package rushlink import ( "crypto/subtle" "fmt" "io" "log" "mime/multipart" "net/http" "net/url" "os" "path/filepath" "time" "gitea.hashru.nl/dsprenkels/rushlink/internal/db" "github.com/google/uuid" "github.com/gorilla/mux" "github.com/pkg/errors" bolt "go.etcd.io/bbolt" ) type viewPaste uint const ( _ viewPaste = 1 << iota viewNoRedirect viewShowMeta ) const cookieDeleteToken = "owner_token" func (rl *rushlink) indexGetHandler(w http.ResponseWriter, r *http.Request) { render(w, r, "index", map[string]interface{}{}) } func (rl *rushlink) uploadFileGetHandler(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) id := vars["id"] var fu *db.FileUpload var badID bool if err := rl.db.Bolt.View(func(tx *bolt.Tx) error { fuID, err := uuid.Parse(id) if err != nil { badID = true return err } fu, err = db.GetFileUpload(tx, fuID) return err }); err != nil { if badID { renderError(w, r, http.StatusNotFound, "malformed file id") return } // unexpected error panic(err) } filePath := fu.Path(rl.fs) file, err := os.Open(filePath) if err != nil { if os.IsNotExist(err) { log.Printf("error: '%v' should exist according to the database, but it doesn't", filePath) renderError(w, r, http.StatusNotFound, "file not found") return } // unexpected error panic(err) } w.Header().Set("Content-Type", fu.ContentType) w.WriteHeader(http.StatusOK) if r.Method == "HEAD" { return } io.Copy(w, file) } func (rl *rushlink) viewPasteHandler(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerInner(w, r, 0) } func (rl *rushlink) viewPasteHandlerNoRedirect(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerInner(w, r, viewNoRedirect) } func (rl *rushlink) viewPasteHandlerMeta(w http.ResponseWriter, r *http.Request) { rl.viewPasteHandlerInner(w, r, viewShowMeta) } func (rl *rushlink) viewPasteHandlerInner(w http.ResponseWriter, r *http.Request, flags viewPaste) { vars := mux.Vars(r) key := vars["key"] var p *db.Paste var fuID *uuid.UUID var fu *db.FileUpload if err := rl.db.Bolt.View(func(tx *bolt.Tx) error { var err error p, err = db.GetPaste(tx, key) if err != nil { return err } if p != nil && p.Type == db.PasteTypeFileUpload { var id uuid.UUID copy(id[:], p.Content) fuID = &id fu, err = db.GetFileUpload(tx, id) if err != nil { return err } } return nil }); err != nil { panic(err) } if p == nil { renderError(w, r, http.StatusNotFound, "url key not found in the database") return } if flags&viewShowMeta != 0 { canDelete := struct { Bool bool String string }{Bool: false} deleteToken := getDeleteTokenFromRequest(r) if deleteToken == "" { canDelete.String = "undefined" } else { if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 1 { canDelete.Bool = true canDelete.String = "correct" } else { canDelete.String = "invalid" } } data := map[string]interface{}{ "Paste": p, "CanDelete": canDelete, } render(w, r, "pasteMeta", data) return } switch p.State { case db.PasteStatePresent: var location string switch p.Type { case db.PasteTypeFileUpload: if fu == nil { panic(fmt.Sprintf("file for id %v does not exist in database\n", fuID)) } location = fu.URL().String() break case db.PasteTypeRedirect: location = p.RedirectURL().String() break default: panic("paste type unsupported") } if flags&viewNoRedirect == 0 { http.Redirect(w, r, location, http.StatusSeeOther) } fmt.Fprint(w, location) case db.PasteStateDeleted: renderError(w, r, http.StatusGone, "paste has been deleted\n") default: panic(errors.Errorf("invalid paste.State (%v) for key '%v'", p.State, p.Key)) } } func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) { file, fileHeader, err := r.FormFile("file") if err == nil { rl.newFileUploadPasteHandler(w, r, file, *fileHeader) return } else if err == http.ErrMissingFile { // Fallthrough } else { msg := fmt.Sprintf("could not parse form: %v\n", err) renderError(w, r, http.StatusBadRequest, msg) return } shorten := r.FormValue("shorten") if shorten != "" { rl.newRedirectPasteHandler(w, r, shorten) return } renderError(w, r, http.StatusBadRequest, "no 'file' and no 'shorten' fields given in form\n") } func (rl *rushlink) newFileUploadPasteHandler(w http.ResponseWriter, r *http.Request, file multipart.File, header multipart.FileHeader) { var fu *db.FileUpload var paste *db.Paste if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error { var err error fu, err = db.NewFileUpload(rl.fs, file, header.Filename) if err != nil { panic(errors.Wrap(err, "creating fileUpload")) } if err := fu.Save(tx); err != nil { panic(errors.Wrap(err, "saving fileUpload in db")) } paste, err = shortenFileUploadID(tx, fu.ID) return err }); err != nil { panic(err) } data := map[string]interface{}{ "Paste": paste, "FileUpload": fu, "FileExt": filepath.Ext(fu.FileName)} render(w, r, "newFileUploadPasteSuccess", data) } func (rl *rushlink) newPasteHandlerURLEncoded(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { if err := r.ParseForm(); err != nil { next(w, r) return } shorten := r.PostFormValue("shorten") if shorten == "" { renderError(w, r, http.StatusBadRequest, "no 'shorten' param given\n") return } rl.newRedirectPasteHandler(w, r, shorten) } func (rl *rushlink) newRedirectPasteHandler(w http.ResponseWriter, r *http.Request, rawurl string) { userURL, err := url.ParseRequestURI(rawurl) if err != nil { msg := fmt.Sprintf("invalid url (%v): %v", err, rawurl) renderError(w, r, http.StatusBadRequest, msg) return } if userURL.Scheme == "" { renderError(w, r, http.StatusBadRequest, "invalid url (unspecified scheme)\n") return } if userURL.Host == "" { renderError(w, r, http.StatusBadRequest, "invalid url (unspecified host)\n") return } var paste *db.Paste if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error { var err error paste, err = shortenURL(tx, userURL) return err }); err != nil { panic(err) } data := map[string]interface{}{"Paste": paste} render(w, r, "newRedirectPasteSuccess", data) } // Delete a URL from the database func (rl *rushlink) deletePasteHandler(w http.ResponseWriter, r *http.Request) { vars := mux.Vars(r) key := vars["key"] deleteToken := getDeleteTokenFromRequest(r) if deleteToken == "" { renderError(w, r, http.StatusBadRequest, "no delete token provided\n") return } var errorCode int var paste db.Paste if err := rl.db.Bolt.Update(func(tx *bolt.Tx) error { p, err := db.GetPaste(tx, key) if err != nil { errorCode = http.StatusNotFound return err } if p.State == db.PasteStateDeleted { errorCode = http.StatusGone return errors.New("already deleted") } if subtle.ConstantTimeCompare([]byte(deleteToken), []byte(p.DeleteToken)) == 0 { errorCode = http.StatusForbidden return errors.New("invalid delete token") } if err := p.Delete(tx, rl.fs); err != nil { errorCode = http.StatusInternalServerError return err } paste = *p return nil }); err != nil { log.Printf("error: %v\n", err) renderError(w, r, errorCode, fmt.Sprintf("error: %v\n", err)) return } data := map[string]interface{}{"Paste": paste} render(w, r, "deletePasteSuccess", data) } // Add a new fileUpload redirect to the database // // Returns the new paste key if the fileUpload was successfully added to the // database func shortenFileUploadID(tx *bolt.Tx, id uuid.UUID) (*db.Paste, error) { return shorten(tx, db.PasteTypeFileUpload, id[:]) } // Add a new URL to the database // // Returns the new paste key if the url was successfully shortened func shortenURL(tx *bolt.Tx, userURL *url.URL) (*db.Paste, error) { return shorten(tx, db.PasteTypeRedirect, []byte(userURL.String())) } // Add a paste (of any kind) to the database with arbitrary content. func shorten(tx *bolt.Tx, ty db.PasteType, content []byte) (*db.Paste, error) { // Generate the paste key pasteKey, err := db.GeneratePasteKey(tx) if err != nil { return nil, errors.Wrap(err, "generating paste key") } // Also generate a deleteToken deleteToken, err := db.GenerateDeleteToken() if err != nil { return nil, errors.Wrap(err, "generating delete token") } // Store the new key p := db.Paste{ Type: ty, State: db.PasteStatePresent, Content: content, Key: pasteKey, DeleteToken: deleteToken, TimeCreated: time.Now().UTC(), } if err := p.Save(tx); err != nil { return nil, err } return &p, nil } func getDeleteTokenFromRequest(r *http.Request) string { return r.URL.Query().Get("deleteToken") }