X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.go;h=63854169f549e0e301fd72a2af488b74e77196a7;hp=432fb6f76e1ca0f1468baa9fea2c97814fe4439a;hb=0f9f81e55a5db0fa50b539554b078ae4ffdb29bd;hpb=3020e814c1e4e23baf281f4ff7a1121dd54f8fe3 diff --git a/gocheese.go b/gocheese.go index 432fb6f..6385416 100644 --- a/gocheese.go +++ b/gocheese.go @@ -1,7 +1,7 @@ /* GoCheese -- Python private package repository and caching proxy -Copyright (C) 2019-2020 Sergey Matveev - 2019-2020 Elena Balakhonova +Copyright (C) 2019-2021 Sergey Matveev + 2019-2021 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,7 +22,10 @@ package main import ( "bytes" "context" + "crypto/sha256" + "crypto/tls" "encoding/hex" + "errors" "flag" "fmt" "io/ioutil" @@ -43,7 +46,7 @@ import ( ) const ( - Version = "2.4.1" + Version = "2.6.0" HTMLBegin = ` @@ -95,7 +98,9 @@ var ( refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") + pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate PyPI by its X.509 certificate's SHA256 hash") passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") + logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages") passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") fsck = flag.Bool("fsck", false, "Check integrity of all packages (errors are in stderr)") maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients") @@ -168,7 +173,7 @@ func listDir( var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, pkgName)) for _, algo := range knownHashAlgos { - for fn, _ := range files { + for fn := range files { if killed { // Skip expensive I/O when shutting down http.Error(w, "shutting down", http.StatusInternalServerError) @@ -264,31 +269,58 @@ func main() { return } if *version { - fmt.Println("GoCheese version", Version, "built with", runtime.Version()) + fmt.Println("GoCheese", Version, "built with", runtime.Version()) return } + + if *logTimestamped { + log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile) + } else { + log.SetFlags(log.Lshortfile) + } + log.SetOutput(os.Stdout) + if *fsck { if !goodIntegrity() { os.Exit(1) } return } + if *passwdCheck { refreshPasswd() return } + if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error pypiURLParsed, err = url.Parse(*pypiURL) if err != nil { log.Fatalln(err) } refreshPasswd() - log.Println("root:", *root) - log.Println("bind:", *bind) - log.Println("pypi:", *pypiURL) + if *pypiCertHash == "" { + pypiHTTPTransport = http.Transport{} + } else { + ourDgst, err := hex.DecodeString(*pypiCertHash) + if err != nil { + log.Fatalln(err) + } + pypiHTTPTransport = http.Transport{ + TLSClientConfig: &tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo + theirDgst := sha256.Sum256(spki) + if bytes.Compare(ourDgst, theirDgst[:]) != 0 { + return errors.New("certificate's digest mismatch") + } + return nil + }}, + } + } ln, err := net.Listen("tcp", *bind) if err != nil { @@ -325,6 +357,12 @@ func main() { cancel() }(server) + log.Println( + "GoCheese", Version, "listens:", + "root:", *root, + "bind:", *bind, + "pypi:", *pypiURL, + ) if *tlsCert == "" { err = server.Serve(ln) } else {