2 GoCheese -- Python private package repository and caching proxy
3 Copyright (C) 2019-2021 Sergey Matveev <stargrave@stargrave.org>
4 2019-2021 Elena Balakhonova <balakhonova_e@riseup.net>
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, version 3 of the License.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
34 func serveUpload(w http.ResponseWriter, r *http.Request) {
36 username, password, ok := r.BasicAuth()
38 log.Println(r.RemoteAddr, "unauthenticated", username)
39 http.Error(w, "unauthenticated", http.StatusUnauthorized)
43 auther, ok := Passwords[username]
45 if !ok || !auther.Auth(password) {
46 log.Println(r.RemoteAddr, "unauthenticated", username)
47 http.Error(w, "unauthenticated", http.StatusUnauthorized)
53 if err = r.ParseMultipartForm(1 << 20); err != nil {
54 http.Error(w, err.Error(), http.StatusBadRequest)
57 pkgNames, exists := r.MultipartForm.Value["name"]
58 if !exists || len(pkgNames) != 1 {
59 http.Error(w, "single name is expected in request", http.StatusBadRequest)
62 pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-")
63 dirPath := filepath.Join(*root, pkgName)
64 var digestExpected []byte
65 if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
66 digestExpected, err = hex.DecodeString(digestExpectedHex[0])
68 http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
72 gpgSigsExpected := make(map[string]struct{})
74 // Checking is it internal package
75 if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
76 log.Println(r.RemoteAddr, "non-internal package", pkgName)
77 http.Error(w, "unknown internal package", http.StatusUnauthorized)
81 for _, file := range r.MultipartForm.File["content"] {
82 filename := file.Filename
83 gpgSigsExpected[filename+GPGSigExt] = struct{}{}
84 log.Println(r.RemoteAddr, "put", filename, "by", username)
85 path := filepath.Join(dirPath, filename)
86 if _, err = os.Stat(path); err == nil {
87 log.Println(r.RemoteAddr, filename, "already exists")
88 http.Error(w, "already exists", http.StatusBadRequest)
91 if !mkdirForPkg(w, r, pkgName) {
94 src, err := file.Open()
97 log.Println("error", r.RemoteAddr, filename, err)
98 http.Error(w, err.Error(), http.StatusInternalServerError)
101 dst, err := TempFile(dirPath)
103 log.Println("error", r.RemoteAddr, filename, err)
104 http.Error(w, err.Error(), http.StatusInternalServerError)
107 dstBuf := bufio.NewWriter(dst)
108 hasher := sha256.New()
109 wr := io.MultiWriter(hasher, dst)
110 if _, err = io.Copy(wr, src); err != nil {
111 log.Println("error", r.RemoteAddr, filename, err)
112 os.Remove(dst.Name())
114 http.Error(w, err.Error(), http.StatusInternalServerError)
117 if err = dstBuf.Flush(); err != nil {
118 log.Println("error", r.RemoteAddr, filename, err)
119 os.Remove(dst.Name())
121 http.Error(w, err.Error(), http.StatusInternalServerError)
125 if err = dst.Sync(); err != nil {
126 log.Println("error", r.RemoteAddr, filename, err)
127 os.Remove(dst.Name())
129 http.Error(w, err.Error(), http.StatusInternalServerError)
134 digest := hasher.Sum(nil)
135 if digestExpected != nil {
136 if bytes.Compare(digestExpected, digest) == 0 {
137 log.Println(r.RemoteAddr, filename, "good checksum received")
139 log.Println(r.RemoteAddr, filename, "bad checksum received")
140 http.Error(w, "bad checksum", http.StatusBadRequest)
141 os.Remove(dst.Name())
145 if err = os.Rename(dst.Name(), path); err != nil {
146 log.Println("error", r.RemoteAddr, path, err)
147 http.Error(w, err.Error(), http.StatusInternalServerError)
150 if err = DirSync(dirPath); err != nil {
151 log.Println("error", r.RemoteAddr, dirPath, err)
152 http.Error(w, err.Error(), http.StatusInternalServerError)
155 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil {
156 log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
157 http.Error(w, err.Error(), http.StatusInternalServerError)
161 for _, file := range r.MultipartForm.File["gpg_signature"] {
162 filename := file.Filename
163 if _, exists := gpgSigsExpected[filename]; !exists {
164 log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
165 http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
168 delete(gpgSigsExpected, filename)
169 log.Println(r.RemoteAddr, "put", filename, "by", username)
170 path := filepath.Join(dirPath, filename)
171 if _, err = os.Stat(path); err == nil {
172 log.Println(r.RemoteAddr, filename, "already exists")
173 http.Error(w, "already exists", http.StatusBadRequest)
176 src, err := file.Open()
178 log.Println("error", r.RemoteAddr, filename, err)
179 http.Error(w, err.Error(), http.StatusInternalServerError)
182 sig, err := ioutil.ReadAll(src)
185 log.Println("error", r.RemoteAddr, filename, err)
186 http.Error(w, err.Error(), http.StatusInternalServerError)
189 if err = WriteFileSync(dirPath, path, sig); err != nil {
190 log.Println("error", r.RemoteAddr, path, err)
191 http.Error(w, err.Error(), http.StatusInternalServerError)