/* GoCheese -- Python private package repository and caching proxy Copyright (C) 2019-2021 Sergey Matveev 2019-2021 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . */ package main import ( "bufio" "bytes" "crypto/sha256" "encoding/hex" "io" "io/ioutil" "log" "net/http" "os" "path/filepath" ) func serveUpload(w http.ResponseWriter, r *http.Request) { // Authentication username, password, ok := r.BasicAuth() if !ok { log.Println(r.RemoteAddr, "unauthenticated", username) http.Error(w, "unauthenticated", http.StatusUnauthorized) return } auther, ok := passwords[username] if !ok || !auther.Auth(password) { log.Println(r.RemoteAddr, "unauthenticated", username) http.Error(w, "unauthenticated", http.StatusUnauthorized) return } // Form parsing var err error if err = r.ParseMultipartForm(1 << 20); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } pkgNames, exists := r.MultipartForm.Value["name"] if !exists || len(pkgNames) != 1 { http.Error(w, "single name is expected in request", http.StatusBadRequest) return } pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-") dirPath := filepath.Join(*root, pkgName) var digestExpected []byte if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists { digestExpected, err = hex.DecodeString(digestExpectedHex[0]) if err != nil { http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest) return } } gpgSigsExpected := make(map[string]struct{}) // Checking is it internal package if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil { log.Println(r.RemoteAddr, "non-internal package", pkgName) http.Error(w, "unknown internal package", http.StatusUnauthorized) return } for _, file := range r.MultipartForm.File["content"] { filename := file.Filename gpgSigsExpected[filename+GPGSigExt] = struct{}{} log.Println(r.RemoteAddr, "put", filename, "by", username) path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, filename, "already exists") http.Error(w, "already exists", http.StatusBadRequest) return } if !mkdirForPkg(w, r, pkgName) { return } src, err := file.Open() defer src.Close() if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } dst, err := TempFile(dirPath) if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } dstBuf := bufio.NewWriter(dst) hasher := sha256.New() wr := io.MultiWriter(hasher, dst) if _, err = io.Copy(wr, src); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = dstBuf.Flush(); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = dst.Sync(); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } dst.Close() digest := hasher.Sum(nil) if digestExpected != nil { if bytes.Compare(digestExpected, digest) == 0 { log.Println(r.RemoteAddr, filename, "good checksum received") } else { log.Println(r.RemoteAddr, filename, "bad checksum received") http.Error(w, "bad checksum", http.StatusBadRequest) os.Remove(dst.Name()) return } } if err = os.Rename(dst.Name(), path); err != nil { log.Println("error", r.RemoteAddr, path, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = DirSync(dirPath); err != nil { log.Println("error", r.RemoteAddr, dirPath, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil { log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } } for _, file := range r.MultipartForm.File["gpg_signature"] { filename := file.Filename if _, exists := gpgSigsExpected[filename]; !exists { log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename") http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest) return } delete(gpgSigsExpected, filename) log.Println(r.RemoteAddr, "put", filename, "by", username) path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, filename, "already exists") http.Error(w, "already exists", http.StatusBadRequest) return } src, err := file.Open() if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } sig, err := ioutil.ReadAll(src) src.Close() if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = WriteFileSync(dirPath, path, sig); err != nil { log.Println("error", r.RemoteAddr, path, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } } }