X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.go;h=63854169f549e0e301fd72a2af488b74e77196a7;hp=67e7829497683cf08f76dd8b6934985b51c11aa6;hb=0f9f81e55a5db0fa50b539554b078ae4ffdb29bd;hpb=11cbb2df8a7cab908182a382e02a23460110dcdf diff --git a/gocheese.go b/gocheese.go index 67e7829..6385416 100644 --- a/gocheese.go +++ b/gocheese.go @@ -1,7 +1,7 @@ /* GoCheese -- Python private package repository and caching proxy -Copyright (C) 2019 Sergey Matveev - 2019 Elena Balakhonova +Copyright (C) 2019-2021 Sergey Matveev + 2019-2021 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,7 +22,10 @@ package main import ( "bytes" "context" + "crypto/sha256" + "crypto/tls" "encoding/hex" + "errors" "flag" "fmt" "io/ioutil" @@ -43,6 +46,7 @@ import ( ) const ( + Version = "2.6.0" HTMLBegin = ` @@ -68,15 +72,18 @@ You should have received a copy of the GNU General Public License along with this program. If not, see .` ) +const ( + HashAlgoSHA256 = "sha256" + HashAlgoBLAKE2b256 = "blake2_256" + HashAlgoSHA512 = "sha512" + HashAlgoMD5 = "md5" +) + var ( pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) normalizationRe = regexp.MustCompilePOSIX("[-_.]+") - HashAlgoSHA256 = "sha256" - HashAlgoBLAKE2b256 = "blake2_256" - HashAlgoSHA512 = "sha512" - HashAlgoMD5 = "md5" - knownHashAlgos []string = []string{ + knownHashAlgos []string = []string{ HashAlgoSHA256, HashAlgoBLAKE2b256, HashAlgoSHA512, @@ -91,26 +98,28 @@ var ( refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") + pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate PyPI by its X.509 certificate's SHA256 hash") passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") + logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages") passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") - fsck = flag.Bool("fsck", false, "Check integrity of all packages") + fsck = flag.Bool("fsck", false, "Check integrity of all packages (errors are in stderr)") maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients") version = flag.Bool("version", false, "Print version information") warranty = flag.Bool("warranty", false, "Print warranty information") - Version string = "UNKNOWN" killed bool pypiURLParsed *url.URL ) -func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { - path := filepath.Join(*root, dir) +func mkdirForPkg(w http.ResponseWriter, r *http.Request, pkgName string) bool { + path := filepath.Join(*root, pkgName) if _, err := os.Stat(path); os.IsNotExist(err) { if err = os.Mkdir(path, os.FileMode(0777)); err != nil { + log.Println("error", r.RemoteAddr, "mkdir", pkgName, err) http.Error(w, err.Error(), http.StatusInternalServerError) return false } - log.Println(r.RemoteAddr, "mkdir", dir) + log.Println(r.RemoteAddr, "mkdir", pkgName) } return true } @@ -118,6 +127,7 @@ func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { func listRoot(w http.ResponseWriter, r *http.Request) { files, err := ioutil.ReadDir(*root) if err != nil { + log.Println("error", r.RemoteAddr, "root", err) http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -139,20 +149,20 @@ func listRoot(w http.ResponseWriter, r *http.Request) { func listDir( w http.ResponseWriter, r *http.Request, - dir string, - autorefresh, - gpgUpdate bool, + pkgName string, + autorefresh, gpgUpdate bool, ) { - dirPath := filepath.Join(*root, dir) + dirPath := filepath.Join(*root, pkgName) if autorefresh { - if !refreshDir(w, r, dir, "", gpgUpdate) { + if !refreshDir(w, r, pkgName, "", gpgUpdate) { return } - } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "", false) { + } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, pkgName, "", false) { return } fis, err := ioutil.ReadDir(dirPath) if err != nil { + log.Println("error", r.RemoteAddr, "list", pkgName, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -161,9 +171,9 @@ func listDir( files[fi.Name()] = struct{}{} } var result bytes.Buffer - result.WriteString(fmt.Sprintf(HTMLBegin, dir)) + result.WriteString(fmt.Sprintf(HTMLBegin, pkgName)) for _, algo := range knownHashAlgos { - for fn, _ := range files { + for fn := range files { if killed { // Skip expensive I/O when shutting down http.Error(w, "shutting down", http.StatusInternalServerError) @@ -175,6 +185,7 @@ func listDir( delete(files, fn) digest, err := ioutil.ReadFile(filepath.Join(dirPath, fn)) if err != nil { + log.Println("error", r.RemoteAddr, "list", fn, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -188,7 +199,7 @@ func listDir( result.WriteString(fmt.Sprintf( HTMLElement, strings.Join([]string{ - *refreshURLPath, dir, "/", fnClean, + *refreshURLPath, pkgName, "/", fnClean, "#", algo, "=", hex.EncodeToString(digest), }, ""), gpgSigAttr, @@ -200,11 +211,11 @@ func listDir( w.Write(result.Bytes()) } -func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) { +func servePkg(w http.ResponseWriter, r *http.Request, pkgName, filename string) { log.Println(r.RemoteAddr, "get", filename) - path := filepath.Join(*root, dir, filename) + path := filepath.Join(*root, pkgName, filename) if _, err := os.Stat(path); os.IsNotExist(err) { - if !refreshDir(w, r, dir, filename, false) { + if !refreshDir(w, r, pkgName, filename, false) { return } } @@ -258,29 +269,58 @@ func main() { return } if *version { - fmt.Println("GoCheese version " + Version + " built with " + runtime.Version()) + fmt.Println("GoCheese", Version, "built with", runtime.Version()) return } + + if *logTimestamped { + log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile) + } else { + log.SetFlags(log.Lshortfile) + } + log.SetOutput(os.Stdout) + if *fsck { if !goodIntegrity() { os.Exit(1) } return } + if *passwdCheck { refreshPasswd() return } + if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error pypiURLParsed, err = url.Parse(*pypiURL) if err != nil { log.Fatalln(err) } refreshPasswd() - log.Println("root:", *root, "bind:", *bind) + if *pypiCertHash == "" { + pypiHTTPTransport = http.Transport{} + } else { + ourDgst, err := hex.DecodeString(*pypiCertHash) + if err != nil { + log.Fatalln(err) + } + pypiHTTPTransport = http.Transport{ + TLSClientConfig: &tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo + theirDgst := sha256.Sum256(spki) + if bytes.Compare(ourDgst, theirDgst[:]) != 0 { + return errors.New("certificate's digest mismatch") + } + return nil + }}, + } + } ln, err := net.Listen("tcp", *bind) if err != nil { @@ -304,19 +344,25 @@ func main() { signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT) go func() { for range needsRefreshPasswd { - log.Println("Refreshing passwords") + log.Println("refreshing passwords") refreshPasswd() } }() go func(s *http.Server) { <-needsShutdown killed = true - log.Println("Shutting down") + log.Println("shutting down") ctx, cancel := context.WithTimeout(context.TODO(), time.Minute) exitErr <- s.Shutdown(ctx) cancel() }(server) + log.Println( + "GoCheese", Version, "listens:", + "root:", *root, + "bind:", *bind, + "pypi:", *pypiURL, + ) if *tlsCert == "" { err = server.Serve(ln) } else {