When updating on a user ticket, check for system tickets

chrome/tools/build/mac/keystone_install.sh

 #!/bin/bash
 
 # Copyright (c) 2009 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # Called by the Keystone system to update the installed application with a new
 # version from a disk image.
 
 # Return values:
 # 0  Happiness
 # 1  Unknown failure
-# 2  Basic sanity check destination failure (e.g. ticket points to nothing)
-# 3  Could not prepare existing installed version to receive update
-# 4  rsync failed (could not assure presence of Versions directory)
-# 5  rsync failed (could not copy new versioned directory to Versions)
-# 6  rsync failed (could not update outer .app bundle)
-# 7  Could not get the version, update URL, or channel after update
-# 8  Updated application does not have the version number from the update
-# 9  ksadmin failure
-# 10 Basic sanity check source failure (e.g. no app on disk image)
+# 2  Basic sanity check source failure (e.g. no app on disk image)
+# 3  Basic sanity check destination failure (e.g. ticket points to nothing)
+# 4  Update driven by user ticket when a system ticket is also present
+# 5  Could not prepare existing installed version to receive update
+# 6  rsync failed (could not assure presence of Versions directory)
+# 7  rsync failed (could not copy new versioned directory to Versions)
+# 8  rsync failed (could not update outer .app bundle)
+# 9  Could not get the version, update URL, or channel after update
+# 10 Updated application does not have the version number from the update
+# 11 ksadmin failure
 
 set -e
 
 # Returns 0 (true) if the parameter exists, is a symbolic link, and appears
 # writable on the basis of its POSIX permissions.  This is used to determine
 # writeability like test's -w primary, but -w resolves symbolic links and this
 # function does not.
 function is_writable_symlink() {
   SYMLINK=${1}
   LINKMODE=$(stat -f %Sp "${SYMLINK}" 2> /dev/null || true)
@@ skipping 78 matching lines @@
         chmod -h 755 "${TEMPLINK}" && \
         mv -f "${TEMPLINK}" "${SYMLINKDIR}") || true
     rm -rf "${TEMPLINKDIR}"
   fi
 
   return 0
 }
 
 # The argument should be the disk image path.  Make sure it exists.
 if [ $# -lt 1 ] || [ ! -d "${1}" ]; then
-  exit 10
+  exit 2
 fi
 
 # Who we are.
 PRODUCT_NAME="Google Chrome"
 APP_DIR="${PRODUCT_NAME}.app"
 FRAMEWORK_NAME="${PRODUCT_NAME} Framework"
 FRAMEWORK_DIR="${FRAMEWORK_NAME}.framework"
 SRC="${1}/${APP_DIR}"
 
 # Make sure that there's something to copy from, and that it's an absolute
 # path.
 if [ -z "${SRC}" ] || [ "${SRC:0:1}" != "/" ] || [ ! -d "${SRC}" ] ; then
-  exit 10
+  exit 2
 fi
 
 # Figure out where we're going.  Determine the application version to be
 # installed, use that to locate the framework, and then look inside the
 # framework for the Keystone product ID.
 APP_VERSION_KEY="CFBundleShortVersionString"
 UPD_VERSION_APP=$(defaults read "${SRC}/Contents/Info" "${APP_VERSION_KEY}" ||
-                  exit 10)
+                  exit 2)
 UPD_KS_PLIST="${SRC}/Contents/Versions/${UPD_VERSION_APP}/${FRAMEWORK_DIR}/Resources/Info"
 KS_VERSION_KEY="KSVersion"
-UPD_VERSION_KS=$(defaults read "${UPD_KS_PLIST}" "${KS_VERSION_KEY}" || exit 10)
-PRODUCT_ID=$(defaults read "${UPD_KS_PLIST}" KSProductID || exit 10)
+UPD_VERSION_KS=$(defaults read "${UPD_KS_PLIST}" "${KS_VERSION_KEY}" || exit 2)
+PRODUCT_ID=$(defaults read "${UPD_KS_PLIST}" KSProductID || exit 2)
 if [ -z "${UPD_VERSION_KS}" ] || [ -z "${PRODUCT_ID}" ] ; then
-  exit 2
+  exit 3
 fi
 DEST=$(ksadmin -pP "${PRODUCT_ID}" |
        sed -Ene \
            's%^[[:space:]]+xc=<KSPathExistenceChecker:.* path=(/.+)>$%\1%p')
 
 # More sanity checking.
 if [ -z "${DEST}" ] || [ ! -d "${DEST}" ]; then
-  exit 2
+  exit 3
+fi
+
+# If this script is not running as root, it's being driven by a user ticket.
+# If a system ticket is also present, there's a potential for the two to
+# collide.  Both ticket types might be present if another user on the system
+# promoted the ticket to system: the other user could not have removed this
+# user's user ticket.  Handle that case here by deleting the user ticket and
+# exiting early with a discrete exit status.
+#
+# Current versions of ksadmin will exit 1 (false) when asked to print tickets
+# and given a specific product ID to print.  Older versions of ksadmin would
+# exit 0 (true), but those same versions did not support -S (meaning to check
+# the system ticket store) and would exit 1 (false) with this invocation due
+# to not understanding the question.  Therefore, the usage here will only
+# delete the existing user ticket when running as non-root with access to a
+# sufficiently recent ksadmin.  Older ksadmins are tolerated: the update will
+# likely fail for another reason and the user ticket will hang around until
+# something is eventually able to remove it.
+if [ ${EUID} -ne 0 ] &&
+   ksadmin -S --print-tickets -P "${PRODUCT_ID}" >& /dev/null ; then
+  ksadmin --delete -P "${PRODUCT_ID}" || true
+  exit 4
 fi
 
 # Figure out what the existing version is using for its versioned directory.
 # This will be used later, to avoid removing the currently-installed version's
 # versioned directory in case anything is still using it.
 OLD_VERSION_APP=$(defaults read "${DEST}/Contents/Info" "${APP_VERSION_KEY}" ||
                   true)
 OLD_VERSIONED_DIR="${DEST}/Contents/Versions/${OLD_VERSION_APP}"
 
 # See if the timestamp of what's currently on disk is newer than the update's
@@ skipping 76 matching lines @@
 # directory, otherwise, this directory would be the only one in the entire
 # update exempt from getting its permissions copied over.  A simple mkdir
 # wouldn't copy mode bits.  This is done even if ${DEST}/Contents/Versions
 # already does exist to ensure that the mode bits come from the update.
 #
 # ${DEST} is guaranteed to exist at this point, but ${DEST}/Contents may not
 # if things are severely broken or if this update is actually an initial
 # installation from a Keystone skeleton bootstrap.  The mkdir creates
 # ${DEST}/Contents if it doesn't exist; its mode bits will be fixed up in a
 # subsequent rsync.
-mkdir -p "${DEST}/Contents" || exit 3
+mkdir -p "${DEST}/Contents" || exit 5
 rsync ${RSYNC_FLAGS} --exclude "*" "${SRC}/Contents/Versions/" \
-                                   "${DEST}/Contents/Versions" || exit 4
+                                   "${DEST}/Contents/Versions" || exit 6
 
 # Copy the versioned directory.  The new versioned directory will have a
 # different name than any existing one, so this won't harm anything already
 # present in Contents/Versions, including the versioned directory being used
 # by any running processes.  If this step is interrupted, there will be an
 # incomplete versioned directory left behind, but it won't interfere with
 # anything, and it will be replaced or removed during a future update attempt.
 NEW_VERSIONED_DIR="${DEST}/Contents/Versions/${UPD_VERSION_APP}"
 rsync ${RSYNC_FLAGS} --delete-before \
     "${SRC}/Contents/Versions/${UPD_VERSION_APP}/" \
-    "${NEW_VERSIONED_DIR}" || exit 5
+    "${NEW_VERSIONED_DIR}" || exit 7
 
 # Copy the unversioned files into place, leaving everything in
 # Contents/Versions alone.  If this step is interrupted, the application will
 # at least remain in a usable state, although it may not pass signature
 # validation.  Depending on when this step is interrupted, the application
 # will either launch the old or the new version.  The critical point is when
 # the main executable is replaced.  There isn't very much to copy in this step,
 # because most of the application is in the versioned directory.  This step
 # only accounts for around 50 files, most of which are small localized
 # InfoPlist.strings files.
 rsync ${RSYNC_FLAGS} --delete-after --exclude /Contents/Versions \
-    "${SRC}/" "${DEST}" || exit 6
+    "${SRC}/" "${DEST}" || exit 8
 
 # If necessary, touch the outermost .app so that it appears to the outside
 # world that something was done to the bundle.  This will cause LaunchServices
 # to invalidate the information it has cached about the bundle even if
 # lsregister does not run.  This is not done if rsync already updated the
 # timestamp to something newer than what had been on disk.  This is not
 # considered a critical step, and if it fails, this script will not exit.
 if [ -n "${NEEDS_TOUCH}" ] ; then
   touch -cf "${DEST}" || true
 fi
 
 # Read the new values (e.g. version).  Get the installed application version
 # to get the path to the framework, where the Keystone keys are stored.
 NEW_VERSION_APP=$(defaults read "${DEST}/Contents/Info" "${APP_VERSION_KEY}" ||
-                  exit 7)
+                  exit 9)
 NEW_KS_PLIST="${DEST}/Contents/Versions/${NEW_VERSION_APP}/${FRAMEWORK_DIR}/Resources/Info"
-NEW_VERSION_KS=$(defaults read "${NEW_KS_PLIST}" "${KS_VERSION_KEY}" || exit 7)
-URL=$(defaults read "${NEW_KS_PLIST}" KSUpdateURL || exit 7)
+NEW_VERSION_KS=$(defaults read "${NEW_KS_PLIST}" "${KS_VERSION_KEY}" || exit 9)
+URL=$(defaults read "${NEW_KS_PLIST}" KSUpdateURL || exit 9)
 # The channel ID is optional.  Suppress stderr to prevent Keystone from seeing
 # possible error output.
 CHANNEL_ID=$(defaults read "${NEW_KS_PLIST}" KSChannelID 2>/dev/null || true)
 
 # Make sure that the update was successful by comparing the version found in
 # the update with the version now on disk.
 if [ "${NEW_VERSION_KS}" != "${UPD_VERSION_KS}" ]; then
-  exit 8
+  exit 10
 fi
 
 # Notify LaunchServices.  This is not considered a critical step, and
 # lsregister's exit codes shouldn't be confused with this script's own.
 /System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister "${DEST}" || true
 
 # Notify Keystone.
 KSADMIN_VERSION=$(ksadmin --ksadmin-version || true)
 if [ -n "${KSADMIN_VERSION}" ] ; then
   # If ksadmin recognizes --ksadmin-version, it will recognize --tag.
   ksadmin --register \
           -P "${PRODUCT_ID}" \
           --version "${NEW_VERSION_KS}" \
           --xcpath "${DEST}" \
           --url "${URL}" \
-          --tag "${CHANNEL_ID}" || exit 9
+          --tag "${CHANNEL_ID}" || exit 11
 else
   # Older versions of ksadmin don't recognize --tag.  The application will
   # set the tag when it runs.
   ksadmin --register \
           -P "${PRODUCT_ID}" \
           --version "${NEW_VERSION_KS}" \
           --xcpath "${DEST}" \
-          --url "${URL}" || exit 9
+          --url "${URL}" || exit 11
 fi
 
 # The remaining steps are not considered critical.
 set +e
 
 # Try to clean up old versions that are not in use.  The strategy is to keep
 # the versioned directory corresponding to the update just applied
 # (obviously) and the version that was just replaced, and to use ps and lsof
 # to see if it looks like any processes are currently using any other old
 # directories.  Directories not in use are removed.  Old versioned directories
@@ skipping 136 matching lines @@
    ([ ${OS_MAJOR} -eq 10 ] && [ ${OS_MINOR} -ge 6 ]) ; then
   # On 10.6, xattr supports -r for recursive operation.
   xattr -d -r "${QUARANTINE_ATTR}" "${DEST}" >& /dev/null
 else
   # On earlier systems, xattr doesn't support -r, so run xattr via find.
   find "${DEST}" -exec xattr -d "${QUARANTINE_ATTR}" {} + >& /dev/null
 fi
 
 # Great success!
 exit 0