[glsa] Fix handling ranges in GLSAs

Fix the following issues in GLSA range handling:

- rgt with -r0 is perfectly valid (it matches -r1+),

- rle with -r0 is =, not ~,

- the glob code does not handle le, lt, gt, ge, so reject those.

2 files changed, 23 insertions, 8 deletions

diff --git a/pkgcore/pkgsets/glsa.py b/pkgcore/pkgsets/glsa.py
index c55faab86..8d40e09a9 100644
--- a/pkgcore/pkgsets/glsa.py
+++ b/pkgcore/pkgsets/glsa.py
@@ -154,23 +154,27 @@ class GlsaDirSet(object):
             base = base[:-1]
         base = cpv.versioned_CPV("cat/pkg-%s" % base)
         restrict = self.op_translate[op.lstrip("r")]
-        if op.startswith("r"):
-            if glob:
+        if glob:
+            if op != "eq":
                 raise ValueError("glob cannot be used with %s ops" % op)
-            elif not base.revision:
-                if '=' not in restrict:
+            return packages.PackageRestriction(
+                "fullver", values.StrGlobMatch(base.fullver))
+        if op.startswith("r"):
+            if not base.revision:
+                if op == "rlt": # rlt -r0 can never match
                     # this is a non-range.
                     raise ValueError(
                         "range %s version %s is a guaranteed empty set" %
                         (op, str(node.text.strip())))
-                return atom_restricts.VersionMatch("~", base.version, negate=negate)
+                elif op == "rle": # rle -r0 -> = -r0
+                    return atom_restricts.VersionMatch("=", base.version, negate=negate)
+                elif op == "rge": # rge -r0 -> ~
+                    return atom_restricts.VersionMatch("~", base.version, negate=negate)
+                # rgt -r0 passes through to regular ~ + >
             return packages.AndRestriction(
                 atom_restricts.VersionMatch("~", base.version),
                 atom_restricts.VersionMatch(restrict, base.version, rev=base.revision),
                 negate=negate)
-        if glob:
-            return packages.PackageRestriction(
-                "fullver", values.StrGlobMatch(base.fullver))
         return atom_restricts.VersionMatch(
             restrict, base.version, rev=base.revision, negate=negate)
 
diff --git a/pkgcore/test/pkgsets/test_glsa.py b/pkgcore/test/pkgsets/test_glsa.py
index 6c5fef79a..d336e0ccc 100644
--- a/pkgcore/test/pkgsets/test_glsa.py
+++ b/pkgcore/test/pkgsets/test_glsa.py
@@ -8,6 +8,7 @@ from snakeoil.test.mixins import TempDirMixin
 from pkgcore.ebuild import cpv
 from pkgcore.pkgsets import glsa
 from pkgcore.restrictions.packages import OrRestriction
+from pkgcore.restrictions.restriction import AlwaysBool
 from pkgcore.test import TestCase
 
 # misc setup code for generating glsas for testing
@@ -103,6 +104,8 @@ class TestGlsaDirSet(TempDirMixin, TestCase):
     def check_range(self, vuln_range, ver_matches, ver_nonmatches):
         self.mk_glsa([("dev-util/diffball", ([], [vuln_range]))])
         restrict = list(OrRestriction(*tuple(glsa.GlsaDirSet(self.dir))))
+        if len(restrict) == 0: # exception thrown
+            restrict.append(AlwaysBool(negate=False))
         self.assertEqual(len(restrict), 1)
         restrict = restrict[0]
         for ver in ver_matches:
@@ -137,6 +140,14 @@ class TestGlsaDirSet(TempDirMixin, TestCase):
         ["1-r2", "1", "1-r1"], ["2", "0.9", "1-r3"])
     test_range_rlt = post_curry(check_range, "~<1-r2",
         ["1", "1-r1"], ["2", "0.9", "1-r2"])
+    test_range_rge_r0 = post_curry(check_range, "~>=2",
+        ["2", "2-r1"], ["1", "2_p1", "2.1", "3"])
+    test_range_rgt_r0 = post_curry(check_range, "~>2",
+        ["2-r1", "2-r2"], ["1", "2", "2_p1", "2.1"])
+    test_range_rle_r0 = post_curry(check_range, "~<=2",
+        ["2"], ["1", "2-r1", "2_p1", "3"])
+    test_range_rlt_r0 = post_curry(check_range, "~<2",
+        [], ["1", "2", "2-r1", "2.1", "3"])
 
     def test_iter(self):
         self.mk_glsa(pkgs_set)