From 3a294f5b50b2256fb9c137fe4caa0d6b447317e1 Mon Sep 17 00:00:00 2001
From: Tobias Koch <tobias.koch@canonical.com>
Date: Mon, 18 Feb 2019 18:49:47 +0100
Subject: [PATCH] magic-proxy: return 404 when InRelease file cannot be found
 "by hash"

When the magic-proxy script could not find a valid InRelease file for the
configured timestamp, it would fall back to serving the canonical version
of it. This meant that builds would succeed, even though snap-shotting the
repository failed.

This update makes the script return HTTP 404 when an InRelease by-hash
link for a given combination of mirror, suite and timestamp cannot be
found.
---
 debian/changelog | 11 +++++++++
 magic-proxy      | 58 ++++++++++++++++++++++++++----------------------
 2 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index f59073fe..8e8144cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,19 @@
 livecd-rootfs (2.566) UNRELEASED; urgency=medium
 
+  [ Julian Andres Klode ]
   * Do not mark direct dependencies of ubiquity as auto installed. This caused
     cryptsetup to remain auto on the installed system (LP: #1801629)
 
+  [ Tobias Koch ]
+  * When the magic-proxy script could not find a valid InRelease file for the
+    configured timestamp, it would fall back to serving the canonical version
+    of it. This meant that builds would succeed, even though snap-shotting the
+    repository failed.
+    .
+    This update makes the script return HTTP 404 when an InRelease by-hash
+    link for a given combination of mirror, suite and timestamp cannot be
+    found.
+
  -- Julian Andres Klode <juliank@ubuntu.com>  Fri, 22 Feb 2019 10:58:48 +0100
 
 livecd-rootfs (2.565) disco; urgency=medium
diff --git a/magic-proxy b/magic-proxy
index e20990df..50481e28 100755
--- a/magic-proxy
+++ b/magic-proxy
@@ -771,41 +771,41 @@ class ProxyingHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
 
             index = LPInReleaseIndex(mirror, suite,
                         cache=self.server.inrelease_cache)
+            inrelease = index.get_inrelease_for_timestamp(
+                    self.server.snapshot_stamp)
 
-            try:
-                inrelease = index.get_inrelease_for_timestamp(
-                        self.server.snapshot_stamp)
-            except LPInReleaseIndexError as e:
-                inrelease = None
+            if inrelease is None:
+                self.__send_error(404, "No InRelease file found for given "
+                                       "mirror, suite and timestamp.")
+                return
 
-            if inrelease is not None:
-                if target == "InRelease":
-                    # If target is InRelease, send back contents directly.
-                    data = inrelease.data.encode("utf-8")
+            if target == "InRelease":
+                # If target is InRelease, send back contents directly.
+                data = inrelease.data.encode("utf-8")
 
-                    self.log_message(
-                        "Inject InRelease '{}'".format(inrelease.hash))
+                self.log_message(
+                    "Inject InRelease '{}'".format(inrelease.hash))
 
-                    self.send_response(200)
-                    self.send_header("Content-Length", len(data))
-                    self.end_headers()
+                self.send_response(200)
+                self.send_header("Content-Length", len(data))
+                self.end_headers()
 
-                    if verb == "GET":
-                        self.wfile.write(data)
+                if verb == "GET":
+                    self.wfile.write(data)
 
-                    return
-                else:
-                    # If target hash is listed, then redirect to by-hash URL.
-                    hash_ = inrelease.get_hash_for(target)
+                return
+            else:
+                # If target hash is listed, then redirect to by-hash URL.
+                hash_ = inrelease.get_hash_for(target)
 
-                    if hash_:
-                        self.log_message(
-                            "Inject {} for {}".format(hash_, target))
+                if hash_:
+                    self.log_message(
+                        "Inject {} for {}".format(hash_, target))
 
-                        target_path = target.rsplit("/", 1)[0]
+                    target_path = target.rsplit("/", 1)[0]
 
-                        path = "{}/dists/{}/{}/by-hash/SHA256/{}"\
-                                .format(base, suite, target_path, hash_)
+                    path = "{}/dists/{}/{}/by-hash/SHA256/{}"\
+                            .format(base, suite, target_path, hash_)
 
         try:
             client = http.client.HTTPConnection(host)
@@ -839,6 +839,12 @@ class ProxyingHTTPRequestHandler(http.server.BaseHTTPRequestHandler):
         self.end_headers()
         shutil.copyfileobj(response, self.wfile)
 
+    def __send_error(self, status, message):
+        """Return an HTTP error status and a message in the response body."""
+        self.send_response(status)
+        self.send_header("Content-Type", "text/plain; charset=utf-8")
+        self.wfile.write(message.encode("utf-8"))
+
 
 class MagicHTTPProxy(socketserver.ThreadingMixIn, http.server.HTTPServer):
     """Tiny HTTP server using ProxyingHTTPRequestHandler instances to provide