1 // GoCheese -- Python private package repository and caching proxy
2 // Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
3 // 2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, version 3 of the License.
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with this program. If not, see <http://www.gnu.org/licenses/>.
33 "go.cypherpunks.ru/recfile"
36 var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")
38 func serveUpload(w http.ResponseWriter, r *http.Request) {
40 username, password, ok := r.BasicAuth()
42 log.Println(r.RemoteAddr, "unauthenticated", username)
43 http.Error(w, "unauthenticated", http.StatusUnauthorized)
47 auther, ok := Passwords[username]
49 if !ok || !auther.Auth(password) {
50 log.Println(r.RemoteAddr, "unauthenticated", username)
51 http.Error(w, "unauthenticated", http.StatusUnauthorized)
57 if err = r.ParseMultipartForm(1 << 20); err != nil {
58 http.Error(w, err.Error(), http.StatusBadRequest)
61 pkgNames, exists := r.MultipartForm.Value["name"]
62 if !exists || len(pkgNames) != 1 {
63 http.Error(w, "single name is expected in request", http.StatusBadRequest)
66 pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
67 dirPath := filepath.Join(Root, pkgName)
68 now := time.Now().UTC()
70 var digestSHA256Expected []byte
71 if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
72 digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
74 http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
78 var digestBLAKE2b256Expected []byte
79 if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
80 digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
82 http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
87 // Checking is it internal package
88 if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
89 log.Println(r.RemoteAddr, "non-internal package", pkgName)
90 http.Error(w, "unknown internal package", http.StatusUnauthorized)
94 for _, file := range r.MultipartForm.File["content"] {
95 filename := file.Filename
96 log.Println(r.RemoteAddr, "put", filename, "by", username)
97 path := filepath.Join(dirPath, filename)
98 if _, err = os.Stat(path); err == nil {
99 log.Println(r.RemoteAddr, filename, "already exists")
100 http.Error(w, "already exists", http.StatusBadRequest)
103 if !mkdirForPkg(w, r, pkgName) {
106 src, err := file.Open()
108 log.Println("error", r.RemoteAddr, filename, err)
109 http.Error(w, err.Error(), http.StatusInternalServerError)
113 dst, err := TempFile(dirPath)
115 log.Println("error", r.RemoteAddr, filename, err)
116 http.Error(w, err.Error(), http.StatusInternalServerError)
119 dstBuf := bufio.NewWriter(dst)
120 hasherSHA256 := sha256.New()
121 hasherBLAKE2b256 := blake2b256New()
122 wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
123 if _, err = io.Copy(wr, src); err != nil {
124 log.Println("error", r.RemoteAddr, filename, err)
125 os.Remove(dst.Name())
127 http.Error(w, err.Error(), http.StatusInternalServerError)
130 if err = dstBuf.Flush(); err != nil {
131 log.Println("error", r.RemoteAddr, filename, err)
132 os.Remove(dst.Name())
134 http.Error(w, err.Error(), http.StatusInternalServerError)
138 if err = dst.Sync(); err != nil {
139 log.Println("error", r.RemoteAddr, filename, err)
140 os.Remove(dst.Name())
142 http.Error(w, err.Error(), http.StatusInternalServerError)
148 digestSHA256 := hasherSHA256.Sum(nil)
149 digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
150 if digestSHA256Expected != nil {
151 if bytes.Equal(digestSHA256Expected, digestSHA256) {
152 log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
154 log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
155 http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
156 os.Remove(dst.Name())
160 if digestBLAKE2b256Expected != nil {
161 if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
162 log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
164 log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
165 http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest)
166 os.Remove(dst.Name())
171 if err = os.Rename(dst.Name(), path); err != nil {
172 log.Println("error", r.RemoteAddr, path, err)
173 http.Error(w, err.Error(), http.StatusInternalServerError)
176 if err = DirSync(dirPath); err != nil {
177 log.Println("error", r.RemoteAddr, dirPath, err)
178 http.Error(w, err.Error(), http.StatusInternalServerError)
181 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
182 log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
183 http.Error(w, err.Error(), http.StatusInternalServerError)
186 if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
187 log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
188 http.Error(w, err.Error(), http.StatusInternalServerError)
194 wr := recfile.NewWriter(&buf)
195 for _, m := range MDFormToRecField {
196 formField, recField := m[0], m[1]
197 if vs, exists := r.MultipartForm.Value[formField]; exists {
198 for _, v := range vs {
199 lines := strings.Split(v, "\n")
201 _, err = wr.WriteFieldMultiline(recField, lines)
203 _, err = wr.WriteFields(recfile.Field{
214 path := filepath.Join(dirPath, MDFile)
215 if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
216 log.Println("error", r.RemoteAddr, path, err)
217 http.Error(w, err.Error(), http.StatusInternalServerError)