Checksumming of uploaded packages

diff --git a/gocheese.go b/gocheese.go
index a11e03f04d0a398efd1c1d24f9437ea0142def0a..cdbb1358d70789ecd211e0097b6c9e5080775a5e 100644 (file)
--- a/gocheese.go
+++ b/gocheese.go
@@ -298,6 +298,14 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                http.Error(w, err.Error(), http.StatusBadRequest)
                return
        }
+       var digestExpected []byte
+       if digestExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
+               digestExpected, err = hex.DecodeString(digestExpectedHex[0])
+               if err != nil {
+                       http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
+                       return
+               }
+       }
        for _, file := range r.MultipartForm.File["content"] {
                filename := file.Filename
                log.Println(r.RemoteAddr, "put", filename, "by", username)
@@ -347,11 +355,22 @@ func serveUpload(w http.ResponseWriter, r *http.Request) {
                        return
                }
                dst.Close()
+               digest := hasher.Sum(nil)
+               if digestExpected != nil {
+                       if bytes.Compare(digestExpected, digest) == 0 {
+                               log.Println(r.RemoteAddr, filename, "good checksum received")
+                       } else {
+                               log.Println(r.RemoteAddr, filename, "bad checksum received")
+                               http.Error(w, "bad checksum", http.StatusBadRequest)
+                               os.Remove(dst.Name())
+                               return
+                       }
+               }
                if err = os.Rename(dst.Name(), path); err != nil {
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }
-               if err = ioutil.WriteFile(path+SHA256Ext, hasher.Sum(nil), os.FileMode(0666)); err != nil {
+               if err = ioutil.WriteFile(path+SHA256Ext, digest, os.FileMode(0666)); err != nil {
                        http.Error(w, err.Error(), http.StatusInternalServerError)
                        return
                }

diff --git a/gocheese.texi b/gocheese.texi
index a1884397257cab203d2361e59de005084e41a6ac..f30743bffda1bc50c2c16332b4bbca7ba9911b5c 100644 (file)
--- a/gocheese.texi
+++ b/gocheese.texi
@@ -24,7 +24,9 @@ but nearly all the code was rewritten. It has huge differences:
 @itemize
 @item proxying and caching of missing packages
 @item atomic packages store on filesystem
-@item SHA256-checksummed packages (both uploaded and proxied one)
+@item SHA256-checksummed packages: storing checksums, giving them back,
+    verifying stored files integrity, verifying checksum of uploaded
+    packaged
 @item graceful HTTP-server shutdown
 @item no YAML configuration, just command-line arguments
 @item no package overwriting ability (as PyPI does)
@@ -69,6 +71,9 @@ twine upload
     --password foo dist/tarball.tar.gz
 @end verbatim
 
+If @command{twine} sends SHA256 checksum in the request, then uploaded
+file is checked against it.
+
 @node Passwords
 @unnumbered Password authentication