| Colby Ranger | fe04350 | 2012-05-29 14:52:00 -0700 | [diff] [blame] | 1 | // Copyright 2012 Google Inc. All Rights Reserved. |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | package main |
| 16 | |
| 17 | import ( |
| 18 | "fmt" |
| 19 | "log" |
| 20 | "net" |
| 21 | "os" |
| 22 | "path/filepath" |
| 23 | "syscall" |
| 24 | ) |
| 25 | |
| 26 | // A Socket is a wrapper around a Unix socket that verifies directory |
| 27 | // permissions. |
| 28 | type Socket struct { |
| 29 | Dir string |
| 30 | } |
| 31 | |
| 32 | func defaultDir() string { |
| 33 | sockPath := ".git-credential-cache" |
| 34 | if home := os.Getenv("HOME"); home != "" { |
| 35 | return filepath.Join(home, sockPath) |
| 36 | } |
| 37 | log.Printf("socket: cannot find HOME path. using relative directory %q for socket", sockPath) |
| 38 | return sockPath |
| 39 | } |
| 40 | |
| 41 | // DefaultSocket is a Socket in the $HOME/.git-credential-cache directory. |
| 42 | var DefaultSocket = Socket{Dir: defaultDir()} |
| 43 | |
| 44 | // Listen announces the local network address of the unix socket. The |
| 45 | // permissions on the socket directory are verified before attempting |
| 46 | // the actual listen. |
| 47 | func (s Socket) Listen() (net.Listener, error) { |
| 48 | network, addr := "unix", s.Path() |
| 49 | if err := s.mkdir(); err != nil { |
| 50 | return nil, &net.OpError{Op: "listen", Net: network, Addr: &net.UnixAddr{Name: addr, Net: network}, Err: err} |
| 51 | } |
| 52 | return net.Listen(network, addr) |
| 53 | } |
| 54 | |
| 55 | // Dial connects to the unix socket. The permissions on the socket directory |
| 56 | // are verified before attempting the actual dial. |
| 57 | func (s Socket) Dial() (net.Conn, error) { |
| 58 | network, addr := "unix", s.Path() |
| 59 | if err := s.checkPermissions(); err != nil { |
| 60 | return nil, &net.OpError{Op: "dial", Net: network, Addr: &net.UnixAddr{Name: addr, Net: network}, Err: err} |
| 61 | } |
| 62 | return net.Dial(network, addr) |
| 63 | } |
| 64 | |
| 65 | // Path returns the fully specified file name of the unix socket. |
| 66 | func (s Socket) Path() string { |
| 67 | return filepath.Join(s.Dir, "persistent-https-proxy-socket") |
| 68 | } |
| 69 | |
| 70 | func (s Socket) mkdir() error { |
| 71 | if err := s.checkPermissions(); err == nil { |
| 72 | return nil |
| 73 | } else if !os.IsNotExist(err) { |
| 74 | return err |
| 75 | } |
| 76 | if err := os.MkdirAll(s.Dir, 0700); err != nil { |
| 77 | return err |
| 78 | } |
| 79 | return s.checkPermissions() |
| 80 | } |
| 81 | |
| 82 | func (s Socket) checkPermissions() error { |
| 83 | fi, err := os.Stat(s.Dir) |
| 84 | if err != nil { |
| 85 | return err |
| 86 | } |
| 87 | if !fi.IsDir() { |
| 88 | return fmt.Errorf("socket: got file, want directory for %q", s.Dir) |
| 89 | } |
| 90 | if fi.Mode().Perm() != 0700 { |
| 91 | return fmt.Errorf("socket: got perm %o, want 700 for %q", fi.Mode().Perm(), s.Dir) |
| 92 | } |
| 93 | if st := fi.Sys().(*syscall.Stat_t); int(st.Uid) != os.Getuid() { |
| 94 | return fmt.Errorf("socket: got uid %d, want %d for %q", st.Uid, os.Getuid(), s.Dir) |
| 95 | } |
| 96 | return nil |
| 97 | } |
