From d81b21e46f325d0c12df3054fe08aa29bb1061f3 Mon Sep 17 00:00:00 2001 From: Karen Arutyunov Date: Tue, 18 Apr 2017 12:16:10 +0300 Subject: Add support for task manifest trust value --- bbot/manifest | 31 +++++++++++++++++++------------ bbot/manifest.cxx | 34 ++++++++++++++++++++++++++++++++++ tests/manifest/task.test | 22 ++++++++++++++++++++++ 3 files changed, 75 insertions(+), 12 deletions(-) diff --git a/bbot/manifest b/bbot/manifest index 4a5561a..7e14b7d 100644 --- a/bbot/manifest +++ b/bbot/manifest @@ -88,6 +88,11 @@ namespace bbot std::string name; bpkg::version version; bpkg::repository_location repository; // Remote or absolute. + + // The SHA256 repositories certificates fingerprints to trust. The special + // 'yes' value can be specified instead of fingerprint (in which case all + // repositories will be trusted without authentication). + // strings trust; // Build machine to use for building the package. @@ -103,18 +108,20 @@ namespace bbot // variables config; - task_manifest (std::string n, - bpkg::version v, - bpkg::repository_location r, - std::string m, - butl::optional t, - variables c) - : name (std::move (n)), - version (std::move (v)), - repository (std::move (r)), - machine (std::move (m)), - target (std::move (t)), - config (std::move (c)) {} + task_manifest (std::string nm, + bpkg::version vr, + bpkg::repository_location rl, + strings tr, + std::string mn, + butl::optional tg, + variables cf) + : name (std::move (nm)), + version (std::move (vr)), + repository (std::move (rl)), + trust (tr), + machine (std::move (mn)), + target (std::move (tg)), + config (std::move (cf)) {} public: task_manifest () = default; // VC export. diff --git a/bbot/manifest.cxx b/bbot/manifest.cxx index b183596..9aedcea 100644 --- a/bbot/manifest.cxx +++ b/bbot/manifest.cxx @@ -6,6 +6,7 @@ #include #include +#include // isxdigit() #include #include #include // size_t @@ -78,6 +79,28 @@ namespace bbot return true; } + inline static bool + valid_fingerprint (const string& f) noexcept + { + size_t n (f.size ()); + if (n != 32 * 3 - 1) + return false; + + for (size_t i (0); i < n; ++i) + { + char c (f[i]); + if ((i + 1) % 3 == 0) + { + if (c != ':') + return false; + } + else if (!isxdigit (c)) + return false; + } + + return true; + } + // machine_header_manifest // machine_header_manifest:: @@ -366,6 +389,13 @@ namespace bbot bad_value (string ("invalid task repository: ") + e.what ()); } } + else if (n == "trust") + { + if (v != "yes" && !valid_fingerprint (v)) + bad_value ("invalid repository certificate fingerprint"); + + trust.emplace_back (move (v)); + } else if (n == "machine") { if (!machine.empty ()) @@ -462,6 +492,10 @@ namespace bbot s.next ("name", name); s.next ("version", version.string ()); s.next ("repository", repository.string ()); + + for (const auto& v: trust) + s.next ("trust", v); + s.next ("machine", machine); if (target) diff --git a/tests/manifest/task.test b/tests/manifest/task.test index 09777b1..cbb4598 100644 --- a/tests/manifest/task.test +++ b/tests/manifest/task.test @@ -16,6 +16,8 @@ test.options += -t name: libfoo version: 1.0 repository: http://pkg.example.org/1/math + trust: AB:0D:3F:C1:B0:13:E4:0E:AD:4A:08:06:AE:F3:85:DB:E2:27:5F:83:11:47:A2:7\ + 8:64:3C:73:60:F8:66:3A:A4 machine: windows_10-msvc_14 target: x86_64-microsoft-win32-msvc14.0 config: config.cc.coptions=/Z7 config.cc.loptions=/DEBUG @@ -68,6 +70,19 @@ test.options += -t config: abc='a "b '"d\e x y=" EOF } + + : trust-yes + : + $* <>EOF + : 1 + name: libfoo + version: 1.0 + repository: http://pkg.example.org/1/math + trust: yes + machine: windows_10-msvc_14 + target: x86_64-microsoft-win32-msvc14.0 + config: config.cc.coptions=/Z7 config.cc.loptions=/DEBUG + EOF } : redefinition @@ -210,6 +225,13 @@ test.options += -t EOI } } + + : trust + : + $* <'stdin:2:8: error: invalid repository certificate fingerprint' == 1 + : 1 + trust: abc + EOI } : unknown-name -- cgit v1.1