]>
Commit | Line | Data |
---|---|---|
1 | use rand::prelude::*; | |
2 | use std::io::prelude::*; | |
3 | use std::path::{Path, PathBuf}; | |
4 | ||
5 | const DATA_PATH: &str = "/var/lib/voter"; | |
6 | const COOKIE_NAME: &[u8] = b"__Secure-id"; | |
7 | const COOKIE_LENGTH: usize = 12; | |
8 | ||
9 | fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> { | |
10 | let invalid_path = || cgi::text_response(404, "Invalid path"); | |
11 | if path == "/" { | |
12 | return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)")); | |
13 | } | |
14 | if path.contains("..") || !path.starts_with("/") { | |
15 | return Err(invalid_path()); | |
16 | } | |
17 | let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf(); | |
18 | if !dir | |
19 | .canonicalize() | |
20 | .map_err(|_| invalid_path())? | |
21 | .starts_with(DATA_PATH) | |
22 | { | |
23 | return Err(invalid_path()); | |
24 | } | |
25 | if !dir.is_dir() { | |
26 | return Err(invalid_path()); | |
27 | } | |
28 | Ok(dir) | |
29 | } | |
30 | ||
31 | fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> { | |
32 | // Expect exactly one cookie, exactly as we generate it. | |
33 | let cookie = request | |
34 | .headers() | |
35 | .get(cgi::http::header::COOKIE) | |
36 | .map(|c| c.as_bytes()) | |
37 | .and_then(|c| c.strip_prefix(COOKIE_NAME)) | |
38 | .and_then(|c| c.strip_prefix(b"=")) | |
39 | .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?; | |
40 | if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') { | |
41 | Err(cgi::text_response(400, "Invalid cookie")) | |
42 | } else { | |
43 | Ok(cookie) | |
44 | } | |
45 | } | |
46 | ||
47 | fn make_random_id() -> [u8; COOKIE_LENGTH] { | |
48 | let mut id = [0; COOKIE_LENGTH]; | |
49 | for i in 0..COOKIE_LENGTH { | |
50 | while !(b'A'..=b'Z').contains(&id[i]) | |
51 | && !(b'a'..=b'z').contains(&id[i]) | |
52 | && !(b'0'..=b'9').contains(&id[i]) | |
53 | { | |
54 | id[i] = random() | |
55 | } | |
56 | } | |
57 | id | |
58 | } | |
59 | ||
60 | fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> { | |
61 | response.headers_mut().append( | |
62 | cgi::http::header::SET_COOKIE, | |
63 | cgi::http::header::HeaderValue::from_bytes( | |
64 | &[ | |
65 | COOKIE_NAME, | |
66 | b"=", | |
67 | &make_random_id(), | |
68 | b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=", | |
69 | path.as_bytes(), | |
70 | ] | |
71 | .concat(), | |
72 | ) | |
73 | .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?, | |
74 | ); | |
75 | Ok(response) | |
76 | } | |
77 | ||
78 | const HTML_HEADER: &str = "<!DOCTYPE html> | |
79 | <html> | |
80 | <head> | |
81 | <meta charset=\"utf-8\"> | |
82 | <title>Vote!</title> | |
83 | <style> | |
84 | input { transform: scale(1.5) } | |
85 | div { animation: 2s infinite linear spin } | |
86 | @keyframes spin { | |
87 | from { transform:rotate(0) } | |
88 | to { transform:rotate(1turn) } | |
89 | } | |
90 | </style> | |
91 | <script> | |
92 | window.onload = function() { | |
93 | for (cb of document.getElementsByTagName('input')) { | |
94 | cb.addEventListener('click', (function(cb) { | |
95 | return function() { | |
96 | cb.style.display = 'none' | |
97 | const spin = document.createElement('div') | |
98 | spin.appendChild(document.createTextNode('⏳')) | |
99 | cb.parentElement.insertBefore(spin, cb) | |
100 | ||
101 | const req = new XMLHttpRequest() | |
102 | req.addEventListener('load', function(e) { | |
103 | cb.parentElement.removeChild(cb.previousElementSibling) | |
104 | if (req.status == 200) { | |
105 | cb.style.display = '' | |
106 | } else { | |
107 | cb.parentElement.insertBefore(document.createTextNode('❗'), cb) | |
108 | } | |
109 | }) | |
110 | req.open('PUT', window.location.href) | |
111 | req.send((cb.checked ? 1 : 0) + ' ' + cb.parentElement.nextSibling.innerHTML) | |
112 | } | |
113 | })(cb)) | |
114 | cb.disabled = false | |
115 | } | |
116 | } | |
117 | </script> | |
118 | </head> | |
119 | <body> | |
120 | <table>"; | |
121 | const HTML_FOOTER: &str = " | |
122 | </table> | |
123 | </body> | |
124 | </html>"; | |
125 | ||
126 | fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
127 | let voter = get_voter(&request); | |
128 | let cfile = std::fs::File::open(dir.join("candidates")) | |
129 | .map_err(|_| cgi::text_response(503, "No candidates"))?; | |
130 | let mut response = cgi::html_response( | |
131 | 200, | |
132 | std::iter::once(Ok(HTML_HEADER.to_owned())) | |
133 | .chain(std::io::BufReader::new(cfile).lines().map(|rc| { | |
134 | rc.map(|c| { | |
135 | format!("<tr><td><input type=\"checkbox\" autocomplete=\"off\" disabled></td><td>{c}</td></tr>") | |
136 | }) | |
137 | })) | |
138 | .chain(std::iter::once(Ok(HTML_FOOTER.to_owned()))) | |
139 | .collect::<std::io::Result<String>>() | |
140 | .map_err(|_| cgi::text_response(503, "Missing candidates"))?, | |
141 | ); | |
142 | if voter.is_err() { | |
143 | response = set_cookie(response, request.uri().path())? | |
144 | } | |
145 | Ok(response) | |
146 | } | |
147 | ||
148 | fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> { | |
149 | let datum = [voter, b" ", vote, b"\n"].concat(); | |
150 | let vpath = dir.join("votes"); | |
151 | let vfile = std::fs::File::options() | |
152 | .append(true) | |
153 | .create(true) | |
154 | .open(vpath)?; | |
155 | let mut vlock = fd_lock::RwLock::new(vfile); | |
156 | vlock.write()?.write(&datum)?; | |
157 | Ok(()) | |
158 | } | |
159 | ||
160 | fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
161 | let body = request.body(); | |
162 | // Valid votes look like "0 foo" or "1 bar" | |
163 | if body.len() < 3 | |
164 | || (body[0] != b'0' && body[0] != b'1') | |
165 | || body[1] != b' ' | |
166 | || body.contains(&b'\n') | |
167 | { | |
168 | return Err(cgi::text_response(415, "Invalid vote")); | |
169 | } | |
170 | write_vote(dir, &get_voter(&request)?, body) | |
171 | .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?; | |
172 | Ok(cgi::text_response(200, "Vote recorded")) | |
173 | } | |
174 | ||
175 | fn strip_body(mut response: cgi::Response) -> cgi::Response { | |
176 | response.body_mut().clear(); | |
177 | response | |
178 | } | |
179 | ||
180 | fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> { | |
181 | let dir = validate_path(request.uri().path())?; | |
182 | match request.method() { | |
183 | &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body), | |
184 | &cgi::http::Method::GET => prompt_for_vote(dir, request), | |
185 | &cgi::http::Method::PUT => record_vote(dir, request), | |
186 | _ => Err(cgi::text_response(405, "Huh?")), | |
187 | } | |
188 | } | |
189 | ||
190 | fn respond_or_report_error(request: cgi::Request) -> cgi::Response { | |
191 | match respond(request) { | |
192 | Ok(result) => result, | |
193 | Err(error) => error, | |
194 | } | |
195 | } | |
196 | ||
197 | cgi::cgi_main! { respond_or_report_error } |