gitea/routers/api/packages/arch/arch.go

// Copyright 2023 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package arch

import (
	"encoding/hex"
	"io"
	"net/http"
	"strings"
	"time"

	"code.gitea.io/gitea/modules/context"
	arch_module "code.gitea.io/gitea/modules/packages/arch"
	"code.gitea.io/gitea/modules/setting"
	"code.gitea.io/gitea/routers/api/packages/helper"
	arch_service "code.gitea.io/gitea/services/packages/arch"
)

// Push new package to arch package registry.
func Push(ctx *context.Context) {
	var (
		owner    = ctx.Params("username")
		filename = ctx.Req.Header.Get("filename")
		email    = ctx.Req.Header.Get("email")
		distro   = ctx.Req.Header.Get("distro")
		sendtime = ctx.Req.Header.Get("time")
		pkgsign  = ctx.Req.Header.Get("pkgsign")
		metasign = ctx.Req.Header.Get("metasign")
	)

	// Decoding package signature.
	sigdata, err := hex.DecodeString(pkgsign)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Read package to memory for signature validation.
	pkgdata, err := io.ReadAll(ctx.Req.Body)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}
	defer ctx.Req.Body.Close()

	// Get user and organization owning arch package.
	user, org, err := arch_service.IdentifyOwner(ctx, owner, email)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Decoding time when message was created.
	t, err := time.Parse(time.RFC3339, sendtime)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	if time.Since(t) > time.Hour {
		apiError(ctx, http.StatusUnauthorized, "outdated message")
		return
	}

	// Decoding signature related to metadata.
	msigdata, err := hex.DecodeString(metasign)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Validating metadata signature, to ensure that operation push operation
	// is initiated by original package owner.
	sendmetadata := []byte(owner + filename + sendtime)
	err = arch_service.ValidateSignature(ctx, sendmetadata, msigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Validate package signature with any of user's GnuPG keys.
	err = arch_service.ValidateSignature(ctx, pkgdata, sigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Parse metadata contained in arch package archive.
	md, err := arch_module.EjectMetadata(filename, setting.Domain, pkgdata)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	// Save file related to arch package.
	pkgid, err := arch_service.SaveFile(ctx, &arch_service.SaveFileParams{
		Organization: org,
		User:         user,
		Metadata:     md,
		Filename:     filename,
		Data:         pkgdata,
		Distro:       distro,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Save file related to arch package signature.
	_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{
		Organization: org,
		User:         user,
		Metadata:     md,
		Data:         sigdata,
		Filename:     filename + ".sig",
		Distro:       distro,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Save file related to arch package description.
	_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{
		Organization: org,
		User:         user,
		Metadata:     md,
		Data:         []byte(md.GetDbDesc()),
		Filename:     filename + ".desc",
		Distro:       distro,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Automatically connect repository for provided package if name matched.
	err = arch_service.RepositoryAutoconnect(ctx, owner, md.Name, pkgid)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	ctx.Status(http.StatusOK)
}

// Get file from arch package registry.
func Get(ctx *context.Context) {
	var (
		file   = ctx.Params("file")
		owner  = ctx.Params("username")
		distro = ctx.Params("distro")
		arch   = ctx.Params("arch")
	)

	// Packages are stored in different way from pacman databases, and loaded
	// with LoadPackageFile function.
	if strings.HasSuffix(file, "tar.zst") || strings.HasSuffix(file, "zst.sig") {
		pkgdata, err := arch_service.LoadPackageFile(ctx, distro, file)
		if err != nil {
			apiError(ctx, http.StatusNotFound, err)
			return
		}

		_, err = ctx.Resp.Write(pkgdata)
		if err != nil {
			apiError(ctx, http.StatusInternalServerError, err)
			return
		}

		ctx.Resp.WriteHeader(http.StatusOK)
		return
	}

	// Pacman databases are stored directly in gitea file storage and could be
	// loaded with name as a key.
	if strings.HasSuffix(file, ".db.tar.gz") || strings.HasSuffix(file, ".db") {
		data, err := arch_service.LoadPacmanDatabase(ctx, owner, distro, arch, file)
		if err != nil {
			apiError(ctx, http.StatusNotFound, err)
			return
		}

		_, err = ctx.Resp.Write(data)
		if err != nil {
			apiError(ctx, http.StatusInternalServerError, err)
			return
		}

		ctx.Resp.WriteHeader(http.StatusOK)
		return
	}

	ctx.Resp.WriteHeader(http.StatusNotFound)
}

// Remove specific package version, related files and pacman database entry.
func Remove(ctx *context.Context) {
	var (
		owner   = ctx.Params("username")
		email   = ctx.Req.Header.Get("email")
		distro  = ctx.Req.Header.Get("distro")
		target  = ctx.Req.Header.Get("target")
		stime   = ctx.Req.Header.Get("time")
		version = ctx.Req.Header.Get("version")
		arch    = strings.Split(ctx.Req.Header.Get("arch"), " ")
	)

	// Parse sent time and check if it is within last minute.
	t, err := time.Parse(time.RFC3339, stime)
	if err != nil {
		apiError(ctx, http.StatusBadRequest, err)
		return
	}

	if time.Since(t) > time.Minute {
		apiError(ctx, http.StatusUnauthorized, "outdated message")
		return
	}

	// Get user owning the package.
	user, org, err := arch_service.IdentifyOwner(ctx, owner, email)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Read signature data from request body.
	sigdata, err := io.ReadAll(ctx.Req.Body)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}
	defer ctx.Req.Body.Close()

	// Validate package signature with any of user's GnuPG keys.
	mesdata := []byte(owner + target + stime)
	err = arch_service.ValidateSignature(ctx, mesdata, sigdata, user)
	if err != nil {
		apiError(ctx, http.StatusUnauthorized, err)
		return
	}

	// Remove pacman database entries related to package.
	err = arch_service.RemoveDbEntry(ctx, arch, owner, distro, target, version)
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	// Remove package files and pacman database entry.
	err = arch_service.RemovePackage(ctx, &arch_service.RemoveParameters{
		User:         user,
		Organization: org,
		Owner:        owner,
		Name:         target,
		Version:      version,
	})
	if err != nil {
		apiError(ctx, http.StatusInternalServerError, err)
		return
	}

	ctx.Resp.WriteHeader(http.StatusOK)
}

func apiError(ctx *context.Context, status int, obj interface{}) {
	helper.LogAndProcessError(ctx, status, obj, func(message string) {
		ctx.PlainText(status, message)
	})
}
added arch packages implementation 2023-06-20 20:08:48 +00:00			`// Copyright 2023 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package arch`

			`import (`
			`"encoding/hex"`
			`"io"`
			`"net/http"`
			`"strings"`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`"time"`
added arch packages implementation 2023-06-20 20:08:48 +00:00
			`"code.gitea.io/gitea/modules/context"`
			`arch_module "code.gitea.io/gitea/modules/packages/arch"`
			`"code.gitea.io/gitea/modules/setting"`
			`"code.gitea.io/gitea/routers/api/packages/helper"`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`arch_service "code.gitea.io/gitea/services/packages/arch"`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`)`

			`// Push new package to arch package registry.`
			`func Push(ctx *context.Context) {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`var (`
moved arch package routes to the same scope with other packages 2023-06-22 06:29:08 +00:00			`owner = ctx.Params("username")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`filename = ctx.Req.Header.Get("filename")`
			`email = ctx.Req.Header.Get("email")`
			`distro = ctx.Req.Header.Get("distro")`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`sendtime = ctx.Req.Header.Get("time")`
			`pkgsign = ctx.Req.Header.Get("pkgsign")`
			`metasign = ctx.Req.Header.Get("metasign")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`)`
added arch packages implementation 2023-06-20 20:08:48 +00:00
			`// Decoding package signature.`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`sigdata, err := hex.DecodeString(pkgsign)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`// Read package to memory for signature validation.`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`pkgdata, err := io.ReadAll(ctx.Req.Body)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
			`defer ctx.Req.Body.Close()`

code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`// Get user and organization owning arch package.`
			`user, org, err := arch_service.IdentifyOwner(ctx, owner, email)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusUnauthorized, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`// Decoding time when message was created.`
			`t, err := time.Parse(time.RFC3339, sendtime)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

			`if time.Since(t) > time.Hour {`
			`apiError(ctx, http.StatusUnauthorized, "outdated message")`
			`return`
			`}`

			`// Decoding signature related to metadata.`
			`msigdata, err := hex.DecodeString(metasign)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

			`// Validating metadata signature, to ensure that operation push operation`
			`// is initiated by original package owner.`
			`sendmetadata := []byte(owner + filename + sendtime)`
			`err = arch_service.ValidateSignature(ctx, sendmetadata, msigdata, user)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`// Validate package signature with any of user's GnuPG keys.`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`err = arch_service.ValidateSignature(ctx, pkgdata, sigdata, user)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusUnauthorized, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

			`// Parse metadata contained in arch package archive.`
			`md, err := arch_module.EjectMetadata(filename, setting.Domain, pkgdata)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

reused existing services/packages functions for package and signature files/blobs creation 2023-06-22 07:33:23 +00:00			`// Save file related to arch package.`
			`pkgid, err := arch_service.SaveFile(ctx, &arch_service.SaveFileParams{`
			`Organization: org,`
			`User: user,`
			`Metadata: md,`
			`Filename: filename,`
			`Data: pkgdata,`
			`Distro: distro,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`apiError(ctx, http.StatusInternalServerError, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

reused existing services/packages functions for package and signature files/blobs creation 2023-06-22 07:33:23 +00:00			`// Save file related to arch package signature.`
			`_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{`
			`Organization: org,`
			`User: user,`
			`Metadata: md,`
			`Data: sigdata,`
			`Filename: filename + ".sig",`
			`Distro: distro,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`apiError(ctx, http.StatusInternalServerError, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`// Save file related to arch package description.`
			`_, err = arch_service.SaveFile(ctx, &arch_service.SaveFileParams{`
			`Organization: org,`
			`User: user,`
			`Metadata: md,`
			`Data: []byte(md.GetDbDesc()),`
			`Filename: filename + ".desc",`
			`Distro: distro,`
			`})`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

db desc file for pacman database is saved in the same space with package 2023-07-01 14:13:21 +00:00			`// Automatically connect repository for provided package if name matched.`
			`err = arch_service.RepositoryAutoconnect(ctx, owner, md.Name, pkgid)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

			`ctx.Status(http.StatusOK)`
			`}`

			`// Get file from arch package registry.`
			`func Get(ctx *context.Context) {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`var (`
			`file = ctx.Params("file")`
corrected package database connection description and documentation reference in UI 2023-06-24 15:08:18 +00:00			`owner = ctx.Params("username")`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`distro = ctx.Params("distro")`
			`arch = ctx.Params("arch")`
			`)`
added arch packages implementation 2023-06-20 20:08:48 +00:00
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`// Packages are stored in different way from pacman databases, and loaded`
			`// with LoadPackageFile function.`
			`if strings.HasSuffix(file, "tar.zst") \|\| strings.HasSuffix(file, "zst.sig") {`
			`pkgdata, err := arch_service.LoadPackageFile(ctx, distro, file)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusNotFound, err)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`return`
			`}`

code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`_, err = ctx.Resp.Write(pkgdata)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

			`ctx.Resp.WriteHeader(http.StatusOK)`
			`return`
			`}`

code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`// Pacman databases are stored directly in gitea file storage and could be`
			`// loaded with name as a key.`
			`if strings.HasSuffix(file, ".db.tar.gz") \|\| strings.HasSuffix(file, ".db") {`
			`data, err := arch_service.LoadPacmanDatabase(ctx, owner, distro, arch, file)`
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`if err != nil {`
code refactoring and package version publisher id correction 2023-06-21 20:30:07 +00:00			`apiError(ctx, http.StatusNotFound, err)`
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`return`
			`}`
added arch packages implementation 2023-06-20 20:08:48 +00:00
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`_, err = ctx.Resp.Write(data)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`ctx.Resp.WriteHeader(http.StatusOK)`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00			`return`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`}`
opdated operation pacman database craetion to form or update database file in memory, added download counter related to pkg.tar.zst files 2023-06-24 10:37:33 +00:00
fixed db download failure and incorrect package owner assigned on push 2023-06-20 21:15:56 +00:00			`ctx.Resp.WriteHeader(http.StatusNotFound)`
added arch packages implementation 2023-06-20 20:08:48 +00:00			`}`

updated remove function description 2023-06-25 14:45:16 +00:00			`// Remove specific package version, related files and pacman database entry.`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`func Remove(ctx *context.Context) {`
			`var (`
			`owner = ctx.Params("username")`
			`email = ctx.Req.Header.Get("email")`
			`distro = ctx.Req.Header.Get("distro")`
			`target = ctx.Req.Header.Get("target")`
			`stime = ctx.Req.Header.Get("time")`
			`version = ctx.Req.Header.Get("version")`
			`arch = strings.Split(ctx.Req.Header.Get("arch"), " ")`
			`)`

			`// Parse sent time and check if it is within last minute.`
			`t, err := time.Parse(time.RFC3339, stime)`
			`if err != nil {`
			`apiError(ctx, http.StatusBadRequest, err)`
			`return`
			`}`

			`if time.Since(t) > time.Minute {`
			`apiError(ctx, http.StatusUnauthorized, "outdated message")`
			`return`
			`}`

			`// Get user owning the package.`
			`user, org, err := arch_service.IdentifyOwner(ctx, owner, email)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

			`// Read signature data from request body.`
			`sigdata, err := io.ReadAll(ctx.Req.Body)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`
			`defer ctx.Req.Body.Close()`

			`// Validate package signature with any of user's GnuPG keys.`
documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`mesdata := []byte(owner + target + stime)`
added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`err = arch_service.ValidateSignature(ctx, mesdata, sigdata, user)`
			`if err != nil {`
			`apiError(ctx, http.StatusUnauthorized, err)`
			`return`
			`}`

documentation for arch packages, additional signature in arch package upload for better security 2023-06-28 19:12:01 +00:00			`// Remove pacman database entries related to package.`
			`err = arch_service.RemoveDbEntry(ctx, arch, owner, distro, target, version)`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

added method to remove package verified with user's GPG key, removed unnecessary directory creation 2023-06-25 10:15:29 +00:00			`// Remove package files and pacman database entry.`
			`err = arch_service.RemovePackage(ctx, &arch_service.RemoveParameters{`
			`User: user,`
			`Organization: org,`
			`Owner: owner,`
			`Name: target,`
			`Version: version,`
			`})`
			`if err != nil {`
			`apiError(ctx, http.StatusInternalServerError, err)`
			`return`
			`}`

			`ctx.Resp.WriteHeader(http.StatusOK)`
			`}`

added arch packages implementation 2023-06-20 20:08:48 +00:00			`func apiError(ctx *context.Context, status int, obj interface{}) {`
			`helper.LogAndProcessError(ctx, status, obj, func(message string) {`
			`ctx.PlainText(status, message)`
			`})`
			`}`