X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.go;h=63854169f549e0e301fd72a2af488b74e77196a7;hp=70573b8f0085451ca716cb0b62e594697bb95481;hb=0f9f81e55a5db0fa50b539554b078ae4ffdb29bd;hpb=d3f2ebfa80e9b514ed94a0f4fc76c6bef7e71006 diff --git a/gocheese.go b/gocheese.go index 70573b8..6385416 100644 --- a/gocheese.go +++ b/gocheese.go @@ -1,7 +1,7 @@ /* GoCheese -- Python private package repository and caching proxy -Copyright (C) 2019-2020 Sergey Matveev - 2019-2020 Elena Balakhonova +Copyright (C) 2019-2021 Sergey Matveev + 2019-2021 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,7 +22,10 @@ package main import ( "bytes" "context" + "crypto/sha256" + "crypto/tls" "encoding/hex" + "errors" "flag" "fmt" "io/ioutil" @@ -43,6 +46,7 @@ import ( ) const ( + Version = "2.6.0" HTMLBegin = ` @@ -68,15 +72,18 @@ You should have received a copy of the GNU General Public License along with this program. If not, see .` ) +const ( + HashAlgoSHA256 = "sha256" + HashAlgoBLAKE2b256 = "blake2_256" + HashAlgoSHA512 = "sha512" + HashAlgoMD5 = "md5" +) + var ( pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) normalizationRe = regexp.MustCompilePOSIX("[-_.]+") - HashAlgoSHA256 = "sha256" - HashAlgoBLAKE2b256 = "blake2_256" - HashAlgoSHA512 = "sha512" - HashAlgoMD5 = "md5" - knownHashAlgos []string = []string{ + knownHashAlgos []string = []string{ HashAlgoSHA256, HashAlgoBLAKE2b256, HashAlgoSHA512, @@ -91,14 +98,15 @@ var ( refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") + pypiCertHash = flag.String("pypi-cert-hash", "", "Authenticate PyPI by its X.509 certificate's SHA256 hash") passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") + logTimestamped = flag.Bool("log-timestamped", false, "Prepend timestmap to log messages") passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") fsck = flag.Bool("fsck", false, "Check integrity of all packages (errors are in stderr)") maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients") version = flag.Bool("version", false, "Print version information") warranty = flag.Bool("warranty", false, "Print warranty information") - Version string = "UNKNOWN" killed bool pypiURLParsed *url.URL ) @@ -165,7 +173,7 @@ func listDir( var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, pkgName)) for _, algo := range knownHashAlgos { - for fn, _ := range files { + for fn := range files { if killed { // Skip expensive I/O when shutting down http.Error(w, "shutting down", http.StatusInternalServerError) @@ -261,31 +269,58 @@ func main() { return } if *version { - fmt.Println("GoCheese version " + Version + " built with " + runtime.Version()) + fmt.Println("GoCheese", Version, "built with", runtime.Version()) return } + + if *logTimestamped { + log.SetFlags(log.Ldate | log.Lmicroseconds | log.Lshortfile) + } else { + log.SetFlags(log.Lshortfile) + } + log.SetOutput(os.Stdout) + if *fsck { if !goodIntegrity() { os.Exit(1) } return } + if *passwdCheck { refreshPasswd() return } + if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error pypiURLParsed, err = url.Parse(*pypiURL) if err != nil { log.Fatalln(err) } refreshPasswd() - log.Println("root:", *root) - log.Println("bind:", *bind) - log.Println("pypi:", *pypiURL) + if *pypiCertHash == "" { + pypiHTTPTransport = http.Transport{} + } else { + ourDgst, err := hex.DecodeString(*pypiCertHash) + if err != nil { + log.Fatalln(err) + } + pypiHTTPTransport = http.Transport{ + TLSClientConfig: &tls.Config{ + VerifyConnection: func(s tls.ConnectionState) error { + spki := s.VerifiedChains[0][0].RawSubjectPublicKeyInfo + theirDgst := sha256.Sum256(spki) + if bytes.Compare(ourDgst, theirDgst[:]) != 0 { + return errors.New("certificate's digest mismatch") + } + return nil + }}, + } + } ln, err := net.Listen("tcp", *bind) if err != nil { @@ -322,6 +357,12 @@ func main() { cancel() }(server) + log.Println( + "GoCheese", Version, "listens:", + "root:", *root, + "bind:", *bind, + "pypi:", *pypiURL, + ) if *tlsCert == "" { err = server.Serve(ln) } else {