Download link for 3.0.0 release

[gocheese.git] / upload.go

/*
GoCheese -- Python private package repository and caching proxy
Copyright (C) 2019-2021 Sergey Matveev <stargrave@stargrave.org>
              2019-2021 Elena Balakhonova <balakhonova_e@riseup.net>

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, version 3 of the License.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package main

import (
        "bufio"
        "bytes"
        "crypto/sha256"
        "encoding/hex"
        "io"
        "io/ioutil"
        "log"
        "net/http"
        "os"
        "path/filepath"
        "regexp"
        "strings"
        "time"

        "go.cypherpunks.ru/recfile"
)

var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")

func serveUpload(w http.ResponseWriter, r *http.Request) {
        // Authentication
        username, password, ok := r.BasicAuth()
        if !ok {
                log.Println(r.RemoteAddr, "unauthenticated", username)
                http.Error(w, "unauthenticated", http.StatusUnauthorized)
                return
        }
        PasswordsM.RLock()
        auther, ok := Passwords[username]
        PasswordsM.RUnlock()
        if !ok || !auther.Auth(password) {
                log.Println(r.RemoteAddr, "unauthenticated", username)
                http.Error(w, "unauthenticated", http.StatusUnauthorized)
                return
        }

        // Form parsing
        var err error
        if err = r.ParseMultipartForm(1 << 20); err != nil {
                http.Error(w, err.Error(), http.StatusBadRequest)
                return
        }
        pkgNames, exists := r.MultipartForm.Value["name"]
        if !exists || len(pkgNames) != 1 {
                http.Error(w, "single name is expected in request", http.StatusBadRequest)
                return
        }
        pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
        dirPath := filepath.Join(Root, pkgName)
        gpgSigsExpected := make(map[string]struct{})
        now := time.Now().UTC()

        var digestSHA256Expected []byte
        if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
                digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
                if err != nil {
                        http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
                        return
                }
        }
        var digestBLAKE2b256Expected []byte
        if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
                digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
                if err != nil {
                        http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
                        return
                }
        }

        // Checking is it internal package
        if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
                log.Println(r.RemoteAddr, "non-internal package", pkgName)
                http.Error(w, "unknown internal package", http.StatusUnauthorized)
                return
        }

        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
                gpgSigsExpected[filename+GPGSigExt] = struct{}{}
                log.Println(r.RemoteAddr, "put", filename, "by", username)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                        log.Println(r.RemoteAddr, filename, "already exists")
                        http.Error(w, "already exists", http.StatusBadRequest)
                        return
                }
                if !mkdirForPkg(w, r, pkgName) {
                        return
                }
                src, err := file.Open()
                defer src.Close()
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                dst, err := TempFile(dirPath)
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                dstBuf := bufio.NewWriter(dst)
                hasherSHA256 := sha256.New()
                hasherBLAKE2b256 := blake2b256New()
                wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
                if _, err = io.Copy(wr, src); err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        os.Remove(dst.Name())
                        dst.Close()
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = dstBuf.Flush(); err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        os.Remove(dst.Name())
                        dst.Close()
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if !NoSync {
                        if err = dst.Sync(); err != nil {
                                log.Println("error", r.RemoteAddr, filename, err)
                                os.Remove(dst.Name())
                                dst.Close()
                                http.Error(w, err.Error(), http.StatusInternalServerError)
                                return
                        }
                }
                dst.Close()

                digestSHA256 := hasherSHA256.Sum(nil)
                digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
                if digestSHA256Expected != nil {
                        if bytes.Compare(digestSHA256Expected, digestSHA256) == 0 {
                                log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
                        } else {
                                log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
                                http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
                                os.Remove(dst.Name())
                                return
                        }
                }
                if digestBLAKE2b256Expected != nil {
                        if bytes.Compare(digestBLAKE2b256Expected, digestBLAKE2b256) == 0 {
                                log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
                        } else {
                                log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
                                http.Error(w, "bad blake2_256 checksum", http.StatusBadRequest)
                                os.Remove(dst.Name())
                                return
                        }
                }

                if err = os.Rename(dst.Name(), path); err != nil {
                        log.Println("error", r.RemoteAddr, path, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = DirSync(dirPath); err != nil {
                        log.Println("error", r.RemoteAddr, dirPath, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
                        log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
                        log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
        }
        for _, file := range r.MultipartForm.File["gpg_signature"] {
                filename := file.Filename
                if _, exists := gpgSigsExpected[filename]; !exists {
                        log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
                        http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
                        return
                }
                delete(gpgSigsExpected, filename)
                log.Println(r.RemoteAddr, "put", filename, "by", username)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                        log.Println(r.RemoteAddr, filename, "already exists")
                        http.Error(w, "already exists", http.StatusBadRequest)
                        return
                }
                src, err := file.Open()
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                sig, err := ioutil.ReadAll(src)
                src.Close()
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = WriteFileSync(dirPath, path, sig, now); err != nil {
                        log.Println("error", r.RemoteAddr, path, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
        }

        var buf bytes.Buffer
        wr := recfile.NewWriter(&buf)
        for _, m := range [][2]string{
                {"name", MetadataFieldName},
                {"version", MetadataFieldVersion},
                {"platform", MetadataFieldPlatform},
                {"supported_platform", MetadataFieldSupportedPlatform},
                {"summary", MetadataFieldSummary},
                {"description", MetadataFieldDescription},
                {"description_content_type", MetadataFieldDescriptionContentType},
                {"keywords", MetadataFieldKeywords},
                {"home_page", MetadataFieldHomePage},
                {"author", MetadataFieldAuthor},
                {"author_email", MetadataFieldAuthorEmail},
                {"maintainer", MetadataFieldMaintainer},
                {"maintainer_email", MetadataFieldMaintainerEmail},
                {"license", MetadataFieldLicense},
                {"classifiers", MetadataFieldClassifier},
                {"requires_dist", MetadataFieldRequiresDist},
                {"requires_python", MetadataFieldRequiresPython},
                {"requires_external", MetadataFieldRequiresExternal},
                {"project_url", MetadataFieldProjectURL},
                {"provides_extra", MetadataFieldProvidesExtra},
        } {
                formField, recField := m[0], m[1]
                if vs, exists := r.MultipartForm.Value[formField]; exists {
                        for _, v := range vs {
                                lines := strings.Split(v, "\n")
                                if len(lines) > 1 {
                                        _, err = wr.WriteFieldMultiline(
                                                metadataFieldToRecField(recField),
                                                lines,
                                        )
                                } else {
                                        _, err = wr.WriteFields(recfile.Field{
                                                Name:  metadataFieldToRecField(recField),
                                                Value: lines[0],
                                        })
                                }
                                if err != nil {
                                        log.Fatalln(err)
                                }
                        }
                }
        }
        path := filepath.Join(dirPath, MetadataFile)
        if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
                log.Println("error", r.RemoteAddr, path, err)
                http.Error(w, err.Error(), http.StatusInternalServerError)
                return
        }
}