From mboxrd@z Thu Jan  1 00:00:00 1970
From: Fabian Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Tue, 18 Jan 2022 13:48:22 +0100
Message-Id: <20220118124822.87502-3-f.ebner@proxmox.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20220118124822.87502-1-f.ebner@proxmox.com>
References: <20220118124822.87502-1-f.ebner@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [pve-devel] [PATCH proxmox-apt 3/3] check suites: add special check
 for Debian security repository

since the suffix was changed with Debian Bullseye.

Suggested-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Fabian Ebner <f.ebner@proxmox.com>
---
 src/repositories/file.rs                      | 31 +++++++++++++++++--
 tests/repositories.rs                         | 31 +++++++++++++++++++
 .../sources.list.d.expected/bad-security.list |  4 +++
 tests/sources.list.d/bad-security.list        |  4 +++
 4 files changed, 67 insertions(+), 3 deletions(-)
 create mode 100644 tests/sources.list.d.expected/bad-security.list
 create mode 100644 tests/sources.list.d/bad-security.list

diff --git a/src/repositories/file.rs b/src/repositories/file.rs
index 3e975fc..1b3ac85 100644
--- a/src/repositories/file.rs
+++ b/src/repositories/file.rs
@@ -297,8 +297,8 @@ impl APTRepositoryFile {
         Ok(())
     }
 
-    /// Checks if old or unstable suites are configured and also that the
-    /// `stable` keyword is not used.
+    /// Checks if old or unstable suites are configured and that the Debian security repository
+    /// has the correct suite. Also checks that the `stable` keyword is not used.
     pub fn check_suites(&self, current_codename: DebianCodename) -> Vec<APTRepositoryInfo> {
         let mut infos = vec![];
 
@@ -307,6 +307,22 @@ impl APTRepositoryFile {
                 continue;
             }
 
+            let is_security_repo = repo.uris.iter().any(|uri| {
+                let uri = uri.trim_end_matches('/');
+                let uri = uri.strip_suffix("debian-security").unwrap_or(uri);
+                let uri = uri.trim_end_matches('/');
+                matches!(
+                    uri,
+                    "http://security.debian.org" | "https://security.debian.org",
+                )
+            });
+
+            let require_suffix = match is_security_repo {
+                true if current_codename >= DebianCodename::Bullseye => Some("-security"),
+                true => Some("/updates"),
+                false => None,
+            };
+
             let mut add_info = |kind: &str, message| {
                 infos.push(APTRepositoryInfo {
                     path: self.path.clone(),
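Review bot: The `is_security_repo` closure recognises only the two literal `security.debian.org` origins, so a security entry served from any other host (for example a `debian-security` path on `deb.debian.org` or a local mirror) skips the suffix check entirely. A stale `/updates` suite there would then go unreported, which matters because a wrong suite on this repository means security updates are silently not fetched. Either also treat a URI whose last path component is `debian-security` as a security repository, or record the limitation next to the closure, e.g. `// only the canonical security.debian.org host is recognised; mirrors are not checked`. Separately, `strip_suffix("debian-security")` does not require a preceding `/`, so the match is slightly looser than the comment-free code suggests. `check_suites` begins and ends outside this hunk.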
@@ -323,7 +339,7 @@ impl APTRepositoryFile {
             let message_stable = "use the name of the stable distribution instead of 'stable'!";
 
             for suite in repo.suites.iter() {
-                let base_suite = suite_variant(suite).0;
+                let (base_suite, suffix) = suite_variant(suite);
 
                 match base_suite {
                     "oldoldstable" | "oldstable" => {
@@ -352,6 +368,15 @@ impl APTRepositoryFile {
                 } else if codename > current_codename {
                     add_info("warning", message_new(base_suite));
                 }
+
+                if let Some(require_suffix) = require_suffix {
+                    if suffix != require_suffix {
+                        add_info(
+                            "warning",
+                            format!("expected suite '{}{}'", current_codename, require_suffix),
+                        );
+                    }
+                }
             }
         }
 
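Review bot: The warning built in the added `if let Some(require_suffix)` block names only the expected suite, derived from `current_codename`, and never the suite that was actually found. On a file with several suites the administrator cannot tell which entry triggered it, and for a repository that is deliberately on another release the text points at a suite they did not configure. Including the offending value would make the message actionable, e.g. `format!("suite '{}' should be '{}{}'", suite, current_codename, require_suffix)`; the expected strings in tests/repositories.rs would need the same change. Whether this check also runs for the `stable`/`oldstable` aliases depends on loop code outside the hunk.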
diff --git a/tests/repositories.rs b/tests/repositories.rs
index d79ea72..c6dd351 100644
--- a/tests/repositories.rs
+++ b/tests/repositories.rs
@@ -283,6 +283,37 @@ fn test_check_repositories() -> Result<(), Error> {
 
     assert_eq!(infos, expected_infos);
 
+    let bad_security = read_dir.join("bad-security.list");
+    let mut file = APTRepositoryFile::new(&bad_security)?.unwrap();
+    file.parse()?;
+
+    let path_string = bad_security.into_os_string().into_string().unwrap();
+
+    let mut expected_infos = vec![];
+    for n in 0..=1 {
+        expected_infos.push(APTRepositoryInfo {
+            path: path_string.clone(),
+            index: n,
+            property: Some("Suites".to_string()),
+            kind: "warning".to_string(),
+            message: "expected suite 'bullseye-security'".to_string(),
+        });
+    }
+    for n in 0..=1 {
+        expected_infos.push(APTRepositoryInfo {
+            path: path_string.clone(),
+            index: n,
+            property: None,
+            kind: "origin".to_string(),
+            message: "Debian".to_string(),
+        });
+    }
+    expected_infos.sort();
+
+    let mut infos = check_repositories(&vec![file], DebianCodename::Bullseye);
+    infos.sort();
+
+    assert_eq!(infos, expected_infos);
     Ok(())
 }
 
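Review bot: The added assertions in `test_check_repositories` exercise only the mismatch path on `DebianCodename::Bullseye`, so the `true => Some("/updates")` branch for older releases and the no-warning path for a correct `bullseye-security` entry are not pinned by anything in this hunk. A regression that inverted the codename comparison or warned on a correct suite would still pass here. Consider adding a fixture line with `bullseye-security` that must produce no `Suites` warning, and a second `check_repositories` call with a pre-Bullseye codename against a `/updates` entry; fixtures outside this hunk may already cover part of this. The test function starts outside the hunk.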
diff --git a/tests/sources.list.d.expected/bad-security.list b/tests/sources.list.d.expected/bad-security.list
new file mode 100644
index 0000000..3f64ffa
--- /dev/null
+++ b/tests/sources.list.d.expected/bad-security.list
@@ -0,0 +1,4 @@
+deb http://security.debian.org/debian-security/ bullseye/updates main contrib
+
+deb https://security.debian.org bullseye/updates main contrib
+
diff --git a/tests/sources.list.d/bad-security.list b/tests/sources.list.d/bad-security.list
new file mode 100644
index 0000000..3f64ffa
--- /dev/null
+++ b/tests/sources.list.d/bad-security.list
@@ -0,0 +1,4 @@
+deb http://security.debian.org/debian-security/ bullseye/updates main contrib
+
+deb https://security.debian.org bullseye/updates main contrib
+
-- 
2.30.2