Delete cached file if the signature verified fail

Mattia Bertorello · Mattia Bertorello · commit 5b2b47a2d425 · 2019-07-12T13:00:48.000+02:00
diff --git a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
@@ -126,7 +126,7 @@ public void download(URL url, File tmpFile, Progress progress, String statusText
   }
 
   public void download(URL url, File tmpFile, Progress progress, String statusText, ProgressListener progressListener, boolean noResume, boolean allowCache) throws Exception {
-    FileDownloader downloader = new FileDownloader(url, tmpFile, allowCache);
+    final FileDownloader downloader = new FileDownloader(url, tmpFile, allowCache);
     downloader.addObserver((o, arg) -> {
       FileDownloader me = (FileDownloader) o;
       String msg = "";
@@ -148,22 +148,24 @@ public void download(URL url, File tmpFile, Progress progress, String statusText
   public void downloadIndexAndSignature(MultiStepProgress progress, URL packageIndexUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier) throws Exception {
 
     // Extract the file name from the url
-    String indexFileName = FilenameUtils.getName(packageIndexUrl.getPath());
-    File packageIndex = BaseNoGui.indexer.getIndexFile(indexFileName);
+    final String indexFileName = FilenameUtils.getName(packageIndexUrl.getPath());
+    final File packageIndex = BaseNoGui.indexer.getIndexFile(indexFileName);
 
     final String statusText = tr("Downloading platforms index...");
 
     // Create temp files
-    File packageIndexTemp = File.createTempFile(indexFileName, ".tmp");
+    final File packageIndexTemp = File.createTempFile(indexFileName, ".tmp");
     try {
       // Download package index
       download(packageIndexUrl, packageIndexTemp, progress, statusText, progressListener, true, true);
+      final URL signatureUrl = new URL(packageIndexUrl.toString() + ".sig");
 
       if (verifyDomain(packageIndexUrl)) {
-        URL signatureUrl = new URL(packageIndexUrl.toString() + ".sig");
-
         if (checkSignature(progress, signatureUrl, progressListener, signatureVerifier, statusText, packageIndexTemp)) {
           Files.move(packageIndexTemp.toPath(), packageIndex.toPath(), StandardCopyOption.REPLACE_EXISTING);
+        } else {
+          log.info("The cached files have been removed. {} {}", packageIndexUrl, signatureUrl);
+          FileDownloader.invalidateFiles(packageIndexUrl, signatureUrl);
         }
       } else {
         // Move the package index to the destination when the signature is not necessary
@@ -196,18 +198,25 @@ public boolean verifyDomain(URL url) {
 
   public boolean checkSignature(MultiStepProgress progress, URL signatureUrl, ProgressListener progressListener, SignatureVerifier signatureVerifier, String statusText, File fileToVerify) throws Exception {
 
+    final boolean allowInsecurePackages =
+      PreferencesData.getBoolean("allow_insecure_packages", false);
+    if (allowInsecurePackages) {
+      log.info("Allow insecure packages is true the signature will be skip and return always verified");
+      return true;
+    }
+
     // Signature file name
-    String signatureFileName = FilenameUtils.getName(signatureUrl.getPath());
-    File packageIndexSignature = BaseNoGui.indexer.getIndexFile(signatureFileName);
-    File packageIndexSignatureTemp = File.createTempFile(signatureFileName, ".tmp");
+    final String signatureFileName = FilenameUtils.getName(signatureUrl.getPath());
+    final File packageIndexSignature = BaseNoGui.indexer.getIndexFile(signatureFileName);
+    final File packageIndexSignatureTemp = File.createTempFile(signatureFileName, ".tmp");
 
 
     try {
       // Download signature
       download(signatureUrl, packageIndexSignatureTemp, progress, statusText, progressListener, true);
 
       // Verify the signature before move the files
-      boolean signatureVerified = signatureVerifier.isSigned(fileToVerify, packageIndexSignatureTemp);
+      final boolean signatureVerified = signatureVerifier.isSigned(fileToVerify, packageIndexSignatureTemp);
       if (signatureVerified) {
         log.info("Signature verified. url={}, signature url={}, file to verify={}, signature file={}", signatureUrl, signatureUrl, fileToVerify, packageIndexSignatureTemp);
         // Move if the signature is ok
diff --git a/arduino-core/src/cc/arduino/contributions/libraries/LibraryInstaller.java b/arduino-core/src/cc/arduino/contributions/libraries/LibraryInstaller.java
@@ -36,6 +36,7 @@
 import cc.arduino.contributions.ProgressListener;
 import cc.arduino.utils.ArchiveExtractor;
 import cc.arduino.utils.MultiStepProgress;
+import cc.arduino.utils.network.FileDownloader;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -74,9 +75,10 @@ public synchronized void updateIndex(ProgressListener progressListener) throws E
     String signatureFileName = FilenameUtils.getName(new URL(Constants.LIBRARY_INDEX_URL).getPath());
     File libraryIndexTemp = File.createTempFile(signatureFileName, ".tmp");
     final URL libraryURL = new URL(Constants.LIBRARY_INDEX_URL);
+    final URL libraryGzURL = new URL(Constants.LIBRARY_INDEX_URL_GZ);
     final String statusText = tr("Downloading libraries index...");
     try {
-      GZippedJsonDownloader gZippedJsonDownloader = new GZippedJsonDownloader(downloader, libraryURL, new URL(Constants.LIBRARY_INDEX_URL_GZ));
+      GZippedJsonDownloader gZippedJsonDownloader = new GZippedJsonDownloader(downloader, libraryURL, libraryGzURL);
       gZippedJsonDownloader.download(libraryIndexTemp, progress, statusText, progressListener, true);
     } catch (InterruptedException e) {
       // Download interrupted... just exit
@@ -98,7 +100,8 @@ public synchronized void updateIndex(ProgressListener progressListener) throws E
         // Step 3: Rescan index
         rescanLibraryIndex(progress, progressListener);
       } else {
-        log.error("Fail to verify the signature of {}", libraryURL);
+        FileDownloader.invalidateFiles(libraryGzURL, libraryURL, signatureUrl);
+        log.error("Fail to verify the signature of {} the cached files have been removed", libraryURL);
       }
     } else {
       log.info("The domain is not selected to verify the signature. library index: {}", signatureUrl);
diff --git a/arduino-core/src/cc/arduino/utils/network/FileDownloader.java b/arduino-core/src/cc/arduino/utils/network/FileDownloader.java
@@ -34,15 +34,18 @@
 import org.apache.logging.log4j.Logger;
 import processing.app.helpers.FileUtils;
 
+import javax.script.ScriptException;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.RandomAccessFile;
 import java.net.HttpURLConnection;
 import java.net.SocketTimeoutException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.util.Arrays;
 import java.util.Observable;
 import java.util.Optional;
 
@@ -137,26 +140,49 @@ private void saveLocalFile() {
     }
   }
 
+  public static void invalidateFiles(URL... filesUrl) {
+    // For each file delete the file cached if exist
+    Arrays.stream(filesUrl).forEach(url -> {
+      try {
+        FileDownloaderCache.getFileCached(url).ifPresent(fileCached -> {
+          try {
+            log.info("Invalidate this file {} that comes from {}", fileCached.getLocalPath(), fileCached.getRemoteURL());
+            fileCached.invalidateCache();
+          } catch (Exception e) {
+            log.warn("Fail to invalidate cache", e);
+          }
+        });
+      } catch (URISyntaxException | NoSuchMethodException | ScriptException | IOException e) {
+        log.warn("Fail to get the file cached during the file invalidation", e);
+      }
+    });
+
+  }
+
   private void downloadFile(boolean noResume) throws InterruptedException {
 
     try {
       setStatus(Status.CONNECTING);
 
-      final Optional<FileDownloaderCache.FileCached> fileCached = FileDownloaderCache.getFileCached(downloadUrl);
-      if (fileCached.isPresent() && fileCached.get().isNotChange()) {
-        final Optional<File> fileFromCache = getFileCached(fileCached.get());
-        if (fileFromCache.isPresent()) {
+      final Optional<FileDownloaderCache.FileCached> fileCachedOpt = FileDownloaderCache.getFileCached(downloadUrl);
+      if (fileCachedOpt.isPresent()) {
+        final FileDownloaderCache.FileCached fileCached = fileCachedOpt.get();
+
+        final Optional<File> fileFromCache = getFileCached(fileCached);
+        if (fileCached.isNotChange() && fileFromCache.isPresent()) {
           // Copy the cached file in the destination file
           FileUtils.copyFile(fileFromCache.get(), outputFile);
         } else {
           openConnectionAndFillTheFile(noResume);
 
           if (allowCache) {
-            fileCached.get().updateCacheFile(outputFile);
+            fileCached.updateCacheFile(outputFile);
           } else {
             log.info("The file {} was not cached because allow cache is false", downloadUrl);
           }
         }
+      } else {
+        openConnectionAndFillTheFile(noResume);
       }
       setStatus(Status.COMPLETE);
 
diff --git a/arduino-core/src/cc/arduino/utils/network/FileDownloaderCache.java b/arduino-core/src/cc/arduino/utils/network/FileDownloaderCache.java
@@ -117,7 +117,7 @@ public class FileDownloaderCache {
     }
   }
 
-  public static Optional<FileCached> getFileCached(final URL remoteURL)
+  static Optional<FileCached> getFileCached(final URL remoteURL)
     throws URISyntaxException, NoSuchMethodException, ScriptException,
     IOException {
     // Return always and empty file if the cache is not enable
@@ -268,7 +268,8 @@ public FileCached(String remoteURL, String localPath, String eTag, String lastET
     @JsonIgnore
     public boolean isExpire() {
       // Check if the file is expire
-      return this.getExpiresTime().isBefore(LocalDateTime.now());
+      final LocalDateTime now = LocalDateTime.now();
+      return this.getExpiresTime().isBefore(now) || this.getExpiresTime().isEqual(now);
     }
 
     @JsonIgnore
@@ -298,15 +299,15 @@ public boolean exists() {
     }
 
     @JsonIgnore
-    public Optional<File> getFileFromCache() {
+    Optional<File> getFileFromCache() {
       if (md5Check()) {
         return Optional.of(Paths.get(localPath).toFile());
       }
       return Optional.empty();
 
     }
 
-    public synchronized void updateCacheFile(File fileToCache) throws Exception {
+    synchronized void updateCacheFile(File fileToCache) throws Exception {
       Path cacheFilePath = Paths.get(localPath);
 
       // If the cache directory does not exist create it
@@ -336,6 +337,11 @@ public synchronized void updateCacheFile(File fileToCache) throws Exception {
 
     }
 
+    synchronized void invalidateCache() throws IOException {
+      cachedFiles.remove(remoteURL);
+      Files.deleteIfExists(Paths.get(localPath));
+    }
+
     private String calculateMD5() throws IOException, NoSuchAlgorithmException {
       if (exists()) {
         return FileHash.hash(Paths.get(localPath).toFile(), "MD5");
@@ -344,7 +350,7 @@ private String calculateMD5() throws IOException, NoSuchAlgorithmException {
     }
 
     @JsonIgnore
-    public boolean md5Check() {
+    boolean md5Check() {
       try {
         return !Objects.isNull(getMD5()) && Objects.equals(calculateMD5(), getMD5());
       } catch (Exception e) {
@@ -354,7 +360,7 @@ public boolean md5Check() {
     }
 
     @JsonIgnore
-    public LocalDateTime getExpiresTime() {
+    LocalDateTime getExpiresTime() {
       final int maxAge;
       if (cacheControl != null) {
         maxAge = cacheControl.getMaxAge();
