// Package client retrieves data over Gemini and implements a TOFU system. package client import ( "errors" "io/ioutil" "net" "net/url" "strings" "sync" "time" "github.com/makeworld-the-better-one/go-gemini" "github.com/mitchellh/go-homedir" "github.com/spf13/viper" ) // Simple key for certCache map and others, instead of a full URL // Only uses the part of the URL relevant to matching certs to a URL type certMapKey struct { host string path string } var ( // [auth] section of config put into maps confCerts = make(map[certMapKey]string) confKeys = make(map[certMapKey]string) // Cache the cert and key assigned to different URLs certCache = make(map[certMapKey][][]byte) certCacheMu = &sync.RWMutex{} fetchClient *gemini.Client ) func Init() error { fetchClient = &gemini.Client{ ConnectTimeout: 10 * time.Second, // Default is 15 ReadTimeout: time.Duration(viper.GetInt("a-general.page_max_time")) * time.Second, } // Populate config maps certsViper := viper.Sub("auth.certs") for _, certURL := range certsViper.AllKeys() { // Normalize URL so that it can be matched no matter how it was written // in the config pu, _ := normalizeURL(FixUserURL(certURL)) if pu == nil { //nolint:goerr113 return errors.New("[auth.certs]: couldn't normalize URL: " + certURL) } confCerts[certMapKey{pu.Host, pu.Path}] = certsViper.GetString(certURL) } keysViper := viper.Sub("auth.keys") for _, keyURL := range keysViper.AllKeys() { pu, _ := normalizeURL(FixUserURL(keyURL)) if pu == nil { //nolint:goerr113 return errors.New("[auth.keys]: couldn't normalize URL: " + keyURL) } confKeys[certMapKey{pu.Host, pu.Path}] = keysViper.GetString(keyURL) } return nil } // getCertPath returns the path of the cert from the config. // It returns "" if no config value exists. func getCertPath(host string, path string) string { for k, v := range confCerts { if k.host == host && (k.path == path || strings.HasPrefix(path, k.path)) { // Either exact match to what's in config, or a subpath return v } } // No matches return "" } // getKeyPath returns the path of the key from the config. // It returns "" if no config value exists. func getKeyPath(host string, path string) string { for k, v := range confKeys { if k.host == host && (k.path == path || strings.HasPrefix(path, k.path)) { // Either exact match to what's in config, or a subpath return v } } // No matches return "" } func clientCert(host string, path string) ([]byte, []byte) { mkey := certMapKey{host, path} certCacheMu.RLock() pair, ok := certCache[mkey] certCacheMu.RUnlock() if ok { return pair[0], pair[1] } ogCertPath := getCertPath(host, path) // Expand paths starting with ~/ certPath, err := homedir.Expand(ogCertPath) if err != nil { certPath = ogCertPath } ogKeyPath := getKeyPath(host, path) keyPath, err := homedir.Expand(ogKeyPath) if err != nil { keyPath = ogKeyPath } if certPath == "" && keyPath == "" { certCacheMu.Lock() certCache[mkey] = [][]byte{nil, nil} certCacheMu.Unlock() return nil, nil } cert, err := ioutil.ReadFile(certPath) if err != nil { certCacheMu.Lock() certCache[mkey] = [][]byte{nil, nil} certCacheMu.Unlock() return nil, nil } key, err := ioutil.ReadFile(keyPath) if err != nil { certCacheMu.Lock() certCache[mkey] = [][]byte{nil, nil} certCacheMu.Unlock() return nil, nil } certCacheMu.Lock() certCache[mkey] = [][]byte{cert, key} certCacheMu.Unlock() return cert, key } // HasClientCert returns whether or not a client certificate exists for a host and path. func HasClientCert(host string, path string) bool { cert, _ := clientCert(host, path) return cert != nil } func fetch(u string, c *gemini.Client) (*gemini.Response, error) { parsed, _ := url.Parse(u) cert, key := clientCert(parsed.Host, parsed.Path) var res *gemini.Response var err error if cert != nil { res, err = c.FetchWithCert(u, cert, key) } else { res, err = c.Fetch(u) } if err != nil { return nil, err } ok := handleTofu(parsed.Hostname(), parsed.Port(), res.Cert) if !ok { return res, ErrTofu } return res, err } // Fetch returns response data and an error. // The error text is human friendly and should be displayed. func Fetch(u string) (*gemini.Response, error) { return fetch(u, fetchClient) } func fetchWithProxy(proxyHostname, proxyPort, u string, c *gemini.Client) (*gemini.Response, error) { parsed, _ := url.Parse(u) cert, key := clientCert(parsed.Host, parsed.Path) var res *gemini.Response var err error if cert != nil { res, err = c.FetchWithHostAndCert(net.JoinHostPort(proxyHostname, proxyPort), u, cert, key) } else { res, err = c.FetchWithHost(net.JoinHostPort(proxyHostname, proxyPort), u) } if err != nil { return nil, err } // Only associate the returned cert with the proxy ok := handleTofu(proxyHostname, proxyPort, res.Cert) if !ok { return res, ErrTofu } return res, nil } // FetchWithProxy is the same as Fetch, but uses a proxy. func FetchWithProxy(proxyHostname, proxyPort, u string) (*gemini.Response, error) { return fetchWithProxy(proxyHostname, proxyPort, u, fetchClient) }