-/*
-GoCheese -- Python private package repository and caching proxy
-Copyright (C) 2019 Sergey Matveev <stargrave@stargrave.org>
- 2019 Elena Balakhonova <balakhonova_e@riseup.net>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, version 3 of the License.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program. If not, see <http://www.gnu.org/licenses/>.
-*/
+// GoCheese -- Python private package repository and caching proxy
+// Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
+// 2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, version 3 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
package main
"crypto/sha256"
"encoding/hex"
"io"
- "io/ioutil"
"log"
"net/http"
"os"
"path/filepath"
+ "regexp"
+ "strings"
+ "time"
+
+ "go.cypherpunks.ru/recfile"
)
+var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")
+
func serveUpload(w http.ResponseWriter, r *http.Request) {
- // Authentication
- username, password, ok := r.BasicAuth()
- if !ok {
- log.Println(r.RemoteAddr, "unauthenticated", username)
- http.Error(w, "unauthenticated", http.StatusUnauthorized)
+ user := r.Context().Value(CtxUserKey).(*User)
+ if user == nil {
+ log.Println(r.RemoteAddr, "unauthorised")
+ http.Error(w, "unauthorised", http.StatusUnauthorized)
return
}
- auther, ok := passwords[username]
- if !ok || !auther.Auth(password) {
- log.Println(r.RemoteAddr, "unauthenticated", username)
- http.Error(w, "unauthenticated", http.StatusUnauthorized)
+ if user.ro {
+ log.Println(r.RemoteAddr, "ro user", user.name)
+ http.Error(w, "unauthorised", http.StatusUnauthorized)
return
}
http.Error(w, "single name is expected in request", http.StatusBadRequest)
return
}
- pkgName := normalizationRe.ReplaceAllString(pkgNames[0], "-")
- dirPath := filepath.Join(*root, pkgName)
- var digestExpected []byte
- if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
- digestExpected, err = hex.DecodeString(digestExpectedHex[0])
+ pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
+ dirPath := filepath.Join(Root, pkgName)
+ now := time.Now().UTC()
+
+ var digestSHA256Expected []byte
+ if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
+ digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
if err != nil {
http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
return
}
}
- gpgSigsExpected := make(map[string]struct{})
+ var digestBLAKE2b256Expected []byte
+ if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
+ digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
+ if err != nil {
+ http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
+ return
+ }
+ }
// Checking is it internal package
if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
for _, file := range r.MultipartForm.File["content"] {
filename := file.Filename
- gpgSigsExpected[filename+GPGSigExt] = struct{}{}
- log.Println(r.RemoteAddr, "put", filename, "by", username)
+ log.Println(r.RemoteAddr, "put", filename, "by", user.name)
path := filepath.Join(dirPath, filename)
if _, err = os.Stat(path); err == nil {
- log.Println(r.RemoteAddr, "already exists", filename)
+ log.Println(r.RemoteAddr, filename, "already exists")
http.Error(w, "already exists", http.StatusBadRequest)
return
}
return
}
src, err := file.Open()
- defer src.Close()
if err != nil {
+ log.Println("error", r.RemoteAddr, filename, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
+ defer src.Close()
dst, err := TempFile(dirPath)
if err != nil {
+ log.Println("error", r.RemoteAddr, filename, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
dstBuf := bufio.NewWriter(dst)
- hasher := sha256.New()
- wr := io.MultiWriter(hasher, dst)
+ hasherSHA256 := sha256.New()
+ hasherBLAKE2b256 := blake2b256New()
+ wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
if _, err = io.Copy(wr, src); err != nil {
+ log.Println("error", r.RemoteAddr, filename, err)
os.Remove(dst.Name())
dst.Close()
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
if err = dstBuf.Flush(); err != nil {
+ log.Println("error", r.RemoteAddr, filename, err)
os.Remove(dst.Name())
dst.Close()
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- if err = dst.Sync(); err != nil {
- os.Remove(dst.Name())
- dst.Close()
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
+ if !NoSync {
+ if err = dst.Sync(); err != nil {
+ log.Println("error", r.RemoteAddr, filename, err)
+ os.Remove(dst.Name())
+ dst.Close()
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
}
dst.Close()
- digest := hasher.Sum(nil)
- if digestExpected != nil {
- if bytes.Compare(digestExpected, digest) == 0 {
- log.Println(r.RemoteAddr, filename, "good checksum received")
+
+ digestSHA256 := hasherSHA256.Sum(nil)
+ digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
+ if digestSHA256Expected != nil {
+ if bytes.Equal(digestSHA256Expected, digestSHA256) {
+ log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
+ } else {
+ log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
+ http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
+ os.Remove(dst.Name())
+ return
+ }
+ }
+ if digestBLAKE2b256Expected != nil {
+ if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
+ log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
} else {
- log.Println(r.RemoteAddr, filename, "bad checksum received")
- http.Error(w, "bad checksum", http.StatusBadRequest)
+ log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
+ http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest)
os.Remove(dst.Name())
return
}
}
+
if err = os.Rename(dst.Name(), path); err != nil {
+ log.Println("error", r.RemoteAddr, path, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
if err = DirSync(dirPath); err != nil {
+ log.Println("error", r.RemoteAddr, dirPath, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digest); err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
- }
- }
- for _, file := range r.MultipartForm.File["gpg_signature"] {
- filename := file.Filename
- if _, exists := gpgSigsExpected[filename]; !exists {
- http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
- return
- }
- delete(gpgSigsExpected, filename)
- log.Println(r.RemoteAddr, "put", filename, "by", username)
- path := filepath.Join(dirPath, filename)
- if _, err = os.Stat(path); err == nil {
- log.Println(r.RemoteAddr, "already exists", filename)
- http.Error(w, "already exists", http.StatusBadRequest)
- return
- }
- src, err := file.Open()
- if err != nil {
+ if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
+ log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- sig, err := ioutil.ReadAll(src)
- src.Close()
- if err != nil {
+ if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
+ log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
- if err = WriteFileSync(dirPath, path, sig); err != nil {
- http.Error(w, err.Error(), http.StatusInternalServerError)
- return
+ }
+
+ var buf bytes.Buffer
+ wr := recfile.NewWriter(&buf)
+ for _, m := range MDFormToRecField {
+ formField, recField := m[0], m[1]
+ if vs, exists := r.MultipartForm.Value[formField]; exists {
+ for _, v := range vs {
+ lines := strings.Split(v, "\n")
+ if len(lines) > 1 {
+ _, err = wr.WriteFieldMultiline(recField, lines)
+ } else {
+ _, err = wr.WriteFields(recfile.Field{
+ Name: recField,
+ Value: lines[0],
+ })
+ }
+ if err != nil {
+ log.Fatal(err)
+ }
+ }
}
}
+ path := filepath.Join(dirPath, MDFile)
+ if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
+ log.Println("error", r.RemoteAddr, path, err)
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
}