/*
GoCheese -- Python private package repository and caching proxy
-Copyright (C) 2019 Sergey Matveev <stargrave@stargrave.org>
- 2019 Elena Balakhonova <balakhonova_e@riseup.net>
+Copyright (C) 2019-2021 Sergey Matveev <stargrave@stargrave.org>
+ 2019-2021 Elena Balakhonova <balakhonova_e@riseup.net>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
import (
"bytes"
"context"
+ "crypto/sha256"
+ "crypto/tls"
"encoding/hex"
+ "errors"
"flag"
"fmt"
"io/ioutil"
)
const (
+ Version = "2.6.0"
HTMLBegin = `<!DOCTYPE html>
<html>
<head>
along with this program. If not, see <http://www.gnu.org/licenses/>.`
)
+const (
+ HashAlgoSHA256 = "sha256"
+ HashAlgoBLAKE2b256 = "blake2_256"
+ HashAlgoSHA512 = "sha512"
+ HashAlgoMD5 = "md5"
+)
+
var (
pkgPyPI = regexp.MustCompile(`^.*<a href="([^"]+)"[^>]*>(.+)</a><br/>.*$`)
normalizationRe = regexp.MustCompilePOSIX("[-_.]+")
- HashAlgoSHA256 = "sha256"
- HashAlgoBLAKE2b256 = "blake2_256"
- HashAlgoSHA512 = "sha512"
- HashAlgoMD5 = "md5"
- knownHashAlgos []string = []string{
+ knownHashAlgos []string = []string{
HashAlgoSHA256,
HashAlgoBLAKE2b256,
HashAlgoSHA512,
refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path")
gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path")
pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL")
+ pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate PyPI by its X.509 certificate's SHA256 hash")
passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators")
+ logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages")
passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit")
- fsck = flag.Bool("fsck", false, "Check integrity of all packages")
+ fsck = flag.Bool("fsck", false, "Check integrity of all packages (errors are in stderr)")
maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients")
version = flag.Bool("version", false, "Print version information")
warranty = flag.Bool("warranty", false, "Print warranty information")
- Version string = "UNKNOWN"
killed bool
pypiURLParsed *url.URL
)
-func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool {
- path := filepath.Join(*root, dir)
+func mkdirForPkg(w http.ResponseWriter, r *http.Request, pkgName string) bool {
+ path := filepath.Join(*root, pkgName)
if _, err := os.Stat(path); os.IsNotExist(err) {
if err = os.Mkdir(path, os.FileMode(0777)); err != nil {
+ log.Println("error", r.RemoteAddr, "mkdir", pkgName, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return false
}
- log.Println(r.RemoteAddr, "mkdir", dir)
+ log.Println(r.RemoteAddr, "mkdir", pkgName)
}
return true
}
func listRoot(w http.ResponseWriter, r *http.Request) {
files, err := ioutil.ReadDir(*root)
if err != nil {
+ log.Println("error", r.RemoteAddr, "root", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
func listDir(
w http.ResponseWriter,
r *http.Request,
- dir string,
- autorefresh,
- gpgUpdate bool,
+ pkgName string,
+ autorefresh, gpgUpdate bool,
) {
- dirPath := filepath.Join(*root, dir)
+ dirPath := filepath.Join(*root, pkgName)
if autorefresh {
- if !refreshDir(w, r, dir, "", gpgUpdate) {
+ if !refreshDir(w, r, pkgName, "", gpgUpdate) {
return
}
- } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "", false) {
+ } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, pkgName, "", false) {
return
}
fis, err := ioutil.ReadDir(dirPath)
if err != nil {
+ log.Println("error", r.RemoteAddr, "list", pkgName, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
files[fi.Name()] = struct{}{}
}
var result bytes.Buffer
- result.WriteString(fmt.Sprintf(HTMLBegin, dir))
+ result.WriteString(fmt.Sprintf(HTMLBegin, pkgName))
for _, algo := range knownHashAlgos {
- for fn, _ := range files {
+ for fn := range files {
if killed {
// Skip expensive I/O when shutting down
http.Error(w, "shutting down", http.StatusInternalServerError)
delete(files, fn)
digest, err := ioutil.ReadFile(filepath.Join(dirPath, fn))
if err != nil {
+ log.Println("error", r.RemoteAddr, "list", fn, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
result.WriteString(fmt.Sprintf(
HTMLElement,
strings.Join([]string{
- *refreshURLPath, dir, "/", fnClean,
+ *refreshURLPath, pkgName, "/", fnClean,
"#", algo, "=", hex.EncodeToString(digest),
}, ""),
gpgSigAttr,
w.Write(result.Bytes())
}
-func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) {
+func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string) {
log.Println(r.RemoteAddr, "get", filename)
- path := filepath.Join(*root, dir, filename)
+ path := filepath.Join(*root, pkgName, filename)
if _, err := os.Stat(path); os.IsNotExist(err) {
- if !refreshDir(w, r, dir, filename, false) {
+ if !refreshDir(w, r, pkgName, filename, false) {
return
}
}
return
}
if *version {
- fmt.Println("GoCheese version " + Version + " built with " + runtime.Version())
+ fmt.Println("GoCheese", Version, "built with", runtime.Version())
return
}
+
+ if *logTimestamped {
+ log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile)
+ } else {
+ log.SetFlags(log.Lshortfile)
+ }
+ log.SetOutput(os.Stdout)
+
if *fsck {
if !goodIntegrity() {
os.Exit(1)
}
return
}
+
if *passwdCheck {
refreshPasswd()
return
}
+
if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") {
log.Fatalln("Both -tls-cert and -tls-key are required")
}
+
var err error
pypiURLParsed, err = url.Parse(*pypiURL)
if err != nil {
log.Fatalln(err)
}
refreshPasswd()
- log.Println("root:", *root, "bind:", *bind)
+ if *pypiCertHash == "" {
+ pypiHTTPTransport = http.Transport{}
+ } else {
+ ourDgst, err := hex.DecodeString(*pypiCertHash)
+ if err != nil {
+ log.Fatalln(err)
+ }
+ pypiHTTPTransport = http.Transport{
+ TLSClientConfig: &tls.Config{
+ VerifyConnection: func(s tls.ConnectionState) error {
+ spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo
+ theirDgst := sha256.Sum256(spki)
+ if bytes.Compare(ourDgst, theirDgst[:]) != 0 {
+ return errors.New("certificate's digest mismatch")
+ }
+ return nil
+ }},
+ }
+ }
ln, err := net.Listen("tcp", *bind)
if err != nil {
signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT)
go func() {
for range needsRefreshPasswd {
- log.Println("Refreshing passwords")
+ log.Println("refreshing passwords")
refreshPasswd()
}
}()
go func(s *http.Server) {
<-needsShutdown
killed = true
- log.Println("Shutting down")
+ log.Println("shutting down")
ctx, cancel := context.WithTimeout(context.TODO(), time.Minute)
exitErr <- s.Shutdown(ctx)
cancel()
}(server)
+ log.Println(
+ "GoCheese", Version, "listens:",
+ "root:", *root,
+ "bind:", *bind,
+ "pypi:", *pypiURL,
+ )
if *tlsCert == "" {
err = server.Serve(ln)
} else {