gavin/main.go

295 lines
6.4 KiB
Go
Raw Normal View History

package main
import (
"crypto/tls"
2021-01-20 07:15:22 -07:00
"embed"
_ "embed"
"encoding/csv"
"flag"
"fmt"
2021-09-29 07:40:59 -06:00
"io/fs"
"log"
"net"
"net/http"
"os"
2021-09-29 07:40:59 -06:00
"path"
"path/filepath"
"time"
"golang.org/x/crypto/acme"
"golang.org/x/crypto/acme/autocert"
"golang.org/x/crypto/bcrypt"
"golang.org/x/net/webdav"
2020-05-08 16:47:44 -06:00
"suah.dev/protect"
)
2021-01-20 07:15:22 -07:00
//go:embed organice
var content embed.FS
2021-09-29 07:40:59 -06:00
// Should match the path for content
var rootFS = "organice"
var (
acmeDomain string
test bool
acmeListen string
cacheDir string
davDir string
davPath string
listen string
passPath string
users map[string]string
2021-09-29 07:40:59 -06:00
dump bool
)
func init() {
users = make(map[string]string)
dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
if err != nil {
log.Fatalln(err)
}
// TODO: come up with better names for things.
// TODO: should these go in a config file?
flag.StringVar(&acmeDomain, "domain", "", "Domain to to use for ACME requests.")
flag.StringVar(&acmeListen, "alisten", ":80", "Listen for acme requests on")
flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
flag.StringVar(&listen, "http", "127.0.0.1:8080", "Listen on")
flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
flag.StringVar(&davPath, "davpath", "/dav/", "Directory containing files to serve over WebDAV.")
flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
2021-09-29 07:40:59 -06:00
flag.BoolVar(&dump, "dump", false, "Dump Organice assets to disk (./organice).")
flag.Parse()
2020-06-09 21:51:35 -06:00
// These are OpenBSD specific protections used to prevent unnecessary file access.
_ = protect.Unveil(passPath, "r")
_ = protect.Unveil(davDir, "rwc")
_ = protect.Unveil(cacheDir, "rwc")
_ = protect.Unveil("/etc/ssl/cert.pem", "r")
_ = protect.Unveil("/etc/resolv.conf", "r")
_ = protect.Pledge("stdio wpath rpath cpath inet dns")
p, err := os.Open(passPath)
if err != nil {
log.Fatal(err)
}
2020-03-24 07:09:08 -06:00
defer p.Close()
ht := csv.NewReader(p)
ht.Comma = ':'
ht.Comment = '#'
ht.TrimLeadingSpace = true
entries, err := ht.ReadAll()
if err != nil {
log.Fatal(err)
}
for _, parts := range entries {
users[parts[0]] = parts[1]
}
}
2021-01-18 21:01:00 -07:00
func authenticate(user string, pass string) bool {
htpass, exists := users[user]
if !exists {
return false
}
err := bcrypt.CompareHashAndPassword([]byte(htpass), []byte(pass))
2020-03-24 07:09:08 -06:00
return err == nil
}
func httpLog(r *http.Request) {
n := time.Now()
fmt.Printf("%s (%s) [%s] \"%s %s\" %03d\n",
r.RemoteAddr,
n.Format(time.RFC822Z),
r.Method,
r.URL.Path,
r.Proto,
r.ContentLength,
)
}
func logger(f http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
httpLog(r)
f(w, r)
}
}
2021-09-29 16:55:55 -06:00
func dumpFS(dest string, entries []fs.DirEntry) {
2021-09-29 07:40:59 -06:00
var localRoot = rootFS
2021-09-29 16:55:55 -06:00
err := os.Mkdir(path.Join(dest, localRoot), 0755)
2021-09-29 07:40:59 -06:00
if err != nil {
fmt.Println(err)
os.Exit(1)
}
for _, e := range entries {
fp := path.Join(localRoot, e.Name())
if e.IsDir() {
rootFS = fp
2021-09-29 16:55:55 -06:00
newDir, err := content.ReadDir(rootFS)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
dumpFS(dest, newDir)
2021-09-29 07:40:59 -06:00
} else {
fh, err := content.Open(fp)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
defer fh.Close()
2021-09-29 16:55:55 -06:00
nfp := path.Join(dest, fp)
2021-09-29 07:40:59 -06:00
nfh, err := os.Create(nfp)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
defer nfh.Close()
nfh.ReadFrom(fh)
2021-09-29 16:55:55 -06:00
fmt.Printf("\t%s\n", nfp)
2021-09-29 07:40:59 -06:00
}
}
}
func main() {
2021-09-29 07:40:59 -06:00
if dump {
2021-09-29 16:55:55 -06:00
tmpDir, err := os.MkdirTemp("", "gavin")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
fmt.Printf("Dumping files to %q\n", tmpDir)
dir, err := content.ReadDir(rootFS)
if err != nil {
fmt.Println(err)
os.Exit(1)
}
dumpFS(tmpDir, dir)
2021-09-29 07:40:59 -06:00
os.Exit(0)
}
wdav := &webdav.Handler{
Prefix: davPath,
LockSystem: webdav.NewMemLS(),
FileSystem: webdav.Dir(davDir),
Logger: func(r *http.Request, err error) {
httpLog(r)
},
}
2021-01-20 07:15:22 -07:00
fileServer := http.FileServer(http.FS(content))
mux := http.NewServeMux()
mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
2021-01-20 07:15:22 -07:00
// embed.FS contains the top level directory 'organice'
// This modifies the request path to match.
r.URL.Path = fmt.Sprintf("/organice%s", r.URL.Path)
httpLog(r)
fileServer.ServeHTTP(w, r)
}))
2021-01-20 07:15:22 -07:00
mux.HandleFunc(davPath, func(w http.ResponseWriter, r *http.Request) {
user, pass, ok := r.BasicAuth()
2021-01-18 21:01:00 -07:00
if !(ok && authenticate(user, pass)) {
w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
wdav.ServeHTTP(w, r)
})
s := http.Server{
Handler: mux,
}
if acmeDomain != "" {
tlsConfig := acmeHandler(acmeDomain, acmeListen, cacheDir)
tlsLis, err := tls.Listen("tcp", listen, tlsConfig)
if err != nil {
log.Fatal(err)
}
log.Printf("Listening for HTTPS on '%s'", listen)
log.Panic(s.Serve(tlsLis))
} else {
lis, err := net.Listen("tcp", listen)
if err != nil {
log.Panic(err)
}
log.Printf("Listening for HTTP on '%s'", listen)
log.Panic(s.Serve(lis))
}
}
func acmeHandler(domain, listen, cache string) *tls.Config {
log.Printf("storing certifiates for %q in %q\n", domain, cache)
m := &autocert.Manager{
Prompt: autocert.AcceptTOS,
Cache: autocert.DirCache(cache),
HostPolicy: autocert.HostWhitelist(domain),
}
if test {
m.Client = &acme.Client{
DirectoryURL: "https://acme-staging-v02.api.letsencrypt.org/directory",
}
}
// TLS parameters graciously taken from https://github.com/jrick/domain
tc := m.TLSConfig()
tc.ServerName = domain
tc.NextProtos = []string{"http/1.1", acme.ALPNProto}
tc.MinVersion = tls.VersionTLS12
tc.CurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256}
tc.PreferServerCipherSuites = true
tc.CipherSuites = []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
}
lis, err := net.Listen("tcp", listen)
if err != nil {
log.Fatal(err)
}
log.Printf("ACME client listening on %s", lis.Addr())
mHandler := m.HTTPHandler(nil)
s := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
httpLog(r)
mHandler.ServeHTTP(w, r)
}),
}
go func() {
log.Panic(s.Serve(lis))
}()
return tc
}