[voter] / src / main.rs

use std::io::prelude::*;
use std::path::{Path, PathBuf};

const DATA_PATH: &str = "/var/lib/voter";
const COOKIE_NAME: &[u8] = b"__Secure-id";
const COOKIE_LENGTH: usize = 32;

fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
    let invalid_path = || cgi::text_response(404, "Invalid path");
    if path == "/" {
        return Err(cgi::text_response(404, "(This is the voting place.  You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
    }
    if path.contains("..") || !path.starts_with("/") {
        return Err(invalid_path());
    }
    let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
    if !dir
        .canonicalize()
        .map_err(|_| invalid_path())?
        .starts_with(DATA_PATH)
    {
        return Err(invalid_path());
    }
    if !dir.is_dir() {
        return Err(invalid_path());
    }
    Ok(dir)
}

fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
    // Expect exactly one cookie, exactly as we generate it.
    let cookie = request
        .headers()
        .get(cgi::http::header::COOKIE)
        .map(|c| c.as_bytes())
        .and_then(|c| c.strip_prefix(COOKIE_NAME))
        .and_then(|c| c.strip_prefix(b"="))
        .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?;
    if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') {
        Err(cgi::text_response(400, "Invalid cookie"))
    } else {
        Ok(cookie)
    }
}

fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    Err(cgi::text_response(503, "Not Implemented"))
}

fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
    let datum = [voter, b" ", vote, b"\n"].concat();
    let vpath = dir.join("votes");
    let vfile = std::fs::File::options()
        .append(true)
        .create(true)
        .open(vpath)?;
    let mut vlock = fd_lock::RwLock::new(vfile);
    vlock.write()?.write(&datum)?;
    Ok(())
}

fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    let body = request.body();
    // Valid votes look like "0 foo" or "1 bar"
    if body.len() < 3
        || (body[0] != b'0' && body[0] != b'1')
        || body[1] != b' '
        || body.contains(&b'\n')
    {
        return Err(cgi::text_response(415, "Invalid vote"));
    }
    write_vote(dir, &get_voter(&request)?, body)
        .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?;
    Ok(cgi::text_response(200, "Vote recorded"))
}

fn strip_body(mut response: cgi::Response) -> cgi::Response {
    response.body_mut().clear();
    response
}

fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    let dir = validate_path(request.uri().path())?;
    match request.method() {
        &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body),
        &cgi::http::Method::GET => prompt_for_vote(dir, request),
        &cgi::http::Method::PUT => record_vote(dir, request),
        _ => Err(cgi::text_response(405, "Huh?")),
    }
}

fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
    match respond(request) {
        Ok(result) => result,
        Err(error) => error,
    }
}

cgi::cgi_main! { respond_or_report_error }
Commit	Line	Data
fbcdf3ed	1	use std::io::prelude::*;
c8402f1c	2	use std::path::{Path, PathBuf};
d1df2e73	3
c8402f1c	4	const DATA_PATH: &str = "/var/lib/voter";
fbcdf3ed SW	5	const COOKIE_NAME: &[u8] = b"__Secure-id";
fbcdf3ed SW	6	const COOKIE_LENGTH: usize = 32;
c8402f1c SW	7
	8	fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
	9	let invalid_path = \|\| cgi::text_response(404, "Invalid path");
	10	if path == "/" {
	11	return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
	12	}
	13	if path.contains("..") \|\| !path.starts_with("/") {
	14	return Err(invalid_path());
	15	}
	16	let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
	17	if !dir
	18	.canonicalize()
	19	.map_err(\|_\| invalid_path())?
	20	.starts_with(DATA_PATH)
	21	{
	22	return Err(invalid_path());
	23	}
	24	if !dir.is_dir() {
	25	return Err(invalid_path());
	26	}
	27	Ok(dir)
	28	}
	29
fbcdf3ed SW	30	fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
	31	// Expect exactly one cookie, exactly as we generate it.
	32	let cookie = request
	33	.headers()
	34	.get(cgi::http::header::COOKIE)
	35	.map(\|c\| c.as_bytes())
	36	.and_then(\|c\| c.strip_prefix(COOKIE_NAME))
	37	.and_then(\|c\| c.strip_prefix(b"="))
	38	.ok_or_else(\|\| cgi::text_response(400, "Invalid cookie"))?;
	39	if cookie.len() != COOKIE_LENGTH \|\| cookie.contains(&b' ') \|\| cookie.contains(&b';') {
	40	Err(cgi::text_response(400, "Invalid cookie"))
	41	} else {
	42	Ok(cookie)
	43	}
	44	}
	45
c8402f1c SW	46	fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
	47	Err(cgi::text_response(503, "Not Implemented"))
	48	}
	49
fbcdf3ed SW	50	fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
	51	let datum = [voter, b" ", vote, b"\n"].concat();
	52	let vpath = dir.join("votes");
	53	let vfile = std::fs::File::options()
	54	.append(true)
	55	.create(true)
	56	.open(vpath)?;
	57	let mut vlock = fd_lock::RwLock::new(vfile);
	58	vlock.write()?.write(&datum)?;
	59	Ok(())
	60	}
	61
c8402f1c	62	fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
fbcdf3ed SW	63	let body = request.body();
	64	// Valid votes look like "0 foo" or "1 bar"
	65	if body.len() < 3
	66	\|\| (body[0] != b'0' && body[0] != b'1')
	67	\|\| body[1] != b' '
	68	\|\| body.contains(&b'\n')
	69	{
	70	return Err(cgi::text_response(415, "Invalid vote"));
	71	}
	72	write_vote(dir, &get_voter(&request)?, body)
	73	.map_err(\|_\| cgi::text_response(503, "Couldn't record vote"))?;
	74	Ok(cgi::text_response(200, "Vote recorded"))
	75	}
	76
	77	fn strip_body(mut response: cgi::Response) -> cgi::Response {
	78	response.body_mut().clear();
	79	response
c8402f1c SW	80	}
	81
	82	fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
	83	let dir = validate_path(request.uri().path())?;
	84	match request.method() {
fbcdf3ed	85	&cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body),
c8402f1c	86	&cgi::http::Method::GET => prompt_for_vote(dir, request),
fbcdf3ed	87	&cgi::http::Method::PUT => record_vote(dir, request),
c8402f1c SW	88	_ => Err(cgi::text_response(405, "Huh?")),
	89	}
	90	}
	91
	92	fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
	93	match respond(request) {
	94	Ok(result) => result,
	95	Err(error) => error,
	96	}
d1df2e73 SW	97	}
d1df2e73 SW	98
c8402f1c	99	cgi::cgi_main! { respond_or_report_error }