From d81b21e46f325d0c12df3054fe08aa29bb1061f3 Mon Sep 17 00:00:00 2001
From: Karen Arutyunov <karen@codesynthesis.com>
Date: Tue, 18 Apr 2017 12:16:10 +0300
Subject: Add support for task manifest trust value

---
 bbot/manifest     | 31 +++++++++++++++++++------------
 bbot/manifest.cxx | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 12 deletions(-)

(limited to 'bbot')

diff --git a/bbot/manifest b/bbot/manifest
index 4a5561a..7e14b7d 100644
--- a/bbot/manifest
+++ b/bbot/manifest
@@ -88,6 +88,11 @@ namespace bbot
     std::string name;
     bpkg::version version;
     bpkg::repository_location repository; // Remote or absolute.
+
+    // The SHA256 repositories certificates fingerprints to trust. The special
+    // 'yes' value can be specified instead of fingerprint (in which case all
+    // repositories will be trusted without authentication).
+    //
     strings trust;
 
     // Build machine to use for building the package.
@@ -103,18 +108,20 @@ namespace bbot
     //
     variables config;
 
-    task_manifest (std::string n,
-                   bpkg::version v,
-                   bpkg::repository_location r,
-                   std::string m,
-                   butl::optional<butl::target_triplet> t,
-                   variables c)
-        : name (std::move (n)),
-          version (std::move (v)),
-          repository (std::move (r)),
-          machine (std::move (m)),
-          target (std::move (t)),
-          config (std::move (c)) {}
+    task_manifest (std::string nm,
+                   bpkg::version vr,
+                   bpkg::repository_location rl,
+                   strings tr,
+                   std::string mn,
+                   butl::optional<butl::target_triplet> tg,
+                   variables cf)
+        : name (std::move (nm)),
+          version (std::move (vr)),
+          repository (std::move (rl)),
+          trust (tr),
+          machine (std::move (mn)),
+          target (std::move (tg)),
+          config (std::move (cf)) {}
 
   public:
     task_manifest () = default; // VC export.
diff --git a/bbot/manifest.cxx b/bbot/manifest.cxx
index b183596..9aedcea 100644
--- a/bbot/manifest.cxx
+++ b/bbot/manifest.cxx
@@ -6,6 +6,7 @@
 
 #include <vector>
 #include <string>
+#include <cctype>    // isxdigit()
 #include <cassert>
 #include <sstream>
 #include <cstddef>   // size_t
@@ -78,6 +79,28 @@ namespace bbot
     return true;
   }
 
+  inline static bool
+  valid_fingerprint (const string& f) noexcept
+  {
+    size_t n (f.size ());
+    if (n != 32 * 3 - 1)
+      return false;
+
+    for (size_t i (0); i < n; ++i)
+    {
+      char c (f[i]);
+      if ((i + 1) % 3 == 0)
+      {
+        if (c != ':')
+          return false;
+      }
+      else if (!isxdigit (c))
+        return false;
+    }
+
+    return true;
+  }
+
   // machine_header_manifest
   //
   machine_header_manifest::
@@ -366,6 +389,13 @@ namespace bbot
           bad_value (string ("invalid task repository: ") + e.what ());
         }
       }
+      else if (n == "trust")
+      {
+        if (v != "yes" && !valid_fingerprint (v))
+          bad_value ("invalid repository certificate fingerprint");
+
+        trust.emplace_back (move (v));
+      }
       else if (n == "machine")
       {
         if (!machine.empty ())
@@ -462,6 +492,10 @@ namespace bbot
     s.next ("name", name);
     s.next ("version", version.string ());
     s.next ("repository", repository.string ());
+
+    for (const auto& v: trust)
+      s.next ("trust", v);
+
     s.next ("machine", machine);
 
     if (target)
-- 
cgit v1.1