aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--main.go70
-rw-r--r--sumdb/client.go73
2 files changed, 55 insertions, 88 deletions
diff --git a/main.go b/main.go
index 9a62ac3..f1d200b 100644
--- a/main.go
+++ b/main.go
@@ -2,6 +2,7 @@ package main
import (
"log"
+ "sync"
"time"
"git.sr.ht/~benburwell/gosumdbaudit/sumdb"
@@ -18,23 +19,62 @@ func main() {
pollInterval: 10 * time.Second,
},
}
+ var wg sync.WaitGroup
+ wg.Add(len(dbs))
for _, db := range dbs {
- client := sumdb.NewClient(db)
- // lines, err := client.Lookup("golang.org/x/text", "v0.3.0")
- lines, err := client.Lookup("github.com/influxdata/influxdb", "v0.0.0-20190908081120-80e3efa37a3a")
- if err != nil {
- log.Printf("could not lookup: %v", err)
- } else {
- for _, line := range lines {
- log.Printf("got: %s", line)
+ go func(db *database) {
+ defer wg.Done()
+ if err := monitor(db); err != nil {
+ log.Printf("AUDIT FAILED: %s", err.Error())
+ return
}
- }
- // log.Printf("config: %s", string(db.config["sum.golang.org/latest"]))
- // if err := d.monitor(); err != nil {
- // log.Printf("AUDIT FAIL (%s): %s", d.host, err.Error())
- // }
- // if err := audit(d); err != nil {
- // log.Printf("AUDIT FAIL (%s): %s", d.host, err.Error())
+ }(db)
+ }
+ wg.Wait()
+}
+
+func monitor(db *database) error {
+ log.Printf("starting monitor for %s", db.host)
+
+ client := sumdb.NewClient(db)
+
+ lines, err := client.Lookup("golang.org/x/text", "v0.3.0")
+ if err != nil {
+ return err
+ }
+ log.Printf("got lines: %s", lines)
+
+ // fetch & verify current STH
+ // latest, err := client.Latest()
+ // if err != nil {
+ // return err
+ // }
+
+ // fetch all entries in the tree according to the STH
+ // entries := client.Entries(nil, latest)
+
+ // confirm the tree made from the entries produces the same hash as the STH
+ // IF NOT: the server has signed invalid data
+
+ // prev := latest
+ for {
+ // await a new STH
+ // prev = latest
+ time.Sleep(db.pollInterval)
+ log.Printf("checking %s for new STH...", db.host)
+ // awaitNewSTH()
+
+ // latest, err := client.Latest()
+ // if err != nil {
+ // return err
// }
+
+ // fetch all NEW entries between prev and latest
+ // if unavailable for an extended period, this should be viewed as misbehavior
+ // entries := client.Entries(prev, latest)
+
+ // fetch a consistency proof for the new STH with the previous STH
+ // verify consistency proof
+ // verify the new entries generate the corresponding elements in the consistency proof
}
}
diff --git a/sumdb/client.go b/sumdb/client.go
index 70dd56f..e4552ae 100644
--- a/sumdb/client.go
+++ b/sumdb/client.go
@@ -8,7 +8,6 @@ import (
"bytes"
"errors"
"fmt"
- "path"
"strings"
"sync"
"sync/atomic"
@@ -172,84 +171,12 @@ func (c *Client) SetTileHeight(height int) {
c.tileHeight = height
}
-// SetGONOSUMDB sets the list of comma-separated GONOSUMDB patterns for the Client.
-// For any module path matching one of the patterns,
-// Lookup will return ErrGONOSUMDB.
-// SetGONOSUMDB can be called at most once,
-// and if so it must be called before the first call to Lookup.
-func (c *Client) SetGONOSUMDB(list string) {
- if atomic.LoadUint32(&c.didLookup) != 0 {
- panic("SetGONOSUMDB used after Lookup")
- }
- if c.nosumdb != "" {
- panic("multiple calls to SetGONOSUMDB")
- }
- c.nosumdb = list
-}
-
-// ErrGONOSUMDB is returned by Lookup for paths that match
-// a pattern listed in the GONOSUMDB list (set by SetGONOSUMDB,
-// usually from the environment variable).
-var ErrGONOSUMDB = errors.New("skipped (listed in GONOSUMDB)")
-
-func (c *Client) skip(target string) bool {
- return globsMatchPath(c.nosumdb, target)
-}
-
-// globsMatchPath reports whether any path prefix of target
-// matches one of the glob patterns (as defined by path.Match)
-// in the comma-separated globs list.
-// It ignores any empty or malformed patterns in the list.
-func globsMatchPath(globs, target string) bool {
- for globs != "" {
- // Extract next non-empty glob in comma-separated list.
- var glob string
- if i := strings.Index(globs, ","); i >= 0 {
- glob, globs = globs[:i], globs[i+1:]
- } else {
- glob, globs = globs, ""
- }
- if glob == "" {
- continue
- }
-
- // A glob with N+1 path elements (N slashes) needs to be matched
- // against the first N+1 path elements of target,
- // which end just before the N+1'th slash.
- n := strings.Count(glob, "/")
- prefix := target
- // Walk target, counting slashes, truncating at the N+1'th slash.
- for i := 0; i < len(target); i++ {
- if target[i] == '/' {
- if n == 0 {
- prefix = target[:i]
- break
- }
- n--
- }
- }
- if n > 0 {
- // Not enough prefix elements.
- continue
- }
- matched, _ := path.Match(glob, prefix)
- if matched {
- return true
- }
- }
- return false
-}
-
// Lookup returns the go.sum lines for the given module path and version.
// The version may end in a /go.mod suffix, in which case Lookup returns
// the go.sum lines for the module's go.mod-only hash.
func (c *Client) Lookup(path, vers string) (lines []string, err error) {
atomic.StoreUint32(&c.didLookup, 1)
- if c.skip(path) {
- return nil, ErrGONOSUMDB
- }
-
defer func() {
if err != nil {
err = fmt.Errorf("%s@%s: %v", path, vers, err)