authorAdam Harrison <adamdharrison@gmail.com>2022-12-31 15:20:22 -0500
committerAdam Harrison <adamdharrison@gmail.com>2022-12-31 15:20:22 -0500
commit1445c34bb2b97f3c7edce93c8ec3c0c0f8f80ca2 (patch)
treee4fe53ebed0b7cb59794114cd08b20d4f91a1002
parent92df608c0f248164d18e51819721876404d82934 (diff)
downloadlite-xl-plugin-manager-1445c34bb2b97f3c7edce93c8ec3c0c0f8f80ca2.tar.gz
lite-xl-plugin-manager-1445c34bb2b97f3c7edce93c8ec3c0c0f8f80ca2.zip
Updated spec to be clearer about post, and updated lpm to allow for no certificate verification.
-rw-r--r--.github/workflows/build.yml24
-rw-r--r--SPEC.md2
-rw-r--r--src/lpm.c119
-rw-r--r--src/lpm.lua15
4 files changed, 91 insertions, 69 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 809802b..b00a4e7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,7 +2,7 @@ name: CI
on: { push: { branches: [master] } }
env: { VERSION: "0.1" }
jobs:
- build:
+ build-linux-windows:
runs-on: ubuntu-latest
defaults: { run: { shell: bash } }
steps:
@@ -40,5 +40,23 @@ jobs:
gh release delete -y v$RELEASE || true;
gh release create -t v$RELEASE v$RELEASE lpm.x86_64-linux lpm.x86_64-windows.exe
fi
-
-
+ build-macos:
+ needs: build-linux-windows
+ runs-on: macos-11
+ env:
+ CC: clang
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: Clone Submodules
+ run: git submodule update --init --depth=1
+ - name: Build MacOS
+ run: |
+ SSL_CONFIGURE="no-tests" ./build.sh -DLPM_STATIC -DLPM_VERSION='"'$VERSION-x86_64-darwin-`git rev-parse --short HEAD`'"' && tar -czvf lpm-$VERSION-x86_64-darwin.tar.gz lpm
+ cp lpm lpm.x86_64-darwin
+ if [[ `git tag --points-at HEAD | head -c 4` == "v"* ]]; then
+ export RELEASE=`git tag --points-at HEAD | head -c 4 | sed 's/^v//'`
+ gh release upload v$RELEASE lpm.x86_64-darwin
+ fi
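Review bot: The release tag is derived with `git tag --points-at HEAD | head -c 4 | sed 's/^v//'` in the new `build-macos` job, so any tag longer than four characters (e.g. a two-digit minor or patch component) is silently truncated and `gh release upload` targets a release that does not exist; drop the `head -c 4` from both the `[[ ... == "v"* ]]` test and the `export RELEASE=` line. The linux job at the top of this hunk consumes `$RELEASE` the same way, so if it derives the value with the same expression it has the same defect. The `gh release upload` step also needs a token in the job environment; none is visible in this hunk, so confirm the workflow sets `GH_TOKEN`/`GITHUB_TOKEN` for this job as it presumably does for the linux one. Pinning `actions/checkout@v3` by tag rather than by commit SHA is a supply-chain choice worth a `# pinned by major tag, not SHA` comment so it is a visible decision rather than an accident.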
diff --git a/SPEC.md b/SPEC.md
index 6795078..852fb1c 100644
--- a/SPEC.md
+++ b/SPEC.md
@@ -51,6 +51,8 @@ The vast majority of plugins are `singleton` plugins.
* `tags`: Optional freeform tags that may describe attributes of the plugin.
* `path`: Optional path to the plugin. If omitted, will only pull the files in
`files`. To pull the whole repository, use `"."`.
+* `post`: Optionally a string which represents a command to run. If presented
+ with a dictionary, takes `ARCH` keys, and runs a different command per `ARCH`.
### Dependencies
diff --git a/src/lpm.c b/src/lpm.c
index 556555c..60e1c07 100644
--- a/src/lpm.c
+++ b/src/lpm.c
@@ -352,6 +352,17 @@ static int lpm_init(lua_State* L) {
return 0;
}
+static int no_verify_ssl = 0;
+static int has_setup_ssl = 0;
+static mbedtls_x509_crt x509_certificate;
+static mbedtls_entropy_context entropy_context;
+static mbedtls_ctr_drbg_context drbg_context;
+static mbedtls_ssl_config ssl_config;
+static mbedtls_ssl_context ssl_context;
+
+static int lpm_git_transport_certificate_check_cb(struct git_cert *cert, int valid, const char *host, void *payload) {
+ return 0;
+}
static int lpm_fetch(lua_State* L) {
git_repository* repository = luaL_checkgitrepo(L, 1);
@@ -362,6 +373,8 @@ static int lpm_fetch(lua_State* L) {
}
git_fetch_options fetch_opts = GIT_FETCH_OPTIONS_INIT;
fetch_opts.download_tags = GIT_REMOTE_DOWNLOAD_TAGS_ALL;
+ if (no_verify_ssl)
+ fetch_opts.callbacks.certificate_check = lpm_git_transport_certificate_check_cb;
if (git_remote_fetch(remote, NULL, &fetch_opts, NULL)) {
git_remote_free(remote);
git_repository_free(repository);
@@ -372,14 +385,6 @@ static int lpm_fetch(lua_State* L) {
return 0;
}
-
-static int has_setup_ssl = 0;
-static mbedtls_x509_crt x509_certificate;
-static mbedtls_entropy_context entropy_context;
-static mbedtls_ctr_drbg_context drbg_context;
-static mbedtls_ssl_config ssl_config;
-static mbedtls_ssl_context ssl_context;
-
static int mbedtls_snprintf(char* buffer, int len, int status, const char* str, ...) {
char mbed_buffer[128];
mbedtls_strerror(status, mbed_buffer, sizeof(mbed_buffer));
@@ -415,7 +420,6 @@ static void lpm_tls_debug(void *ctx, int level, const char *file, int line, cons
static int lpm_certs(lua_State* L) {
const char* type = luaL_checkstring(L, 1);
- const char* path = luaL_checkstring(L, 2);
int status;
if (has_setup_ssl) {
mbedtls_ssl_config_free(&ssl_config);
@@ -442,61 +446,52 @@ static int lpm_certs(lua_State* L) {
mbedtls_ssl_conf_dbg(&ssl_config, lpm_tls_debug, NULL);
#endif
has_setup_ssl = 1;
- if (strcmp(type, "dir") == 0) {
- git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, NULL, path);
+ if (strcmp(type, "noverify") == 0) {
+ no_verify_ssl = 1;
+ mbedtls_ssl_conf_authmode(&ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL);
} else {
- if (strcmp(type, "system") == 0) {
- #if _WIN32
- FILE* file = fopen(path, "wb");
- if (!file)
- return luaL_error(L, "can't open cert store %s for writing: %s", path, strerror(errno));
- HCERTSTORE hSystemStore = CertOpenSystemStore(0, TEXT("ROOT"));
- if (!hSystemStore) {
- fclose(file);
- return luaL_error(L, "error getting system certificate store");
- }
- PCCERT_CONTEXT pCertContext = NULL;
- while (1) {
- pCertContext = CertEnumCertificatesInStore(hSystemStore, pCertContext);
- if (!pCertContext)
- break;
- BYTE keyUsage[2];
- if (pCertContext->dwCertEncodingType & X509_ASN_ENCODING && (CertGetIntendedKeyUsage(pCertContext->dwCertEncodingType, pCertContext->pCertInfo, keyUsage, sizeof(keyUsage)) && (keyUsage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))) {
- DWORD size = 0;
- CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, NULL, &size);
- char* buffer = malloc(size);
- CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, buffer, &size);
- fwrite(buffer, sizeof(char), size, file);
- free(buffer);
+ const char* path = luaL_checkstring(L, 2);
+ if (strcmp(type, "dir") == 0) {
+ git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, NULL, path);
+ } else {
+ if (strcmp(type, "system") == 0) {
+ #if _WIN32
+ FILE* file = fopen(path, "wb");
+ if (!file)
+ return luaL_error(L, "can't open cert store %s for writing: %s", path, strerror(errno));
+ HCERTSTORE hSystemStore = CertOpenSystemStore(0, TEXT("ROOT"));
+ if (!hSystemStore) {
+ fclose(file);
+ return luaL_error(L, "error getting system certificate store");
}
- }
- fclose(file);
- CertCloseStore(hSystemStore, 0);
- #elif __APPLE__ // https://developer.apple.com/forums/thread/691009; see also curl
- /*CFStringRef keys[] = { kSecClass, kSecMatchLimit, kSecReturnRef };
- CFTypeRef values[] = { kSecClassCertificate, kSecMatchLimitAll, kCFBooleanTrue };
- CFDictionaryRef query = CFDictionaryCreate(
- NULL,
- (const void **) keys,
- values,
- sizeof(keys) / sizeof(keys[0]),
- &kCFTypeDictionaryKeyCallBacks,
- &kCFTypeDictionaryValueCallBacks
- );
- CFTypeRef copyResult = NULL;
- OSStatus err = SecItemCopyMatching(query, &copyResult);
- if (err == errSecSuccess) {
- // Try and
- }*/
- return luaL_error(L, "can't use system on mac yet");
- #else
- return luaL_error(L, "can't use system certificates except on windows or mac");
- #endif
+ PCCERT_CONTEXT pCertContext = NULL;
+ while (1) {
+ pCertContext = CertEnumCertificatesInStore(hSystemStore, pCertContext);
+ if (!pCertContext)
+ break;
+ BYTE keyUsage[2];
+ if (pCertContext->dwCertEncodingType & X509_ASN_ENCODING && (CertGetIntendedKeyUsage(pCertContext->dwCertEncodingType, pCertContext->pCertInfo, keyUsage, sizeof(keyUsage)) && (keyUsage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))) {
+ DWORD size = 0;
+ CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, NULL, &size);
+ char* buffer = malloc(size);
+ CryptBinaryToString(pCertContext->pbCertEncoded, pCertContext->cbCertEncoded, CRYPT_STRING_BASE64HEADER, buffer, &size);
+ fwrite(buffer, sizeof(char), size, file);
+ free(buffer);
+ }
+ }
+ fclose(file);
+ CertCloseStore(hSystemStore, 0);
+ #elif __APPLE__ // https://developer.apple.com/forums/thread/691009; see also curl's mac version
+ return luaL_error(L, "can't use system on mac yet");
+ #else
+ return luaL_error(L, "can't use system certificates except on windows or mac");
+ #endif
+ }
+ git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, path, NULL);
+ if ((status = mbedtls_x509_crt_parse_file(&x509_certificate, path)) != 0)
+ return luaL_mbedtls_error(L, status, "mbedtls_x509_crt_parse_file failed to parse CA certificate %s", path);
+ mbedtls_ssl_conf_ca_chain(&ssl_config, &x509_certificate, NULL);
}
- git_libgit2_opts(GIT_OPT_SET_SSL_CERT_LOCATIONS, path, NULL);
- if ((status = mbedtls_x509_crt_parse_file(&x509_certificate, path)) != 0)
- return luaL_mbedtls_error(L, status, "mbedtls_x509_crt_parse_file failed to parse CA certificate %s", path);
- mbedtls_ssl_conf_ca_chain(&ssl_config, &x509_certificate, NULL);
}
return 0;
}
@@ -697,7 +692,7 @@ static int lpm_get(lua_State* L) {
mbedtls_snprintf(err, sizeof(err), status, "can't set hostname %s", hostname); goto cleanup;
} else if ((status = mbedtls_ssl_handshake(&ssl_context)) != 0) {
mbedtls_snprintf(err, sizeof(err), status, "can't handshake with %s", hostname); goto cleanup;
- } else if ((status = mbedtls_ssl_get_verify_result(&ssl_context)) != 0) {
+ } else if (((status = mbedtls_ssl_get_verify_result(&ssl_context)) != 0) && !no_verify_ssl) {
mbedtls_snprintf(err, sizeof(err), status, "can't verify result for %s", hostname); goto cleanup;
}
} else {
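Review bot: `no_verify_ssl` is set to 1 in the `noverify` branch of `lpm_certs` but is never cleared, so a later `lpm_certs` call with `dir`, `system` or a bundle path tears down `ssl_config` via `has_setup_ssl` yet leaves both the libgit2 `certificate_check` override in `lpm_fetch` and the `&& !no_verify_ssl` bypass in `lpm_get` in effect; add `no_verify_ssl = 0;` next to `int status;` at the top of the function so the flag always reflects the most recent configuration. The bypass is also only wired into `lpm_fetch`; if other parts of the file create remotes or perform clones with their own `git_fetch_options`, they will still verify, which may be intended but is worth a comment such as `/* noverify applies to lpm_fetch and the mbedtls client path only */` above the callback. `lpm_git_transport_certificate_check_cb` ignores the `valid` argument and accepts every certificate, so a one-line comment stating that it is only installed when `no_verify_ssl` is set would make the intent obvious to the next reader. `lpm_certs` spans two hunks here, so the lines between them are not visible.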
diff --git a/src/lpm.lua b/src/lpm.lua
index 16c20f0..55c16d5 100644
--- a/src/lpm.lua
+++ b/src/lpm.lua
@@ -1607,7 +1607,8 @@ Flags have the following effects:
--mod-version Sets the mod version of lite-xl to install plugins.
--version Returns version information.
--help Displays this help text.
- --ssl_certs Sets the SSL certificate store.
+ --ssl_certs Sets the SSL certificate store. Can be a directory,
+ or path to a certificate bundle.
--arch Sets the architecture (default: ]] .. _G.ARCH .. [[).
--assume-yes Ignores any prompts, and automatically answers yes
to all.
@@ -1624,6 +1625,8 @@ in any circumstance unless explicitly supplied.
binaries if there is a native compilation step.
--remotes Automatically adds any specified remotes in the
repository to the end of the resolution list.
+ --ssl_certs=noverify Ignores SSL certificate validation. Opens you up to
+ man-in-the-middle attacks.
]]
)
return 0
@@ -1652,9 +1655,13 @@ in any circumstance unless explicitly supplied.
repositories = {}
if ARGS[2] == "purge" then return lpm_purge() end
if ARGS["ssl_certs"] then
- local stat = system.stat(ARGS["ssl_certs"])
- if not stat then error("can't find " .. ARGS["ssl_certs"]) end
- system.certs(stat.type, ARGS["ssl_certs"])
+ if ARGS["ssl_certs"] == "noverify" then
+ system.certs("noverify")
+ else
+ local stat = system.stat(ARGS["ssl_certs"])
+ if not stat then error("can't find " .. ARGS["ssl_certs"]) end
+ system.certs(stat.type, ARGS["ssl_certs"])
+ end
elseif not os.getenv("SSL_CERT_DIR") and not os.getenv("SSL_CERT_FILE") then
local paths = { -- https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux#comment1155804_62500
"/etc/ssl/certs/ca-certificates.crt", -- Debian/Ubuntu/Gentoo etc.