gitea/routers/api/packages/arch/arch.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package arch

import (
	"bytes"
	"encoding/hex"
	"io"
	"net/http"
	"strings"
	"time"

	"code.gitea.io/gitea/modules/context"
	arch_module "code.gitea.io/gitea/modules/packages/arch"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/routers/api/packages/helper"
	arch_service "code.gitea.io/gitea/services/packages/arch"
)

// Push new package to arch package registry.
func Push(ctx *context.Context) {
	var (
		owner    = ctx.Params("username")
		filename = ctx.Req.Header.Get("filename")
		email    = ctx.Req.Header.Get("email")
		distro   = ctx.Req.Header.Get("distro")
		sendtime = ctx.Req.Header.Get("time")
		pkgsign  = ctx.Req.Header.Get("pkgsign")
		metasign = ctx.Req.Header.Get("metasign")
	)

	// Decoding package signature.
	sigdata, err := hex.DecodeString(pkgsign)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Read package to memory for signature validation.
	pkgdata, err := io.ReadAll(ctx.Req.Body)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}
	defer ctx.Req.Body.Close()

	// Get user and organization owning arch package.
	user, org, err := arch_service.IdentifyOwner(ctx, owner, email)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Decoding time when message was created.
	t, err := time.Parse(time.RFC3339, sendtime)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	if time.Since(t) > time.Hour {
		apiError(ctx, http.StatusUnauthorized, "outdated message")
		return
	}

	// Decoding signature related to metadata.
	msigdata, err := hex.DecodeString(metasign)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Parse metadata contained in arch package archive.
	md, err := arch_module.EjectMetadata(filename, distro, setting.Domain, pkgdata)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Validating metadata signature, to ensure that operation push operation
	// is initiated by original package owner.
	sendmetadata := []byte(owner + md.Name + sendtime)
	err = arch_service.ValidateSignature(ctx, sendmetadata, msigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Validate package signature with any of user's GnuPG keys.
	err = arch_service.ValidateSignature(ctx, pkgdata, sigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Save file related to arch package.
	pkgid, err := arch_service.SaveFile(ctx, &arch_service.SaveFileParams{
		Organization: org,
		User:         user,
		Metadata:     md,
		Filename:     filename,
		Data:         pkgdata,
		Distro:       distro,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Save file related to arch package signature.
	_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{
		Organization: org,
		User:         user,
		Metadata:     md,
		Data:         sigdata,
		Filename:     filename + ".sig",
		Distro:       distro,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Add existing architectures and distros to current metadata.
	err = arch_service.UpdateMetadata(ctx, &arch_service.UpdateMetadataParameters{
		User: user,
		Md:   md,
	})
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Automatically connect repository for provided package if name matched.
	err = arch_service.RepositoryAutoconnect(ctx, owner, md.Name, pkgid)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	ctx.Status(http.StatusOK)
}

// Get file from arch package registry.
func Get(ctx *context.Context) {
	var (
		file   = ctx.Params("file")
		owner  = ctx.Params("username")
		distro = ctx.Params("distro")
		arch   = ctx.Params("arch")
	)

	// Packages are stored in different way from pacman databases, and loaded
	// with LoadPackageFile function.
	if strings.HasSuffix(file, "tar.zst") || strings.HasSuffix(file, "zst.sig") {
		pkgdata, err := arch_service.LoadFile(ctx, distro, file)
		if err != nil {
			apiError(ctx, http.StatusNotFound, err)
			return
		}

		ctx.ServeContent(bytes.NewReader(pkgdata), &context.ServeHeaderOptions{
			Filename:      file,
			CacheDuration: time.Minute * 5,
		})
		return
	}

	// Pacman databases is not stored in gitea's storage, it is created for
	// incoming request and cached.
	if strings.HasSuffix(file, ".db.tar.gz") || strings.HasSuffix(file, ".db") {
		db, err := arch_service.CreatePacmanDb(ctx, owner, arch, distro)
		if err != nil {
			apiError(ctx, http.StatusInternalServerError, err)
			return
		}

		ctx.ServeContent(bytes.NewReader(db), &context.ServeHeaderOptions{
			Filename:      file,
			CacheDuration: time.Minute * 5,
		})
		return
	}

	ctx.Resp.WriteHeader(http.StatusNotFound)
}

// Remove specific package version, related files and pacman database entry.
func Remove(ctx *context.Context) {
	var (
		owner   = ctx.Params("username")
		email   = ctx.Req.Header.Get("email")
		target  = ctx.Req.Header.Get("target")
		stime   = ctx.Req.Header.Get("time")
		version = ctx.Req.Header.Get("version")
	)

	// Parse sent time and check if it is within last minute.
	t, err := time.Parse(time.RFC3339, stime)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	if time.Since(t) > time.Minute {
		apiError(ctx, http.StatusUnauthorized, "outdated message")
		return
	}

	// Get user owning the package.
	user, org, err := arch_service.IdentifyOwner(ctx, owner, email)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Read signature data from request body.
	sigdata, err := io.ReadAll(ctx.Req.Body)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}
	defer ctx.Req.Body.Close()

	// Validate package signature with any of user's GnuPG keys.
	mesdata := []byte(owner + target + stime)
	err = arch_service.ValidateSignature(ctx, mesdata, sigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Remove package files and pacman database entry.
	err = arch_service.RemovePackage(ctx, org.AsUser(), target, version)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	ctx.Resp.WriteHeader(http.StatusOK)
}

func apiError(ctx *context.Context, status int, obj interface{}) {
	helper.LogAndProcessError(ctx, status, obj, func(message string) {
		ctx.PlainText(status, message)
	})
}
added arch packages implementation 2023-06-20 20:08:48 +00:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package arch`

			`import (`
corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`"bytes"`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`"encoding/hex"`
			`"io"`
			`"net/http"`
			`"strings"`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`"time"`
added arch packages implementation 2023-06-20 20:08:48 +00:00
			`"code.gitea.io/gitea/modules/context"`
			`arch_module "code.gitea.io/gitea/modules/packages/arch"`
			`"code.gitea.io/gitea/modules/setting"`
			`"code.gitea.io/gitea/routers/api/packages/helper"`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`arch_service "code.gitea.io/gitea/services/packages/arch"`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`)`

			`// Push new package to arch package registry.`
			`func Push(ctx *context.Context) {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`var (`
moved arch package routes to the same scope with other packages 2023-06-22 06:29:08 +00:00			`owner = ctx.Params("username")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`filename = ctx.Req.Header.Get("filename")`
			`email = ctx.Req.Header.Get("email")`
			`distro = ctx.Req.Header.Get("distro")`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`sendtime = ctx.Req.Header.Get("time")`
			`pkgsign = ctx.Req.Header.Get("pkgsign")`
			`metasign = ctx.Req.Header.Get("metasign")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`)`
added arch packages implementation 2023-06-20 20:08:48 +00:00
			`// Decoding package signature.`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`sigdata, err := hex.DecodeString(pkgsign)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`// Read package to memory for signature validation.`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`pkgdata, err := io.ReadAll(ctx.Req.Body)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
			`defer ctx.Req.Body.Close()`

code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`// Get user and organization owning arch package.`
			`user, org, err := arch_service.IdentifyOwner(ctx, owner, email)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusUnauthorized, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`// Decoding time when message was created.`
			`t, err := time.Parse(time.RFC3339, sendtime)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

			`if time.Since(t) > time.Hour {`
			`apiError(ctx, http.StatusUnauthorized, "outdated message")`
			`return`
			`}`

			`// Decoding signature related to metadata.`
			`msigdata, err := hex.DecodeString(metasign)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

test for package create, get and delete operations 2023-07-04 17:02:32 +00:00			`// Parse metadata contained in arch package archive.`
			`md, err := arch_module.EjectMetadata(filename, distro, setting.Domain, pkgdata)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`// Validating metadata signature, to ensure that operation push operation`
			`// is initiated by original package owner.`
test for package create, get and delete operations 2023-07-04 17:02:32 +00:00			`sendmetadata := []byte(owner + md.Name + sendtime)`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`err = arch_service.ValidateSignature(ctx, sendmetadata, msigdata, user)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`// Validate package signature with any of user's GnuPG keys.`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`err = arch_service.ValidateSignature(ctx, pkgdata, sigdata, user)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusUnauthorized, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

reused existing services/packages functions for package and signature files/blobs creation 2023-06-22 07:33:23 +00:00			`// Save file related to arch package.`
			`pkgid, err := arch_service.SaveFile(ctx, &arch_service.SaveFileParams{`
			`Organization: org,`
			`User: user,`
			`Metadata: md,`
			`Filename: filename,`
			`Data: pkgdata,`
			`Distro: distro,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`apiError(ctx, http.StatusInternalServerError, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

reused existing services/packages functions for package and signature files/blobs creation 2023-06-22 07:33:23 +00:00			`// Save file related to arch package signature.`
			`_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{`
			`Organization: org,`
			`User: user,`
			`Metadata: md,`
			`Data: sigdata,`
			`Filename: filename + ".sig",`
			`Distro: distro,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`apiError(ctx, http.StatusInternalServerError, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

fixed pacman database creation error for case with multiple architectures and distributions 2023-07-09 08:48:46 +00:00			`// Add existing architectures and distros to current metadata.`
			`err = arch_service.UpdateMetadata(ctx, &arch_service.UpdateMetadataParameters{`
			`User: user,`
			`Md: md,`
			`})`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`// Automatically connect repository for provided package if name matched.`
			`err = arch_service.RepositoryAutoconnect(ctx, owner, md.Name, pkgid)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

			`ctx.Status(http.StatusOK)`
			`}`

			`// Get file from arch package registry.`
			`func Get(ctx *context.Context) {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`var (`
			`file = ctx.Params("file")`
corrected package database connection description and documentation reference in UI 2023-06-24 15:08:18 +00:00			`owner = ctx.Params("username")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`distro = ctx.Params("distro")`
			`arch = ctx.Params("arch")`
			`)`
added arch packages implementation 2023-06-20 20:08:48 +00:00
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`// Packages are stored in different way from pacman databases, and loaded`
			`// with LoadPackageFile function.`
			`if strings.HasSuffix(file, "tar.zst") \|\| strings.HasSuffix(file, "zst.sig") {`
corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`pkgdata, err := arch_service.LoadFile(ctx, distro, file)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusNotFound, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`ctx.ServeContent(bytes.NewReader(pkgdata), &context.ServeHeaderOptions{`
			`Filename: file,`
			`CacheDuration: time.Minute * 5,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`// Pacman databases is not stored in gitea's storage, it is created for`
			`// incoming request and cached.`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`if strings.HasSuffix(file, ".db.tar.gz") \|\| strings.HasSuffix(file, ".db") {`
corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`db, err := arch_service.CreatePacmanDb(ctx, owner, arch, distro)`
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00
corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`ctx.ServeContent(bytes.NewReader(db), &context.ServeHeaderOptions{`
			`Filename: file,`
			`CacheDuration: time.Minute * 5,`
			`})`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`return`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`}`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`ctx.Resp.WriteHeader(http.StatusNotFound)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`}`

updated remove function description 2023-06-25 14:45:16 +00:00			`// Remove specific package version, related files and pacman database entry.`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`func Remove(ctx *context.Context) {`
			`var (`
			`owner = ctx.Params("username")`
			`email = ctx.Req.Header.Get("email")`
			`target = ctx.Req.Header.Get("target")`
			`stime = ctx.Req.Header.Get("time")`
			`version = ctx.Req.Header.Get("version")`
			`)`

			`// Parse sent time and check if it is within last minute.`
			`t, err := time.Parse(time.RFC3339, stime)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

			`if time.Since(t) > time.Minute {`
			`apiError(ctx, http.StatusUnauthorized, "outdated message")`
			`return`
			`}`

			`// Get user owning the package.`
			`user, org, err := arch_service.IdentifyOwner(ctx, owner, email)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

			`// Read signature data from request body.`
			`sigdata, err := io.ReadAll(ctx.Req.Body)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
			`defer ctx.Req.Body.Close()`

			`// Validate package signature with any of user's GnuPG keys.`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`mesdata := []byte(owner + target + stime)`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`err = arch_service.ValidateSignature(ctx, mesdata, sigdata, user)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

			`// Remove package files and pacman database entry.`
corrected package blob structure, pacman database is created on get request automatically from package metadata in database 2023-07-02 20:03:34 +00:00			`err = arch_service.RemovePackage(ctx, org.AsUser(), target, version)`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

			`ctx.Resp.WriteHeader(http.StatusOK)`
			`}`

added arch packages implementation 2023-06-20 20:08:48 +00:00			`func apiError(ctx *context.Context, status int, obj interface{}) {`
			`helper.LogAndProcessError(ctx, status, obj, func(message string) {`
			`ctx.PlainText(status, message)`
			`})`
			`}`