]>
Commit | Line | Data |
---|---|---|
dd0a1246 | 1 | use rand::prelude::*; |
75cfd491 | 2 | use std::collections::{HashMap, HashSet}; |
fbcdf3ed | 3 | use std::io::prelude::*; |
c8402f1c | 4 | use std::path::{Path, PathBuf}; |
d1df2e73 | 5 | |
c8402f1c | 6 | const DATA_PATH: &str = "/var/lib/voter"; |
fbcdf3ed | 7 | const COOKIE_NAME: &[u8] = b"__Secure-id"; |
ae9be1b6 | 8 | const COOKIE_LENGTH: usize = 12; |
c8402f1c SW |
9 | |
10 | fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> { | |
11 | let invalid_path = || cgi::text_response(404, "Invalid path"); | |
12 | if path == "/" { | |
13 | return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)")); | |
14 | } | |
15 | if path.contains("..") || !path.starts_with("/") { | |
16 | return Err(invalid_path()); | |
17 | } | |
18 | let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf(); | |
19 | if !dir | |
20 | .canonicalize() | |
21 | .map_err(|_| invalid_path())? | |
22 | .starts_with(DATA_PATH) | |
23 | { | |
24 | return Err(invalid_path()); | |
25 | } | |
26 | if !dir.is_dir() { | |
27 | return Err(invalid_path()); | |
28 | } | |
29 | Ok(dir) | |
30 | } | |
31 | ||
fbcdf3ed SW |
32 | fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> { |
33 | // Expect exactly one cookie, exactly as we generate it. | |
34 | let cookie = request | |
35 | .headers() | |
36 | .get(cgi::http::header::COOKIE) | |
37 | .map(|c| c.as_bytes()) | |
38 | .and_then(|c| c.strip_prefix(COOKIE_NAME)) | |
39 | .and_then(|c| c.strip_prefix(b"=")) | |
40 | .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?; | |
41 | if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') { | |
42 | Err(cgi::text_response(400, "Invalid cookie")) | |
43 | } else { | |
44 | Ok(cookie) | |
45 | } | |
46 | } | |
47 | ||
75cfd491 SW |
48 | fn tally_votes(dir: PathBuf) -> std::io::Result<HashMap<String, HashSet<String>>> { |
49 | let mut tally: HashMap<String, HashSet<String>> = HashMap::new(); | |
50 | let vfile = std::fs::File::open(dir.join("votes"))?; | |
51 | for liner in std::io::BufReader::new(vfile).lines() { | |
52 | let line = liner?; | |
53 | if let Some((voter, datum)) = line.split_once(' ') { | |
54 | if voter.len() == COOKIE_LENGTH { | |
55 | if let Some((vote, candidate)) = datum.split_once(' ') { | |
56 | if vote == "0" { | |
57 | if let Some(entry) = tally.get_mut(candidate) { | |
58 | entry.remove(voter); | |
59 | } | |
60 | } else if vote == "1" { | |
61 | tally | |
62 | .entry(candidate.to_owned()) | |
63 | .or_default() | |
64 | .insert(voter.to_owned()); | |
65 | } | |
66 | } | |
67 | } | |
68 | } | |
69 | } | |
70 | Ok(tally) | |
71 | } | |
72 | ||
dd0a1246 | 73 | fn make_random_id() -> [u8; COOKIE_LENGTH] { |
5a0934fa SW |
74 | let mut id = [0; COOKIE_LENGTH]; |
75 | for i in 0..COOKIE_LENGTH { | |
76 | while !(b'A'..=b'Z').contains(&id[i]) | |
77 | && !(b'a'..=b'z').contains(&id[i]) | |
78 | && !(b'0'..=b'9').contains(&id[i]) | |
79 | { | |
80 | id[i] = random() | |
81 | } | |
82 | } | |
83 | id | |
dd0a1246 SW |
84 | } |
85 | ||
86 | fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> { | |
87 | response.headers_mut().append( | |
88 | cgi::http::header::SET_COOKIE, | |
89 | cgi::http::header::HeaderValue::from_bytes( | |
90 | &[ | |
91 | COOKIE_NAME, | |
92 | b"=", | |
93 | &make_random_id(), | |
94 | b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=", | |
95 | path.as_bytes(), | |
96 | ] | |
97 | .concat(), | |
98 | ) | |
99 | .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?, | |
100 | ); | |
101 | Ok(response) | |
102 | } | |
103 | ||
3a28e771 | 104 | const HTML_HEADER: &str = "<!DOCTYPE html> |
f5e90a7e SW |
105 | <html> |
106 | <head> | |
3a28e771 | 107 | <meta charset=\"utf-8\"> |
9e49b3f0 | 108 | <title>Vote!</title> |
f5e90a7e | 109 | <style> |
3a49148b | 110 | th { font-size: 70%; text-align: left } |
9d82c13f | 111 | input { transform: scale(1.5) } |
95432069 SW |
112 | div { animation: 2s infinite linear spin } |
113 | @keyframes spin { | |
114 | from { transform:rotate(0) } | |
115 | to { transform:rotate(1turn) } | |
116 | } | |
f5e90a7e | 117 | </style> |
9d82c13f SW |
118 | <script> |
119 | window.onload = function() { | |
120 | for (cb of document.getElementsByTagName('input')) { | |
95432069 SW |
121 | cb.addEventListener('click', (function(cb) { |
122 | return function() { | |
123 | cb.style.display = 'none' | |
124 | const spin = document.createElement('div') | |
125 | spin.appendChild(document.createTextNode('⏳')) | |
126 | cb.parentElement.insertBefore(spin, cb) | |
f724d95f SW |
127 | |
128 | const req = new XMLHttpRequest() | |
129 | req.addEventListener('load', function(e) { | |
130 | cb.parentElement.removeChild(cb.previousElementSibling) | |
131 | if (req.status == 200) { | |
132 | cb.style.display = '' | |
133 | } else { | |
134 | cb.parentElement.insertBefore(document.createTextNode('❗'), cb) | |
135 | } | |
136 | }) | |
137 | req.open('PUT', window.location.href) | |
75cfd491 | 138 | req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextElementSibling.innerHTML) |
95432069 SW |
139 | } |
140 | })(cb)) | |
9d82c13f SW |
141 | cb.disabled = false |
142 | } | |
143 | } | |
144 | </script> | |
f5e90a7e SW |
145 | </head> |
146 | <body> | |
3a49148b SW |
147 | <table> |
148 | <tr> | |
149 | <th>Vote</th> | |
150 | <th>Candidate</th> | |
151 | </tr>"; | |
f5e90a7e SW |
152 | const HTML_FOOTER: &str = " |
153 | </table> | |
154 | </body> | |
155 | </html>"; | |
156 | ||
75cfd491 SW |
157 | fn supports(tally: &HashMap<String, HashSet<String>>, me: &str, candidate: &str) -> bool { |
158 | tally | |
159 | .get(candidate) | |
160 | .map(|supporters| supporters.contains(me)) | |
161 | .unwrap_or(false) | |
162 | } | |
163 | ||
c8402f1c | 164 | fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { |
dd0a1246 | 165 | let voter = get_voter(&request); |
75cfd491 SW |
166 | let me = if let Ok(id) = voter { |
167 | std::str::from_utf8(id).ok() | |
168 | } else { | |
169 | None | |
170 | }; | |
171 | let tally = | |
172 | tally_votes(dir.clone()).map_err(|_| cgi::text_response(503, "Couldn't tally votes"))?; | |
381eeda5 SW |
173 | let cfile = std::fs::File::open(dir.join("candidates")) |
174 | .map_err(|_| cgi::text_response(503, "No candidates"))?; | |
175 | let mut response = cgi::html_response( | |
176 | 200, | |
f5e90a7e SW |
177 | std::iter::once(Ok(HTML_HEADER.to_owned())) |
178 | .chain(std::io::BufReader::new(cfile).lines().map(|rc| { | |
9d82c13f | 179 | rc.map(|c| { |
75cfd491 SW |
180 | let checked = if me.map(|me| supports(&tally, me, &c)).unwrap_or(false) { |
181 | "checked" | |
182 | } else { | |
183 | "" | |
184 | }; | |
185 | format!( | |
186 | "<tr> | |
187 | <td><input type=\"checkbox\" autocomplete=\"off\" {checked} disabled></td> | |
188 | <td>{c}</td> | |
189 | </tr>" | |
190 | ) | |
9d82c13f | 191 | }) |
f5e90a7e SW |
192 | })) |
193 | .chain(std::iter::once(Ok(HTML_FOOTER.to_owned()))) | |
381eeda5 SW |
194 | .collect::<std::io::Result<String>>() |
195 | .map_err(|_| cgi::text_response(503, "Missing candidates"))?, | |
196 | ); | |
dd0a1246 SW |
197 | if voter.is_err() { |
198 | response = set_cookie(response, request.uri().path())? | |
199 | } | |
200 | Ok(response) | |
c8402f1c SW |
201 | } |
202 | ||
fbcdf3ed SW |
203 | fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> { |
204 | let datum = [voter, b" ", vote, b"\n"].concat(); | |
205 | let vpath = dir.join("votes"); | |
206 | let vfile = std::fs::File::options() | |
207 | .append(true) | |
208 | .create(true) | |
209 | .open(vpath)?; | |
210 | let mut vlock = fd_lock::RwLock::new(vfile); | |
211 | vlock.write()?.write(&datum)?; | |
212 | Ok(()) | |
213 | } | |
214 | ||
c8402f1c | 215 | fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { |
fbcdf3ed SW |
216 | let body = request.body(); |
217 | // Valid votes look like "0 foo" or "1 bar" | |
218 | if body.len() < 3 | |
219 | || (body[0] != b'0' && body[0] != b'1') | |
220 | || body[1] != b' ' | |
221 | || body.contains(&b'\n') | |
222 | { | |
223 | return Err(cgi::text_response(415, "Invalid vote")); | |
224 | } | |
225 | write_vote(dir, &get_voter(&request)?, body) | |
226 | .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?; | |
227 | Ok(cgi::text_response(200, "Vote recorded")) | |
228 | } | |
229 | ||
230 | fn strip_body(mut response: cgi::Response) -> cgi::Response { | |
231 | response.body_mut().clear(); | |
232 | response | |
c8402f1c SW |
233 | } |
234 | ||
235 | fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
236 | let dir = validate_path(request.uri().path())?; | |
237 | match request.method() { | |
fbcdf3ed | 238 | &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body), |
c8402f1c | 239 | &cgi::http::Method::GET => prompt_for_vote(dir, request), |
fbcdf3ed | 240 | &cgi::http::Method::PUT => record_vote(dir, request), |
c8402f1c SW |
241 | _ => Err(cgi::text_response(405, "Huh?")), |
242 | } | |
243 | } | |
244 | ||
245 | fn respond_or_report_error(request: cgi::Request) -> cgi::Response { | |
246 | match respond(request) { | |
247 | Ok(result) => result, | |
248 | Err(error) => error, | |
249 | } | |
d1df2e73 SW |
250 | } |
251 | ||
c8402f1c | 252 | cgi::cgi_main! { respond_or_report_error } |