-auth-required option and optional :ro per-user attribute

[gocheese.git] / upload.go

// GoCheese -- Python private package repository and caching proxy
// Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
//               2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, version 3 of the License.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package main

import (
        "bufio"
        "bytes"
        "crypto/sha256"
        "encoding/hex"
        "io"
        "log"
        "net/http"
        "os"
        "path/filepath"
        "regexp"
        "strings"
        "time"

        "go.cypherpunks.ru/recfile"
)

var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")

func serveUpload(w http.ResponseWriter, r *http.Request) {
        user := r.Context().Value(CtxUserKey).(*User)
        if user == nil {
                log.Println(r.RemoteAddr, "unauthorised")
                http.Error(w, "unauthorised", http.StatusUnauthorized)
                return
        }
        if user.ro {
                log.Println(r.RemoteAddr, "ro user", user.name)
                http.Error(w, "unauthorised", http.StatusUnauthorized)
                return
        }

        // Form parsing
        var err error
        if err = r.ParseMultipartForm(1 << 20); err != nil {
                http.Error(w, err.Error(), http.StatusBadRequest)
                return
        }
        pkgNames, exists := r.MultipartForm.Value["name"]
        if !exists || len(pkgNames) != 1 {
                http.Error(w, "single name is expected in request", http.StatusBadRequest)
                return
        }
        pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
        dirPath := filepath.Join(Root, pkgName)
        now := time.Now().UTC()

        var digestSHA256Expected []byte
        if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
                digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
                if err != nil {
                        http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
                        return
                }
        }
        var digestBLAKE2b256Expected []byte
        if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
                digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
                if err != nil {
                        http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
                        return
                }
        }

        // Checking is it internal package
        if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
                log.Println(r.RemoteAddr, "non-internal package", pkgName)
                http.Error(w, "unknown internal package", http.StatusUnauthorized)
                return
        }

        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
                log.Println(r.RemoteAddr, "put", filename, "by", user.name)
                path := filepath.Join(dirPath, filename)
                if _, err = os.Stat(path); err == nil {
                        log.Println(r.RemoteAddr, filename, "already exists")
                        http.Error(w, "already exists", http.StatusBadRequest)
                        return
                }
                if !mkdirForPkg(w, r, pkgName) {
                        return
                }
                src, err := file.Open()
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                defer src.Close()
                dst, err := TempFile(dirPath)
                if err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                dstBuf := bufio.NewWriter(dst)
                hasherSHA256 := sha256.New()
                hasherBLAKE2b256 := blake2b256New()
                wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
                if _, err = io.Copy(wr, src); err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        os.Remove(dst.Name())
                        dst.Close()
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = dstBuf.Flush(); err != nil {
                        log.Println("error", r.RemoteAddr, filename, err)
                        os.Remove(dst.Name())
                        dst.Close()
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if !NoSync {
                        if err = dst.Sync(); err != nil {
                                log.Println("error", r.RemoteAddr, filename, err)
                                os.Remove(dst.Name())
                                dst.Close()
                                http.Error(w, err.Error(), http.StatusInternalServerError)
                                return
                        }
                }
                dst.Close()

                digestSHA256 := hasherSHA256.Sum(nil)
                digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
                if digestSHA256Expected != nil {
                        if bytes.Equal(digestSHA256Expected, digestSHA256) {
                                log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
                        } else {
                                log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
                                http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
                                os.Remove(dst.Name())
                                return
                        }
                }
                if digestBLAKE2b256Expected != nil {
                        if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
                                log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
                        } else {
                                log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
                                http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest)
                                os.Remove(dst.Name())
                                return
                        }
                }

                if err = os.Rename(dst.Name(), path); err != nil {
                        log.Println("error", r.RemoteAddr, path, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = DirSync(dirPath); err != nil {
                        log.Println("error", r.RemoteAddr, dirPath, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
                        log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
                if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
                        log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
        }

        var buf bytes.Buffer
        wr := recfile.NewWriter(&buf)
        for _, m := range MDFormToRecField {
                formField, recField := m[0], m[1]
                if vs, exists := r.MultipartForm.Value[formField]; exists {
                        for _, v := range vs {
                                lines := strings.Split(v, "\n")
                                if len(lines) > 1 {
                                        _, err = wr.WriteFieldMultiline(recField, lines)
                                } else {
                                        _, err = wr.WriteFields(recfile.Field{
                                                Name:  recField,
                                                Value: lines[0],
                                        })
                                }
                                if err != nil {
                                        log.Fatal(err)
                                }
                        }
                }
        }
        path := filepath.Join(dirPath, MDFile)
        if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
                log.Println("error", r.RemoteAddr, path, err)
                http.Error(w, err.Error(), http.StatusInternalServerError)
                return
        }
}