syncthing/lib/upgrade/upgrade_supported.go
2019-02-02 11:45:17 +01:00

433 lines
10 KiB
Go

// Copyright (C) 2014 The Syncthing Authors.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at https://mozilla.org/MPL/2.0/.
// +build !noupgrade
package upgrade
import (
"archive/tar"
"archive/zip"
"bytes"
"compress/gzip"
"crypto/tls"
"encoding/json"
"fmt"
"io"
"io/ioutil"
"net/http"
"os"
"path"
"path/filepath"
"runtime"
"sort"
"strings"
"time"
"github.com/syncthing/syncthing/lib/dialer"
"github.com/syncthing/syncthing/lib/signature"
)
const DisabledByCompilation = false
const (
// Current binary size hovers around 10 MB. We give it some room to grow
// and say that we never expect the binary to be larger than 64 MB.
maxBinarySize = 64 << 20 // 64 MiB
// The max expected size of the signature file.
maxSignatureSize = 10 << 10 // 10 KiB
// We set the same limit on the archive. The binary will compress and we
// include some other stuff - currently the release archive size is
// around 6 MB.
maxArchiveSize = maxBinarySize
// When looking through the archive for the binary and signature, stop
// looking once we've searched this many files.
maxArchiveMembers = 100
// Archive reads, or metadata checks, that take longer than this will be
// rejected.
readTimeout = 30 * time.Minute
// The limit on the size of metadata that we accept.
maxMetadataSize = 10 << 20 // 10 MiB
)
// This is an HTTP/HTTPS client that does *not* perform certificate
// validation. We do this because some systems where Syncthing runs have
// issues with old or missing CA roots. It doesn't actually matter that we
// load the upgrade insecurely as we verify an ECDSA signature of the actual
// binary contents before accepting the upgrade.
var insecureHTTP = &http.Client{
Timeout: readTimeout,
Transport: &http.Transport{
Dial: dialer.Dial,
Proxy: http.ProxyFromEnvironment,
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true,
},
},
}
func insecureGet(url, version string) (*http.Response, error) {
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}
req.Header.Set("User-Agent", fmt.Sprintf(`syncthing %s (%s %s-%s)`, version, runtime.Version(), runtime.GOOS, runtime.GOARCH))
return insecureHTTP.Do(req)
}
// FetchLatestReleases returns the latest releases. The "current" parameter
// is used for setting the User-Agent only.
func FetchLatestReleases(releasesURL, current string) []Release {
resp, err := insecureGet(releasesURL, current)
if err != nil {
l.Infoln("Couldn't fetch release information:", err)
return nil
}
if resp.StatusCode > 299 {
l.Infoln("API call returned HTTP error:", resp.Status)
return nil
}
var rels []Release
err = json.NewDecoder(io.LimitReader(resp.Body, maxMetadataSize)).Decode(&rels)
if err != nil {
l.Infoln("Fetching release information:", err)
}
resp.Body.Close()
return rels
}
type SortByRelease []Release
func (s SortByRelease) Len() int {
return len(s)
}
func (s SortByRelease) Swap(i, j int) {
s[i], s[j] = s[j], s[i]
}
func (s SortByRelease) Less(i, j int) bool {
return CompareVersions(s[i].Tag, s[j].Tag) > 0
}
func LatestRelease(releasesURL, current string, upgradeToPreReleases bool) (Release, error) {
rels := FetchLatestReleases(releasesURL, current)
return SelectLatestRelease(rels, current, upgradeToPreReleases)
}
func SelectLatestRelease(rels []Release, current string, upgradeToPreReleases bool) (Release, error) {
if len(rels) == 0 {
return Release{}, ErrNoVersionToSelect
}
// Sort the releases, lowest version number first
sort.Sort(sort.Reverse(SortByRelease(rels)))
var selected Release
for _, rel := range rels {
if CompareVersions(rel.Tag, current) == MajorNewer {
// We've found a new major version. That's fine, but if we've
// already found a minor upgrade that is acceptable we should go
// with that one first and then revisit in the future.
if selected.Tag != "" && CompareVersions(selected.Tag, current) == Newer {
return selected, nil
}
}
if rel.Prerelease && !upgradeToPreReleases {
l.Debugln("skipping pre-release", rel.Tag)
continue
}
expectedReleases := releaseNames(rel.Tag)
nextAsset:
for _, asset := range rel.Assets {
assetName := path.Base(asset.Name)
// Check for the architecture
for _, expRel := range expectedReleases {
if strings.HasPrefix(assetName, expRel) {
l.Debugln("selected", rel.Tag)
selected = rel
break nextAsset
}
}
}
}
if selected.Tag == "" {
return Release{}, ErrNoReleaseDownload
}
return selected, nil
}
// Upgrade to the given release, saving the previous binary with a ".old" extension.
func upgradeTo(binary string, rel Release) error {
expectedReleases := releaseNames(rel.Tag)
for _, asset := range rel.Assets {
assetName := path.Base(asset.Name)
l.Debugln("considering release", assetName)
for _, expRel := range expectedReleases {
if strings.HasPrefix(assetName, expRel) {
return upgradeToURL(assetName, binary, asset.URL)
}
}
}
return ErrNoReleaseDownload
}
// Upgrade to the given release, saving the previous binary with a ".old" extension.
func upgradeToURL(archiveName, binary string, url string) error {
fname, err := readRelease(archiveName, filepath.Dir(binary), url)
if err != nil {
return err
}
defer os.Remove(fname)
old := binary + ".old"
os.Remove(old)
err = os.Rename(binary, old)
if err != nil {
return err
}
if err := os.Rename(fname, binary); err != nil {
_ = os.Rename(old, binary)
return err
}
return nil
}
func readRelease(archiveName, dir, url string) (string, error) {
l.Debugf("loading %q", url)
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return "", err
}
req.Header.Add("Accept", "application/octet-stream")
resp, err := insecureHTTP.Do(req)
if err != nil {
return "", err
}
defer resp.Body.Close()
switch runtime.GOOS {
case "windows":
return readZip(archiveName, dir, io.LimitReader(resp.Body, maxArchiveSize))
default:
return readTarGz(archiveName, dir, io.LimitReader(resp.Body, maxArchiveSize))
}
}
func readTarGz(archiveName, dir string, r io.Reader) (string, error) {
gr, err := gzip.NewReader(r)
if err != nil {
return "", err
}
tr := tar.NewReader(gr)
var tempName string
var sig []byte
// Iterate through the files in the archive.
i := 0
for {
if i >= maxArchiveMembers {
break
}
i++
hdr, err := tr.Next()
if err == io.EOF {
// end of tar archive
break
}
if err != nil {
return "", err
}
if hdr.Size > maxBinarySize {
// We don't even want to try processing or skipping over files
// that are too large.
break
}
err = archiveFileVisitor(dir, &tempName, &sig, hdr.Name, tr)
if err != nil {
return "", err
}
if tempName != "" && sig != nil {
break
}
}
if err := verifyUpgrade(archiveName, tempName, sig); err != nil {
return "", err
}
return tempName, nil
}
func readZip(archiveName, dir string, r io.Reader) (string, error) {
body, err := ioutil.ReadAll(r)
if err != nil {
return "", err
}
archive, err := zip.NewReader(bytes.NewReader(body), int64(len(body)))
if err != nil {
return "", err
}
var tempName string
var sig []byte
// Iterate through the files in the archive.
i := 0
for _, file := range archive.File {
if i >= maxArchiveMembers {
break
}
i++
if file.UncompressedSize64 > maxBinarySize {
// We don't even want to try processing or skipping over files
// that are too large.
break
}
inFile, err := file.Open()
if err != nil {
return "", err
}
err = archiveFileVisitor(dir, &tempName, &sig, file.Name, inFile)
inFile.Close()
if err != nil {
return "", err
}
if tempName != "" && sig != nil {
break
}
}
if err := verifyUpgrade(archiveName, tempName, sig); err != nil {
return "", err
}
return tempName, nil
}
// archiveFileVisitor is called for each file in an archive. It may set
// tempFile and signature.
func archiveFileVisitor(dir string, tempFile *string, signature *[]byte, archivePath string, filedata io.Reader) error {
var err error
filename := path.Base(archivePath)
archiveDir := path.Dir(archivePath)
l.Debugf("considering file %s", archivePath)
switch filename {
case "syncthing", "syncthing.exe":
archiveDirs := strings.Split(archiveDir, "/")
if len(archiveDirs) > 1 {
// Don't consider "syncthing" files found too deeply, as they may be
// other things.
return nil
}
l.Debugf("found upgrade binary %s", archivePath)
*tempFile, err = writeBinary(dir, io.LimitReader(filedata, maxBinarySize))
if err != nil {
return err
}
case "release.sig":
l.Debugf("found signature %s", archivePath)
*signature, err = ioutil.ReadAll(io.LimitReader(filedata, maxSignatureSize))
if err != nil {
return err
}
}
return nil
}
func verifyUpgrade(archiveName, tempName string, sig []byte) error {
if tempName == "" {
return fmt.Errorf("no upgrade found")
}
if sig == nil {
return fmt.Errorf("no signature found")
}
l.Debugf("checking signature\n%s", sig)
fd, err := os.Open(tempName)
if err != nil {
return err
}
// Create a new reader that will serve reads from, in order:
//
// - the archive name ("syncthing-linux-amd64-v0.13.0-beta.4.tar.gz")
// followed by a newline
//
// - the temp file contents
//
// We then verify the release signature against the contents of this
// multireader. This ensures that it is not only a bonafide syncthing
// binary, but it is also of exactly the platform and version we expect.
mr := io.MultiReader(bytes.NewBufferString(archiveName+"\n"), fd)
err = signature.Verify(SigningKey, sig, mr)
fd.Close()
if err != nil {
os.Remove(tempName)
return err
}
return nil
}
func writeBinary(dir string, inFile io.Reader) (filename string, err error) {
// Write the binary to a temporary file.
outFile, err := ioutil.TempFile(dir, "syncthing")
if err != nil {
return "", err
}
_, err = io.Copy(outFile, inFile)
if err != nil {
os.Remove(outFile.Name())
return "", err
}
err = outFile.Close()
if err != nil {
os.Remove(outFile.Name())
return "", err
}
err = os.Chmod(outFile.Name(), os.FileMode(0755))
if err != nil {
os.Remove(outFile.Name())
return "", err
}
return outFile.Name(), nil
}