X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=upload.go;h=5ab1048c3cefd07b675493983d5d70c802bec80a;hp=aec2008849f534241ad7ce3850627663cb265973;hb=HEAD;hpb=a138af795fb0ad0cece96ab5ded469f097397665

diff --git a/upload.go b/upload.go
index aec2008..7e5ed2a 100644
--- a/upload.go
+++ b/upload.go
@@ -1,20 +1,18 @@
-/*
-GoCheese -- Python private package repository and caching proxy
-Copyright (C) 2019-2022 Sergey Matveev <stargrave@stargrave.org>
-              2019-2022 Elena Balakhonova <balakhonova_e@riseup.net>
-
-This program is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, version 3 of the License.
-
-This program is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-GNU General Public License for more details.
-
-You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
+// GoCheese -- Python private package repository and caching proxy
+// Copyright (C) 2019-2024 Sergey Matveev <stargrave@stargrave.org>
+//               2019-2024 Elena Balakhonova <balakhonova_e@riseup.net>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, version 3 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 package main
 
@@ -24,7 +22,6 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"io"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -39,19 +36,15 @@ import (
 var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")
 
 func serveUpload(w http.ResponseWriter, r *http.Request) {
-	// Authentication
-	username, password, ok := r.BasicAuth()
-	if !ok {
-		log.Println(r.RemoteAddr, "unauthenticated", username)
-		http.Error(w, "unauthenticated", http.StatusUnauthorized)
+	user := r.Context().Value(CtxUserKey).(*User)
+	if user == nil {
+		log.Println(r.RemoteAddr, "unauthorised")
+		http.Error(w, "unauthorised", http.StatusUnauthorized)
 		return
 	}
-	PasswordsM.RLock()
-	auther, ok := Passwords[username]
-	PasswordsM.RUnlock()
-	if !ok || !auther.Auth(password) {
-		log.Println(r.RemoteAddr, "unauthenticated", username)
-		http.Error(w, "unauthenticated", http.StatusUnauthorized)
+	if user.ro {
+		log.Println(r.RemoteAddr, "ro user", user.name)
+		http.Error(w, "unauthorised", http.StatusUnauthorized)
 		return
 	}
 
@@ -68,7 +61,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 	}
 	pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
 	dirPath := filepath.Join(Root, pkgName)
-	gpgSigsExpected := make(map[string]struct{})
 	now := time.Now().UTC()
 
 	var digestSHA256Expected []byte
@@ -97,8 +89,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 
 	for _, file := range r.MultipartForm.File["content"] {
 		filename := file.Filename
-		gpgSigsExpected[filename+GPGSigExt] = struct{}{}
-		log.Println(r.RemoteAddr, "put", filename, "by", username)
+		log.Println(r.RemoteAddr, "put", filename, "by", user.name)
 		path := filepath.Join(dirPath, filename)
 		if _, err = os.Stat(path); err == nil {
 			log.Println(r.RemoteAddr, filename, "already exists")
@@ -109,12 +100,12 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		src, err := file.Open()
-		defer src.Close()
 		if err != nil {
 			log.Println("error", r.RemoteAddr, filename, err)
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer src.Close()
 		dst, err := TempFile(dirPath)
 		if err != nil {
 			log.Println("error", r.RemoteAddr, filename, err)
@@ -153,7 +144,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 		digestSHA256 := hasherSHA256.Sum(nil)
 		digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
 		if digestSHA256Expected != nil {
-			if bytes.Compare(digestSHA256Expected, digestSHA256) == 0 {
+			if bytes.Equal(digestSHA256Expected, digestSHA256) {
 				log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
 			} else {
 				log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
@@ -163,11 +154,11 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 			}
 		}
 		if digestBLAKE2b256Expected != nil {
-			if bytes.Compare(digestBLAKE2b256Expected, digestBLAKE2b256) == 0 {
+			if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
 				log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
 			} else {
 				log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
-				http.Error(w, "bad blake2_256 checksum", http.StatusBadRequest)
+				http.Error(w, "bad blake2b_256 checksum", http.StatusBadRequest)
 				os.Remove(dst.Name())
 				return
 			}
@@ -194,40 +185,6 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	for _, file := range r.MultipartForm.File["gpg_signature"] {
-		filename := file.Filename
-		if _, exists := gpgSigsExpected[filename]; !exists {
-			log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
-			http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
-			return
-		}
-		delete(gpgSigsExpected, filename)
-		log.Println(r.RemoteAddr, "put", filename, "by", username)
-		path := filepath.Join(dirPath, filename)
-		if _, err = os.Stat(path); err == nil {
-			log.Println(r.RemoteAddr, filename, "already exists")
-			http.Error(w, "already exists", http.StatusBadRequest)
-			return
-		}
-		src, err := file.Open()
-		if err != nil {
-			log.Println("error", r.RemoteAddr, filename, err)
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-		sig, err := ioutil.ReadAll(src)
-		src.Close()
-		if err != nil {
-			log.Println("error", r.RemoteAddr, filename, err)
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-		if err = WriteFileSync(dirPath, path, sig, now); err != nil {
-			log.Println("error", r.RemoteAddr, path, err)
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-	}
 
 	var buf bytes.Buffer
 	wr := recfile.NewWriter(&buf)
@@ -245,7 +202,7 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
 					})
 				}
 				if err != nil {
-					log.Fatalln(err)
+					log.Fatal(err)
 				}
 			}
 		}