// GoCheese -- Python private package repository and caching proxy // Copyright (C) 2019-2024 Sergey Matveev // 2019-2024 Elena Balakhonova // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation, version 3 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with this program. If not, see . package main import ( "bufio" "bytes" "crypto/sha256" "encoding/hex" "io" "log" "net/http" "os" "path/filepath" "regexp" "strings" "time" "go.cypherpunks.ru/recfile" ) var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+") func serveUpload(w http.ResponseWriter, r *http.Request) { user := r.Context().Value(CtxUserKey).(*User) if user == nil { log.Println(r.RemoteAddr, "unauthorised") http.Error(w, "unauthorised", http.StatusUnauthorized) return } if user.ro { log.Println(r.RemoteAddr, "ro user", user.name) http.Error(w, "unauthorised", http.StatusUnauthorized) return } // Form parsing var err error if err = r.ParseMultipartForm(1 << 20); err != nil { http.Error(w, err.Error(), http.StatusBadRequest) return } pkgNames, exists := r.MultipartForm.Value["name"] if !exists || len(pkgNames) != 1 { http.Error(w, "single name is expected in request", http.StatusBadRequest) return } pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-")) dirPath := filepath.Join(Root, pkgName) now := time.Now().UTC() var digestSHA256Expected []byte if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists { digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0]) if err != nil { http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest) return } } var digestBLAKE2b256Expected []byte if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists { digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0]) if err != nil { http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest) return } } // Checking is it internal package if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil { log.Println(r.RemoteAddr, "non-internal package", pkgName) http.Error(w, "unknown internal package", http.StatusUnauthorized) return } for _, file := range r.MultipartForm.File["content"] { filename := file.Filename log.Println(r.RemoteAddr, "put", filename, "by", user.name) path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, filename, "already exists") http.Error(w, "already exists", http.StatusBadRequest) return } if !mkdirForPkg(w, r, pkgName) { return } src, err := file.Open() if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } defer src.Close() dst, err := TempFile(dirPath) if err != nil { log.Println("error", r.RemoteAddr, filename, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } dstBuf := bufio.NewWriter(dst) hasherSHA256 := sha256.New() hasherBLAKE2b256 := blake2b256New() wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst) if _, err = io.Copy(wr, src); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = dstBuf.Flush(); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } if !NoSync { if err = dst.Sync(); err != nil { log.Println("error", r.RemoteAddr, filename, err) os.Remove(dst.Name()) dst.Close() http.Error(w, err.Error(), http.StatusInternalServerError) return } } dst.Close() digestSHA256 := hasherSHA256.Sum(nil) digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil) if digestSHA256Expected != nil { if bytes.Equal(digestSHA256Expected, digestSHA256) { log.Println(r.RemoteAddr, filename, "good SHA256 checksum received") } else { log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received") http.Error(w, "bad sha256 checksum", http.StatusBadRequest) os.Remove(dst.Name()) return } } if digestBLAKE2b256Expected != nil { if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) { log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received") } else { log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received") http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest) os.Remove(dst.Name()) return } } if err = os.Rename(dst.Name(), path); err != nil { log.Println("error", r.RemoteAddr, path, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = DirSync(dirPath); err != nil { log.Println("error", r.RemoteAddr, dirPath, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil { log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil { log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } } var buf bytes.Buffer wr := recfile.NewWriter(&buf) for _, m := range MDFormToRecField { formField, recField := m[0], m[1] if vs, exists := r.MultipartForm.Value[formField]; exists { for _, v := range vs { lines := strings.Split(v, "\n") if len(lines) > 1 { _, err = wr.WriteFieldMultiline(recField, lines) } else { _, err = wr.WriteFields(recfile.Field{ Name: recField, Value: lines[0], }) } if err != nil { log.Fatal(err) } } } } path := filepath.Join(dirPath, MDFile) if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil { log.Println("error", r.RemoteAddr, path, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } }