upload.go

   1 /*
   2 GoCheese -- Python private package repository and caching proxy
   3 Copyright (C) 2019 Sergey Matveev <stargrave@stargrave.org>
   4               2019 Elena Balakhonova <balakhonova_e@riseup.net>
   5
   6 This program is free software: you can redistribute it and/or modify
   7 it under the terms of the GNU General Public License as published by
   8 the Free Software Foundation, version 3 of the License.
   9
  10 This program is distributed in the hope that it will be useful,
  11 but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 GNU General Public License for more details.
  14
  15 You should have received a copy of the GNU General Public License
  16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 package main
  20
  21 import (
  22         "bufio"
  23         "bytes"
  24         "crypto/sha256"
  25         "encoding/hex"
  26         "io"
  27         "io/ioutil"
  28         "log"
  29         "net/http"
  30         "os"
  31         "path/filepath"
  32 )
  33
  34 func serveUpload(w http.ResponseWriter, r *http.Request) {
  35         // Authentication
  36         username, password, ok := r.BasicAuth()
  37         if !ok {
  38                 log.Println(r.RemoteAddr, "unauthenticated", username)
  39                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  40                 return
  41         }
  42         auther, ok := passwords[username]
  43         if !ok || !auther.Auth(password) {
  44                 log.Println(r.RemoteAddr, "unauthenticated", username)
  45                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  46                 return
  47         }
  48
  49         // Form parsing
  50         var err error
  51         if err = r.ParseMultipartForm(1 << 20); err != nil {
  52                 http.Error(w, err.Error(), http.StatusBadRequest)
  53                 return
  54         }
  55         pkgNames, exists := r.MultipartForm.Value["name"]
  56         if !exists || len(pkgNames) != 1 {
  57                 http.Error(w, "single name is expected in request", http.StatusBadRequest)
  58                 return
  59         }
  60         pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-")
  61         dirPath := filepath.Join(*root, pkgName)
  62         var digestExpected []byte
  63         if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
  64                 digestExpected, err = hex.DecodeString(digestExpectedHex[0])
  65                 if err != nil {
  66                         http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
  67                         return
  68                 }
  69         }
  70         gpgSigsExpected := make(map[string]struct{})
  71
  72         // Checking is it internal package
  73         if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
  74                 log.Println(r.RemoteAddr, "non-internal package", pkgName)
  75                 http.Error(w, "unknown internal package", http.StatusUnauthorized)
  76                 return
  77         }
  78
  79         for _, file := range r.MultipartForm.File["content"] {
  80                 filename := file.Filename
  81                 gpgSigsExpected[filename+GPGSigExt] = struct{}{}
  82                 log.Println(r.RemoteAddr, "put", filename, "by", username)
  83                 path := filepath.Join(dirPath, filename)
  84                 if _, err = os.Stat(path); err == nil {
  85                         log.Println(r.RemoteAddr, "already exists", filename)
  86                         http.Error(w, "already exists", http.StatusBadRequest)
  87                         return
  88                 }
  89                 if !mkdirForPkg(w, r, pkgName) {
  90                         return
  91                 }
  92                 src, err := file.Open()
  93                 defer src.Close()
  94                 if err != nil {
  95                         http.Error(w, err.Error(), http.StatusInternalServerError)
  96                         return
  97                 }
  98                 dst, err := TempFile(dirPath)
  99                 if err != nil {
 100                         http.Error(w, err.Error(), http.StatusInternalServerError)
 101                         return
 102                 }
 103                 dstBuf := bufio.NewWriter(dst)
 104                 hasher := sha256.New()
 105                 wr := io.MultiWriter(hasher, dst)
 106                 if _, err = io.Copy(wr, src); err != nil {
 107                         os.Remove(dst.Name())
 108                         dst.Close()
 109                         http.Error(w, err.Error(), http.StatusInternalServerError)
 110                         return
 111                 }
 112                 if err = dstBuf.Flush(); err != nil {
 113                         os.Remove(dst.Name())
 114                         dst.Close()
 115                         http.Error(w, err.Error(), http.StatusInternalServerError)
 116                         return
 117                 }
 118                 if err = dst.Sync(); err != nil {
 119                         os.Remove(dst.Name())
 120                         dst.Close()
 121                         http.Error(w, err.Error(), http.StatusInternalServerError)
 122                         return
 123                 }
 124                 dst.Close()
 125                 digest := hasher.Sum(nil)
 126                 if digestExpected != nil {
 127                         if bytes.Compare(digestExpected, digest) == 0 {
 128                                 log.Println(r.RemoteAddr, filename, "good checksum received")
 129                         } else {
 130                                 log.Println(r.RemoteAddr, filename, "bad checksum received")
 131                                 http.Error(w, "bad checksum", http.StatusBadRequest)
 132                                 os.Remove(dst.Name())
 133                                 return
 134                         }
 135                 }
 136                 if err = os.Rename(dst.Name(), path); err != nil {
 137                         http.Error(w, err.Error(), http.StatusInternalServerError)
 138                         return
 139                 }
 140                 if err = DirSync(dirPath); err != nil {
 141                         http.Error(w, err.Error(), http.StatusInternalServerError)
 142                         return
 143                 }
 144                 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil {
 145                         http.Error(w, err.Error(), http.StatusInternalServerError)
 146                         return
 147                 }
 148         }
 149         for _, file := range r.MultipartForm.File["gpg_signature"] {
 150                 filename := file.Filename
 151                 if _, exists := gpgSigsExpected[filename]; !exists {
 152                         http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
 153                         return
 154                 }
 155                 delete(gpgSigsExpected, filename)
 156                 log.Println(r.RemoteAddr, "put", filename, "by", username)
 157                 path := filepath.Join(dirPath, filename)
 158                 if _, err = os.Stat(path); err == nil {
 159                         log.Println(r.RemoteAddr, "already exists", filename)
 160                         http.Error(w, "already exists", http.StatusBadRequest)
 161                         return
 162                 }
 163                 src, err := file.Open()
 164                 if err != nil {
 165                         http.Error(w, err.Error(), http.StatusInternalServerError)
 166                         return
 167                 }
 168                 sig, err := ioutil.ReadAll(src)
 169                 src.Close()
 170                 if err != nil {
 171                         http.Error(w, err.Error(), http.StatusInternalServerError)
 172                         return
 173                 }
 174                 if err = WriteFileSync(dirPath, path, sig); err != nil {
 175                         http.Error(w, err.Error(), http.StatusInternalServerError)
 176                         return
 177                 }
 178         }
 179 }