2 GoCheese -- Python private package repository and caching proxy
3 Copyright (C) 2019-2023 Sergey Matveev <stargrave@stargrave.org>
4 2019-2023 Elena Balakhonova <balakhonova_e@riseup.net>
6 This program is free software: you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation, version 3 of the License.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
35 "go.cypherpunks.ru/recfile"
38 var NormalizationRe = regexp.MustCompilePOSIX("[-_.]+")
40 func serveUpload(w http.ResponseWriter, r *http.Request) {
42 username, password, ok := r.BasicAuth()
44 log.Println(r.RemoteAddr, "unauthenticated", username)
45 http.Error(w, "unauthenticated", http.StatusUnauthorized)
49 auther, ok := Passwords[username]
51 if !ok || !auther.Auth(password) {
52 log.Println(r.RemoteAddr, "unauthenticated", username)
53 http.Error(w, "unauthenticated", http.StatusUnauthorized)
59 if err = r.ParseMultipartForm(1 << 20); err != nil {
60 http.Error(w, err.Error(), http.StatusBadRequest)
63 pkgNames, exists := r.MultipartForm.Value["name"]
64 if !exists || len(pkgNames) != 1 {
65 http.Error(w, "single name is expected in request", http.StatusBadRequest)
68 pkgName := strings.ToLower(NormalizationRe.ReplaceAllString(pkgNames[0], "-"))
69 dirPath := filepath.Join(Root, pkgName)
70 gpgSigsExpected := make(map[string]struct{})
71 now := time.Now().UTC()
73 var digestSHA256Expected []byte
74 if digestSHA256ExpectedHex, exists := r.MultipartForm.Value["sha256_digest"]; exists {
75 digestSHA256Expected, err = hex.DecodeString(digestSHA256ExpectedHex[0])
77 http.Error(w, "bad sha256_digest: "+err.Error(), http.StatusBadRequest)
81 var digestBLAKE2b256Expected []byte
82 if digestBLAKE2b256ExpectedHex, exists := r.MultipartForm.Value["blake2_256_digest"]; exists {
83 digestBLAKE2b256Expected, err = hex.DecodeString(digestBLAKE2b256ExpectedHex[0])
85 http.Error(w, "bad blake2_256_digest: "+err.Error(), http.StatusBadRequest)
90 // Checking is it internal package
91 if _, err = os.Stat(filepath.Join(dirPath, InternalFlag)); err != nil {
92 log.Println(r.RemoteAddr, "non-internal package", pkgName)
93 http.Error(w, "unknown internal package", http.StatusUnauthorized)
97 for _, file := range r.MultipartForm.File["content"] {
98 filename := file.Filename
99 gpgSigsExpected[filename+GPGSigExt] = struct{}{}
100 log.Println(r.RemoteAddr, "put", filename, "by", username)
101 path := filepath.Join(dirPath, filename)
102 if _, err = os.Stat(path); err == nil {
103 log.Println(r.RemoteAddr, filename, "already exists")
104 http.Error(w, "already exists", http.StatusBadRequest)
107 if !mkdirForPkg(w, r, pkgName) {
110 src, err := file.Open()
112 log.Println("error", r.RemoteAddr, filename, err)
113 http.Error(w, err.Error(), http.StatusInternalServerError)
117 dst, err := TempFile(dirPath)
119 log.Println("error", r.RemoteAddr, filename, err)
120 http.Error(w, err.Error(), http.StatusInternalServerError)
123 dstBuf := bufio.NewWriter(dst)
124 hasherSHA256 := sha256.New()
125 hasherBLAKE2b256 := blake2b256New()
126 wr := io.MultiWriter(hasherSHA256, hasherBLAKE2b256, dst)
127 if _, err = io.Copy(wr, src); err != nil {
128 log.Println("error", r.RemoteAddr, filename, err)
129 os.Remove(dst.Name())
131 http.Error(w, err.Error(), http.StatusInternalServerError)
134 if err = dstBuf.Flush(); err != nil {
135 log.Println("error", r.RemoteAddr, filename, err)
136 os.Remove(dst.Name())
138 http.Error(w, err.Error(), http.StatusInternalServerError)
142 if err = dst.Sync(); err != nil {
143 log.Println("error", r.RemoteAddr, filename, err)
144 os.Remove(dst.Name())
146 http.Error(w, err.Error(), http.StatusInternalServerError)
152 digestSHA256 := hasherSHA256.Sum(nil)
153 digestBLAKE2b256 := hasherBLAKE2b256.Sum(nil)
154 if digestSHA256Expected != nil {
155 if bytes.Equal(digestSHA256Expected, digestSHA256) {
156 log.Println(r.RemoteAddr, filename, "good SHA256 checksum received")
158 log.Println(r.RemoteAddr, filename, "bad SHA256 checksum received")
159 http.Error(w, "bad sha256 checksum", http.StatusBadRequest)
160 os.Remove(dst.Name())
164 if digestBLAKE2b256Expected != nil {
165 if bytes.Equal(digestBLAKE2b256Expected, digestBLAKE2b256) {
166 log.Println(r.RemoteAddr, filename, "good BLAKE2b-256 checksum received")
168 log.Println(r.RemoteAddr, filename, "bad BLAKE2b-256 checksum received")
169 http.Error(w, "bad blake2_256 checksum", http.StatusBadRequest)
170 os.Remove(dst.Name())
175 if err = os.Rename(dst.Name(), path); err != nil {
176 log.Println("error", r.RemoteAddr, path, err)
177 http.Error(w, err.Error(), http.StatusInternalServerError)
180 if err = DirSync(dirPath); err != nil {
181 log.Println("error", r.RemoteAddr, dirPath, err)
182 http.Error(w, err.Error(), http.StatusInternalServerError)
185 if err = WriteFileSync(dirPath, path+"."+HashAlgoSHA256, digestSHA256, now); err != nil {
186 log.Println("error", r.RemoteAddr, path+"."+HashAlgoSHA256, err)
187 http.Error(w, err.Error(), http.StatusInternalServerError)
190 if err = WriteFileSync(dirPath, path+"."+HashAlgoBLAKE2b256, digestBLAKE2b256, now); err != nil {
191 log.Println("error", r.RemoteAddr, path+"."+HashAlgoBLAKE2b256, err)
192 http.Error(w, err.Error(), http.StatusInternalServerError)
196 for _, file := range r.MultipartForm.File["gpg_signature"] {
197 filename := file.Filename
198 if _, exists := gpgSigsExpected[filename]; !exists {
199 log.Println(r.RemoteAddr, filename, "unexpected GPG signature filename")
200 http.Error(w, "unexpected GPG signature filename", http.StatusBadRequest)
203 delete(gpgSigsExpected, filename)
204 log.Println(r.RemoteAddr, "put", filename, "by", username)
205 path := filepath.Join(dirPath, filename)
206 if _, err = os.Stat(path); err == nil {
207 log.Println(r.RemoteAddr, filename, "already exists")
208 http.Error(w, "already exists", http.StatusBadRequest)
211 src, err := file.Open()
213 log.Println("error", r.RemoteAddr, filename, err)
214 http.Error(w, err.Error(), http.StatusInternalServerError)
217 sig, err := io.ReadAll(src)
220 log.Println("error", r.RemoteAddr, filename, err)
221 http.Error(w, err.Error(), http.StatusInternalServerError)
224 if err = WriteFileSync(dirPath, path, sig, now); err != nil {
225 log.Println("error", r.RemoteAddr, path, err)
226 http.Error(w, err.Error(), http.StatusInternalServerError)
232 wr := recfile.NewWriter(&buf)
233 for _, m := range MDFormToRecField {
234 formField, recField := m[0], m[1]
235 if vs, exists := r.MultipartForm.Value[formField]; exists {
236 for _, v := range vs {
237 lines := strings.Split(v, "\n")
239 _, err = wr.WriteFieldMultiline(recField, lines)
241 _, err = wr.WriteFields(recfile.Field{
252 path := filepath.Join(dirPath, MDFile)
253 if err = WriteFileSync(dirPath, path, buf.Bytes(), now); err != nil {
254 log.Println("error", r.RemoteAddr, path, err)
255 http.Error(w, err.Error(), http.StatusInternalServerError)