]>
Commit | Line | Data |
---|---|---|
1 | use rand::prelude::*; | |
2 | use std::collections::{HashMap, HashSet}; | |
3 | use std::io::prelude::*; | |
4 | use std::path::{Path, PathBuf}; | |
5 | ||
6 | const DATA_PATH: &str = "/var/lib/voter"; | |
7 | const COOKIE_NAME: &[u8] = b"__Secure-id"; | |
8 | const COOKIE_LENGTH: usize = 12; | |
9 | ||
10 | fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> { | |
11 | let invalid_path = || cgi::text_response(404, "Invalid path"); | |
12 | if path == "/" { | |
13 | return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)")); | |
14 | } | |
15 | if path.contains("..") || !path.starts_with("/") { | |
16 | return Err(invalid_path()); | |
17 | } | |
18 | let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf(); | |
19 | if !dir | |
20 | .canonicalize() | |
21 | .map_err(|_| invalid_path())? | |
22 | .starts_with(DATA_PATH) | |
23 | { | |
24 | return Err(invalid_path()); | |
25 | } | |
26 | if !dir.is_dir() { | |
27 | return Err(invalid_path()); | |
28 | } | |
29 | Ok(dir) | |
30 | } | |
31 | ||
32 | fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> { | |
33 | // Expect exactly one cookie, exactly as we generate it. | |
34 | let cookie = request | |
35 | .headers() | |
36 | .get(cgi::http::header::COOKIE) | |
37 | .map(|c| c.as_bytes()) | |
38 | .and_then(|c| c.strip_prefix(COOKIE_NAME)) | |
39 | .and_then(|c| c.strip_prefix(b"=")) | |
40 | .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?; | |
41 | if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') { | |
42 | Err(cgi::text_response(400, "Invalid cookie")) | |
43 | } else { | |
44 | Ok(cookie) | |
45 | } | |
46 | } | |
47 | ||
48 | fn tally_votes(dir: PathBuf) -> std::io::Result<HashMap<String, HashSet<String>>> { | |
49 | let mut tally: HashMap<String, HashSet<String>> = HashMap::new(); | |
50 | let vfile = std::fs::File::open(dir.join("votes"))?; | |
51 | for liner in std::io::BufReader::new(vfile).lines() { | |
52 | let line = liner?; | |
53 | if let Some((voter, datum)) = line.split_once(' ') { | |
54 | if voter.len() == COOKIE_LENGTH { | |
55 | if let Some((vote, candidate)) = datum.split_once(' ') { | |
56 | if vote == "0" { | |
57 | if let Some(entry) = tally.get_mut(candidate) { | |
58 | entry.remove(voter); | |
59 | } | |
60 | } else if vote == "1" { | |
61 | tally | |
62 | .entry(candidate.to_owned()) | |
63 | .or_default() | |
64 | .insert(voter.to_owned()); | |
65 | } | |
66 | } | |
67 | } | |
68 | } | |
69 | } | |
70 | Ok(tally) | |
71 | } | |
72 | ||
73 | fn make_random_id() -> [u8; COOKIE_LENGTH] { | |
74 | let mut id = [0; COOKIE_LENGTH]; | |
75 | for i in 0..COOKIE_LENGTH { | |
76 | while !(b'A'..=b'Z').contains(&id[i]) | |
77 | && !(b'a'..=b'z').contains(&id[i]) | |
78 | && !(b'0'..=b'9').contains(&id[i]) | |
79 | { | |
80 | id[i] = random() | |
81 | } | |
82 | } | |
83 | id | |
84 | } | |
85 | ||
86 | fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> { | |
87 | response.headers_mut().append( | |
88 | cgi::http::header::SET_COOKIE, | |
89 | cgi::http::header::HeaderValue::from_bytes( | |
90 | &[ | |
91 | COOKIE_NAME, | |
92 | b"=", | |
93 | &make_random_id(), | |
94 | b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=", | |
95 | path.as_bytes(), | |
96 | ] | |
97 | .concat(), | |
98 | ) | |
99 | .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?, | |
100 | ); | |
101 | Ok(response) | |
102 | } | |
103 | ||
104 | const HTML_HEADER: &str = "<!DOCTYPE html> | |
105 | <html> | |
106 | <head> | |
107 | <meta charset=\"utf-8\"> | |
108 | <title>Vote!</title> | |
109 | <style> | |
110 | th { font-size: 70%; text-align: left } | |
111 | input { transform: scale(1.5) } | |
112 | div { animation: 2s infinite linear spin } | |
113 | @keyframes spin { | |
114 | from { transform:rotate(0) } | |
115 | to { transform:rotate(1turn) } | |
116 | } | |
117 | </style> | |
118 | <script> | |
119 | window.onload = function() { | |
120 | for (cb of document.getElementsByTagName('input')) { | |
121 | cb.addEventListener('click', (function(cb) { | |
122 | return function() { | |
123 | cb.style.display = 'none' | |
124 | const spin = document.createElement('div') | |
125 | spin.appendChild(document.createTextNode('⏳')) | |
126 | cb.parentElement.insertBefore(spin, cb) | |
127 | ||
128 | const req = new XMLHttpRequest() | |
129 | req.addEventListener('load', function(e) { | |
130 | cb.parentElement.removeChild(cb.previousElementSibling) | |
131 | if (req.status == 200) { | |
132 | cb.style.display = '' | |
133 | const delta = cb.checked ? 1 : -1 | |
134 | const count_td = cb.parentElement.previousElementSibling | |
135 | count_td.textContent = parseInt(count_td.textContent) + delta | |
136 | } else { | |
137 | cb.parentElement.insertBefore(document.createTextNode('❗'), cb) | |
138 | } | |
139 | }) | |
140 | req.open('PUT', window.location.href) | |
141 | req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextElementSibling.innerHTML) | |
142 | } | |
143 | })(cb)) | |
144 | cb.disabled = false | |
145 | } | |
146 | } | |
147 | function num_cmp(a, b) { | |
148 | return parseInt(b.textContent) - parseInt(a.textContent) | |
149 | } | |
150 | function str_cmp(a, b) { | |
151 | if (a.textContent < b.textContent) return -1 | |
152 | if (a.textContent > b.textContent) return 1 | |
153 | return 0 | |
154 | } | |
155 | function checked_cmp(a, b) { | |
156 | vs = [a, b].map(x => { | |
157 | const v = x.children[0].checked + 0 | |
158 | return isNaN(v) ? -1 : v | |
159 | }) | |
160 | return vs[1] - vs[0] | |
161 | } | |
162 | function sort_table(col, cmp) { | |
163 | const rows = Array.from(document.getElementsByTagName('tr')) | |
164 | rows.shift() | |
165 | rows.sort((a, b) => cmp(a.children[col], b.children[col])) | |
166 | for (row of rows) { | |
167 | row.parentElement.appendChild(row) | |
168 | } | |
169 | } | |
170 | </script> | |
171 | </head> | |
172 | <body> | |
173 | <table> | |
174 | <tr> | |
175 | <th onclick='sort_table(0, num_cmp)'>Count</th> | |
176 | <th onclick='sort_table(1, checked_cmp)'>Vote</th> | |
177 | <th onclick='sort_table(2, str_cmp)'>Candidate</th> | |
178 | </tr>"; | |
179 | const HTML_FOOTER: &str = " | |
180 | </table> | |
181 | </body> | |
182 | </html>"; | |
183 | ||
184 | fn supports(tally: &HashMap<String, HashSet<String>>, me: &str, candidate: &str) -> bool { | |
185 | tally | |
186 | .get(candidate) | |
187 | .map(|supporters| supporters.contains(me)) | |
188 | .unwrap_or(false) | |
189 | } | |
190 | ||
191 | fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
192 | let voter = get_voter(&request); | |
193 | let me = if let Ok(id) = voter { | |
194 | std::str::from_utf8(id).ok() | |
195 | } else { | |
196 | None | |
197 | }; | |
198 | let tally = | |
199 | tally_votes(dir.clone()).map_err(|_| cgi::text_response(503, "Couldn't tally votes"))?; | |
200 | let cfile = std::fs::File::open(dir.join("candidates")) | |
201 | .map_err(|_| cgi::text_response(503, "No candidates"))?; | |
202 | let mut response = cgi::html_response( | |
203 | 200, | |
204 | std::iter::once(Ok(HTML_HEADER.to_owned())) | |
205 | .chain(std::io::BufReader::new(cfile).lines().map(|rc| { | |
206 | rc.map(|c| { | |
207 | let count = tally | |
208 | .get(&c) | |
209 | .map(|supporters| supporters.len()) | |
210 | .unwrap_or(0); | |
211 | let checked = if me.map(|me| supports(&tally, me, &c)).unwrap_or(false) { | |
212 | "checked" | |
213 | } else { | |
214 | "" | |
215 | }; | |
216 | format!( | |
217 | "<tr> | |
218 | <td>{count}</td> | |
219 | <td><input type=\"checkbox\" autocomplete=\"off\" {checked} disabled></td> | |
220 | <td>{c}</td> | |
221 | </tr>" | |
222 | ) | |
223 | }) | |
224 | })) | |
225 | .chain(std::iter::once(Ok(HTML_FOOTER.to_owned()))) | |
226 | .collect::<std::io::Result<String>>() | |
227 | .map_err(|_| cgi::text_response(503, "Missing candidates"))?, | |
228 | ); | |
229 | if voter.is_err() { | |
230 | response = set_cookie(response, request.uri().path())? | |
231 | } | |
232 | Ok(response) | |
233 | } | |
234 | ||
235 | fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> { | |
236 | let datum = [voter, b" ", vote, b"\n"].concat(); | |
237 | let vpath = dir.join("votes"); | |
238 | let vfile = std::fs::File::options() | |
239 | .append(true) | |
240 | .create(true) | |
241 | .open(vpath)?; | |
242 | let mut vlock = fd_lock::RwLock::new(vfile); | |
243 | vlock.write()?.write(&datum)?; | |
244 | Ok(()) | |
245 | } | |
246 | ||
247 | fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
248 | let body = request.body(); | |
249 | // Valid votes look like "0 foo" or "1 bar" | |
250 | if body.len() < 3 | |
251 | || (body[0] != b'0' && body[0] != b'1') | |
252 | || body[1] != b' ' | |
253 | || body.contains(&b'\n') | |
254 | { | |
255 | return Err(cgi::text_response(415, "Invalid vote")); | |
256 | } | |
257 | write_vote(dir, &get_voter(&request)?, body) | |
258 | .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?; | |
259 | Ok(cgi::text_response(200, "Vote recorded")) | |
260 | } | |
261 | ||
262 | fn strip_body(mut response: cgi::Response) -> cgi::Response { | |
263 | response.body_mut().clear(); | |
264 | response | |
265 | } | |
266 | ||
267 | fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
268 | let dir = validate_path(request.uri().path())?; | |
269 | match request.method() { | |
270 | &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body), | |
271 | &cgi::http::Method::GET => prompt_for_vote(dir, request), | |
272 | &cgi::http::Method::PUT => record_vote(dir, request), | |
273 | _ => Err(cgi::text_response(405, "Huh?")), | |
274 | } | |
275 | } | |
276 | ||
277 | fn respond_or_report_error(request: cgi::Request) -> cgi::Response { | |
278 | match respond(request) { | |
279 | Ok(result) => result, | |
280 | Err(error) => error, | |
281 | } | |
282 | } | |
283 | ||
284 | cgi::cgi_main! { respond_or_report_error } |