git.scottworley.com Git - voter/blob - src/main.rs

   1 use rand::prelude::*;
   2 use std::io::prelude::*;
   3 use std::path::{Path, PathBuf};
   4
   5 const DATA_PATH: &str = "/var/lib/voter";
   6 const COOKIE_NAME: &[u8] = b"__Secure-id";
   7 const COOKIE_LENGTH: usize = 12;
   8
   9 fn validate_path(path: &str) -> Result<PathBuf, cgi::Response> {
  10     let invalid_path = || cgi::text_response(404, "Invalid path");
  11     if path == "/" {
  12         return Err(cgi::text_response(404, "(This is the voting place.  You should have been given a more specific URL for the specific thing you've been invited to vote on.)"));
  13     }
  14     if path.contains("..") || !path.starts_with("/") {
  15         return Err(invalid_path());
  16     }
  17     let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf();
  18     if !dir
  19         .canonicalize()
  20         .map_err(|_| invalid_path())?
  21         .starts_with(DATA_PATH)
  22     {
  23         return Err(invalid_path());
  24     }
  25     if !dir.is_dir() {
  26         return Err(invalid_path());
  27     }
  28     Ok(dir)
  29 }
  30
  31 fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> {
  32     // Expect exactly one cookie, exactly as we generate it.
  33     let cookie = request
  34         .headers()
  35         .get(cgi::http::header::COOKIE)
  36         .map(|c| c.as_bytes())
  37         .and_then(|c| c.strip_prefix(COOKIE_NAME))
  38         .and_then(|c| c.strip_prefix(b"="))
  39         .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?;
  40     if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') {
  41         Err(cgi::text_response(400, "Invalid cookie"))
  42     } else {
  43         Ok(cookie)
  44     }
  45 }
  46
  47 fn make_random_id() -> [u8; COOKIE_LENGTH] {
  48     let mut id = [0; COOKIE_LENGTH];
  49     for i in 0..COOKIE_LENGTH {
  50         while !(b'A'..=b'Z').contains(&id[i])
  51             && !(b'a'..=b'z').contains(&id[i])
  52             && !(b'0'..=b'9').contains(&id[i])
  53         {
  54             id[i] = random()
  55         }
  56     }
  57     id
  58 }
  59
  60 fn set_cookie(mut response: cgi::Response, path: &str) -> Result<cgi::Response, cgi::Response> {
  61     response.headers_mut().append(
  62         cgi::http::header::SET_COOKIE,
  63         cgi::http::header::HeaderValue::from_bytes(
  64             &[
  65                 COOKIE_NAME,
  66                 b"=",
  67                 &make_random_id(),
  68                 b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=",
  69                 path.as_bytes(),
  70             ]
  71             .concat(),
  72         )
  73         .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?,
  74     );
  75     Ok(response)
  76 }
  77
  78 const HTML_HEADER: &str = "
  79 <html>
  80   <head>
  81     <title>Vote!</title>
  82     <style>
  83       input { transform: scale(1.5); }
  84     </style>
  85   </head>
  86   <body>
  87     <table>";
  88 const HTML_FOOTER: &str = "
  89     </table>
  90   </body>
  91 </html>";
  92
  93 fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
  94     let voter = get_voter(&request);
  95     let cfile = std::fs::File::open(dir.join("candidates"))
  96         .map_err(|_| cgi::text_response(503, "No candidates"))?;
  97     let mut response = cgi::html_response(
  98         200,
  99         std::iter::once(Ok(HTML_HEADER.to_owned()))
 100             .chain(std::io::BufReader::new(cfile).lines().map(|rc| {
 101                 rc.map(|c| format!("<tr><td><input type=\"checkbox\"></td><td>{c}</td></tr>"))
 102             }))
 103             .chain(std::iter::once(Ok(HTML_FOOTER.to_owned())))
 104             .collect::<std::io::Result<String>>()
 105             .map_err(|_| cgi::text_response(503, "Missing candidates"))?,
 106     );
 107     if voter.is_err() {
 108         response = set_cookie(response, request.uri().path())?
 109     }
 110     Ok(response)
 111 }
 112
 113 fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> {
 114     let datum = [voter, b" ", vote, b"\n"].concat();
 115     let vpath = dir.join("votes");
 116     let vfile = std::fs::File::options()
 117         .append(true)
 118         .create(true)
 119         .open(vpath)?;
 120     let mut vlock = fd_lock::RwLock::new(vfile);
 121     vlock.write()?.write(&datum)?;
 122     Ok(())
 123 }
 124
 125 fn record_vote(dir: PathBuf, request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
 126     let body = request.body();
 127     // Valid votes look like "0 foo" or "1 bar"
 128     if body.len() < 3
 129         || (body[0] != b'0' && body[0] != b'1')
 130         || body[1] != b' '
 131         || body.contains(&b'\n')
 132     {
 133         return Err(cgi::text_response(415, "Invalid vote"));
 134     }
 135     write_vote(dir, &get_voter(&request)?, body)
 136         .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?;
 137     Ok(cgi::text_response(200, "Vote recorded"))
 138 }
 139
 140 fn strip_body(mut response: cgi::Response) -> cgi::Response {
 141     response.body_mut().clear();
 142     response
 143 }
 144
 145 fn respond(request: cgi::Request) -> Result<cgi::Response, cgi::Response> {
 146     let dir = validate_path(request.uri().path())?;
 147     match request.method() {
 148         &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body),
 149         &cgi::http::Method::GET => prompt_for_vote(dir, request),
 150         &cgi::http::Method::PUT => record_vote(dir, request),
 151         _ => Err(cgi::text_response(405, "Huh?")),
 152     }
 153 }
 154
 155 fn respond_or_report_error(request: cgi::Request) -> cgi::Response {
 156     match respond(request) {
 157         Ok(result) => result,
 158         Err(error) => error,
 159     }
 160 }
 161
 162 cgi::cgi_main! { respond_or_report_error }