upload.go

   1 /*
   2 GoCheese -- Python private package repository and caching proxy
   3 Copyright (C) 2019-2021 Sergey Matveev <stargrave@stargrave.org>
   4               2019-2021 Elena Balakhonova <balakhonova_e@riseup.net>
   5
   6 This program is free software: you can redistribute it and/or modify
   7 it under the terms of the GNU General Public License as published by
   8 the Free Software Foundation, version 3 of the License.
   9
  10 This program is distributed in the hope that it will be useful,
  11 but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 GNU General Public License for more details.
  14
  15 You should have received a copy of the GNU General Public License
  16 along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 package main
  20
  21 import (
  22         "bufio"
  23         "bytes"
  24         "crypto/sha256"
  25         "encoding/hex"
  26         "io"
  27         "io/ioutil"
  28         "log"
  29         "net/http"
  30         "os"
  31         "path/filepath"
  32 )
  33
  34 func serveUpload(w http.ResponseWriter, r *http.Request) {
  35         // Authentication
  36         username, password, ok := r.BasicAuth()
  37         if !ok {
  38                 log.Println(r.RemoteAddr, "unauthenticated", username)
  39                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  40                 return
  41         }
  42         PasswordsM.RLock()
  43         auther, ok := Passwords[username]
  44         PasswordsM.RUnlock()
  45         if !ok || !auther.Auth(password) {
  46                 log.Println(r.RemoteAddr, "unauthenticated", username)
  47                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  48                 return
  49         }
  50
  51         // Form parsing
  52         var err error
  53         if err = r.ParseMultipartForm(1 << 20); err != nil {
  54                 http.Error(w, err.Error(), http.StatusBadRequest)
  55                 return
  56         }
  57         pkgNames, exists := r.MultipartForm.Value["name"]
  58         if !exists || len(pkgNames) != 1 {
  59                 http.Error(w, "single name is expected in request", http.StatusBadRequest)
  60                 return
  61         }
  62         pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-")
  63         dirPath := filepath.Join(*root, pkgName)
  64         var digestExpected []byte
  65         if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
  66                 digestExpected, err = hex.DecodeString(digestExpectedHex[0])
  67                 if err != nil {
  68                         http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
  69                         return
  70                 }
  71         }
  72         gpgSigsExpected := make(map[string]struct{})
  73
  74         // Checking is it internal package
  75         if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
  76                 log.Println(r.RemoteAddr, "non-internal package", pkgName)
  77                 http.Error(w, "unknown internal package", http.StatusUnauthorized)
  78                 return
  79         }
  80
  81         for _, file := range r.MultipartForm.File["content"] {
  82                 filename := file.Filename
  83                 gpgSigsExpected[filename+GPGSigExt] = struct{}{}
  84                 log.Println(r.RemoteAddr, "put", filename, "by", username)
  85                 path := filepath.Join(dirPath, filename)
  86                 if _, err = os.Stat(path); err == nil {
  87                         log.Println(r.RemoteAddr, filename, "already exists")
  88                         http.Error(w, "already exists", http.StatusBadRequest)
  89                         return
  90                 }
  91                 if !mkdirForPkg(w, r, pkgName) {
  92                         return
  93                 }
  94                 src, err := file.Open()
  95                 defer src.Close()
  96                 if err != nil {
  97                         log.Println("error", r.RemoteAddr, filename, err)
  98                         http.Error(w, err.Error(), http.StatusInternalServerError)
  99                         return
 100                 }
 101                 dst, err := TempFile(dirPath)
 102                 if err != nil {
 103                         log.Println("error", r.RemoteAddr, filename, err)
 104                         http.Error(w, err.Error(), http.StatusInternalServerError)
 105                         return
 106                 }
 107                 dstBuf := bufio.NewWriter(dst)
 108                 hasher := sha256.New()
 109                 wr := io.MultiWriter(hasher, dst)
 110                 if _, err = io.Copy(wr, src); err != nil {
 111                         log.Println("error", r.RemoteAddr, filename, err)
 112                         os.Remove(dst.Name())
 113                         dst.Close()
 114                         http.Error(w, err.Error(), http.StatusInternalServerError)
 115                         return
 116                 }
 117                 if err = dstBuf.Flush(); err != nil {
 118                         log.Println("error", r.RemoteAddr, filename, err)
 119                         os.Remove(dst.Name())
 120                         dst.Close()
 121                         http.Error(w, err.Error(), http.StatusInternalServerError)
 122                         return
 123                 }
 124                 if err = dst.Sync(); err != nil {
 125                         log.Println("error", r.RemoteAddr, filename, err)
 126                         os.Remove(dst.Name())
 127                         dst.Close()
 128                         http.Error(w, err.Error(), http.StatusInternalServerError)
 129                         return
 130                 }
 131                 dst.Close()
 132                 digest := hasher.Sum(nil)
 133                 if digestExpected != nil {
 134                         if bytes.Compare(digestExpected, digest) == 0 {
 135                                 log.Println(r.RemoteAddr, filename, "good checksum received")
 136                         } else {
 137                                 log.Println(r.RemoteAddr, filename, "bad checksum received")
 138                                 http.Error(w, "bad checksum", http.StatusBadRequest)
 139                                 os.Remove(dst.Name())
 140                                 return
 141                         }
 142                 }
 143                 if err = os.Rename(dst.Name(), path); err != nil {
 144                         log.Println("error", r.RemoteAddr, path, err)
 145                         http.Error(w, err.Error(), http.StatusInternalServerError)
 146                         return
 147                 }
 148                 if err = DirSync(dirPath); err != nil {
 149                         log.Println("error", r.RemoteAddr, dirPath, err)
 150                         http.Error(w, err.Error(), http.StatusInternalServerError)
 151                         return
 152                 }
 153                 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil {
 154                         log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
 155                         http.Error(w, err.Error(), http.StatusInternalServerError)
 156                         return
 157                 }
 158         }
 159         for _, file := range r.MultipartForm.File["gpg_signature"] {
 160                 filename := file.Filename
 161                 if _, exists := gpgSigsExpected[filename]; !exists {
 162                         log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
 163                         http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
 164                         return
 165                 }
 166                 delete(gpgSigsExpected, filename)
 167                 log.Println(r.RemoteAddr, "put", filename, "by", username)
 168                 path := filepath.Join(dirPath, filename)
 169                 if _, err = os.Stat(path); err == nil {
 170                         log.Println(r.RemoteAddr, filename, "already exists")
 171                         http.Error(w, "already exists", http.StatusBadRequest)
 172                         return
 173                 }
 174                 src, err := file.Open()
 175                 if err != nil {
 176                         log.Println("error", r.RemoteAddr, filename, err)
 177                         http.Error(w, err.Error(), http.StatusInternalServerError)
 178                         return
 179                 }
 180                 sig, err := ioutil.ReadAll(src)
 181                 src.Close()
 182                 if err != nil {
 183                         log.Println("error", r.RemoteAddr, filename, err)
 184                         http.Error(w, err.Error(), http.StatusInternalServerError)
 185                         return
 186                 }
 187                 if err = WriteFileSync(dirPath, path, sig); err != nil {
 188                         log.Println("error", r.RemoteAddr, path, err)
 189                         http.Error(w, err.Error(), http.StatusInternalServerError)
 190                         return
 191                 }
 192         }
 193 }