X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=gocheese.go;h=d6a1a70ba708b63911e02b5bfc55f5d79290aa84;hb=11d218004e3a2668985a6d9b2628cb4b3fdc0051;hp=c2a4d0b8028bd99367d8153a4a3f47d716c0a2ee;hpb=14a6f9c7e18e3698ecf7e0c8b28680d6615db3bd;p=gocheese.git diff --git a/gocheese.go b/gocheese.go index c2a4d0b..d6a1a70 100644 --- a/gocheese.go +++ b/gocheese.go @@ -20,12 +20,16 @@ along with this program. If not, see . package main import ( + "bufio" "bytes" "context" + "crypto/md5" "crypto/sha256" + "crypto/sha512" "encoding/hex" "flag" "fmt" + "hash" "io" "io/ioutil" "log" @@ -41,6 +45,7 @@ import ( "syscall" "time" + "golang.org/x/crypto/blake2b" "golang.org/x/net/netutil" ) @@ -54,11 +59,8 @@ const ( ` HTMLEnd = " \n\n" HTMLElement = " %s
\n" - SHA256Prefix = "sha256=" - SHA256Ext = ".sha256" InternalFlag = ".internal" GPGSigExt = ".asc" - GPGSigAttr = " data-gpg-sig=true" Warranty = `This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -74,8 +76,19 @@ along with this program. If not, see .` ) var ( - pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) - Version string = "UNKNOWN" + pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) + normalizationRe = regexp.MustCompilePOSIX("[-_.]+") + + HashAlgoSHA256 = "sha256" + HashAlgoBLAKE2b256 = "blake2_256" + HashAlgoSHA512 = "sha512" + HashAlgoMD5 = "md5" + knownHashAlgos []string = []string{ + HashAlgoSHA256, + HashAlgoBLAKE2b256, + HashAlgoSHA512, + HashAlgoMD5, + } root = flag.String("root", "./packages", "Path to packages directory") bind = flag.String("bind", "[::]:8080", "Address to bind to") @@ -92,9 +105,9 @@ var ( version = flag.Bool("version", false, "Print version information") warranty = flag.Bool("warranty", false, "Print warranty information") - killed bool - - normalizationRe *regexp.Regexp = regexp.MustCompilePOSIX("[-_.]+") + Version string = "UNKNOWN" + killed bool + pypiURLParsed *url.URL ) func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { @@ -109,6 +122,14 @@ func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { return true } +func blake2b256New() hash.Hash { + h, err := blake2b.New256(nil) + if err != nil { + panic(err) + } + return h +} + func refreshDir( w http.ResponseWriter, r *http.Request, @@ -134,39 +155,76 @@ func refreshDir( return false } dirPath := filepath.Join(*root, dir) - var submatches []string - var uri string - var filename string - var path string - var pkgURL *url.URL - var digest []byte for _, lineRaw := range bytes.Split(body, []byte("\n")) { - submatches = pkgPyPI.FindStringSubmatch(string(lineRaw)) + submatches := pkgPyPI.FindStringSubmatch(string(lineRaw)) if len(submatches) == 0 { continue } - uri = submatches[1] - filename = submatches[2] - if pkgURL, err = url.Parse(uri); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) + uri := submatches[1] + filename := submatches[2] + pkgURL, err := url.Parse(uri) + if err != nil { + http.Error(w, err.Error(), http.StatusBadGateway) + return false + } + + if pkgURL.Fragment == "" { + log.Println(r.RemoteAddr, "pypi", filename, "no digest provided") + http.Error(w, "no digest provided", http.StatusBadGateway) return false } - if !strings.HasPrefix(pkgURL.Fragment, SHA256Prefix) { - log.Println(r.RemoteAddr, "pypi", filename, "no SHA256 digest provided") - http.Error(w, "no SHA256 digest provided", http.StatusBadGateway) + digestInfo := strings.Split(pkgURL.Fragment, "=") + if len(digestInfo) == 1 { + // Ancient non PEP-0503 PyPIs, assume MD5 + digestInfo = []string{"md5", digestInfo[0]} + } else if len(digestInfo) != 2 { + log.Println(r.RemoteAddr, "pypi", filename, "invalid digest provided") + http.Error(w, "invalid digest provided", http.StatusBadGateway) return false } - digest, err = hex.DecodeString(strings.TrimPrefix(pkgURL.Fragment, SHA256Prefix)) + digest, err := hex.DecodeString(digestInfo[1]) if err != nil { http.Error(w, err.Error(), http.StatusBadGateway) return false } + hashAlgo := digestInfo[0] + var hasherNew func() hash.Hash + var hashSize int + switch hashAlgo { + case HashAlgoMD5: + hasherNew = md5.New + hashSize = md5.Size + case HashAlgoSHA256: + hasherNew = sha256.New + hashSize = sha256.Size + case HashAlgoSHA512: + hasherNew = sha512.New + hashSize = sha512.Size + case HashAlgoBLAKE2b256: + hasherNew = blake2b256New + hashSize = blake2b.Size256 + default: + log.Println( + r.RemoteAddr, "pypi", filename, + "unknown digest algorithm", hashAlgo, + ) + http.Error(w, "unknown digest algorithm", http.StatusBadGateway) + return false + } + if len(digest) != hashSize { + log.Println(r.RemoteAddr, "pypi", filename, "invalid digest length") + http.Error(w, "invalid digest length", http.StatusBadGateway) + return false + } + pkgURL.Fragment = "" - uri = pkgURL.String() if pkgURL.Host == "" { - uri = *pypiURL + strings.TrimPrefix(uri, "/") + uri = pypiURLParsed.ResolveReference(pkgURL).String() + } else { + uri = pkgURL.String() } - path = filepath.Join(dirPath, filename) + + path := filepath.Join(dirPath, filename) if filename == filenameGet { if killed { // Skip heavy remote call, when shutting down @@ -181,19 +239,31 @@ func refreshDir( return false } defer resp.Body.Close() - hasher := sha256.New() + hasher := hasherNew() + hasherSHA256 := sha256.New() dst, err := TempFile(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false } - wr := io.MultiWriter(hasher, dst) + dstBuf := bufio.NewWriter(dst) + wrs := []io.Writer{hasher, dstBuf} + if hashAlgo != HashAlgoSHA256 { + wrs = append(wrs, hasherSHA256) + } + wr := io.MultiWriter(wrs...) if _, err = io.Copy(wr, resp.Body); err != nil { os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return false } + if err = dstBuf.Flush(); err != nil { + os.Remove(dst.Name()) + dst.Close() + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } if bytes.Compare(hasher.Sum(nil), digest) != 0 { log.Println(r.RemoteAddr, "pypi", filename, "digest mismatch") os.Remove(dst.Name()) @@ -207,7 +277,10 @@ func refreshDir( http.Error(w, err.Error(), http.StatusInternalServerError) return false } - dst.Close() + if err = dst.Close(); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } if err = os.Rename(dst.Name(), path); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false @@ -216,6 +289,13 @@ func refreshDir( http.Error(w, err.Error(), http.StatusInternalServerError) return false } + if hashAlgo != HashAlgoSHA256 { + hashAlgo = HashAlgoSHA256 + digest = hasherSHA256.Sum(nil) + for _, algo := range knownHashAlgos[1:] { + os.Remove(path + "." + algo) + } + } } if filename == filenameGet || gpgUpdate { if _, err = os.Stat(path); err != nil { @@ -234,6 +314,10 @@ func refreshDir( if err != nil { goto GPGSigSkip } + if !bytes.HasPrefix(sig, []byte("-----BEGIN PGP SIGNATURE-----")) { + log.Println(r.RemoteAddr, "pypi non PGP signature", filename) + goto GPGSigSkip + } if err = WriteFileSync(dirPath, path+GPGSigExt, sig); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false @@ -241,7 +325,7 @@ func refreshDir( log.Println(r.RemoteAddr, "pypi downloaded signature", filename) } GPGSigSkip: - path = path + SHA256Ext + path = path + "." + hashAlgo _, err = os.Stat(path) if err == nil { continue @@ -295,45 +379,50 @@ func listDir( } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "", false) { return } - files, err := ioutil.ReadDir(dirPath) + fis, err := ioutil.ReadDir(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } + files := make(map[string]struct{}, len(fis)/2) + for _, fi := range fis { + files[fi.Name()] = struct{}{} + } var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, dir)) - var data []byte - var gpgSigAttr string - var filenameClean string - for _, file := range files { - if !strings.HasSuffix(file.Name(), SHA256Ext) { - continue - } - if killed { - // Skip expensive I/O when shutting down - http.Error(w, "shutting down", http.StatusInternalServerError) - return - } - data, err = ioutil.ReadFile(filepath.Join(dirPath, file.Name())) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return + for _, algo := range knownHashAlgos { + for fn, _ := range files { + if killed { + // Skip expensive I/O when shutting down + http.Error(w, "shutting down", http.StatusInternalServerError) + return + } + if !strings.HasSuffix(fn, "."+algo) { + continue + } + delete(files, fn) + digest, err := ioutil.ReadFile(filepath.Join(dirPath, fn)) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + fnClean := strings.TrimSuffix(fn, "."+algo) + delete(files, fnClean) + gpgSigAttr := "" + if _, err = os.Stat(filepath.Join(dirPath, fnClean+GPGSigExt)); err == nil { + gpgSigAttr = " data-gpg-sig=true" + delete(files, fnClean+GPGSigExt) + } + result.WriteString(fmt.Sprintf( + HTMLElement, + strings.Join([]string{ + *refreshURLPath, dir, "/", fnClean, + "#", algo, "=", hex.EncodeToString(digest), + }, ""), + gpgSigAttr, + fnClean, + )) } - filenameClean = strings.TrimSuffix(file.Name(), SHA256Ext) - if _, err = os.Stat(filepath.Join(dirPath, filenameClean+GPGSigExt)); os.IsNotExist(err) { - gpgSigAttr = "" - } else { - gpgSigAttr = GPGSigAttr - } - result.WriteString(fmt.Sprintf( - HTMLElement, - strings.Join([]string{ - *refreshURLPath, dir, "/", - filenameClean, "#", SHA256Prefix, hex.EncodeToString(data), - }, ""), - gpgSigAttr, - filenameClean, - )) } result.WriteString(HTMLEnd) w.Write(result.Bytes()) @@ -376,8 +465,8 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, "single name is expected in request", http.StatusBadRequest) return } - dir := normalizationRe.ReplaceAllString(pkgNames[0], "-") - dirPath := filepath.Join(*root, dir) + pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-") + dirPath := filepath.Join(*root, pkgName) var digestExpected []byte if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists { digestExpected, err = hex.DecodeString(digestExpectedHex[0]) @@ -390,7 +479,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { // Checking is it internal package if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil { - log.Println(r.RemoteAddr, "non-internal package", dir) + log.Println(r.RemoteAddr, "non-internal package", pkgName) http.Error(w, "unknown internal package", http.StatusUnauthorized) return } @@ -405,7 +494,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, "already exists", http.StatusBadRequest) return } - if !mkdirForPkg(w, r, dir) { + if !mkdirForPkg(w, r, pkgName) { return } src, err := file.Open() @@ -419,6 +508,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } + dstBuf := bufio.NewWriter(dst) hasher := sha256.New() wr := io.MultiWriter(hasher, dst) if _, err = io.Copy(wr, src); err != nil { @@ -427,6 +517,12 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } + if err = dstBuf.Flush(); err != nil { + os.Remove(dst.Name()) + dst.Close() + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } if err = dst.Sync(); err != nil { os.Remove(dst.Name()) dst.Close() @@ -453,7 +549,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } - if err = WriteFileSync(dirPath, path+SHA256Ext, digest); err != nil { + if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -530,50 +626,6 @@ func handler(w http.ResponseWriter, r *http.Request) { } } -func goodIntegrity() bool { - dirs, err := ioutil.ReadDir(*root) - if err != nil { - log.Fatal(err) - } - hasher := sha256.New() - digest := make([]byte, sha256.Size) - isGood := true - var data []byte - var pkgName string - for _, dir := range dirs { - files, err := ioutil.ReadDir(filepath.Join(*root, dir.Name())) - if err != nil { - log.Fatal(err) - } - for _, file := range files { - if !strings.HasSuffix(file.Name(), SHA256Ext) { - continue - } - pkgName = strings.TrimSuffix(file.Name(), SHA256Ext) - data, err = ioutil.ReadFile(filepath.Join(*root, dir.Name(), pkgName)) - if err != nil { - if os.IsNotExist(err) { - continue - } - log.Fatal(err) - } - hasher.Write(data) - data, err = ioutil.ReadFile(filepath.Join(*root, dir.Name(), file.Name())) - if err != nil { - log.Fatal(err) - } - if bytes.Compare(hasher.Sum(digest[:0]), data) == 0 { - fmt.Println(pkgName, "GOOD") - } else { - isGood = false - fmt.Println(pkgName, "BAD") - } - hasher.Reset() - } - } - return isGood -} - func main() { flag.Parse() if *warranty { @@ -597,6 +649,11 @@ func main() { if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error + pypiURLParsed, err = url.Parse(*pypiURL) + if err != nil { + log.Fatalln(err) + } refreshPasswd() log.Println("root:", *root, "bind:", *bind) @@ -611,7 +668,9 @@ func main() { } http.HandleFunc(*norefreshURLPath, handler) http.HandleFunc(*refreshURLPath, handler) - http.HandleFunc(*gpgUpdateURLPath, handler) + if *gpgUpdateURLPath != "" { + http.HandleFunc(*gpgUpdateURLPath, handler) + } needsRefreshPasswd := make(chan os.Signal, 0) needsShutdown := make(chan os.Signal, 0)