Merge pull request #19 from hadfl/check_cert

enhancements

PERL_MODULES

@@ -1 +1,2 @@
 Data::Processor
+Crypt::OpenSSL::X509

etc/pkgmgr.conf.dist

@@ -39,6 +39,14 @@
             "dst_repo"     : "<path/URL>",
             "publisher"    : "extra.omnios",
             "release"      : "r151023"
+        },
+        "security" : {
+            "signing"      : "yes",
+            "restricted"   : "yes",
+            "src_repo"     : "<path/URL>",
+            "dst_repo"     : "<path/URL>",
+            "publisher"    : "omnios",
+            "release"      : "r151028"
         }
     }
 }

lib/PkgMgr.pm

@@ -115,7 +115,11 @@ sub fetchPackages {
 
     my $repoPath = $self->getRepoPath($config, $repo, $opts);
 
-    my @cmd = ($PKGREPO, qw(list -F json -s), $repoPath, @$fmri);
+    my @cert = $config->{REPOS}->{$repo}->{restricted} ne 'yes' ? ()
+        : ('--key',  $config->{GENERAL}->{key_file},
+           '--cert', $config->{GENERAL}->{cert_file});
+
+    my @cmd = ($PKGREPO, qw(list -F json -s), $repoPath, @cert, @$fmri);
     open my $cmd, '-|', @cmd or die "ERROR: executing '$PKGREPO': $!\n";
 
     my ($release, $publisher) = $getReleasePublisher->($config, $repo);
@@ -124,7 +128,7 @@ sub fetchPackages {
         grep { $_->{branch} =~ /^(?:$release\.\d+|\d+\.$release)$/
             && $extractPublisher->($_) eq $publisher
             && $getEpoch->($_->{timestamp}) > $epoch
-        } @{JSON::PP->new->decode(<$cmd>)}
+        } @{JSON::PP->new->decode(<$cmd> // '[]')}
     ];
 
     if ($opts->{long}) {
@@ -241,6 +245,10 @@ sub publishPackages {
         : ('--dkey',  $config->{GENERAL}->{key_file},
            '--dcert', $config->{GENERAL}->{cert_file});
 
+    push @cert, $config->{REPOS}->{$repo}->{restricted} ne 'yes' ? ()
+        : ('--key',  $config->{GENERAL}->{key_file},
+           '--cert', $config->{GENERAL}->{cert_file});
+
     # set timeout env variables
     $ENV{PKG_CLIENT_CONNECT_TIMEOUT}  = $config->{GENERAL}->{connect_timeout};
     $ENV{PKG_CLIENT_LOWSPEED_TIMEOUT} = $config->{GENERAL}->{lowspeed_timeout};
@@ -328,7 +336,7 @@ __END__
 
 =head1 COPYRIGHT
 
-Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 
 =head1 LICENSE
 

lib/PkgMgr/Config.pm

@@ -22,7 +22,7 @@ my $SCHEMA = sub {
             cert_file        => {
                 description  => 'path to certificate file',
                 example      => '"cert_file" : "/omniosorg/ssl/certs/ooce_cert.pem"',
-                validator    => $sv->file('<', 'Cannot open file'),
+                validator    => $sv->x509Cert,
             },
             key_file         => {
                 description  => 'path to certificate key file',
@@ -107,6 +107,13 @@ my $SCHEMA = sub {
                             },
                         },
                     },
+                    restricted => {
+                        optional    => 1,
+                        description => 'restricted repository; authentication needed (yes/no)',
+                        example     => '"restricted" : "no"',
+                        default     => 'no',
+                        validator   => $sv->elemOf(qw(yes no)),
+                    },
                 },
             },
         },
@@ -150,7 +157,7 @@ __END__
 
 =head1 COPYRIGHT
 
-Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 
 =head1 LICENSE
 

lib/PkgMgr/Utils.pm

@@ -4,6 +4,8 @@ use strict;
 use warnings;
 
 use POSIX qw(isatty);
+use Crypt::OpenSSL::X509;
+use Time::Seconds qw(ONE_MONTH);
 
 my @RSYNC = qw(/usr/bin/rsync -ahh --stats --delete-after);
 
@@ -54,6 +56,24 @@ sub elemOf {
     }
 }
 
+sub x509Cert {
+    my $self = shift;
+
+    return sub {
+        local $@;
+        my $x509 = eval {
+            local $SIG{__DIE__};
+            Crypt::OpenSSL::X509->new_from_file(shift);
+        };
+        return $@ if $@;
+
+        print STDERR "\n*** WARNING: your certificate will expire on " . $x509->notAfter . "! ***\n\n"
+            if $x509->checkend(ONE_MONTH);
+
+        return undef;
+    }
+}
+
 sub isaTTY {
     my $self = shift;
     return isatty(*STDIN);
@@ -88,7 +108,7 @@ __END__
 
 =head1 COPYRIGHT
 
-Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 
 =head1 LICENSE