X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.go;h=25a1b562918b1a6b35f7e48c663cfc38faa21829;hp=7e5f79ec0e86fd0ad599035050aa8cf2cdb993a5;hb=48325fb9a20dcc7fab91c6f3c86618e19057254e;hpb=9e662204b6bd8cafdd2bbfe7534573d828eaef2b diff --git a/gocheese.go b/gocheese.go index 7e5f79e..25a1b56 100644 --- a/gocheese.go +++ b/gocheese.go @@ -1,11 +1,11 @@ /* GoCheese -- Python private package repository and caching proxy Copyright (C) 2019 Sergey Matveev + 2019 Elena Balakhonova This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. +the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -21,6 +21,7 @@ package main import ( "bytes" + "context" "crypto/sha256" "encoding/hex" "flag" @@ -28,27 +29,40 @@ import ( "io" "io/ioutil" "log" + "net" "net/http" "net/url" "os" + "os/signal" "path/filepath" "regexp" "runtime" "strings" + "syscall" + "time" + + "golang.org/x/net/netutil" ) const ( - HTMLBegin = "Links for %s

Links for %s

\n" - HTMLEnd = "" - HTMLElement = "%s
\n" + HTMLBegin = ` + + + Links for %s + + +` + HTMLEnd = " \n\n" + HTMLElement = " %s
\n" SHA256Prefix = "sha256=" SHA256Ext = ".sha256" InternalFlag = ".internal" + GPGSigExt = ".asc" + GPGSigAttr = " data-gpg-sig=true" Warranty = `This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -the Free Software Foundation, either version 3 of the License, or -(at your option) any later version. +the Free Software Foundation, version 3 of the License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -60,26 +74,33 @@ along with this program. If not, see .` ) var ( - root = flag.String("root", "./packages", "Path to packages directory") - bind = flag.String("bind", "[::]:8080", "Address to bind to") - simpleURLPath = flag.String("simple", "/simple/", "/simple/ URL path") - refreshURLPath = flag.String("refresh", "/refresh/", "Auto-refreshing URL path") - pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") - auth = flag.String("auth", "spam:foo", "login:password,...") - fsck = flag.Bool("fsck", false, "Check integrity of all packages") - version = flag.Bool("version", false, "Print version information") - warranty = flag.Bool("warranty", false, "Print warranty information") - pkgPyPI = regexp.MustCompile(`^.*]*>(.+)
.*$`) Version string = "UNKNOWN" - passwords map[string]string = make(map[string]string) + root = flag.String("root", "./packages", "Path to packages directory") + bind = flag.String("bind", "[::]:8080", "Address to bind to") + tlsCert = flag.String("tls-cert", "", "Path to TLS X.509 certificate") + tlsKey = flag.String("tls-key", "", "Path to TLS X.509 private key") + norefreshURLPath = flag.String("norefresh", "/norefresh/", "Non-refreshing URL path") + refreshURLPath = flag.String("refresh", "/simple/", "Auto-refreshing URL path") + gpgUpdateURLPath = flag.String("gpgupdate", "/gpgupdate/", "GPG forceful refreshing URL path") + pypiURL = flag.String("pypi", "https://pypi.org/simple/", "Upstream PyPI URL") + passwdPath = flag.String("passwd", "passwd", "Path to file with authenticators") + passwdCheck = flag.Bool("passwd-check", false, "Test the -passwd file for syntax errors and exit") + fsck = flag.Bool("fsck", false, "Check integrity of all packages") + maxClients = flag.Int("maxclients", 128, "Maximal amount of simultaneous clients") + version = flag.Bool("version", false, "Print version information") + warranty = flag.Bool("warranty", false, "Print warranty information") + + killed bool + + normalizationRe *regexp.Regexp = regexp.MustCompilePOSIX("[-_.]+") ) func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { path := filepath.Join(*root, dir) if _, err := os.Stat(path); os.IsNotExist(err) { - if err = os.Mkdir(path, 0700); err != nil { + if err = os.Mkdir(path, os.FileMode(0777)); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false } @@ -88,19 +109,23 @@ func mkdirForPkg(w http.ResponseWriter, r *http.Request, dir string) bool { return true } -func refreshDir(w http.ResponseWriter, r *http.Request, dir, filenameGet string) bool { +func refreshDir( + w http.ResponseWriter, + r *http.Request, + dir, + filenameGet string, + gpgUpdate bool, +) bool { if _, err := os.Stat(filepath.Join(*root, dir, InternalFlag)); err == nil { - log.Println(r.RemoteAddr, "pypi refresh skip, internal package", dir) return true } - log.Println(r.RemoteAddr, "pypi refresh", dir) resp, err := http.Get(*pypiURL + dir + "/") if err != nil { http.Error(w, err.Error(), http.StatusBadGateway) return false } - defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) + resp.Body.Close() if err != nil { http.Error(w, err.Error(), http.StatusBadGateway) return false @@ -108,6 +133,7 @@ func refreshDir(w http.ResponseWriter, r *http.Request, dir, filenameGet string) if !mkdirForPkg(w, r, dir) { return false } + dirPath := filepath.Join(*root, dir) var submatches []string var uri string var filename string @@ -130,17 +156,23 @@ func refreshDir(w http.ResponseWriter, r *http.Request, dir, filenameGet string) http.Error(w, err.Error(), http.StatusBadGateway) return false } + pkgURL.Fragment = "" + path = filepath.Join(dirPath, filename) if filename == filenameGet { + if killed { + // Skip heavy remote call, when shutting down + http.Error(w, "shutting down", http.StatusInternalServerError) + return false + } log.Println(r.RemoteAddr, "pypi download", filename) - path = filepath.Join(*root, dir, filename) - resp, err = http.Get(uri) + resp, err = http.Get(pkgURL.String()) if err != nil { http.Error(w, err.Error(), http.StatusBadGateway) return false } defer resp.Body.Close() hasher := sha256.New() - dst, err := ioutil.TempFile(filepath.Join(*root, dir), "") + dst, err := TempFile(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false @@ -171,18 +203,32 @@ func refreshDir(w http.ResponseWriter, r *http.Request, dir, filenameGet string) return false } } - path = filepath.Join(*root, dir, filename+SHA256Ext) + if filename == filenameGet || gpgUpdate { + if _, err = os.Stat(path); err == nil { + if resp, err := http.Get(pkgURL.String() + GPGSigExt); err == nil { + sig, err := ioutil.ReadAll(resp.Body) + resp.Body.Close() + if err == nil { + if err = WriteFileSync(dirPath, path+GPGSigExt, sig); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false + } + log.Println(r.RemoteAddr, "pypi downloaded signature", filename) + } + } + } + } + path = path + SHA256Ext _, err = os.Stat(path) if err == nil { continue - } else { - if !os.IsNotExist(err) { - http.Error(w, err.Error(), http.StatusInternalServerError) - return false - } + } + if !os.IsNotExist(err) { + http.Error(w, err.Error(), http.StatusInternalServerError) + return false } log.Println(r.RemoteAddr, "pypi touch", filename) - if err = ioutil.WriteFile(path, digest, os.FileMode(0600)); err != nil { + if err = WriteFileSync(dirPath, path, digest); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return false } @@ -191,33 +237,39 @@ func refreshDir(w http.ResponseWriter, r *http.Request, dir, filenameGet string) } func listRoot(w http.ResponseWriter, r *http.Request) { - log.Println(r.RemoteAddr, "root") files, err := ioutil.ReadDir(*root) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } - w.Write([]byte(fmt.Sprintf(HTMLBegin, "root", "root"))) + var result bytes.Buffer + result.WriteString(fmt.Sprintf(HTMLBegin, "root")) for _, file := range files { if file.Mode().IsDir() { - w.Write([]byte(fmt.Sprintf( + result.WriteString(fmt.Sprintf( HTMLElement, - *simpleURLPath+file.Name()+"/", + *refreshURLPath+file.Name()+"/", file.Name(), - ))) + )) } } - w.Write([]byte(HTMLEnd)) + result.WriteString(HTMLEnd) + w.Write(result.Bytes()) } -func listDir(w http.ResponseWriter, r *http.Request, dir string, autorefresh bool) { - log.Println(r.RemoteAddr, "dir", dir) +func listDir( + w http.ResponseWriter, + r *http.Request, + dir string, + autorefresh, + gpgUpdate bool, +) { dirPath := filepath.Join(*root, dir) if autorefresh { - if !refreshDir(w, r, dir, "") { + if !refreshDir(w, r, dir, "", gpgUpdate) { return } - } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "") { + } else if _, err := os.Stat(dirPath); os.IsNotExist(err) && !refreshDir(w, r, dir, "", false) { return } files, err := ioutil.ReadDir(dirPath) @@ -225,36 +277,50 @@ func listDir(w http.ResponseWriter, r *http.Request, dir string, autorefresh boo http.Error(w, err.Error(), http.StatusInternalServerError) return } - w.Write([]byte(fmt.Sprintf(HTMLBegin, dir, dir))) + var result bytes.Buffer + result.WriteString(fmt.Sprintf(HTMLBegin, dir)) var data []byte + var gpgSigAttr string var filenameClean string for _, file := range files { if !strings.HasSuffix(file.Name(), SHA256Ext) { continue } + if killed { + // Skip expensive I/O when shutting down + http.Error(w, "shutting down", http.StatusInternalServerError) + return + } data, err = ioutil.ReadFile(filepath.Join(dirPath, file.Name())) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } filenameClean = strings.TrimSuffix(file.Name(), SHA256Ext) - w.Write([]byte(fmt.Sprintf( + if _, err = os.Stat(filepath.Join(dirPath, filenameClean+GPGSigExt)); os.IsNotExist(err) { + gpgSigAttr = "" + } else { + gpgSigAttr = GPGSigAttr + } + result.WriteString(fmt.Sprintf( HTMLElement, strings.Join([]string{ - *simpleURLPath, dir, "/", - filenameClean, "#", SHA256Prefix, string(data), + *refreshURLPath, dir, "/", + filenameClean, "#", SHA256Prefix, hex.EncodeToString(data), }, ""), + gpgSigAttr, filenameClean, - ))) + )) } - w.Write([]byte(HTMLEnd)) + result.WriteString(HTMLEnd) + w.Write(result.Bytes()) } func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) { - log.Println(r.RemoteAddr, "pkg", filename) + log.Println(r.RemoteAddr, "get", filename) path := filepath.Join(*root, dir, filename) if _, err := os.Stat(path); os.IsNotExist(err) { - if !refreshDir(w, r, dir, filename) { + if !refreshDir(w, r, dir, filename, false) { return } } @@ -263,7 +329,13 @@ func servePkg(w http.ResponseWriter, r *http.Request, dir, filename string) { func serveUpload(w http.ResponseWriter, r *http.Request) { username, password, ok := r.BasicAuth() - if !ok || passwords[username] != password { + if !ok { + log.Println(r.RemoteAddr, "unauthenticated", username) + http.Error(w, "unauthenticated", http.StatusUnauthorized) + return + } + auther, ok := passwords[username] + if !ok || !auther.Auth(password) { log.Println(r.RemoteAddr, "unauthenticated", username) http.Error(w, "unauthenticated", http.StatusUnauthorized) return @@ -273,11 +345,26 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusBadRequest) return } + pkgNames, exists := r.MultipartForm.Value["name"] + if !exists || len(pkgNames) != 1 { + http.Error(w, "name is expected in request", http.StatusBadRequest) + return + } + dir := normalizationRe.ReplaceAllString(pkgNames[0], "-") + dirPath := filepath.Join(*root, dir) + var digestExpected []byte + if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists { + digestExpected, err = hex.DecodeString(digestExpectedHex[0]) + if err != nil { + http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest) + return + } + } + gpgSigsExpected := make(map[string]struct{}) for _, file := range r.MultipartForm.File["content"] { filename := file.Filename - log.Println(r.RemoteAddr, "upload", filename, "by", username) - dir := filename[:strings.LastIndex(filename, "-")] - dirPath := filepath.Join(*root, dir) + gpgSigsExpected[filename+GPGSigExt] = struct{}{} + log.Println(r.RemoteAddr, "put", filename, "by", username) path := filepath.Join(dirPath, filename) if _, err = os.Stat(path); err == nil { log.Println(r.RemoteAddr, "already exists", filename) @@ -302,7 +389,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { http.Error(w, err.Error(), http.StatusInternalServerError) return } - dst, err = ioutil.TempFile(dirPath, "") + dst, err = TempFile(dirPath) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return @@ -322,15 +409,52 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { return } dst.Close() + digest := hasher.Sum(nil) + if digestExpected != nil { + if bytes.Compare(digestExpected, digest) == 0 { + log.Println(r.RemoteAddr, filename, "good checksum received") + } else { + log.Println(r.RemoteAddr, filename, "bad checksum received") + http.Error(w, "bad checksum", http.StatusBadRequest) + os.Remove(dst.Name()) + return + } + } if err = os.Rename(dst.Name(), path); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } - if err = ioutil.WriteFile( - path+SHA256Ext, - hasher.Sum(nil), - os.FileMode(0600), - ); err != nil { + if err = WriteFileSync(dirPath, path+SHA256Ext, digest); err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + } + for _, file := range r.MultipartForm.File["gpg_signature"] { + filename := file.Filename + if _, exists := gpgSigsExpected[filename]; !exists { + http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest) + return + } + delete(gpgSigsExpected, filename) + log.Println(r.RemoteAddr, "put", filename, "by", username) + path := filepath.Join(dirPath, filename) + if _, err = os.Stat(path); err == nil { + log.Println(r.RemoteAddr, "already exists", filename) + http.Error(w, "Already exists", http.StatusBadRequest) + return + } + src, err := file.Open() + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + sig, err := ioutil.ReadAll(src) + src.Close() + if err != nil { + http.Error(w, err.Error(), http.StatusInternalServerError) + return + } + if err = WriteFileSync(dirPath, path, sig); err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return } @@ -338,15 +462,23 @@ func serveUpload(w http.ResponseWriter, r *http.Request) { } func handler(w http.ResponseWriter, r *http.Request) { - if r.Method == "GET" { + switch r.Method { + case "GET": var path string var autorefresh bool - if strings.HasPrefix(r.URL.Path, *simpleURLPath) { - path = strings.TrimPrefix(r.URL.Path, *simpleURLPath) - autorefresh = false - } else { + var gpgUpdate bool + if strings.HasPrefix(r.URL.Path, *norefreshURLPath) { + path = strings.TrimPrefix(r.URL.Path, *norefreshURLPath) + } else if strings.HasPrefix(r.URL.Path, *refreshURLPath) { path = strings.TrimPrefix(r.URL.Path, *refreshURLPath) autorefresh = true + } else if strings.HasPrefix(r.URL.Path, *gpgUpdateURLPath) { + path = strings.TrimPrefix(r.URL.Path, *gpgUpdateURLPath) + autorefresh = true + gpgUpdate = true + } else { + http.Error(w, "unknown action", http.StatusBadRequest) + return } parts := strings.Split(strings.TrimSuffix(path, "/"), "/") if len(parts) > 2 { @@ -357,13 +489,15 @@ func handler(w http.ResponseWriter, r *http.Request) { if parts[0] == "" { listRoot(w, r) } else { - listDir(w, r, parts[0], autorefresh) + listDir(w, r, parts[0], autorefresh, gpgUpdate) } } else { servePkg(w, r, parts[0], parts[1]) } - } else if r.Method == "POST" { + case "POST": serveUpload(w, r) + default: + http.Error(w, "unknown action", http.StatusBadRequest) } } @@ -427,15 +561,58 @@ func main() { } return } - for _, credentials := range strings.Split(*auth, ",") { - splitted := strings.Split(credentials, ":") - if len(splitted) != 2 { - log.Fatal("Wrong auth format") - } - passwords[splitted[0]] = splitted[1] + if *passwdCheck { + refreshPasswd() + return } + if (*tlsCert != "" && *tlsKey == "") || (*tlsCert == "" && *tlsKey != "") { + log.Fatalln("Both -tls-cert and -tls-key are required") + } + refreshPasswd() log.Println("root:", *root, "bind:", *bind) - http.HandleFunc(*simpleURLPath, handler) + + ln, err := net.Listen("tcp", *bind) + if err != nil { + log.Fatal(err) + } + ln = netutil.LimitListener(ln, *maxClients) + server := &http.Server{ + ReadTimeout: time.Minute, + WriteTimeout: time.Minute, + } + http.HandleFunc(*norefreshURLPath, handler) http.HandleFunc(*refreshURLPath, handler) - log.Fatal(http.ListenAndServe(*bind, nil)) + http.HandleFunc(*gpgUpdateURLPath, handler) + + needsRefreshPasswd := make(chan os.Signal, 0) + needsShutdown := make(chan os.Signal, 0) + exitErr := make(chan error, 0) + signal.Notify(needsRefreshPasswd, syscall.SIGHUP) + signal.Notify(needsShutdown, syscall.SIGTERM, syscall.SIGINT) + go func() { + for range needsRefreshPasswd { + log.Println("Refreshing passwords") + refreshPasswd() + } + }() + go func(s *http.Server) { + <-needsShutdown + killed = true + log.Println("Shutting down") + ctx, cancel := context.WithTimeout(context.TODO(), time.Minute) + exitErr <- s.Shutdown(ctx) + cancel() + }(server) + + if *tlsCert == "" { + err = server.Serve(ln) + } else { + err = server.ServeTLS(ln, *tlsCert, *tlsKey) + } + if err != http.ErrServerClosed { + log.Fatal(err) + } + if err := <-exitErr; err != nil { + log.Fatal(err) + } }