Commit d824edaf authored by Brian R. Bondy's avatar Brian R. Bondy Committed by Georg Koppen

Bug 973933 - New updater-xpcshell binary for updater tests. r=rstrong

This is a rollup of recent work. Changes include:
- Creating an xpcshell only updater binary. This binary has an embedded xpcshell only cert for verifying test only mars.  It is only used by tests and is not signed w/ authenticode certs.
- Modifying tests to use that new binary
- Adding a check-cert option to the maintenance service
- Using that new cert-check option in new tests to test the authenticode path
- No longer doing an authenticode check during service updater tests on the xpcshell binary.
- Enables more tests for other platforms

--HG--
rename : toolkit/mozapps/update/updater/moz.build => toolkit/mozapps/update/updater/updater-common.build

Conflicts:
	toolkit/mozapps/update/tests/data/xpcshellUtilsAUS.js
	toolkit/mozapps/update/tests/unit_base_updater/xpcshell.ini
parent 7c40d127
+5 −0
@@ -14,6 +14,7 @@
#include "workmonitor.h"
#include "uachelper.h"
#include "updatehelper.h"
#include "registrycertificates.h"

// Link w/ subsystem window so we don't get a console when executing
// this binary through the installer.
@@ -102,6 +103,10 @@ wmain(int argc, WCHAR **argv)
    return 0;
  }

  if (!lstrcmpi(argv[1], L"check-cert") && argc > 2) {
    return DoesBinaryMatchAllowedCertificates(argv[2], argv[3], FALSE) ? 0 : 1;
  }

  SERVICE_TABLE_ENTRYW DispatchTable[] = { 
    { SVC_NAME, (LPSERVICE_MAIN_FUNCTIONW) SvcMain }, 
    { nullptr, nullptr } 
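Review bot: The new `check-cert` branch reads `argv[3]` but only requires `argc > 2`, so an invocation with exactly two arguments after the program name passes the terminating null `argv[3]` to DoesBinaryMatchAllowedCertificates as the file path. The condition also dereferences `argv[1]` before it looks at `argc`; whether an earlier guard in wmain covers that is not visible, because the function starts above the hunk. I would write the test as `if (argc > 3 && !lstrcmpi(argv[1], L"check-cert")) {` so both arguments are known to exist before either is used. Since this is the maintenance service binary, its argument handling is worth keeping strict even for a testing and troubleshooting command.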
+13 −1
@@ -17,10 +17,17 @@
 * Verifies if the file path matches any certificate stored in the registry.
 *
 * @param  filePath The file path of the application to check if allowed.
 * @param  allowFallbackKeySkip when this is TRUE the fallback registry key will
 *   be used to skip the certificate check.  This is the default since the
 *   fallback registry key is located under HKEY_LOCAL_MACHINE which can't be
 *   written to by a low integrity process.
 *   Note: the maintenance service binary can be used to perform this check for
 *   testing or troubleshooting.
 * @return TRUE if the binary matches any of the allowed certificates.
 */
BOOL
DoesBinaryMatchAllowedCertificates(LPCWSTR basePathForUpdate, LPCWSTR filePath)
DoesBinaryMatchAllowedCertificates(LPCWSTR basePathForUpdate, LPCWSTR filePath,
                                   BOOL allowFallbackKeySkip)
{ 
  WCHAR maintenanceServiceKey[MAX_PATH + 1];
  if (!CalculateRegistryPathFromFilePath(basePathForUpdate, 
@@ -49,6 +56,11 @@ DoesBinaryMatchAllowedCertificates(LPCWSTR basePathForUpdate, LPCWSTR filePath)
    if (retCode != ERROR_SUCCESS) {
      LOG_WARN(("Could not open fallback key.  (%d)", retCode));
      return FALSE;
    } else if (allowFallbackKeySkip) {
      LOG_WARN(("Fallback key present, skipping VerifyCertificateTrustForFile "
                "check and the certificate attribute registry matching "
                "check."));
      return TRUE;
    }
  }
  nsAutoRegKey baseKey(baseKeyRaw);
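Review bot: The new `else if (allowFallbackKeySkip)` branch returns TRUE after the fallback key was opened but before `nsAutoRegKey baseKey(baseKeyRaw)` wraps it, so the handle appears to leak on that path; this assumes the open call just above the hunk writes into `baseKeyRaw`, which is not visible here. Adding `RegCloseKey(baseKeyRaw);` before `return TRUE;` would close it. The doc comment should also state the consequence plainly, for example `When TRUE, the presence of the fallback key alone makes this function return TRUE without verifying the file's signature or matching certificate attributes`, because the safety of that path rests entirely on who can create the key. The comment's justification names low integrity processes; it would help to say whether non-administrator accounts in general are unable to create the key, since that is the property the skip depends on. The function body starts above and continues past the hunks shown.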
+2 −1
@@ -8,6 +8,7 @@
#include "certificatecheck.h"

BOOL DoesBinaryMatchAllowedCertificates(LPCWSTR basePathForUpdate,
                                        LPCWSTR filePath);
                                        LPCWSTR filePath,
                                        BOOL allowFallbackKeySkip = TRUE);

#endif
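Review bot: The default `BOOL allowFallbackKeySkip = TRUE` makes the certificate-check skip the behaviour of every call site that omits the argument, so the security-relevant choice is invisible where the function is called. I would drop the default and have each caller pass `TRUE` or `FALSE` explicitly, as the `check-cert` command in this commit already does with `FALSE`: `LPCWSTR filePath, BOOL allowFallbackKeySkip);`. If the default has to stay for source compatibility, a one-line comment on the declaration such as `// allowFallbackKeySkip: TRUE lets the presence of the fallback registry key bypass certificate verification` would at least make it visible in the header.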
+25 −12
@@ -1245,12 +1245,15 @@ function getTestDirPath() {
 *          The relative path to the file or directory to get from the root of
 *          the test's data directory. If not specified the test's data
 *          directory will be returned.
 * @param   aAllowNonExists (optional)
 *          Whether or not to throw an error if the path exists.
 *          If not specified, then false is used.
 * @return  The nsIFile for the file in the test data directory.
 * @throws  If the file or directory does not exist.
 */
function getTestDirFile(aRelPath) {
function getTestDirFile(aRelPath, aAllowNonExists) {
  let relpath = getTestDirPath() + (aRelPath ? aRelPath : "");
  return do_get_file(relpath, false);
  return do_get_file(relpath, !!aAllowNonExists);
}

#ifdef XP_WIN
@@ -1471,11 +1474,9 @@ if (IS_WIN) {
function runUpdate(aExpectedExitValue, aExpectedStatus, aCallback) {
  // Copy the updater binary to the updates directory.
  let binDir = gGREBinDirOrig.clone();
  let updater = binDir.clone();
  updater.append("updater.app");
  let updater = getTestDirFile("updater.app", true);
  if (!updater.exists()) {
    updater = binDir.clone();
    updater.append(FILE_UPDATER_BIN);
    updater = getTestDirFile(FILE_UPDATER_BIN);
    if (!updater.exists()) {
      do_throw("Unable to find updater binary!");
    }
@@ -1748,8 +1749,6 @@ function setupAppFiles() {
  // dependentlibs.list file.
  let appFiles = [ { relPath  : FILE_APP_BIN,
                     inGreDir : false },
                   { relPath  : FILE_UPDATER_BIN,
                     inGreDir : false },
                   { relPath  : FILE_APPLICATION_INI,
                     inGreDir : true },
                   { relPath  : "dependentlibs.list",
@@ -1784,6 +1783,17 @@ function setupAppFiles() {
    copyFileToTestAppDir(aAppFile.relPath, aAppFile.inGreDir);
  });

  // Copy the xpcshell updater binary
  let updater = getTestDirFile("updater.app", true);
  if (!updater.exists()) {
    updater = getTestDirFile(FILE_UPDATER_BIN);
    if (!updater.exists()) {
      do_throw("Unable to find updater binary!");
    }
  } 
  let testBinDir = getGREBinDir() 
  updater.copyToFollowingLinks(testBinDir, updater.leafName);

  logTestInfo("finish - copying or creating symlinks to application files " +
              "for the test");
}
@@ -2103,10 +2113,13 @@ function runUpdateUsingService(aInitialStatus, aExpectedStatus, aCheckSvcLog) {

  setEnvironment();

  // There is a security check done by the service to make sure the updater
  // we are executing is the same as the one in the apply-to dir.
  // To make sure they match from tests we copy updater.exe to the apply-to dir.
  copyFileToTestAppDir(FILE_UPDATER_BIN, false);
  let updater = getTestDirFile(FILE_UPDATER_BIN);
  if (!updater.exists()) {
    do_throw("Unable to find updater binary!");
  }
  let testBinDir = getGREBinDir()
  updater.copyToFollowingLinks(testBinDir, updater.leafName);
  updater.copyToFollowingLinks(updatesDir, updater.leafName);

  // The service will execute maintenanceservice_installer.exe and
  // will copy maintenanceservice.exe out of the same directory from
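Review bot: The new `aAllowNonExists` description in the getTestDirFile doc comment says the flag controls whether to throw "if the path exists", but the code passes it to `do_get_file(relpath, !!aAllowNonExists)`, where it permits a path that does not exist. The text should read `Whether to allow a path that does not exist instead of throwing. If not specified, then false is used.`, and the `@throws` line should become `@throws  If the file or directory does not exist and aAllowNonExists is not true.` This matters for the later hunks in runUpdate and setupAppFiles, which call `getTestDirFile("updater.app", true)` and then test `updater.exists()`. In those same hunks the fallback `getTestDirFile(FILE_UPDATER_BIN)` is called without the flag, so by the documented contract it throws by itself and the `do_throw("Unable to find updater binary!")` after it looks unreachable.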
+2 −2
@@ -20,9 +20,9 @@ skip-if = toolkit == 'gonk'
reason = bug 820380
[marStageSuccessPartial.js]
[marVersionDowngrade.js]
run-if = os == 'win'
skip-if = os != 'win' && os != 'mac' && os != 'linux'
[marWrongChannel.js]
run-if = os == 'win'
skip-if = os != 'win' && os != 'mac' && os != 'linux'
[marStageFailurePartial.js]
[marCallbackAppSuccessComplete_win.js]
run-if = os == 'win'