From 9b0efdda005931e86af30167b1461e6f68810d07 Mon Sep 17 00:00:00 2001
From: Aaron Bieber <aaron@bolddaemon.com>
Date: Mon, 17 May 2021 07:50:45 -0600
Subject: [PATCH] initial

---
 .gitignore |   1 +
 LICENSE    |  15 +++++
 go.mod     |   9 +++
 go.sum     |  16 ++++++
 main.go    | 162 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 203 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 LICENSE
 create mode 100644 go.mod
 create mode 100644 go.sum
 create mode 100644 main.go

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..91302cd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+widdler
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d22c571
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2021 Aaron Bieber <aaron@bolddaemon.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..bbe6119
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,9 @@
+module suah.dev/widdler
+
+go 1.16
+
+require (
+	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
+	golang.org/x/net v0.0.0-20210510120150-4163338589ed
+	suah.dev/protect v1.0.0
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..329f638
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,16 @@
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a h1:kr2P4QFmQr29mSLA43kwrOcgcReGTfbE9N577tCTuBc=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210510120150-4163338589ed h1:p9UgmWI9wKpfYmgaV/IZKGdXc5qEK45tDwwwDyjS26I=
+golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da h1:b3NXsE2LusjYGGjL5bxEVZZORm/YEFFrWFjR8eFrw/c=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+suah.dev/protect v1.0.0 h1:X8pzDvDIZIiugmkmr6DES6JFO1XUdJWi34Ffmk6CMZY=
+suah.dev/protect v1.0.0/go.mod h1:ZSgyBM30JUwhVPWJzVHh0jlu5W6Qz1VR6tIhAzqJZ9Y=
diff --git a/main.go b/main.go
new file mode 100644
index 0000000..36f90e3
--- /dev/null
+++ b/main.go
@@ -0,0 +1,162 @@
+package main
+
+import (
+	"embed"
+	"encoding/csv"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/net/webdav"
+	"suah.dev/protect"
+)
+
+var twFile = "empty-5.1.23.html"
+
+//go:embed empty-5.1.23.html
+var tiddly embed.FS
+
+var (
+	test     bool
+	cacheDir string
+	davDir   string
+	listen   string
+	passPath string
+	users    map[string]string
+)
+
+func init() {
+	users = make(map[string]string)
+	dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	flag.StringVar(&cacheDir, "cache", fmt.Sprintf("%s/.cache", dir), "Directory in which to store ACME certificates.")
+	flag.StringVar(&davDir, "davdir", dir, "Directory to serve over WebDAV.")
+	flag.StringVar(&listen, "http", "127.0.0.1:8080", "Listen on")
+	flag.StringVar(&passPath, "htpass", fmt.Sprintf("%s/.htpasswd", dir), "Path to .htpasswd file..")
+	flag.BoolVar(&test, "test", false, "Enable testing mode (uses staging LetsEncrypt).")
+	flag.Parse()
+
+	// These are OpenBSD specific protections used to prevent unnecessary file access.
+	_ = protect.Unveil(passPath, "r")
+	_ = protect.Unveil(davDir, "rwc")
+	_ = protect.Unveil(cacheDir, "rwc")
+	_ = protect.Unveil("/etc/ssl/cert.pem", "r")
+	_ = protect.Unveil("/etc/resolv.conf", "r")
+	_ = protect.Pledge("stdio wpath rpath cpath inet dns")
+
+	p, err := os.Open(passPath)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer p.Close()
+
+	ht := csv.NewReader(p)
+	ht.Comma = ':'
+	ht.Comment = '#'
+	ht.TrimLeadingSpace = true
+
+	entries, err := ht.ReadAll()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	for _, parts := range entries {
+		users[parts[0]] = parts[1]
+	}
+}
+
+func authenticate(user string, pass string) bool {
+	htpass, exists := users[user]
+
+	if !exists {
+		return false
+	}
+
+	err := bcrypt.CompareHashAndPassword([]byte(htpass), []byte(pass))
+	return err == nil
+}
+
+func logger(f http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		n := time.Now()
+		fmt.Printf("%s (%s) [%s] \"%s %s\" %03d\n",
+			r.RemoteAddr,
+			n.Format(time.RFC822Z),
+			r.Method,
+			r.URL.Path,
+			r.Proto,
+			r.ContentLength,
+		)
+		f(w, r)
+	}
+}
+
+func createEmpty(path string) error {
+	_, fErr := os.Stat(path)
+	if os.IsNotExist(fErr) {
+		log.Printf("creating %q\n", path)
+		twData, _ := tiddly.ReadFile(twFile)
+		wErr := ioutil.WriteFile(path, []byte(twData), 0600)
+		if wErr != nil {
+			return wErr
+		}
+	}
+	return nil
+}
+
+func main() {
+	wdav := &webdav.Handler{
+		LockSystem: webdav.NewMemLS(),
+		FileSystem: webdav.Dir(davDir),
+	}
+
+	idxHandler := http.FileServer(http.Dir(davDir))
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", logger(func(w http.ResponseWriter, r *http.Request) {
+		user, pass, ok := r.BasicAuth()
+		if !(ok && authenticate(user, pass)) {
+			w.Header().Set("WWW-Authenticate", `Basic realm="davfs"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		fp := path.Join(davDir, r.URL.Path)
+		err := createEmpty(fp)
+		if err != nil {
+			log.Println(err)
+			fmt.Fprintf(w, err.Error())
+			return
+		}
+
+		if r.URL.Path == "/" {
+			idxHandler.ServeHTTP(w, r)
+			return
+		}
+
+		wdav.ServeHTTP(w, r)
+	}))
+
+	s := http.Server{
+		Handler: mux,
+	}
+
+	lis, err := net.Listen("tcp", listen)
+	if err != nil {
+		log.Panic(err)
+	}
+
+	log.Printf("Listening for HTTP on '%s'", listen)
+	log.Panic(s.Serve(lis))
+}