X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=gocheese.go;h=cc30de23dfc84596f7980a2fef81fc370827521c;hb=cc8232897ceab7f8dcfb7fce13de6ca75f1bdb74;hp=9b7a80d81208eaf4494e1a353463cb1afcf34049;hpb=5f74f27dba4c477281305586ef96a39b4751851e;p=gocheese.git diff --git a/gocheese.go b/gocheese.go index 9b7a80d..cc30de2 100644 --- a/gocheese.go +++ b/gocheese.go @@ -1,7 +1,7 @@ /* GoCheese -- Python private package repository and caching proxy -Copyright (C) 2019 Sergey Matveev - 2019 Elena Balakhonova +Copyright (C) 2019-2021 Sergey Matveev + 2019-2021 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,7 +22,10 @@ package main import ( "bytes" "context" + "crypto/sha256" + "crypto/tls" "encoding/hex" + "errors" "flag" "fmt" "io/ioutil" @@ -43,6 +46,7 @@ import ( ) const ( + Version = "3.0.0" HTMLBegin = ` @@ -68,15 +72,18 @@ You should have received a copy of the GNU General Public License along with this program. If not, see .` ) +const ( + HashAlgoSHA256 = "sha256" + HashAlgoBLAKE2b256 = "blake2_256" + HashAlgoSHA512 = "sha512" + HashAlgoMD5 = "md5" +) + var ( pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) normalizationRe = regexp.MustCompilePOSIX("[-_.]+") - HashAlgoSHA256 = "sha256" - HashAlgoBLAKE2b256 = "blake2_256" - HashAlgoSHA512 = "sha512" - HashAlgoMD5 = "md5" - knownHashAlgos []string = []string{ + knownHashAlgos []string = []string{ HashAlgoSHA256, HashAlgoBLAKE2b256, HashAlgoSHA512, @@ -90,15 +97,16 @@ var ( norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path") refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") - pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") - passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") - passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") - fsck = flag.Bool("fsck", false, "Check integrity of all packages") + pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream (PyPI) URL") + pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate upstream by its X.509 certificate's SPKI SHA256 hash") + logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages") + passwdPath = flag.String("passwd", "", "Path to FIFO for upload authentication") + passwdCheck = flag.Bool("passwd-check", false, "Run password checker") + fsck = flag.Bool("fsck", false, "Check integrity of all packages (errors are in stderr)") maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients") version = flag.Bool("version", false, "Print version information") warranty = flag.Bool("warranty", false, "Print warranty information") - Version string = "UNKNOWN" killed bool pypiURLParsed *url.URL ) @@ -165,7 +173,7 @@ func listDir( var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, pkgName)) for _, algo := range knownHashAlgos { - for fn, _ := range files { + for fn := range files { if killed { // Skip expensive I/O when shutting down http.Error(w, "shutting down", http.StatusInternalServerError) @@ -261,31 +269,76 @@ func main() { return } if *version { - fmt.Println("GoCheese version " + Version + " built with " + runtime.Version()) + fmt.Println("GoCheese", Version, "built with", runtime.Version()) return } + + if *logTimestamped { + log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile) + } else { + log.SetFlags(log.Lshortfile) + } + log.SetOutput(os.Stdout) + if *fsck { if !goodIntegrity() { os.Exit(1) } return } + if *passwdCheck { - refreshPasswd() - return + if passwdReader(os.Stdin) { + os.Exit(0) + } else { + os.Exit(1) + } } + + if *passwdPath != "" { + go func() { + for { + fd, err := os.OpenFile(*passwdPath, os.O_RDONLY, os.FileMode(0666)) + if err != nil { + log.Fatalln(err) + } + passwdReader(fd) + fd.Close() + } + }() + } + if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error pypiURLParsed, err = url.Parse(*pypiURL) if err != nil { log.Fatalln(err) } - refreshPasswd() - log.Println("root:", *root) - log.Println("bind:", *bind) - log.Println("pypi:", *pypiURL) + tlsConfig := tls.Config{ + ClientSessionCache: tls.NewLRUClientSessionCache(16), + NextProtos: []string{"h2", "http/1.1"}, + } + pypiHTTPTransport = http.Transport{ + ForceAttemptHTTP2: true, + TLSClientConfig: &tlsConfig, + } + if *pypiCertHash != "" { + ourDgst, err := hex.DecodeString(*pypiCertHash) + if err != nil { + log.Fatalln(err) + } + tlsConfig.VerifyConnection = func(s tls.ConnectionState) error { + spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo + theirDgst := sha256.Sum256(spki) + if bytes.Compare(ourDgst, theirDgst[:]) != 0 { + return errors.New("certificate's SPKI digest mismatch") + } + return nil + } + } ln, err := net.Listen("tcp", *bind) if err != nil { @@ -302,17 +355,9 @@ func main() { http.HandleFunc(*gpgUpdateURLPath, handler) } - needsRefreshPasswd := make(chan os.Signal, 0) needsShutdown := make(chan os.Signal, 0) exitErr := make(chan error, 0) - signal.Notify(needsRefreshPasswd, syscall.SIGHUP) signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT) - go func() { - for range needsRefreshPasswd { - log.Println("refreshing passwords") - refreshPasswd() - } - }() go func(s *http.Server) { <-needsShutdown killed = true @@ -322,6 +367,12 @@ func main() { cancel() }(server) + log.Println( + "GoCheese", Version, "listens:", + "root:", *root, + "bind:", *bind, + "pypi:", *pypiURL, + ) if *tlsCert == "" { err = server.Serve(ln) } else {