rushlink/handlers/handlers.go

package handlers

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
	"time"
	"unicode"

	"github.com/gorilla/mux"
	"github.com/pkg/errors"
	bolt "go.etcd.io/bbolt"

	"gitea.hashru.nl/dsprenkels/rushlink/db"
	"gitea.hashru.nl/dsprenkels/rushlink/gobmarsh"
)

type PasteType int
type PasteState int

type StoredPaste struct {
	Type        PasteType
	State       PasteState
	Content     []byte
	Key         string
	OwnerToken  [16]byte
	TimeCreated time.Time
}

const (
	TypePaste PasteType = iota
	TypeRedirect
)

const (
	StatePresent PasteState = iota
	StateDeleted
)

const CookieOwnerToken = "owner_token"

// These keys are designated reserved, and will not be randomly chosen
var ReservedPasteKeys = []string{"xd42", "example"}

// Base64 encoding and decoding
var base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
var base64Encoder = base64.RawURLEncoding.WithPadding(base64.NoPadding)

func (t PasteType) String() string {
	switch t {
	case TypePaste:
		return "paste"
	case TypeRedirect:
		return "redirect"
	default:
		return "invalid"
	}
}

func (t PasteState) String() string {
	switch t {
	case StatePresent:
		return "present"
	case StateDeleted:
		return "deleted"
	default:
		return "invalid"
	}
}

func indexGetHandler(w http.ResponseWriter, r *http.Request) {
	render(w, r, "index", nil)
}

func indexPostHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseMultipartForm(50 * 1000 * 1000); err != nil {
		log.Printf("error: %v\n", err)
		renderInternalServerError(w, r, err)
		return
	}

	// Determine what kind of post this is, currently only `shorten=...`
	if len(r.PostForm) == 0 {
		renderError(w, r, http.StatusBadRequest, "empty body in POST request\n")
		return
	}
	shorten_values, prs := r.PostForm["shorten"]
	if !prs {
		renderError(w, r, http.StatusBadRequest, "no 'shorten' param given\n")
		return
	}
	if len(shorten_values) != 1 {
		renderError(w, r, http.StatusBadRequest, "only one 'shorten' param is allowed per request\n")
		return
	}

	shortenPostHandler(w, r)
}

func pasteGetHandler(w http.ResponseWriter, r *http.Request) {
	pasteGetHandlerInner(w, r, false, false)
}

func pasteGetHandlerNoRedirect(w http.ResponseWriter, r *http.Request) {
	pasteGetHandlerInner(w, r, true, false)
}

func pasteGetHandlerMeta(w http.ResponseWriter, r *http.Request) {
	pasteGetHandlerInner(w, r, false, true)
}

func pasteGetHandlerInner(w http.ResponseWriter, r *http.Request, noRedirect, showMeta bool) {
	vars := mux.Vars(r)
	key := vars["key"]
	var storedPaste *StoredPaste
	if err := db.DB.View(func(tx *bolt.Tx) error {
		var err error
		storedPaste, err = getURL(tx, []byte(key))
		return err
	}); err != nil {
		log.Printf("error: %v\n", err)
		renderInternalServerError(w, r, err)
		return
	}
	if storedPaste == nil {
		renderError(w, r, http.StatusNotFound, "url key not found in the database")
		return
	}

	if showMeta {
		isOwner := false
		ownerToken, ok := getOwnerTokenFromRequest(r)
		if ok && subtle.ConstantTimeCompare(ownerToken[:], storedPaste.OwnerToken[:]) == 1 {
			isOwner = true
		}

		data := map[string]interface{}{
			"Paste":   storedPaste,
			"IsOwner": isOwner,
		}
		render(w, r, "pasteMeta", data)
		return
	}

	switch storedPaste.State {
	case StatePresent:
		if !noRedirect {
			rawurl := string(storedPaste.Content)
			urlParse, err := url.Parse(rawurl)
			if err != nil {
				log.Printf("error: invalid URL ('%v') in database for key '%v': %v\n", rawurl, storedPaste.Key, err)
				renderInternalServerError(w, r, "invalid url in database")
				return
			}
			http.Redirect(w, r, urlParse.String(), http.StatusSeeOther)
		}
		w.Write(storedPaste.Content)
	case StateDeleted:
		renderError(w, r, http.StatusGone, "key has been deleted")
	default:
		log.Printf("error: invalid storedPaste.State (%v) for key '%v'\n", storedPaste.State, storedPaste.Key)
		msg := fmt.Sprintf("internal server error: invalid storedPaste.State (%v\n)", storedPaste.State)
		renderInternalServerError(w, r, msg)
	}
}

func shortenPostHandler(w http.ResponseWriter, r *http.Request) {
	rawurl := r.PostForm.Get("shorten")
	userURL, err := url.ParseRequestURI(rawurl)
	if err != nil {
		msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl)
		renderError(w, r, http.StatusBadRequest, msg)
		return
	}
	if userURL.Scheme == "" {
		renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)")
		return
	}
	if userURL.Host == "" {
		renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)")
		return
	}

	var storedPaste *StoredPaste
	if err := db.DB.Update(func(tx *bolt.Tx) error {
		ownerKey, ok := getOwnerTokenFromRequest(r)
		if ok == false {
			// Owner key not supplied or invalid, generate a new one
			ownerKey, err = generateOwnerToken()
			if err != nil {
				return errors.Wrap(err, "generating OwnerToken")
			}
		}

		sp, err := shortenURL(tx, userURL, ownerKey)
		storedPaste = sp
		return err
	}); err != nil {
		log.Printf("error: %v\n", err)
		renderInternalServerError(w, r, err)
		return
	}

	saveURL, err := r.URL.Parse(string(storedPaste.Key))
	if err != nil {
		err = errors.Wrap(err, "parsing url")
		log.Printf("error: %v\n", err)
		renderInternalServerError(w, r, err)
		return
	}
	var base64OwnerToken = make([]byte, 24)
	base64Encoder.Encode(base64OwnerToken, storedPaste.OwnerToken[:])

	// TODO(dsprenkels) Put this into a template
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "URL saved at %v\n", saveURL)
	isNotPrint := func(r rune) bool { return !unicode.IsPrint(r) }
	fmt.Fprintf(w, "Owner key is %s\n", strings.TrimRightFunc(string(base64OwnerToken), isNotPrint))
}

// Retrieve a URL from the database
func getURL(tx *bolt.Tx, key []byte) (*StoredPaste, error) {
	shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
	if shortenBucket == nil {
		return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
	}
	storedBytes := shortenBucket.Get(key)
	if storedBytes == nil {
		return nil, nil
	}
	storedPaste := &StoredPaste{}
	err := gobmarsh.Unmarshal(storedBytes, storedPaste)
	return storedPaste, err
}

// Add a new URL to the database
//
// Returns the new ID if the url was successfully shortened
func shortenURL(tx *bolt.Tx, userURL *url.URL, ownerKey [16]byte) (*StoredPaste, error) {
	shortenBucket := tx.Bucket([]byte(db.BUCKET_PASTES))
	if shortenBucket == nil {
		return nil, fmt.Errorf("bucket %v does not exist", db.BUCKET_PASTES)
	}

	// Generate a key until it is not in the database, this occurs in O(log N),
	// where N is the amount of keys stored in the url-shorten database.
	epoch := 0
	var urlKey string
	for {
		var err error
		urlKey, err = generateURLKey(epoch)
		if err != nil {
			return nil, errors.Wrap(err, "url-key generation failed")
		}

		found := shortenBucket.Get([]byte(urlKey))
		if found == nil {
			break
		}

		isReserved := false
		for _, reservedKey := range ReservedPasteKeys {
			if strings.HasPrefix(urlKey, reservedKey) {
				isReserved = true
				break
			}
		}
		if !isReserved {
			break
		}

		epoch++
	}

	// Store the new key
	storedPaste := StoredPaste{
		Type:        TypeRedirect,
		State:       StatePresent,
		Content:     []byte(userURL.String()),
		Key:         urlKey,
		OwnerToken:  ownerKey,
		TimeCreated: time.Now().UTC(),
	}
	storedBytes, err := gobmarsh.Marshal(storedPaste)
	if err != nil {
		return nil, errors.Wrap(err, "encoding for database failed")
	}
	if err := shortenBucket.Put([]byte(urlKey), storedBytes); err != nil {
		return nil, errors.Wrap(err, "database transaction failed")
	}
	return &storedPaste, nil
}

func generateURLKey(epoch int) (string, error) {
	urlKey := make([]byte, 4+epoch)
	_, err := rand.Read(urlKey)
	if err != nil {
		return "", err
	}
	// Put all the values in the range 0..64 for easier base64-encoding
	for i := 0; i < len(urlKey); i++ {
		urlKey[i] &= 0x3F
	}
	// Implement truncate-resistance by forcing the prefix to
	//     0b111110xxxxxxxxxx
	//       ^----- {epoch} ones followed by a single 0
	//
	// Example when epoch is 1: prefix is 0b10.
	i := 0
	for i < epoch {
		// Set this bit to 1
		limb := i / 6
		bit := i % 6
		urlKey[limb] |= 1 << uint(5-bit)
		i++
	}
	// Finally set the next bit to 0
	limb := i / 6
	bit := i % 6
	urlKey[limb] &= ^(1 << uint(5-bit))

	// Convert this ID to a canonical base64 notation
	for i := range urlKey {
		urlKey[i] = base64Alphabet[urlKey[i]]
	}
	return string(urlKey), nil
}

func generateOwnerToken() ([16]byte, error) {
	var ownerKey [16]byte
	_, err := rand.Read(ownerKey[:])
	if err != nil {
		return ownerKey, err
	}
	return ownerKey, nil
}

func getOwnerTokenFromRequest(r *http.Request) ([16]byte, bool) {
	var ownerKey [16]byte
	ownerKeyCookie, err := r.Cookie(CookieOwnerToken)
	if err != nil && err != http.ErrNoCookie {
		return ownerKey, false
	}
	if ownerKeyCookie != nil {
		n, err := base64Encoder.Strict().Decode(ownerKey[:], []byte(ownerKeyCookie.Value))
		if err == nil || n == 16 {
			return ownerKey, true
		}
	}
	return ownerKey, false
}