From b13332c991ce2695626eaca367dd8208b174c9ca Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Thu, 14 Apr 2016 17:59:24 +0300
Subject: Add support for repository authentication

---
 bpkg/cfg-fetch.cxx | 52 +++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 13 deletions(-)

(limited to 'bpkg/cfg-fetch.cxx')

diff --git a/bpkg/cfg-fetch.cxx b/bpkg/cfg-fetch.cxx
index d311a21..dfbcc98 100644
--- a/bpkg/cfg-fetch.cxx
+++ b/bpkg/cfg-fetch.cxx
@@ -8,6 +8,7 @@
 
 #include <bpkg/manifest>
 
+#include <bpkg/auth>
 #include <bpkg/fetch>
 #include <bpkg/package>
 #include <bpkg/package-odb>
@@ -20,7 +21,7 @@ using namespace butl;
 namespace bpkg
 {
   static void
-  cfg_fetch (const common_options& co,
+  cfg_fetch (const configuration_options& co,
              transaction& t,
              const shared_ptr<repository>& r,
              const shared_ptr<repository>& root,
@@ -55,25 +56,50 @@ namespace bpkg
 
     r->fetched = true; // Mark as being fetched.
 
-    // Load the 'packages' file. We do this first so that we can get and
-    // verify the checksum of the 'repositories' file which below.
+    // Load the 'repositories' file and use it to populate the prerequisite
+    // and complement repository sets.
     //
-    package_manifests pms (fetch_packages (co, rl, true));
+    pair<repository_manifests, string/*checksum*/> rmc (
+      fetch_repositories (co, rl, true));
 
-    // Load the 'repositories' file and use it to populate the prerequisite and
-    // complement repository sets.
-    //
-    repository_manifests rms;
+    repository_manifests& rms (rmc.first);
+
+    bool a (co.auth () != auth::none &&
+            (co.auth () == auth::all || rl.remote ()));
 
-    try
+    shared_ptr<const certificate> cert;
+
+    if (a)
     {
-      rms = fetch_repositories (co, rl, pms.sha256sum, true);
+      cert = authenticate_certificate (
+        co, &co.directory (), rms.back ().certificate, rl);
+
+      a = !cert->dummy ();
     }
-    catch (const checksum_mismatch&)
-    {
-      fail << "repository files checksum mismatch for "
+
+    // Load the 'packages' file.
+    //
+    pair<package_manifests, string/*checksum*/> pmc (
+      fetch_packages (co, rl, true));
+
+    package_manifests& pms (pmc.first);
+
+    if (rmc.second != pms.sha256sum)
+      fail << "repositories manifest file checksum mismatch for "
            << rl.canonical_name () <<
         info << "try again";
+
+    if (a)
+    {
+      signature_manifest sm (fetch_signature (co, rl, true));
+
+      if (sm.sha256sum != pmc.second)
+        fail << "packages manifest file checksum mismatch for "
+             << rl.canonical_name () <<
+          info << "try again";
+
+      assert (cert != nullptr);
+      authenticate_repository (co, &co.directory (), nullopt, *cert, sm, rl);
     }
 
     for (repository_manifest& rm: rms)
-- 
cgit v1.1