X-Git-Url: http://git.scottworley.com/voter/blobdiff_plain/d1df2e736f7d6a99551b2361c00ae2cc0f090e10..dd0a124698a0ded987f7b5b426607308b0e79ffc:/src/main.rs?ds=inline diff --git a/src/main.rs b/src/main.rs index 574d43f..273a719 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,7 +1,134 @@ -fn respond(request: cgi::Request) -> Result { - let greeting = std::fs::read_to_string("greeting.txt").map_err(|_| "Couldn't open file")?; +use rand::prelude::*; +use std::io::prelude::*; +use std::path::{Path, PathBuf}; - Ok(cgi::text_response(200, greeting)) +const DATA_PATH: &str = "/var/lib/voter"; +const COOKIE_NAME: &[u8] = b"__Secure-id"; +const COOKIE_LENGTH: usize = 32; + +fn validate_path(path: &str) -> Result { + let invalid_path = || cgi::text_response(404, "Invalid path"); + if path == "/" { + return Err(cgi::text_response(404, "(This is the voting place. You should have been given a more specific URL for the specific thing you've been invited to vote on.)")); + } + if path.contains("..") || !path.starts_with("/") { + return Err(invalid_path()); + } + let dir = Path::new(&format!("{DATA_PATH}{path}")).to_path_buf(); + if !dir + .canonicalize() + .map_err(|_| invalid_path())? + .starts_with(DATA_PATH) + { + return Err(invalid_path()); + } + if !dir.is_dir() { + return Err(invalid_path()); + } + Ok(dir) +} + +fn get_voter(request: &cgi::Request) -> Result<&[u8], cgi::Response> { + // Expect exactly one cookie, exactly as we generate it. + let cookie = request + .headers() + .get(cgi::http::header::COOKIE) + .map(|c| c.as_bytes()) + .and_then(|c| c.strip_prefix(COOKIE_NAME)) + .and_then(|c| c.strip_prefix(b"=")) + .ok_or_else(|| cgi::text_response(400, "Invalid cookie"))?; + if cookie.len() != COOKIE_LENGTH || cookie.contains(&b' ') || cookie.contains(&b';') { + Err(cgi::text_response(400, "Invalid cookie")) + } else { + Ok(cookie) + } +} + +fn make_random_id() -> [u8; COOKIE_LENGTH] { + std::iter::from_fn(random) + .filter(|c| { + (b'A'..=b'Z').contains(c) || (b'a'..=b'z').contains(c) || (b'0'..=b'9').contains(c) + }) + .take(COOKIE_LENGTH) + .collect::>() + .try_into() + .unwrap() +} + +fn set_cookie(mut response: cgi::Response, path: &str) -> Result { + response.headers_mut().append( + cgi::http::header::SET_COOKIE, + cgi::http::header::HeaderValue::from_bytes( + &[ + COOKIE_NAME, + b"=", + &make_random_id(), + b"; Secure HttpOnly SameSite=Strict Max-Age=30000000 Path=", + path.as_bytes(), + ] + .concat(), + ) + .map_err(|_| cgi::text_response(503, "Couldn't make cookie"))?, + ); + Ok(response) +} + +fn prompt_for_vote(dir: PathBuf, request: cgi::Request) -> Result { + let voter = get_voter(&request); + let mut response = cgi::html_response(200, "You should vote"); + if voter.is_err() { + response = set_cookie(response, request.uri().path())? + } + Ok(response) +} + +fn write_vote(dir: PathBuf, voter: &[u8], vote: &[u8]) -> std::io::Result<()> { + let datum = [voter, b" ", vote, b"\n"].concat(); + let vpath = dir.join("votes"); + let vfile = std::fs::File::options() + .append(true) + .create(true) + .open(vpath)?; + let mut vlock = fd_lock::RwLock::new(vfile); + vlock.write()?.write(&datum)?; + Ok(()) +} + +fn record_vote(dir: PathBuf, request: cgi::Request) -> Result { + let body = request.body(); + // Valid votes look like "0 foo" or "1 bar" + if body.len() < 3 + || (body[0] != b'0' && body[0] != b'1') + || body[1] != b' ' + || body.contains(&b'\n') + { + return Err(cgi::text_response(415, "Invalid vote")); + } + write_vote(dir, &get_voter(&request)?, body) + .map_err(|_| cgi::text_response(503, "Couldn't record vote"))?; + Ok(cgi::text_response(200, "Vote recorded")) +} + +fn strip_body(mut response: cgi::Response) -> cgi::Response { + response.body_mut().clear(); + response +} + +fn respond(request: cgi::Request) -> Result { + let dir = validate_path(request.uri().path())?; + match request.method() { + &cgi::http::Method::HEAD => prompt_for_vote(dir, request).map(strip_body), + &cgi::http::Method::GET => prompt_for_vote(dir, request), + &cgi::http::Method::PUT => record_vote(dir, request), + _ => Err(cgi::text_response(405, "Huh?")), + } +} + +fn respond_or_report_error(request: cgi::Request) -> cgi::Response { + match respond(request) { + Ok(result) => result, + Err(error) => error, + } } -cgi::cgi_try_main! { respond } +cgi::cgi_main! { respond_or_report_error }