1 // 2 // Copyright (C) 2011 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #include "update_engine/omaha_response_handler_action.h" 18 19 #include <string> 20 21 #include <base/logging.h> 22 #include <base/strings/string_number_conversions.h> 23 #include <base/strings/string_util.h> 24 #include <policy/device_policy.h> 25 26 #include "update_engine/common/constants.h" 27 #include "update_engine/common/hardware_interface.h" 28 #include "update_engine/common/prefs_interface.h" 29 #include "update_engine/common/utils.h" 30 #include "update_engine/connection_manager_interface.h" 31 #include "update_engine/omaha_request_params.h" 32 #include "update_engine/payload_consumer/delta_performer.h" 33 #include "update_engine/payload_state_interface.h" 34 #include "update_engine/update_manager/policy.h" 35 #include "update_engine/update_manager/update_manager.h" 36 37 using chromeos_update_manager::Policy; 38 using chromeos_update_manager::UpdateManager; 39 using std::string; 40 41 namespace chromeos_update_engine { 42 43 OmahaResponseHandlerAction::OmahaResponseHandlerAction( 44 SystemState* system_state) 45 : OmahaResponseHandlerAction(system_state, 46 constants::kOmahaResponseDeadlineFile) {} 47 48 OmahaResponseHandlerAction::OmahaResponseHandlerAction( 49 SystemState* system_state, const string& deadline_file) 50 : system_state_(system_state), 51 got_no_update_response_(false), 52 key_path_(constants::kUpdatePayloadPublicKeyPath), 53 deadline_file_(deadline_file) {} 54 55 void OmahaResponseHandlerAction::PerformAction() { 56 CHECK(HasInputObject()); 57 ScopedActionCompleter completer(processor_, this); 58 const OmahaResponse& response = GetInputObject(); 59 if (!response.update_exists) { 60 got_no_update_response_ = true; 61 LOG(INFO) << "There are no updates. Aborting."; 62 return; 63 } 64 65 // All decisions as to which URL should be used have already been done. So, 66 // make the current URL as the download URL. 67 string current_url = system_state_->payload_state()->GetCurrentUrl(); 68 if (current_url.empty()) { 69 // This shouldn't happen as we should always supply the HTTPS backup URL. 70 // Handling this anyway, just in case. 71 LOG(ERROR) << "There are no suitable URLs in the response to use."; 72 completer.set_code(ErrorCode::kOmahaResponseInvalid); 73 return; 74 } 75 76 // This is the url to the first package, not all packages. 77 install_plan_.download_url = current_url; 78 install_plan_.version = response.version; 79 install_plan_.system_version = response.system_version; 80 81 OmahaRequestParams* const params = system_state_->request_params(); 82 PayloadStateInterface* const payload_state = system_state_->payload_state(); 83 84 // If we're using p2p to download and there is a local peer, use it. 85 if (payload_state->GetUsingP2PForDownloading() && 86 !payload_state->GetP2PUrl().empty()) { 87 LOG(INFO) << "Replacing URL " << install_plan_.download_url 88 << " with local URL " << payload_state->GetP2PUrl() 89 << " since p2p is enabled."; 90 install_plan_.download_url = payload_state->GetP2PUrl(); 91 payload_state->SetUsingP2PForDownloading(true); 92 } 93 94 // Fill up the other properties based on the response. 95 string update_check_response_hash; 96 for (const auto& package : response.packages) { 97 brillo::Blob raw_hash; 98 if (!base::HexStringToBytes(package.hash, &raw_hash)) { 99 LOG(ERROR) << "Failed to convert payload hash from hex string to bytes: " 100 << package.hash; 101 completer.set_code(ErrorCode::kOmahaResponseInvalid); 102 return; 103 } 104 install_plan_.payloads.push_back( 105 {.size = package.size, 106 .metadata_size = package.metadata_size, 107 .metadata_signature = package.metadata_signature, 108 .hash = raw_hash, 109 .type = package.is_delta ? InstallPayloadType::kDelta 110 : InstallPayloadType::kFull}); 111 update_check_response_hash += package.hash + ":"; 112 } 113 install_plan_.public_key_rsa = response.public_key_rsa; 114 install_plan_.hash_checks_mandatory = AreHashChecksMandatory(response); 115 install_plan_.is_resume = DeltaPerformer::CanResumeUpdate( 116 system_state_->prefs(), update_check_response_hash); 117 if (install_plan_.is_resume) { 118 payload_state->UpdateResumed(); 119 } else { 120 payload_state->UpdateRestarted(); 121 LOG_IF(WARNING, 122 !DeltaPerformer::ResetUpdateProgress(system_state_->prefs(), false)) 123 << "Unable to reset the update progress."; 124 LOG_IF(WARNING, 125 !system_state_->prefs()->SetString(kPrefsUpdateCheckResponseHash, 126 update_check_response_hash)) 127 << "Unable to save the update check response hash."; 128 } 129 130 install_plan_.source_slot = system_state_->boot_control()->GetCurrentSlot(); 131 install_plan_.target_slot = install_plan_.source_slot == 0 ? 1 : 0; 132 133 // The Omaha response doesn't include the channel name for this image, so we 134 // use the download_channel we used during the request to tag the target slot. 135 // This will be used in the next boot to know the channel the image was 136 // downloaded from. 137 string current_channel_key = 138 kPrefsChannelOnSlotPrefix + std::to_string(install_plan_.target_slot); 139 system_state_->prefs()->SetString(current_channel_key, 140 params->download_channel()); 141 142 if (params->ShouldPowerwash()) 143 install_plan_.powerwash_required = true; 144 145 TEST_AND_RETURN(HasOutputPipe()); 146 if (HasOutputPipe()) 147 SetOutputObject(install_plan_); 148 LOG(INFO) << "Using this install plan:"; 149 install_plan_.Dump(); 150 151 // Send the deadline data (if any) to Chrome through a file. This is a pretty 152 // hacky solution but should be OK for now. 153 // 154 // TODO(petkov): Re-architect this to avoid communication through a 155 // file. Ideally, we would include this information in D-Bus's GetStatus 156 // method and UpdateStatus signal. A potential issue is that update_engine may 157 // be unresponsive during an update download. 158 if (!deadline_file_.empty()) { 159 utils::WriteFile(deadline_file_.c_str(), 160 response.deadline.data(), 161 response.deadline.size()); 162 chmod(deadline_file_.c_str(), S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH); 163 } 164 165 // Check the generated install-plan with the Policy to confirm that 166 // it can be applied at this time (or at all). 167 UpdateManager* const update_manager = system_state_->update_manager(); 168 CHECK(update_manager); 169 auto ec = ErrorCode::kSuccess; 170 update_manager->PolicyRequest( 171 &Policy::UpdateCanBeApplied, &ec, &install_plan_); 172 completer.set_code(ec); 173 } 174 175 bool OmahaResponseHandlerAction::AreHashChecksMandatory( 176 const OmahaResponse& response) { 177 // We sometimes need to waive the hash checks in order to download from 178 // sources that don't provide hashes, such as dev server. 179 // At this point UpdateAttempter::IsAnyUpdateSourceAllowed() has already been 180 // checked, so an unofficial update URL won't get this far unless it's OK to 181 // use without a hash. Additionally, we want to always waive hash checks on 182 // unofficial builds (i.e. dev/test images). 183 // The end result is this: 184 // * Base image: 185 // - Official URLs require a hash. 186 // - Unofficial URLs only get this far if the IsAnyUpdateSourceAllowed() 187 // devmode/debugd checks pass, in which case the hash is waived. 188 // * Dev/test image: 189 // - Any URL is allowed through with no hash checking. 190 if (!system_state_->request_params()->IsUpdateUrlOfficial() || 191 !system_state_->hardware()->IsOfficialBuild()) { 192 // Still do a hash check if a public key is included. 193 if (!response.public_key_rsa.empty()) { 194 // The autoupdate_CatchBadSignatures test checks for this string 195 // in log-files. Keep in sync. 196 LOG(INFO) << "Mandating payload hash checks since Omaha Response " 197 << "for unofficial build includes public RSA key."; 198 return true; 199 } else { 200 LOG(INFO) << "Waiving payload hash checks for unofficial update URL."; 201 return false; 202 } 203 } 204 205 // If we're using p2p, |install_plan_.download_url| may contain a 206 // HTTP URL even if |response.payload_urls| contain only HTTPS URLs. 207 if (!base::StartsWith(install_plan_.download_url, "https://", 208 base::CompareCase::INSENSITIVE_ASCII)) { 209 LOG(INFO) << "Mandating hash checks since download_url is not HTTPS."; 210 return true; 211 } 212 213 // TODO(jaysri): VALIDATION: For official builds, we currently waive hash 214 // checks for HTTPS until we have rolled out at least once and are confident 215 // nothing breaks. chromium-os:37082 tracks turning this on for HTTPS 216 // eventually. 217 218 // Even if there's a single non-HTTPS URL, make the hash checks as 219 // mandatory because we could be downloading the payload from any URL later 220 // on. It's really hard to do book-keeping based on each byte being 221 // downloaded to see whether we only used HTTPS throughout. 222 for (const auto& package : response.packages) { 223 for (const string& payload_url : package.payload_urls) { 224 if (!base::StartsWith( 225 payload_url, "https://", base::CompareCase::INSENSITIVE_ASCII)) { 226 LOG(INFO) << "Mandating payload hash checks since Omaha response " 227 << "contains non-HTTPS URL(s)"; 228 return true; 229 } 230 } 231 } 232 233 LOG(INFO) << "Waiving payload hash checks since Omaha response " 234 << "only has HTTPS URL(s)"; 235 return false; 236 } 237 238 } // namespace chromeos_update_engine 239