It is possible to restrict access to a LPMtool web repository to authorized users only. This is done by assigning an “authorization key” to each user who should have access to a web repository.
An authorization key is a token that consists of two parts:
id:password
The “id” part must contain only characters in the US-ASCII character set. The following characters may not appear in id: control characters and whitespace, the quote character, apostrophe, commas, and the #, &, <, >, :, and ; characters. The id should really contain letters and numbers only. Other punctuation characters might cause problems with external web proxies. Each authorized user must have a unique id.
id is followed by a colon, and a “password”. Characters forbidden in id are also forbidden in the password, but the password may also contain character codes 160-255. For best results, id should be at least 64 characters long, and randomly generated using all legal character codes.
The authorization keys are assigned and maintained by whoever maintains the package repository. The authorization keys can be created using whatever mechanism is the most convenient to the maintainer. LPMtool does not interpret the authorization key's contents in any way except as described above. As long as each part of the authorization key meets these specifications, LPMtool does not parse its contents any further.
When a web repository holds more than one platform-specific subdirectory, all platform-specific subdirectories should have the same set of valid authorization keys. It is technically possible to use different sets of valid authorization keys for each platform-specific directory, if custom validation software is installed on the package repository's web server.
In the following description “URL” represents the URL to a platform-specific subdirectory of a package repository. For example, if a package repository's URL is http://www.example.com/private/production, and LPMtool is running on a “supertux-2.1” platform, URL in the following examples should be replaced by http://www.example.com/private/production/supertux-2.1.
All package repositories contain the following files:
URL/VERSION
URL/pgpkeys.txt
These two files remain accessible to everyone; the authorization key is not required. A third file is also present in restricted access repositories. This file is also available without authorization:
URL/TIMESTAMP
TIMESTAMP is a plain text file. For now, this file contains one line:
TIME=n
n is a single, whole decimal number. Each time this file gets requested, n gets replaced by the number of seconds since a fixed epoch, according to the repository server's internal clock. Although almost everyone will use the UNIX epoch date of midnight, January, 1970 GMT, a repository server may choose any other fixed epoch start.
All other files in the repository require authorization, and must be accessed using the following URL:
URL/path?id=ID&t=N&pw=hash
“ID” is the first portion of the authorization key. “N” is computed by taking n from the TIMESTAMP file, and adding the number of seconds that elapsed since the TIMESTAMP file was downloaded from the server. N represents a good guess as to the repository server's current time.
Finally, “hash” is set to “sha1-X”, where “X” is a SHA1 hash of “path/N/PW”, in hexadecimal characters. “path” and “N” are taken from the access request, and “PW” is the second part of the authorization key.
The base URL of the repository directory is not included in the computation, only the relative pathname of the file in the repository.
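
The request construction described above, as an added example (not LPMtool's own code). The function names and sample values are hypothetical, and two details are assumptions the page does not specify: password character codes 160-255 are hashed as single ISO-8859-1 bytes, and path and id are percent-encoded in the URL but hashed unencoded.

```python
import hashlib
from urllib.parse import quote

FORBIDDEN = set("\"',#&<>:;")  # characters the page bars from both key parts

def valid_part(text, allow_high=False):
    """Check one part of an authorization key against the character rules."""
    def ok(ch):
        code = ord(ch)
        if 33 <= code <= 126:  # printable US-ASCII: no controls, no whitespace
            return ch not in FORBIDDEN
        return allow_high and 160 <= code <= 255  # password-only range
    return bool(text) and all(ok(ch) for ch in text)

def split_key(key):
    """Split 'id:password' and reject keys that break the rules."""
    ident, sep, password = key.partition(":")
    if not sep or not valid_part(ident) or not valid_part(password, True):
        raise ValueError("malformed authorization key")
    return ident, password

def parse_timestamp(body):
    """Return n from the TIME=n line of a TIMESTAMP file body."""
    for line in body.splitlines():
        name, _, value = line.strip().partition("=")
        if name == "TIME" and value.isascii() and value.isdigit():
            return int(value)
    raise ValueError("TIMESTAMP has no TIME=n line")

def request_hash(path, n, password):
    """'sha1-' plus the hex SHA1 of 'path/N/PW'."""
    # Assumption: codes 160-255 are hashed as single ISO-8859-1 bytes.
    data = f"{path}/{n}/{password}".encode("latin-1")
    return "sha1-" + hashlib.sha1(data).hexdigest()

def authorized_url(base, path, key, server_n, fetched_at, now):
    """Build URL/path?id=ID&t=N&pw=hash for one restricted file."""
    # fetched_at/now: local clock readings in seconds, e.g. time.monotonic().
    ident, password = split_key(key)
    n = server_n + int(now - fetched_at)
    pw = request_hash(path, n, password)
    # Assumption: path and id are percent-encoded in the URL but hashed raw.
    return f"{base}/{quote(path)}?id={quote(ident)}&t={n}&pw={pw}"

if __name__ == "__main__":
    # Constructed sample values, not a real repository or key.
    base = "http://www.example.com/private/production/supertux-2.1"
    print(authorized_url(base, "pkgs/foo.rpm", "alice01:s3cretPW",
                         parse_timestamp("TIME=1700000000\n"), 100.0, 142.0))
```

Because the password never travels in the request, only the hash does, the repository maintainer can run `valid_part` over newly issued keys to catch characters that would break the URL before handing them out.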