upload.go

   1 // GoCheese -- Python private package repository and caching proxy
   2 // Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
   3 //               2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
   4 //
   5 // This program is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, version 3 of the License.
   8 //
   9 // This program is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 package main
  18
  19 import (
  20         "bufio"
  21         "bytes"
  22         "crypto/sha256"
  23         "encoding/hex"
  24         "io"
  25         "log"
  26         "net/http"
  27         "os"
  28         "path/filepath"
  29         "regexp"
  30         "strings"
  31         "time"
  32
  33         "go.cypherpunks.ru/recfile"
  34 )
  35
  36 var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")
  37
  38 func serveUpload(w http.ResponseWriter, r *http.Request) {
  39         // Authentication
  40         username, password, ok := r.BasicAuth()
  41         if !ok {
  42                 log.Println(r.RemoteAddr, "unauthenticated", username)
  43                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  44                 return
  45         }
  46         PasswordsM.RLock()
  47         auther, ok := Passwords[username]
  48         PasswordsM.RUnlock()
  49         if !ok || !auther.Auth(password) {
  50                 log.Println(r.RemoteAddr, "unauthenticated", username)
  51                 http.Error(w, "unauthenticated", http.StatusUnauthorized)
  52                 return
  53         }
  54
  55         // Form parsing
  56         var err error
  57         if err = r.ParseMultipartForm(1 << 20); err != nil {
  58                 http.Error(w, err.Error(), http.StatusBadRequest)
  59                 return
  60         }
  61         pkgNames, exists := r.MultipartForm.Value["name"]
  62         if !exists || len(pkgNames) != 1 {
  63                 http.Error(w, "single name is expected in request", http.StatusBadRequest)
  64                 return
  65         }
  66         pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
  67         dirPath := filepath.Join(Root, pkgName)
  68         now := time.Now().UTC()
  69
  70         var digestSHA256Expected []byte
  71         if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
  72                 digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
  73                 if err != nil {
  74                         http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
  75                         return
  76                 }
  77         }
  78         var digestBLAKE2b256Expected []byte
  79         if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
  80                 digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
  81                 if err != nil {
  82                         http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
  83                         return
  84                 }
  85         }
  86
  87         // Checking is it internal package
  88         if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
  89                 log.Println(r.RemoteAddr, "non-internal package", pkgName)
  90                 http.Error(w, "unknown internal package", http.StatusUnauthorized)
  91                 return
  92         }
  93
  94         for _, file := range r.MultipartForm.File["content"] {
  95                 filename := file.Filename
  96                 log.Println(r.RemoteAddr, "put", filename, "by", username)
  97                 path := filepath.Join(dirPath, filename)
  98                 if _, err = os.Stat(path); err == nil {
  99                         log.Println(r.RemoteAddr, filename, "already exists")
 100                         http.Error(w, "already exists", http.StatusBadRequest)
 101                         return
 102                 }
 103                 if !mkdirForPkg(w, r, pkgName) {
 104                         return
 105                 }
 106                 src, err := file.Open()
 107                 if err != nil {
 108                         log.Println("error", r.RemoteAddr, filename, err)
 109                         http.Error(w, err.Error(), http.StatusInternalServerError)
 110                         return
 111                 }
 112                 defer src.Close()
 113                 dst, err := TempFile(dirPath)
 114                 if err != nil {
 115                         log.Println("error", r.RemoteAddr, filename, err)
 116                         http.Error(w, err.Error(), http.StatusInternalServerError)
 117                         return
 118                 }
 119                 dstBuf := bufio.NewWriter(dst)
 120                 hasherSHA256 := sha256.New()
 121                 hasherBLAKE2b256 := blake2b256New()
 122                 wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
 123                 if _, err = io.Copy(wr, src); err != nil {
 124                         log.Println("error", r.RemoteAddr, filename, err)
 125                         os.Remove(dst.Name())
 126                         dst.Close()
 127                         http.Error(w, err.Error(), http.StatusInternalServerError)
 128                         return
 129                 }
 130                 if err = dstBuf.Flush(); err != nil {
 131                         log.Println("error", r.RemoteAddr, filename, err)
 132                         os.Remove(dst.Name())
 133                         dst.Close()
 134                         http.Error(w, err.Error(), http.StatusInternalServerError)
 135                         return
 136                 }
 137                 if !NoSync {
 138                         if err = dst.Sync(); err != nil {
 139                                 log.Println("error", r.RemoteAddr, filename, err)
 140                                 os.Remove(dst.Name())
 141                                 dst.Close()
 142                                 http.Error(w, err.Error(), http.StatusInternalServerError)
 143                                 return
 144                         }
 145                 }
 146                 dst.Close()
 147
 148                 digestSHA256 := hasherSHA256.Sum(nil)
 149                 digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
 150                 if digestSHA256Expected != nil {
 151                         if bytes.Equal(digestSHA256Expected, digestSHA256) {
 152                                 log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
 153                         } else {
 154                                 log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
 155                                 http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
 156                                 os.Remove(dst.Name())
 157                                 return
 158                         }
 159                 }
 160                 if digestBLAKE2b256Expected != nil {
 161                         if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
 162                                 log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
 163                         } else {
 164                                 log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
 165                                 http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest)
 166                                 os.Remove(dst.Name())
 167                                 return
 168                         }
 169                 }
 170
 171                 if err = os.Rename(dst.Name(), path); err != nil {
 172                         log.Println("error", r.RemoteAddr, path, err)
 173                         http.Error(w, err.Error(), http.StatusInternalServerError)
 174                         return
 175                 }
 176                 if err = DirSync(dirPath); err != nil {
 177                         log.Println("error", r.RemoteAddr, dirPath, err)
 178                         http.Error(w, err.Error(), http.StatusInternalServerError)
 179                         return
 180                 }
 181                 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
 182                         log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
 183                         http.Error(w, err.Error(), http.StatusInternalServerError)
 184                         return
 185                 }
 186                 if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
 187                         log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
 188                         http.Error(w, err.Error(), http.StatusInternalServerError)
 189                         return
 190                 }
 191         }
 192
 193         var buf bytes.Buffer
 194         wr := recfile.NewWriter(&buf)
 195         for _, m := range MDFormToRecField {
 196                 formField, recField := m[0], m[1]
 197                 if vs, exists := r.MultipartForm.Value[formField]; exists {
 198                         for _, v := range vs {
 199                                 lines := strings.Split(v, "\n")
 200                                 if len(lines) > 1 {
 201                                         _, err = wr.WriteFieldMultiline(recField, lines)
 202                                 } else {
 203                                         _, err = wr.WriteFields(recfile.Field{
 204                                                 Name:  recField,
 205                                                 Value: lines[0],
 206                                         })
 207                                 }
 208                                 if err != nil {
 209                                         log.Fatal(err)
 210                                 }
 211                         }
 212                 }
 213         }
 214         path := filepath.Join(dirPath, MDFile)
 215         if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
 216                 log.Println("error", r.RemoteAddr, path, err)
 217                 http.Error(w, err.Error(), http.StatusInternalServerError)
 218                 return
 219         }
 220 }