X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=gocheese.go;h=ff76c870c3183a6b81e462ee131caa9ad679934f;hb=e396b31d6baa52055648be298dbb33ca91bdf33d;hp=25a1b562918b1a6b35f7e48c663cfc38faa21829;hpb=48325fb9a20dcc7fab91c6f3c86618e19057254e;p=gocheese.git diff --git a/gocheese.go b/gocheese.go index 25a1b56..ff76c87 100644 --- a/gocheese.go +++ b/gocheese.go @@ -20,12 +20,16 @@ along with this program. If not, see . package main import ( + "bufio" "bytes" "context" + "crypto/md5" "crypto/sha256" + "crypto/sha512" "encoding/hex" "flag" "fmt" + "hash" "io" "io/ioutil" "log" @@ -54,8 +58,6 @@ const ( ` HTMLEnd = " \n\n" HTMLElement = " %s
\n" - SHA256Prefix = "sha256=" - SHA256Ext = ".sha256" InternalFlag = ".internal" GPGSigExt = ".asc" GPGSigAttr = " data-gpg-sig=true" @@ -94,6 +96,7 @@ var ( killed bool + pypiURLParsed *url.URL normalizationRe *regexp.Regexp = regexp.MustCompilePOSIX("[-_.]+") ) @@ -148,15 +151,65 @@ func refreshDir( uri = submatches[1] filename = submatches[2] if pkgURL, err = url.Parse(uri); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) + http.Error(w, err.Error(), http.StatusBadGateway) + return false + } + + if pkgURL.Fragment == "" { + log.Println(r.RemoteAddr, "pypi", filename, "no digest provided") + http.Error(w, "no digest provided", http.StatusBadGateway) return false } - digest, err = hex.DecodeString(strings.TrimPrefix(pkgURL.Fragment, SHA256Prefix)) + digestInfo := strings.Split(pkgURL.Fragment, "=") + if len(digestInfo) == 1 { + // Ancient non PEP-0503 PyPIs, assume MD5 + digestInfo = []string{"md5", digestInfo[0]} + } else if len(digestInfo) != 2 { + log.Println(r.RemoteAddr, "pypi", filename, "invalid digest provided") + http.Error(w, "invalid digest provided", http.StatusBadGateway) + return false + } + digest, err = hex.DecodeString(digestInfo[1]) if err != nil { http.Error(w, err.Error(), http.StatusBadGateway) return false } + var hasherNew func() hash.Hash + var hashExt string + var hashSize int + switch digestInfo[0] { + case "md5": + hashExt = ".md5" + hasherNew = md5.New + hashSize = md5.Size + case "sha256": + hashExt = ".sha256" + hasherNew = sha256.New + hashSize = sha256.Size + case "sha512": + hashExt = ".sha512" + hasherNew = sha512.New + hashSize = sha512.Size + default: + log.Println( + r.RemoteAddr, "pypi", filename, + "unknown digest algorithm", digestInfo[0], + ) + http.Error(w, "unknown digest algorithm", http.StatusBadGateway) + return false + } + if len(digest) != hashSize { + log.Println(r.RemoteAddr, "pypi", filename, "invalid digest length") + http.Error(w, "invalid digest length", http.StatusBadGateway) + return false + } + pkgURL.Fragment = "" + if pkgURL.Host == "" { + uri = pypiURLParsed.ResolveReference(pkgURL).String() + } else { + uri = pkgURL.String() + } path = filepath.Join(dirPath, filename) if filename == filenameGet { if killed { @@ -165,30 +218,43 @@ func refreshDir( return false } log.Println(r.RemoteAddr, "pypi download", filename) - resp, err = http.Get(pkgURL.String()) + resp, err = http.Get(uri) if err != nil { + log.Println(r.RemoteAddr, "pypi download error:", err.Error()) http.Error(w, err.Error(), http.StatusBadGateway) return false } defer resp.Body.Close() - hasher := sha256.New() + hasher := hasherNew() + hasherOur := sha256.New() dst, err := TempFile(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false } - wr := io.MultiWriter(hasher, dst) + dstBuf := bufio.NewWriter(dst) + wrs := []io.Writer{hasher, dstBuf} + if hashExt != ".sha256" { + wrs = append(wrs, hasherOur) + } + wr := io.MultiWriter(wrs...) if _, err = io.Copy(wr, resp.Body); err != nil { os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return false } + if err = dstBuf.Flush(); err != nil { + os.Remove(dst.Name()) + dst.Close() + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } if bytes.Compare(hasher.Sum(nil), digest) != 0 { log.Println(r.RemoteAddr, "pypi", filename, "digest mismatch") os.Remove(dst.Name()) dst.Close() - http.Error(w, err.Error(), http.StatusBadGateway) + http.Error(w, "digest mismatch", http.StatusBadGateway) return false } if err = dst.Sync(); err != nil { @@ -197,28 +263,48 @@ func refreshDir( http.Error(w, err.Error(), http.StatusInternalServerError) return false } - dst.Close() + if err = dst.Close(); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } if err = os.Rename(dst.Name(), path); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false } + if err = DirSync(dirPath); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } + if hashExt != ".sha256" { + hashExt = ".sha256" + digest = hasherOur.Sum(nil) + } } if filename == filenameGet || gpgUpdate { - if _, err = os.Stat(path); err == nil { - if resp, err := http.Get(pkgURL.String() + GPGSigExt); err == nil { - sig, err := ioutil.ReadAll(resp.Body) - resp.Body.Close() - if err == nil { - if err = WriteFileSync(dirPath, path+GPGSigExt, sig); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return false - } - log.Println(r.RemoteAddr, "pypi downloaded signature", filename) - } - } + if _, err = os.Stat(path); err != nil { + goto GPGSigSkip + } + resp, err := http.Get(uri + GPGSigExt) + if err != nil { + goto GPGSigSkip + } + if resp.StatusCode != http.StatusOK { + resp.Body.Close() + goto GPGSigSkip } + sig, err := ioutil.ReadAll(resp.Body) + resp.Body.Close() + if err != nil { + goto GPGSigSkip + } + if err = WriteFileSync(dirPath, path+GPGSigExt, sig); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } + log.Println(r.RemoteAddr, "pypi downloaded signature", filename) } - path = path + SHA256Ext + GPGSigSkip: + path = path + hashExt _, err = os.Stat(path) if err == nil { continue @@ -272,45 +358,60 @@ func listDir( } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "", false) { return } - files, err := ioutil.ReadDir(dirPath) + fis, err := ioutil.ReadDir(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } var result bytes.Buffer result.WriteString(fmt.Sprintf(HTMLBegin, dir)) - var data []byte + var digest []byte var gpgSigAttr string - var filenameClean string - for _, file := range files { - if !strings.HasSuffix(file.Name(), SHA256Ext) { - continue - } - if killed { - // Skip expensive I/O when shutting down - http.Error(w, "shutting down", http.StatusInternalServerError) - return - } - data, err = ioutil.ReadFile(filepath.Join(dirPath, file.Name())) - if err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return + var fnClean string + files := make(map[string]struct{}, len(fis)/2) + for _, fi := range fis { + files[fi.Name()] = struct{}{} + } + for _, algoExt := range []string{".sha256", ".sha512", ".md5"} { + for fn, _ := range files { + if killed { + // Skip expensive I/O when shutting down + http.Error(w, "shutting down", http.StatusInternalServerError) + return + } + if !strings.HasSuffix(fn, algoExt) { + continue + } + digest, err = ioutil.ReadFile(filepath.Join(dirPath, fn)) + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + fnClean = strings.TrimSuffix(fn, algoExt) + if _, err = os.Stat(filepath.Join(dirPath, fnClean+GPGSigExt)); os.IsNotExist(err) { + gpgSigAttr = "" + } else { + gpgSigAttr = GPGSigAttr + } + result.WriteString(fmt.Sprintf( + HTMLElement, + strings.Join([]string{ + *refreshURLPath, dir, "/", fnClean, + "#", algoExt[1:], "=", hex.EncodeToString(digest), + }, ""), + gpgSigAttr, + fnClean, + )) + for _, n := range []string{ + fnClean, + fnClean + GPGSigExt, + fnClean + ".sha256", + fnClean + ".sha512", + fnClean + ".md5", + } { + delete(files, n) + } } - filenameClean = strings.TrimSuffix(file.Name(), SHA256Ext) - if _, err = os.Stat(filepath.Join(dirPath, filenameClean+GPGSigExt)); os.IsNotExist(err) { - gpgSigAttr = "" - } else { - gpgSigAttr = GPGSigAttr - } - result.WriteString(fmt.Sprintf( - HTMLElement, - strings.Join([]string{ - *refreshURLPath, dir, "/", - filenameClean, "#", SHA256Prefix, hex.EncodeToString(data), - }, ""), - gpgSigAttr, - filenameClean, - )) } result.WriteString(HTMLEnd) w.Write(result.Bytes()) @@ -328,6 +429,7 @@ func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) { } func serveUpload(w http.ResponseWriter, r *http.Request) { + // Authentication username, password, ok := r.BasicAuth() if !ok { log.Println(r.RemoteAddr, "unauthenticated", username) @@ -340,6 +442,8 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, "unauthenticated", http.StatusUnauthorized) return } + + // Form parsing var err error if err = r.ParseMultipartForm(1 << 20); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) @@ -347,7 +451,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { } pkgNames, exists := r.MultipartForm.Value["name"] if !exists || len(pkgNames) != 1 { - http.Error(w, "name is expected in request", http.StatusBadRequest) + http.Error(w, "single name is expected in request", http.StatusBadRequest) return } dir := normalizationRe.ReplaceAllString(pkgNames[0], "-") @@ -361,6 +465,14 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { } } gpgSigsExpected := make(map[string]struct{}) + + // Checking is it internal package + if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil { + log.Println(r.RemoteAddr, "non-internal package", dir) + http.Error(w, "unknown internal package", http.StatusUnauthorized) + return + } + for _, file := range r.MultipartForm.File["content"] { filename := file.Filename gpgSigsExpected[filename+GPGSigExt] = struct{}{} @@ -368,32 +480,24 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, "already exists", filename) - http.Error(w, "Already exists", http.StatusBadRequest) + http.Error(w, "already exists", http.StatusBadRequest) return } if !mkdirForPkg(w, r, dir) { return } - internalPath := filepath.Join(dirPath, InternalFlag) - var dst *os.File - if _, err = os.Stat(internalPath); os.IsNotExist(err) { - if dst, err = os.Create(internalPath); err != nil { - http.Error(w, err.Error(), http.StatusInternalServerError) - return - } - dst.Close() - } src, err := file.Open() defer src.Close() if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } - dst, err = TempFile(dirPath) + dst, err := TempFile(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } + dstBuf := bufio.NewWriter(dst) hasher := sha256.New() wr := io.MultiWriter(hasher, dst) if _, err = io.Copy(wr, src); err != nil { @@ -402,6 +506,12 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } + if err = dstBuf.Flush(); err != nil { + os.Remove(dst.Name()) + dst.Close() + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } if err = dst.Sync(); err != nil { os.Remove(dst.Name()) dst.Close() @@ -424,7 +534,11 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } - if err = WriteFileSync(dirPath, path+SHA256Ext, digest); err != nil { + if err = DirSync(dirPath); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + if err = WriteFileSync(dirPath, path+".sha256", digest); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -440,7 +554,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, "already exists", filename) - http.Error(w, "Already exists", http.StatusBadRequest) + http.Error(w, "already exists", http.StatusBadRequest) return } src, err := file.Open() @@ -517,10 +631,10 @@ func goodIntegrity() bool { log.Fatal(err) } for _, file := range files { - if !strings.HasSuffix(file.Name(), SHA256Ext) { + if !strings.HasSuffix(file.Name(), ".sha256") { continue } - pkgName = strings.TrimSuffix(file.Name(), SHA256Ext) + pkgName = strings.TrimSuffix(file.Name(), ".sha256") data, err = ioutil.ReadFile(filepath.Join(*root, dir.Name(), pkgName)) if err != nil { if os.IsNotExist(err) { @@ -534,10 +648,10 @@ func goodIntegrity() bool { log.Fatal(err) } if bytes.Compare(hasher.Sum(digest[:0]), data) == 0 { - log.Println(pkgName, "GOOD") + fmt.Println(pkgName, "GOOD") } else { isGood = false - log.Println(pkgName, "BAD") + fmt.Println(pkgName, "BAD") } hasher.Reset() } @@ -568,6 +682,11 @@ func main() { if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { log.Fatalln("Both -tls-cert and -tls-key are required") } + var err error + pypiURLParsed, err = url.Parse(*pypiURL) + if err != nil { + log.Fatalln(err) + } refreshPasswd() log.Println("root:", *root, "bind:", *bind)