))
         --  parse constraint
         local constraint = cfg["Assertion-PackageReleaseAge"]
         local s, _, m = util.rmatch(constraint, "(?s)^([^:]+)%:([^:]+):([^\\s]+)\\s+(.+)$")
         if s == nil then
             return integrity.util.error(ctx, cfg,
                 "invalid syntax in license configuration \"Assertion-PackageReleaseAge\" parameter")
         end
         local percent   = m[1] / 100
         local offset    = m[2]
         local distregex = m[3]
         local spec      = m[4]
         --  determine maximum release time difference (in seconds)
         local t_diff_max = 0 + util.rsubst(offset, "^(\\d+)([smhdw])$", function (t, unit)
             if     unit == "s" then t = t * 1
             elseif unit == "m" then t = t * 60
             elseif unit == "h" then t = t * 60 * 60
             elseif unit == "d" then t = t * 60 * 60 * 24
             elseif unit == "w" then t = t * 60 * 60 * 24 * 7
             end
             return t
         end)
         --  iterate over all package specifications to build release map
         local releases = {}
         for _, constraint in
             ipairs(
                 util.rsplit(
                     util.rsubst(
                         spec,
                         "(?s)^\\s*(.+?)\\s*$", "%1"
                     ),
                     "(?s)\\s+"
                 )
             ) do
             --  parse specification into package name and release constraint
             local s, _, m = util.rmatch(constraint, "(?s)^([^:]+):(.+)$")
             if s == nil then
                 return integrity.util.error(ctx, cfg,
                     "invalid syntax in license configuration \"Assertion-PackageReleaseAge\" " ..
                     "parameter: \"" ..  constraint .. "\"")
             end
             -- store result into release map
             releases[m[1]] = m[2]
         end
         --  query RPMDB for releases of all installed packages and decide
         --  whether the release time is inside or outside our constraint window
         local release_window_inside  = 0
         local release_window_outside = 0
         local release_window_foreign = 0
         local release_window_unknown = 0
         for _, line in ipairs(rpm.query("Q:%{NAME}:%{RELEASE}:%{DISTRIBUTION}", true, "*")) do
             local s, _, m = util.rmatch(line, "(?s)^Q:([^:]+):(\\d\\d\\d\\d)(\\d\\d)(\\d\\d):(.+)$")
             if s ~= nil then
                 --  parse query results
                 local name = m[1]
                 local t_release = os.time({
                     year  = tonumber(m[2]),
                     month = tonumber(m[3]),
                     day   = tonumber(m[4]),
                     hour  = 23,
                     min   = 59,
                     sec   = 59
                 })
                 local dist = m[5]
                 --  only check files of the constrained distribution(s)
                 if util.rmatch(dist, "(?s)" .. distregex) then
                     --  determine minimum release constraint
                     local t_release_min = releases[name]
                     if t_release_min == nil then
                         t_release_min = releases["*"]
                     end
                     if t_release_min == nil then
                         t_release_min = os.time()
                     else
                         local s, _, m = util.rmatch(t_release_min, "^(?s)(\\d{4})(\\d{2})(\\d{2})$")
                         t_release_min = os.time({
                             year  = tonumber(m[1]),
                             month = tonumber(m[2]),
                             day   = tonumber(m[3]),
                             hour  = 0,
                             min   = 0,
                             sec   = 0
                         })
                     end
                     --  check time difference of package release
                     local t_diff = os.difftime(t_release_min, t_release)
                     integrity.util.debug(4, "calc: %d - %d = %d", t_release_min, t_release, t_diff)
                     integrity.util.debug(4, "require: %d <= 0 or (%d > 0 and %d < %d)", t_diff, t_diff, t_diff, t_diff_max)
                     if t_diff <= 0 or (t_diff > 0 and t_diff < t_diff_max) then
                         release_window_inside  = release_window_inside  + 1
                     else
                         release_window_outside = release_window_outside + 1
                     end
                 else
                     release_window_foreign = release_window_foreign + 1
                 end
             else
                 release_window_unknown = release_window_unknown + 1
             end
         end
         integrity.util.debug(3, "info: inside %d, outside %d, foreign %d, unknown %d",
             release_window_inside, release_window_outside, release_window_foreign, release_window_unknown)
         --  check validity of overall constraint
         local percent_inside =
             (release_window_inside / (release_window_inside + release_window_outside))
         integrity.util.debug(3, "require: %d >= %d", percent_inside, percent)
         if percent_inside < percent then
             return integrity.util.error(ctx, cfg,
                 "there are only " .. math.floor(percent_inside * 100) .. "% " ..
                 "packages inside the release date constraint " ..
                 "(expected a minimum of " .. math.floor(percent * 100) .. "%)")
         end
     end
     --  process "Assertion-Expression" constraint
     if cfg["Assertion-Expression"] ~= nil then
         integrity.util.debug(2, "checking: Assertion-Expression: \"%s\"", cfg["Assertion-Expression"])
         --  expand special consytructs in expression
         local expr = cfg["Assertion-Expression"]
         expr = util.rsubst(expr, "(%\{[a-zA-Z_][a-zA-Z0-9_]+\})", function (str)
             return rpm.expand(str)
         end)
         expr = util.rsubst(expr, "\"((?:\\\\.|[^\"])+)\"\\s*~~\\s*/((?:\\\\.|[^/])+)/", function (str, regex)
             if util.rmatch(str, "(?s)" .. regex) ~= nil then
                 return "true"
             else
                 return "false"
             end
         end)
         --  evaluate expression
         integrity.util.debug(3, "evaluate: %s", expr)
         result = assert(loadstring(expr))()
         if type(result) ~= "boolean" then
             result = false
         end
         if not result then
             return integrity.util.error(ctx, cfg,
                 "expression \"" .. cfg["Assertion-Expression"] .. "\" " ..
                 "of license configuration parameter \"Assertion-Expression\"" ..
                 "evaluated to false")
         end
     end
     --  indicate license integrity validation success
     return "OK"
 end
 - --  integrity processor utilities namespace
 integrity.util = {}
 - --  write debug information to stderr
 function integrity.util.debug(level_this, msg, ...)
     local level_min = os.getenv("OPENPKG_LICENSE_DEBUG")
     if level_min ~= nil then
         if type(level_min) == "string" then
             level_min = tonumber(level_min)
         end
         if type(level_min) ~= "number" then
             level_min = 0
         end
         if level_this <= level_min then
             local output
             if type(msg) == "function" then
                 output = msg(...)
             else
                 output = string.format(msg, ...)
             end
             local prefix = ""
             local i = 1
             while (i < level_this) do
                 prefix = prefix .. "    "
                 i = i + 1
             end
             io.stderr:write("rpm: DEBUG: " .. prefix .. output .. "\n")
         end
     end
 end
 - --  load OpenPKG instance UUIDs
 function integrity.util.uuids()
     local uuids = {
         UUID_REGISTRY = "",
         UUID_INSTANCE = "",
         UUID_PLATFORM = ""
     }
     local filename = rpm.expand("%{l_prefix}/etc/openpkg/uuid")
     local txt = rpm.slurp(filename)
     if txt ~= nil then
         for name, _ in pairs(uuids) do
             local s, _, m = util.rmatch(txt, "(?s)^.*" .. name .. "=\"([^\"\"]+)\".*$")
             if s ~= nil then
                 uuids[name] = m[1]
             end
         end
     end
     return uuids
 end
 - --  report validation warning
 function integrity.util.warning(ctx, cfg, warning)
     --  return prominent warning message
     return
         "WARNING: OpenPKG run-time license check failed -- continue processing\n" ..
         "+-----------------------------------------------------------------------------+\n" ..
         "| Attention, the OpenPKG RPM run-time integrity checking facility encountered a\n" ..
         "| non-fatal problem during license checking, but allows processing to continue.\n" ..
         "| The particular warning reported by the OpenPKG license processor is:\n" ..
         "|\n" ..
         util.textwrap("|   ", warning, 60, 70) ..
         "|\n" ..
         "| Notice: Operation of the OpenPKG Framework requires a valid license.\n" ..
         "| Go to http://openpkg.com/go/framework-license for more details, please.\n" ..
         "+-----------------------------------------------------------------------------+"
 end
 - --  report validation error
 function integrity.util.error(ctx, cfg, error)
     --  support conversion of errors into warnings
     if cfg["Assertion-ErrorToWarning"] ~= nil then
         if cfg["Assertion-ErrorToWarning"] == "yes" then
             return integrity.util.warning(ctx, cfg, error)
         end
     end
     --  return prominent error message
     return
         "ERROR: OpenPKG run-time license check failed -- stopping processing\n" ..
         "+-----------------------------------------------------------------------------+\n" ..
         "| Sorry, the OpenPKG RPM run-time integrity checking facility encountered a\n" ..
         "| fatal problem during license checking and stops processing immediately.\n" ..
         "| The particular error reported by the OpenPKG license processor is:\n" ..
         "|\n" ..
         util.textwrap("|   ", error, 60, 70) ..
         "|\n" ..
         "| Notice: Operation of the OpenPKG Framework requires a valid license.\n" ..
         "| Go to http://openpkg.com/go/framework-license for more details, please.\n" ..
         "| Run \"openpkg man license\" for details about local license management.\n" ..
         "+-----------------------------------------------------------------------------+"
 end
 -----BEGIN PGP SIGNATURE-----
 Comment: OpenPKG GmbH <openpkg@openpkg.com>
 iEYEARECAAYFAk8BelcACgkQZwQuyWG3rjTL6QCeLTLVj4PTnd/E7mf+Sv4mgbZj
 J0AoMXrO4EimPSSCZSJ1TLW8f8GP+B5
 =AVpf
 -----END PGP SIGNATURE-----

OpenPKG Specs / annotate

openpkg/license.lua@c10fb90893b9 (annotated)

openpkg/license.lua