Fossil

** admin user. This can be overridden using the -A|--admin-user
** parameter.
**
** Options:
**
**    --admin-user|-A USERNAME    Make USERNAME the administrator
**    --private                   Also clone private branches 
**    --certbundle NAME           Use certificate bundle NAME for https
**                                connections
**
*/
void clone_cmd(void){
  char *zPassword;
  const char *zDefaultUser;   /* Optional name of the default user */
  int nErr = 0;
  int bPrivate;               /* Also clone private branches */

  bPrivate = find_option("private",0,0)!=0;
  g.urlCertBundle = find_option("certbundle",0,1);
  url_proxy_options();
  if( g.argc < 4 ){
    usage("?OPTIONS? FILE-OR-URL NEW-REPOSITORY");
  }
  db_open_config(0);
  if( file_size(g.argv[3])>0 ){
    fossil_panic("file already exists: %s", g.argv[3]);

    N -= got;
    pContent = (void*)&((char*)pContent)[got];
  }
  return total;
}

/*
** If a certbundle has been specified on the command line, then use it to look
** up certificates and keys, and then store the URL-certbundle association in
** the global database. If no certbundle has been specified on the command
** line, see if there's an entry for the url in global_config, and use it if
** applicable.
*/
void ssl_load_client_authfiles(void){
  char *zBundleName = NULL;
  char *cafile;
  char *capath;
  char *certfile;
  char *keyfile;

  if( g.urlCertBundle ){
    char *zName;
    zName = mprintf("certbundle:%s", g.urlName);
    db_set(zName, g.urlCertBundle, 1);
    free(zName);
    zBundleName = strdup(g.urlCertBundle);
  }else{
    db_swap_connections();
    zBundleName = db_text(0, "SELECT value FROM global_config"
                            " WHERE name='certbundle:%q'", g.urlName);
    db_swap_connections();
  }
  if( !zBundleName ){
    /* No cert bundle specified on command line or found cached for URL */
    return;
  }

  db_swap_connections();
  create_cert_table_if_not_exist();
  cafile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                      " AND type='cafile'", zBundleName);
  capath = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                      " AND type='capath'", zBundleName);
  db_swap_connections();

  if( cafile || capath ){
    /* The OpenSSL documentation warns that if several CA certificates match
    ** the same name, key identifier and serial number conditions, only the
    ** first will be examined. The caveat situation occurs when one stores an
    ** expired CA certificate among the valid ones.
    ** Simply put: Do not mix expired and valid certificates.
    */
    if( SSL_CTX_load_verify_locations(sslCtx, cafile, capath)==0 ){
      fossil_fatal("SSL: Unable to load CA verification file/path");
    }
  }

  db_swap_connections();
  keyfile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                       " AND type='ckey'", zBundleName);
  certfile = db_text(0, "SELECT filepath FROM certs WHERE name=%Q"
                        " AND type='ccert'", zBundleName);
  db_swap_connections();

  if( SSL_CTX_use_certificate_file(sslCtx, certfile, SSL_FILETYPE_PEM)<=0 ){
    fossil_fatal("SSL: Unable to open client certificate in %s.", certfile);
  }
  if( SSL_CTX_use_PrivateKey_file(sslCtx, keyfile, SSL_FILETYPE_PEM)<=0 ){
    fossil_fatal("SSL: Unable to open client key in %s.", keyfile);

/*
** COMMAND: cert
**
** Usage: %fossil cert SUBCOMMAND ...
**
** Manage/bundle PKI client keys/certificates and CA certificates for SSL
** certificate chain verifications.
**
**    %fossil cert add NAME ?--key KEYFILE? ?--cert CERTFILE?
**           ?--cafile CAFILE? ?--capath CAPATH?
**
**        Create a certificate bundle NAME with the associated
**        certificates/keys. If a client certificate is specified but no
**        key, it is assumed that the key is located in the client
**        certificate file.
**        The file formats must be PEM.
**
**    %fossil cert list
**
**        List all certificate bundles, their values and their URL
**        associations.
**
**    %fossil cert disassociate URL
**
**        Disassociate URL from any certificate bundle.
**
**    %fossil cert delete NAME
**
**        Remove the certificate bundle NAME and all its URL associations.

**
*/
void cert_cmd(void){
  int n;
  const char *zCmd = "list";	/* Default sub-command */
  if( g.argc>=3 ){
    zCmd = g.argv[2];
  }
  n = strlen(zCmd);
  if( strncmp(zCmd, "add", n)==0 ){
    const char *zContainer;
    const char *zCKey;
    const char *zCCert;
    const char *zCAFile;
    const char *zCAPath;
    if( g.argc<5 ){
      usage("add NAME ?--key KEYFILE? ?--cert CERTFILE? ?--cafile CAFILE? "
          "?--capath CAPATH?");
    }
    zContainer = g.argv[3];
    zCKey = find_option("key",0,1);
    zCCert = find_option("cert",0,1);
    zCAFile = find_option("cafile",0,1);
    zCAPath = find_option("capath",0,1);

    /* If a client certificate was specified, but a key was not, assume the
    ** key is stored in the same file as the certificate.
    */
    if( !zCKey && zCCert ){
      zCKey = zCCert;
    }

    db_open_config(0);
    db_swap_connections();
    create_cert_table_if_not_exist();
    db_begin_transaction();
    if( db_exists("SELECT 1 FROM certs WHERE name='%q'", zContainer)!=0 ){
      db_end_transaction(0);
      fossil_fatal("certificate bundle \"%s\" already exists", zContainer);
    }
    if( zCKey ){
      db_multi_exec("INSERT INTO certs (name,type,filepath) "
          "VALUES(%Q,'ckey',%Q)",
          zContainer, zCKey);
    }
    if( zCCert ){

          "VALUES(%Q,'capath',%Q)",
          zContainer, zCAPath);
    }
    db_end_transaction(0);
    db_swap_connections();
  }else if(strncmp(zCmd, "list", n)==0){
    Stmt q;
    char *bndl = NULL;

    db_open_config(0);
    db_swap_connections();
    create_cert_table_if_not_exist();

    db_prepare(&q, "SELECT name,type,filepath FROM certs"
                   " WHERE type NOT IN ('server')"
                   " ORDER BY name,type");
    while( db_step(&q)==SQLITE_ROW ){
      const char *zCont = db_column_text(&q, 0);
      const char *zType = db_column_text(&q, 1);
      const char *zFilePath = db_column_text(&q, 2);
      if( fossil_strcmp(zCont, bndl)!=0 ){
        free(bndl);
        bndl = strdup(zCont);
        puts(zCont);
      }
      printf("\t%s=%s\n", zType, zFilePath);
    }
    db_finalize(&q);

    /* List the URL associations. */
    db_prepare(&q, "SELECT name FROM global_config"
                   " WHERE name LIKE 'certbundle:%%' AND value=%Q"
                   " ORDER BY name", bndl);
    free(bndl);

    while( db_step(&q)==SQLITE_ROW ){
      const char *zName = db_column_text(&q, 0);
      static int first = 1;
      if( first ) {
        puts("\tAssociations");
        first = 0;
      }
      printf("\t\t%s\n", zName+11);
    }

    db_swap_connections();
  }else if(strncmp(zCmd, "disassociate", n)==0){
    const char *zURL;
    if( g.argc<4 ){
      usage("disassociate URL");
    }
    zURL = g.argv[3];

    db_open_config(0);
    db_swap_connections();
    db_begin_transaction();
    db_multi_exec("DELETE FROM global_config WHERE name='certbundle:%q'",
        zURL);
    if( db_changes() == 0 ){
      fossil_warning("No certificate bundle associated with URL \"%s\".",
          zURL);
    }else{
      printf("%s disassociated from its certificate bundle.\n", zURL);
    }
    db_end_transaction(0);
    db_swap_connections();

  }else if(strncmp(zCmd, "delete", n)==0){
    const char *zContainer;
    if( g.argc<4 ){
      usage("delete NAME");
    }
    zContainer = g.argv[3];

    db_open_config(0);
    db_swap_connections();
    create_cert_table_if_not_exist();
    db_begin_transaction();
    db_multi_exec("DELETE FROM certs WHERE name=%Q", zContainer);
    if( db_changes() == 0 ){
      fossil_warning("No certificate bundle named \"%s\" found",
          zContainer);
    }else{
      printf("%d entries removed\n", db_changes());
    }
    db_multi_exec("DELETE FROM global_config WHERE name LIKE 'certbundle:%%'"
        " AND value=%Q", zContainer);
    if( db_changes() > 0 ){
      printf("%d associations removed\n", db_changes());
    }
    db_end_transaction(0);
    db_swap_connections();
  }else{
    fossil_panic("cert subcommand should be one of: "
                 "add list disassociate delete");
  }
}

  char *urlPath;          /* Pathname for http: */
  char *urlUser;          /* User id for http: */
  char *urlPasswd;        /* Password for http: */
  char *urlCanonical;     /* Canonical representation of the URL */
  char *urlProxyAuth;     /* Proxy-Authorizer: string */
  char *urlFossil;        /* The path of the ?fossil=path suffix on ssh: */
  int dontKeepUrl;        /* Do not persist the URL */
  const char *urlCertBundle; /* Which ceritificate bundle to use for URL */

  const char *zLogin;     /* Login name.  "" if not logged in. */
  int useLocalauth;       /* No login required if from 127.0.0.1 */
  int noPswd;             /* Logged in without password (on 127.0.0.1) */
  int userUid;            /* Integer user id */

  /* Information used to populate the RCVFROM table */

static void process_sync_args(int *pConfigSync, int *pPrivate){
  const char *zUrl = 0;
  const char *zPw = 0;
  int configSync = 0;
  int urlOptional = find_option("autourl",0,0)!=0;
  g.dontKeepUrl = find_option("once",0,0)!=0;
  *pPrivate = find_option("private",0,0)!=0;
  g.urlCertBundle = find_option("certbundle",0,1);
  url_proxy_options();
  db_find_and_open_repository(0, 0);
  db_open_config(0);
  if( g.argc==2 ){
    zUrl = db_get("last-sync-url", 0);
    zPw = unobscure(db_get("last-sync-pw", 0));
    if( db_get_boolean("auto-sync",1) ) configSync = CONFIGSET_SHUN;

** subsequent push, pull, and sync operations.  However, the "--once"
** command-line option makes the URL a one-time-use URL that is not
** saved.
**
** Use the --private option to pull private branches from the
** remote repository.
**
** Use the "--certbundle NAME" option to specify the name of the
** certificate/key bundle to use for https connections. If this option
** is not specified, a cached value associated with the URL will be
** used if it exists.
**
** See also: cert, clone, push, sync, remote-url
*/
void pull_cmd(void){

** subsequent push, pull, and sync operations.  However, the "--once"
** command-line option makes the URL a one-time-use URL that is not
** saved.
**
** Use the --private option to push private branches to the
** remote repository.
**
** Use the "--certbundle NAME" option to specify the name of the
** certificate/key bundle to use for https connections. If this option
** is not specified, a cached value associated with the URL will be
** used if it exists.
**
** See also: cert, clone, pull, sync, remote-url
*/
void push_cmd(void){

** subsequent push, pull, and sync operations.  However, the "--once"
** command-line option makes the URL a one-time-use URL that is not
** saved.
**
** Use the --private option to sync private branches with the
** remote repository.
**
** Use the "--certbundle NAME" option to specify the name of the
** certificate/key bundle to use for https connections. If this option
** is not specified, a cached value associated with the URL will be
** used if it exists.
**
** See also: cert, clone, push, pull, remote-url
*/
void sync_cmd(void){