git.scottworley.com Git - voter/blame_incremental - src/main.rs

use rand::prelude::*;
use std::collections::{HashMap, HashSet};
use std::io::prelude::*;
use std::path::{Path, PathBuf};

const DATA_PATH: &str = "/var/lib/voter";
const COOKIE_NAME: &[u8] = b"__Secure-id";
const COOKIE_LENGTH: usize = 12;

fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
    let invalid_path = || cgi::text_response(404, "Invalid path");
    if path == "/" {
        return Err(cgi::text_response(404, "(This is the voting place.  You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
    }
    if path.contains("..") || !path.starts_with("/") {
        return Err(invalid_path());
    }
    let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
    if !dir
        .canonicalize()
        .map_err(|_| invalid_path())?
        .starts_with(DATA_PATH)
    {
        return Err(invalid_path());
    }
    if !dir.is_dir() {
        return Err(invalid_path());
    }
    Ok(dir)
}

fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
    // Expect exactly one cookie, exactly as we generate it.
    let cookie = request
        .headers()
        .get(cgi::http::header::COOKIE)
        .map(|c| c.as_bytes())
        .and_then(|c| c.strip_prefix(COOKIE_NAME))
        .and_then(|c| c.strip_prefix(b"="))
        .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?;
    if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') {
        Err(cgi::text_response(400, "Invalid cookie"))
    } else {
        Ok(cookie)
    }
}

fn tally_votes(dir: PathBuf) -> std::io::Result<HashMap<String, HashSet<String>>> {
    let mut tally: HashMap<String, HashSet<String>> = HashMap::new();
    if let Ok(vfile) = std::fs::File::open(dir.join("votes")) {
        for liner in std::io::BufReader::new(vfile).lines() {
            let line = liner?;
            if let Some((voter, datum)) = line.split_once(' ') {
                if voter.len() == COOKIE_LENGTH {
                    if let Some((vote, candidate)) = datum.split_once(' ') {
                        if vote == "0" {
                            if let Some(entry) = tally.get_mut(candidate) {
                                entry.remove(voter);
                            }
                        } else if vote == "1" {
                            tally
                                .entry(candidate.to_owned())
                                .or_default()
                                .insert(voter.to_owned());
                        }
                    }
                }
            }
        }
    }
    Ok(tally)
}

fn make_random_id() -> [u8; COOKIE_LENGTH] {
    let mut id = [0; COOKIE_LENGTH];
    for i in 0..COOKIE_LENGTH {
        while !(b'A'..=b'Z').contains(&id[i])
            && !(b'a'..=b'z').contains(&id[i])
            && !(b'0'..=b'9').contains(&id[i])
        {
            id[i] = random()
        }
    }
    id
}

fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> {
    response.headers_mut().append(
        cgi::http::header::SET_COOKIE,
        cgi::http::header::HeaderValue::from_bytes(
            &[
                COOKIE_NAME,
                b"=",
                &make_random_id(),
                b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=",
                path.as_bytes(),
            ]
            .concat(),
        )
        .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?,
    );
    Ok(response)
}

const HTML_HEADER: &str = "<!DOCTYPE html>
<html>
  <head>
    <meta charset=\"utf-8\">
    <title>Vote!</title>
    <style>
      th { font-size: 70%; text-align: left }
      input { transform: scale(1.5) }
      div { animation: 2s infinite linear spin }
      @keyframes spin {
        from { transform:rotate(0) }
        to { transform:rotate(1turn) }
      }
    </style>
    <script>
      window.onload = function() {
        for (cb of document.getElementsByTagName('input')) {
          cb.addEventListener('click', (function(cb) {
            return function() {
              cb.style.display = 'none'
              const spin = document.createElement('div')
              spin.appendChild(document.createTextNode('⏳'))
              cb.parentElement.insertBefore(spin, cb)

              const req = new XMLHttpRequest()
              req.addEventListener('load', function(e) {
                cb.parentElement.removeChild(cb.previousElementSibling)
                if (req.status == 200) {
                    cb.style.display = ''
                    const delta = cb.checked ? 1 : -1
                    const count_td = cb.parentElement.previousElementSibling
                    count_td.textContent = parseInt(count_td.textContent) + delta
                } else {
                   cb.parentElement.insertBefore(document.createTextNode('❗'), cb)
                }
              })
              req.open('PUT', window.location.href)
              req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextElementSibling.innerHTML)
            }
          })(cb))
          cb.disabled = false
        }
      }
      function num_cmp(a, b) {
        return parseInt(b.textContent) - parseInt(a.textContent)
      }
      function str_cmp(a, b) {
        if (a.textContent < b.textContent) return -1
        if (a.textContent > b.textContent) return 1
        return 0
      }
      function checked_cmp(a, b) {
        vs = [a, b].map(x => {
          const v = x.children[0].checked + 0
          return isNaN(v) ? -1 : v
        })
        return vs[1] - vs[0]
      }
      function sort_table(col, cmp) {
        const rows = Array.from(document.getElementsByTagName('tr'))
        rows.shift()
        rows.sort((a, b) => cmp(a.children[col], b.children[col]))
        for (row of rows) {
          row.parentElement.appendChild(row)
        }
      }
    </script>
  </head>
  <body>
    <table>
      <tr>
        <th onclick='sort_table(0, num_cmp)'>Count</th>
        <th onclick='sort_table(1, checked_cmp)'>Vote</th>
        <th onclick='sort_table(2, str_cmp)'>Candidate</th>
      </tr>";
const HTML_FOOTER: &str = "
    </table>
  </body>
</html>";

fn supports(tally: &HashMap<String, HashSet<String>>, me: &str, candidate: &str) -> bool {
    tally
        .get(candidate)
        .map(|supporters| supporters.contains(me))
        .unwrap_or(false)
}

fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    let voter = get_voter(&request);
    let me = if let Ok(id) = voter {
        std::str::from_utf8(id).ok()
    } else {
        None
    };
    let tally =
        tally_votes(dir.clone()).map_err(|_| cgi::text_response(503, "Couldn't tally votes"))?;
    let cfile = std::fs::File::open(dir.join("candidates"))
        .map_err(|_| cgi::text_response(503, "No candidates"))?;
    let mut response = cgi::html_response(
        200,
        std::iter::once(Ok(HTML_HEADER.to_owned()))
            .chain(std::io::BufReader::new(cfile).lines().map(|rc| {
                rc.map(|c| {
                    let count = tally
                        .get(&c)
                        .map(|supporters| supporters.len())
                        .unwrap_or(0);
                    let checked = if me.map(|me| supports(&tally, me, &c)).unwrap_or(false) {
                        "checked"
                    } else {
                        ""
                    };
                    format!(
                        "<tr>
                        <td>{count}</td>
                        <td><input type=\"checkbox\" autocomplete=\"off\" {checked} disabled></td>
                        <td>{c}</td>
                        </tr>"
                    )
                })
            }))
            .chain(std::iter::once(Ok(HTML_FOOTER.to_owned())))
            .collect::<std::io::Result<String>>()
            .map_err(|_| cgi::text_response(503, "Missing candidates"))?,
    );
    if voter.is_err() {
        response = set_cookie(response, request.uri().path())?
    }
    Ok(response)
}

fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
    let datum = [voter, b" ", vote, b"\n"].concat();
    let vpath = dir.join("votes");
    let vfile = std::fs::File::options()
        .append(true)
        .create(true)
        .open(vpath)?;
    let mut vlock = fd_lock::RwLock::new(vfile);
    vlock.write()?.write(&datum)?;
    Ok(())
}

fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    let body = request.body();
    // Valid votes look like "0 foo" or "1 bar"
    if body.len() < 3
        || (body[0] != b'0' && body[0] != b'1')
        || body[1] != b' '
        || body.contains(&b'\n')
    {
        return Err(cgi::text_response(415, "Invalid vote"));
    }
    write_vote(dir, &get_voter(&request)?, body)
        .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?;
    Ok(cgi::text_response(200, "Vote recorded"))
}

fn strip_body(mut response: cgi::Response) -> cgi::Response {
    response.body_mut().clear();
    response
}

fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
    let dir = validate_path(request.uri().path())?;
    match request.method() {
        &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body),
        &cgi::http::Method::GET => prompt_for_vote(dir, request),
        &cgi::http::Method::PUT => record_vote(dir, request),
        _ => Err(cgi::text_response(405, "Huh?")),
    }
}

fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
    match respond(request) {
        Ok(result) => result,
        Err(error) => error,
    }
}

cgi::cgi_main! { respond_or_report_error }
Commit	Line	Data
	1	use rand::prelude::*;
	2	use std::collections::{HashMap, HashSet};
	3	use std::io::prelude::*;
	4	use std::path::{Path, PathBuf};
	5
	6	const DATA_PATH: &str = "/var/lib/voter";
	7	const COOKIE_NAME: &[u8] = b"__Secure-id";
	8	const COOKIE_LENGTH: usize = 12;
	9
	10	fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
	11	let invalid_path = \|\| cgi::text_response(404, "Invalid path");
	12	if path == "/" {
	13	return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
	14	}
	15	if path.contains("..") \|\| !path.starts_with("/") {
	16	return Err(invalid_path());
	17	}
	18	let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
	19	if !dir
	20	.canonicalize()
	21	.map_err(\|_\| invalid_path())?
	22	.starts_with(DATA_PATH)
	23	{
	24	return Err(invalid_path());
	25	}
	26	if !dir.is_dir() {
	27	return Err(invalid_path());
	28	}
	29	Ok(dir)
	30	}
	31
	32	fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
	33	// Expect exactly one cookie, exactly as we generate it.
	34	let cookie = request
	35	.headers()
	36	.get(cgi::http::header::COOKIE)
	37	.map(\|c\| c.as_bytes())
	38	.and_then(\|c\| c.strip_prefix(COOKIE_NAME))
	39	.and_then(\|c\| c.strip_prefix(b"="))
	40	.ok_or_else(\|\| cgi::text_response(400, "Invalid cookie"))?;
	41	if cookie.len() != COOKIE_LENGTH \|\| cookie.contains(&b' ') \|\| cookie.contains(&b';') {
	42	Err(cgi::text_response(400, "Invalid cookie"))
	43	} else {
	44	Ok(cookie)
	45	}
	46	}
	47
	48	fn tally_votes(dir: PathBuf) -> std::io::Result<HashMap<String, HashSet<String>>> {
	49	let mut tally: HashMap<String, HashSet<String>> = HashMap::new();
	50	if let Ok(vfile) = std::fs::File::open(dir.join("votes")) {
	51	for liner in std::io::BufReader::new(vfile).lines() {
	52	let line = liner?;
	53	if let Some((voter, datum)) = line.split_once(' ') {
	54	if voter.len() == COOKIE_LENGTH {
	55	if let Some((vote, candidate)) = datum.split_once(' ') {
	56	if vote == "0" {
	57	if let Some(entry) = tally.get_mut(candidate) {
	58	entry.remove(voter);
	59	}
	60	} else if vote == "1" {
	61	tally
	62	.entry(candidate.to_owned())
	63	.or_default()
	64	.insert(voter.to_owned());
	65	}
	66	}
	67	}
	68	}
	69	}
	70	}
	71	Ok(tally)
	72	}
	73
	74	fn make_random_id() -> [u8; COOKIE_LENGTH] {
	75	let mut id = [0; COOKIE_LENGTH];
	76	for i in 0..COOKIE_LENGTH {
	77	while !(b'A'..=b'Z').contains(&id[i])
	78	&& !(b'a'..=b'z').contains(&id[i])
	79	&& !(b'0'..=b'9').contains(&id[i])
	80	{
	81	id[i] = random()
	82	}
	83	}
	84	id
	85	}
	86
	87	fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> {
	88	response.headers_mut().append(
	89	cgi::http::header::SET_COOKIE,
	90	cgi::http::header::HeaderValue::from_bytes(
	91	&[
	92	COOKIE_NAME,
	93	b"=",
	94	&make_random_id(),
	95	b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=",
	96	path.as_bytes(),
	97	]
	98	.concat(),
	99	)
	100	.map_err(\|_\| cgi::text_response(503, "Couldn't make cookie"))?,
	101	);
	102	Ok(response)
	103	}
	104
	105	const HTML_HEADER: &str = "<!DOCTYPE html>
	106	<html>
	107	<head>
	108	<meta charset=\"utf-8\">
	109	<title>Vote!</title>
	110	<style>
	111	th { font-size: 70%; text-align: left }
	112	input { transform: scale(1.5) }
	113	div { animation: 2s infinite linear spin }
	114	@keyframes spin {
	115	from { transform:rotate(0) }
	116	to { transform:rotate(1turn) }
	117	}
	118	</style>
	119	<script>
	120	window.onload = function() {
	121	for (cb of document.getElementsByTagName('input')) {
	122	cb.addEventListener('click', (function(cb) {
	123	return function() {
	124	cb.style.display = 'none'
	125	const spin = document.createElement('div')
	126	spin.appendChild(document.createTextNode('⏳'))
	127	cb.parentElement.insertBefore(spin, cb)
	128
	129	const req = new XMLHttpRequest()
	130	req.addEventListener('load', function(e) {
	131	cb.parentElement.removeChild(cb.previousElementSibling)
	132	if (req.status == 200) {
	133	cb.style.display = ''
	134	const delta = cb.checked ? 1 : -1
	135	const count_td = cb.parentElement.previousElementSibling
	136	count_td.textContent = parseInt(count_td.textContent) + delta
	137	} else {
	138	cb.parentElement.insertBefore(document.createTextNode('❗'), cb)
	139	}
	140	})
	141	req.open('PUT', window.location.href)
	142	req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextElementSibling.innerHTML)
	143	}
	144	})(cb))
	145	cb.disabled = false
	146	}
	147	}
	148	function num_cmp(a, b) {
	149	return parseInt(b.textContent) - parseInt(a.textContent)
	150	}
	151	function str_cmp(a, b) {
	152	if (a.textContent < b.textContent) return -1
	153	if (a.textContent > b.textContent) return 1
	154	return 0
	155	}
	156	function checked_cmp(a, b) {
	157	vs = [a, b].map(x => {
	158	const v = x.children[0].checked + 0
	159	return isNaN(v) ? -1 : v
	160	})
	161	return vs[1] - vs[0]
	162	}
	163	function sort_table(col, cmp) {
	164	const rows = Array.from(document.getElementsByTagName('tr'))
	165	rows.shift()
	166	rows.sort((a, b) => cmp(a.children[col], b.children[col]))
	167	for (row of rows) {
	168	row.parentElement.appendChild(row)
	169	}
	170	}
	171	</script>
	172	</head>
	173	<body>
	174	<table>
	175	<tr>
	176	<th onclick='sort_table(0, num_cmp)'>Count</th>
	177	<th onclick='sort_table(1, checked_cmp)'>Vote</th>
	178	<th onclick='sort_table(2, str_cmp)'>Candidate</th>
	179	</tr>";
	180	const HTML_FOOTER: &str = "
	181	</table>
	182	</body>
	183	</html>";
	184
	185	fn supports(tally: &HashMap<String, HashSet<String>>, me: &str, candidate: &str) -> bool {
	186	tally
	187	.get(candidate)
	188	.map(\|supporters\| supporters.contains(me))
	189	.unwrap_or(false)
	190	}
	191
	192	fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
	193	let voter = get_voter(&request);
	194	let me = if let Ok(id) = voter {
	195	std::str::from_utf8(id).ok()
	196	} else {
	197	None
	198	};
	199	let tally =
	200	tally_votes(dir.clone()).map_err(\|_\| cgi::text_response(503, "Couldn't tally votes"))?;
	201	let cfile = std::fs::File::open(dir.join("candidates"))
	202	.map_err(\|_\| cgi::text_response(503, "No candidates"))?;
	203	let mut response = cgi::html_response(
	204	200,
	205	std::iter::once(Ok(HTML_HEADER.to_owned()))
	206	.chain(std::io::BufReader::new(cfile).lines().map(\|rc\| {
	207	rc.map(\|c\| {
	208	let count = tally
	209	.get(&c)
	210	.map(\|supporters\| supporters.len())
	211	.unwrap_or(0);
	212	let checked = if me.map(\|me\| supports(&tally, me, &c)).unwrap_or(false) {
	213	"checked"
	214	} else {
	215	""
	216	};
	217	format!(
	218	"<tr>
	219	<td>{count}</td>
	220	<td><input type=\"checkbox\" autocomplete=\"off\" {checked} disabled></td>
	221	<td>{c}</td>
	222	</tr>"
	223	)
	224	})
	225	}))
	226	.chain(std::iter::once(Ok(HTML_FOOTER.to_owned())))
	227	.collect::<std::io::Result<String>>()
	228	.map_err(\|_\| cgi::text_response(503, "Missing candidates"))?,
	229	);
	230	if voter.is_err() {
	231	response = set_cookie(response, request.uri().path())?
	232	}
	233	Ok(response)
	234	}
	235
	236	fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
	237	let datum = [voter, b" ", vote, b"\n"].concat();
	238	let vpath = dir.join("votes");
	239	let vfile = std::fs::File::options()
	240	.append(true)
	241	.create(true)
	242	.open(vpath)?;
	243	let mut vlock = fd_lock::RwLock::new(vfile);
	244	vlock.write()?.write(&datum)?;
	245	Ok(())
	246	}
	247
	248	fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
	249	let body = request.body();
	250	// Valid votes look like "0 foo" or "1 bar"
	251	if body.len() < 3
	252	\|\| (body[0] != b'0' && body[0] != b'1')
	253	\|\| body[1] != b' '
	254	\|\| body.contains(&b'\n')
	255	{
	256	return Err(cgi::text_response(415, "Invalid vote"));
	257	}
	258	write_vote(dir, &get_voter(&request)?, body)
	259	.map_err(\|_\| cgi::text_response(503, "Couldn't record vote"))?;
	260	Ok(cgi::text_response(200, "Vote recorded"))
	261	}
	262
	263	fn strip_body(mut response: cgi::Response) -> cgi::Response {
	264	response.body_mut().clear();
	265	response
	266	}
	267
	268	fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
	269	let dir = validate_path(request.uri().path())?;
	270	match request.method() {
	271	&cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body),
	272	&cgi::http::Method::GET => prompt_for_vote(dir, request),
	273	&cgi::http::Method::PUT => record_vote(dir, request),
	274	_ => Err(cgi::text_response(405, "Huh?")),
	275	}
	276	}
	277
	278	fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
	279	match respond(request) {
	280	Ok(result) => result,
	281	Err(error) => error,
	282	}
	283	}
	284
	285	cgi::cgi_main! { respond_or_report_error }