diff --git a/PERL_MODULES b/PERL_MODULES
index 120b784..0ba654b 100644
--- a/PERL_MODULES
+++ b/PERL_MODULES
@@ -1 +1,2 @@
 Data::Processor
+Crypt::OpenSSL::X509
diff --git a/etc/pkgmgr.conf.dist b/etc/pkgmgr.conf.dist
index 581f954..1347e83 100644
--- a/etc/pkgmgr.conf.dist
+++ b/etc/pkgmgr.conf.dist
@@ -39,6 +39,14 @@
 "dst_repo" : "",
 "publisher" : "extra.omnios",
 "release" : "r151023"
+ },
+ "security" : {
+ "signing" : "yes",
+ "restricted" : "yes",
+ "src_repo" : "",
+ "dst_repo" : "",
+ "publisher" : "omnios",
+ "release" : "r151028"
 }
 }
 }
diff --git a/lib/PkgMgr.pm b/lib/PkgMgr.pm
index a37a800..efe1b72 100644
--- a/lib/PkgMgr.pm
+++ b/lib/PkgMgr.pm
@@ -115,7 +115,11 @@ sub fetchPackages {
 my $repoPath = $self->getRepoPath($config, $repo, $opts);
- my @cmd = ($PKGREPO, qw(list -F json -s), $repoPath, @$fmri);
+ my @cert = $config->{REPOS}->{$repo}->{restricted} ne 'yes' ? ()
+ : ('--key', $config->{GENERAL}->{key_file},
+ '--cert', $config->{GENERAL}->{cert_file});
+
+ my @cmd = ($PKGREPO, qw(list -F json -s), $repoPath, @cert, @$fmri);
 open my $cmd, '-|', @cmd or die "ERROR: executing '$PKGREPO': $!\n";
 my ($release, $publisher) = $getReleasePublisher->($config, $repo);
@@ -124,7 +128,7 @@ sub fetchPackages {
 grep { $_->{branch} =~ /^(?:$release\.\d+|\d+\.$release)$/
 && $extractPublisher->($_) eq $publisher
 && $getEpoch->($_->{timestamp}) > $epoch
- } @{JSON::PP->new->decode(<$cmd>)}
+ } @{JSON::PP->new->decode(<$cmd> // '[]')}
 ];
 if ($opts->{long}) {
@@ -241,6 +245,10 @@ sub publishPackages {
 : ('--dkey', $config->{GENERAL}->{key_file},
 '--dcert', $config->{GENERAL}->{cert_file});
+ push @cert, $config->{REPOS}->{$repo}->{restricted} ne 'yes' ? ()
+ : ('--key', $config->{GENERAL}->{key_file},
+ '--cert', $config->{GENERAL}->{cert_file});
+
 # set timeout env variables
 $ENV{PKG_CLIENT_CONNECT_TIMEOUT} = $config->{GENERAL}->{connect_timeout};
 $ENV{PKG_CLIENT_LOWSPEED_TIMEOUT} = $config->{GENERAL}->{lowspeed_timeout};
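Review bot: The client-credential list `my @cert = $config->{REPOS}->{$repo}->{restricted} ne 'yes' ? () : ('--key', ..., '--cert', ...)` is repeated verbatim by the `push @cert, ...` in the publishPackages hunk below; a private lexical helper in the style of the file's existing `$getReleasePublisher` would keep the two call sites from drifting. The `ne 'yes'` comparison warns under `use warnings` when `restricted` is undefined; the schema's `default => 'no'` presumably fills it in when the config goes through Data::Processor, but a config assembled any other way would trip it, so `($config->{REPOS}->{$repo}->{restricted} // 'no') ne 'yes'` is the safer form. fetchPackages begins and ends outside the hunk.
```perl
# client TLS options for a restricted repository, empty list otherwise
my $getClientCert = sub {
    my ($config, $repo) = @_;

    return ($config->{REPOS}->{$repo}->{restricted} // 'no') ne 'yes' ? ()
        : ('--key', $config->{GENERAL}->{key_file},
           '--cert', $config->{GENERAL}->{cert_file});
};

# … unchanged: fetchPackages up to the getRepoPath call …
my @cmd = ($PKGREPO, qw(list -F json -s), $repoPath,
    $getClientCert->($config, $repo), @$fmri);
# … unchanged: rest of fetchPackages; publishPackages pushes $getClientCert->($config, $repo) onto @cert …
```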
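Review bot: `JSON::PP->new->decode(<$cmd> // '[]')` turns an empty `pkgrepo list` output into an empty package list, so a listing that fails outright — a restricted repository rejecting the client certificate is the obvious new case — becomes indistinguishable from a repository with no matching packages. A pipe `open` only fails when the fork fails; the child's exit status is delivered by `close`, so once the list is built the handle should be closed with the status checked, e.g. `close $cmd or die "ERROR: '$PKGREPO list' failed: " . ($! ? $! : 'exit status ' . ($? >> 8)) . "\n";`. Whether `close $cmd` is already checked is not visible here; fetchPackages continues past the hunk. Note also that `//` evaluates `<$cmd>` in scalar context, i.e. the first line only, which matches what `decode` received from the earlier list-context call as long as pkgrepo emits its JSON on one line.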
@@ -328,7 +336,7 @@ __END__
 =head1 COPYRIGHT
-Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 =head1 LICENSE
diff --git a/lib/PkgMgr/Config.pm b/lib/PkgMgr/Config.pm
index a36c9a1..af99c2c 100644
--- a/lib/PkgMgr/Config.pm
+++ b/lib/PkgMgr/Config.pm
@@ -22,7 +22,7 @@ my $SCHEMA = sub {
 cert_file => {
 description => 'path to certificate file',
 example => '"cert_file" : "/omniosorg/ssl/certs/ooce_cert.pem"',
- validator => $sv->file('<', 'Cannot open file'),
+ validator => $sv->x509Cert,
 },
 key_file => {
 description => 'path to certificate key file',
@@ -107,6 +107,13 @@ my $SCHEMA = sub {
 },
 },
 },
+ restricted => {
+ optional => 1,
+ description => 'restricted repository; authentication needed (yes/no)',
+ example => '"restricted" : "no"',
+ default => 'no',
+ validator => $sv->elemOf(qw(yes no)),
+ },
 },
 },
 },
@@ -150,7 +157,7 @@ __END__
 =head1 COPYRIGHT
-Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 =head1 LICENSE
diff --git a/lib/PkgMgr/Utils.pm b/lib/PkgMgr/Utils.pm
index 23646e8..5507cc5 100644
--- a/lib/PkgMgr/Utils.pm
+++ b/lib/PkgMgr/Utils.pm
@@ -4,6 +4,8 @@ use strict;
 use warnings;
 use POSIX qw(isatty);
+use Crypt::OpenSSL::X509;
+use Time::Seconds qw(ONE_MONTH);
 my @RSYNC = qw(/usr/bin/rsync -ahh --stats --delete-after);
@@ -54,6 +56,24 @@ sub elemOf {
 }
 }
+sub x509Cert {
+ my $self = shift;
+
+ return sub {
+ local $@;
+ my $x509 = eval {
+ local $SIG{__DIE__};
+ Crypt::OpenSSL::X509->new_from_file(shift);
+ };
+ return $@ if $@;
+
+ print STDERR "\n*** WARNING: your certificate will expire on " . $x509->notAfter . "! ***\n\n"
+ if $x509->checkend(ONE_MONTH);
+
+ return undef;
+ }
+}
+
 sub isaTTY {
 my $self = shift;
 return isatty(*STDIN);
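Review bot: Switching `cert_file` to `validator => $sv->x509Cert` coincides with a change in what the entry is used for — PkgMgr.pm now also passes it together with `key_file` as `--cert`/`--key` to authenticate against repositories marked `restricted` in the hunk below — but the description `'path to certificate file'` still reads as the signing certificate only. Suggest `description => 'path to certificate file (signing, and client authentication for restricted repositories)'`, the matching wording on `key_file`, and naming the two entries in the new `restricted` description, e.g. `'restricted repository; authenticate with cert_file/key_file (yes/no)'`, so an operator knows which key is presented to a remote server. The `key_file` validator is outside this hunk; if it is still `$sv->file('<', ...)`, readability is checked but nothing verifies that the key matches the certificate, which would only surface when pkgrepo or pkgsign fails.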
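Review bot: `x509Cert` accepts a certificate that has already expired: `checkend(ONE_MONTH)` is also true once `notAfter` lies in the past, so an expired certificate only triggers the `*** WARNING: your certificate will expire on ...` message and the config loads. Suggest failing explicitly before the warning, `return 'certificate expired on ' . $x509->notAfter if $x509->checkend(0);`, so a dead signing/client certificate is rejected at config load rather than by pkgrepo later. The error path `return $@ if $@;` hands back the raw OpenSSL message without the file name; capturing the argument first (`my $file = shift;`) and returning `"$file: $@"` makes the failing entry obvious. The warning is emitted with `print STDERR` rather than `warn`, so a `$SIG{__WARN__}` handler in a caller will not see it.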
@@ -88,7 +108,7 @@ __END__
 =head1 COPYRIGHT
-Copyright 2017 OmniOS Community Edition (OmniOSce) Association.
+Copyright 2019 OmniOS Community Edition (OmniOSce) Association.
 =head1 LICENSE