Merge pull request src-d#178 from camathieu/1.2

1.2

Author: bodji

client/archive/zip/zip.go

@@ -49,7 +49,7 @@ type Backend struct {
 func NewZipBackend(config map[string]interface{}) (zb *Backend, err error) {
 	zb = new(Backend)
 	zb.Config = NewZipBackendConfig(config)
-	if _, err := os.Stat(zb.Config.Zip); os.IsNotExist(err) || os.IsPermission(err) {
+	if _, err = os.Stat(zb.Config.Zip); os.IsNotExist(err) || os.IsPermission(err) {
 		if zb.Config.Zip, err = exec.LookPath("zip"); err != nil {
 			err = errors.New("zip binary not found in $PATH, please install or edit ~/.plickrc")
 		}

client/plik.go

@@ -224,15 +224,10 @@ Options:
 		}
 	}
 
-	// Comments
+	// Display commands
 	if !uploadInfo.Stream {
-		var totalSize int64
 		printf("\nCommands : \n")
 		for _, file := range uploadInfo.Files {
-
-			// Increment size
-			totalSize += file.CurrentSize
-
 			// Print file information (only url if quiet mode is enabled)
 			if config.Config.Quiet {
 				fmt.Println(getFileURL(uploadInfo, file))
@@ -657,9 +652,9 @@ func updateClient(updateFlag bool) (err error) {
 	}
 
 	if version != "" {
-		printf("Plik client sucessfully updated to %s\n", version)
+		printf("Plik client successfully updated to %s\n", version)
 	} else {
-		printf("Plik client sucessfully updated\n")
+		printf("Plik client successfully updated\n")
 	}
 
 	return

documentation/api.md

@@ -58,6 +58,9 @@ Get file :
   - **GET**  /$mode/:uploadid:/:fileid:/:filename:/yubikey/:yubikeyOtp:
     - Same as previous call, except that you can specify a Yubikey OTP in the URL if the upload is Yubikey restricted.
 
+  - **GET**  /archive/:uploadid:/:filename:
+    - Download uploaded files in a zip archive. :filename: must end with .zip
+
 Remove file :
 
    - **DELETE** /$mode/:uploadid:/:fileid:/:filename:

server/handlers/getArchive.go

@@ -0,0 +1,200 @@
+/**
+
+    Plik upload server
+
+The MIT License (MIT)
+
+Copyright (c) <2015>
+	- Mathieu Bodjikian <[email protected]>
+	- Charles-Antoine Mathieu <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+**/
+
+package handlers
+
+import (
+	"archive/zip"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/root-gg/plik/server/Godeps/_workspace/src/github.com/gorilla/mux"
+	"github.com/root-gg/plik/server/Godeps/_workspace/src/github.com/root-gg/juliet"
+	"github.com/root-gg/plik/server/common"
+	"github.com/root-gg/plik/server/dataBackend"
+	"github.com/root-gg/plik/server/metadataBackend"
+)
+
+// GetArchive download all file of the upload in a zip archive
+func GetArchive(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request) {
+	log := common.GetLogger(ctx)
+
+	// If a download domain is specified verify that the request comes from this specific domain
+	if common.Config.DownloadDomainURL != nil {
+		if req.Host != common.Config.DownloadDomainURL.Host {
+			downloadURL := fmt.Sprintf("%s://%s%s",
+				common.Config.DownloadDomainURL.Scheme,
+				common.Config.DownloadDomainURL.Host,
+				req.RequestURI)
+			log.Warningf("Invalid download domain %s, expected %s", req.Host, common.Config.DownloadDomainURL.Host)
+			http.Redirect(resp, req, downloadURL, 301)
+			return
+		}
+	}
+
+	// Get upload from context
+	upload := common.GetUpload(ctx)
+	if upload == nil {
+		// This should never append
+		log.Critical("Missing upload in getFileHandler")
+		common.Fail(ctx, req, resp, "Internal error", 500)
+		return
+	}
+
+	// Get files to archive
+	var files []*common.File
+	for _, file := range upload.Files {
+		// If upload has OneShot option, test if one of the files has not been already downloaded once
+		if upload.OneShot && file.Status == "downloaded" {
+			log.Warningf("File %s has already been downloaded", file.Name)
+			common.Fail(ctx, req, resp, fmt.Sprintf("File %s has already been downloaded", file.Name), 404)
+			return
+		}
+
+		// If the file is marked as deleted by a previous call, we abort request
+		if file.Status == "removed" {
+			log.Warningf("File %s has been removed", file.Name)
+			common.Fail(ctx, req, resp, "File %s has been removed", 404)
+			return
+		}
+
+		files = append(files, file)
+	}
+
+	if len(files) == 0 {
+		common.Fail(ctx, req, resp, "Nothing to archive", 404)
+		return
+	}
+
+	// Set content type
+	resp.Header().Set("Content-Type", "application/zip")
+
+	/* Additional security headers for possibly unsafe content */
+	resp.Header().Set("X-Content-Type-Options", "nosniff")
+	resp.Header().Set("X-XSS-Protection", "1; mode=block")
+	resp.Header().Set("X-Frame-Options", "DENY")
+	resp.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'none'; style-src 'none'; img-src 'none'; connect-src 'none'; font-src 'none'; object-src 'none'; media-src 'none'; child-src 'none'; form-action 'none'; frame-ancestors 'none'; plugin-types ''; sandbox ''")
+
+	// Get the file name from the url params
+	vars := mux.Vars(req)
+	fileName := vars["filename"]
+	if fileName == "" {
+		log.Warning("Missing file name")
+		common.Fail(ctx, req, resp, "Missing file name", 400)
+		return
+	}
+
+	if strings.HasSuffix(".zip", fileName) {
+		log.Warningf("Invalid file name %s. Missing .zip extention", fileName)
+		common.Fail(ctx, req, resp, fmt.Sprintf("Invalid file name %s. Missing .zip extention", fileName), 400)
+		return
+	}
+
+	// If "dl" GET params is set
+	// -> Set Content-Disposition header
+	// -> The client should download file instead of displaying it
+	dl := req.URL.Query().Get("dl")
+	if dl != "" {
+		resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachement; filename="%s"`, fileName))
+	} else {
+		resp.Header().Set("Content-Disposition", fmt.Sprintf(`filename="%s"`, fileName))
+	}
+
+	// HEAD Request => Do not print file, user just wants http headers
+	// GET  Request => Print file content
+	if req.Method == "GET" {
+		// Get file in data backend
+
+		if upload.Stream {
+			common.Fail(ctx, req, resp, "Archive feature is not available in stream mode", 404)
+			return
+		}
+
+		backend := dataBackend.GetDataBackend()
+
+		// The zip archive is piped directly to http response body without buffering
+		archive := zip.NewWriter(resp)
+
+		for _, file := range files {
+			fileReader, err := backend.GetFile(ctx, upload, file.ID)
+			if err != nil {
+				log.Warningf("Failed to get file %s in upload %s : %s", file.Name, upload.ID, err)
+				common.Fail(ctx, req, resp, fmt.Sprintf("Failed to read file %s", file.Name), 404)
+				return
+			}
+
+			fileWriter, err := archive.Create(file.Name)
+			if err != nil {
+				log.Warningf("Failed to add file %s to the archive : %s", file.Name, err)
+				common.Fail(ctx, req, resp, fmt.Sprintf("Failed to add file %s to the archive", file.Name), 500)
+				return
+			}
+
+			// Update metadata if oneShot option is set
+			if upload.OneShot {
+				file.Status = "downloaded"
+				err = metadataBackend.GetMetaDataBackend().AddOrUpdateFile(ctx, upload, file)
+				if err != nil {
+					log.Warningf("Error while deleting file %s from upload %s metadata : %s", file.Name, upload.ID, err)
+				}
+			}
+
+			// File is piped directly to zip archive thus to the http response body without buffering
+			_, err = io.Copy(fileWriter, fileReader)
+			if err != nil {
+				log.Warningf("Error while copying file to response : %s", err)
+			}
+
+			err = fileReader.Close()
+			if err != nil {
+				log.Warningf("Error while closing file reader : %s", err)
+			}
+
+			// Remove file from data backend if oneShot option is set
+			if upload.OneShot {
+				err = backend.RemoveFile(ctx, upload, file.ID)
+				if err != nil {
+					log.Warningf("Error while deleting file %s from upload %s : %s", file.Name, upload.ID, err)
+					return
+				}
+			}
+		}
+
+		err := archive.Close()
+		if err != nil {
+			log.Warningf("Failed to close zip archive : %s", err)
+			return
+		}
+
+		// Remove upload if no files anymore
+		RemoveUploadIfNoFileAvailable(ctx, upload)
+	}
+}

server/handlers/getFile.go

@@ -36,7 +36,6 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/root-gg/plik/server/Godeps/_workspace/src/github.com/gorilla/mux"
 	"github.com/root-gg/plik/server/Godeps/_workspace/src/github.com/root-gg/juliet"
 	"github.com/root-gg/plik/server/common"
 	"github.com/root-gg/plik/server/dataBackend"
@@ -92,53 +91,12 @@ func GetFile(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	// If upload is yubikey protected, user must send an OTP when he wants to get a file.
-	if upload.Yubikey != "" {
-
-		// Error if yubikey is disabled on server, and enabled on upload
-		if !common.Config.YubikeyEnabled {
-			log.Warningf("Got a Yubikey upload but Yubikey backend is disabled")
-			common.Fail(ctx, req, resp, "Yubikey are disabled on this server", 403)
-			return
-		}
-
-		vars := mux.Vars(req)
-		token := vars["yubikey"]
-		if token == "" {
-			log.Warningf("Missing yubikey token")
-			common.Fail(ctx, req, resp, "Invalid yubikey token", 401)
-			return
-		}
-		if len(token) != 44 {
-			log.Warningf("Invalid yubikey token : %s", token)
-			common.Fail(ctx, req, resp, "Invalid yubikey token", 401)
-			return
-		}
-		if token[:12] != upload.Yubikey {
-			log.Warningf("Invalid yubikey device : %s", token)
-			common.Fail(ctx, req, resp, "Invalid yubikey token", 401)
-			return
-		}
-
-		_, isValid, err := common.Config.YubiAuth.Verify(token)
-		if err != nil {
-			log.Warningf("Failed to validate yubikey token : %s", err)
-			common.Fail(ctx, req, resp, "Invalid yubikey token", 500)
-			return
-		}
-		if !isValid {
-			log.Warningf("Invalid yubikey token : %s", token)
-			common.Fail(ctx, req, resp, "Invalid yubikey token", 401)
-			return
-		}
-	}
-
 	// Avoid rendering HTML in browser
 	if strings.Contains(file.Type, "html") {
 		file.Type = "text/plain"
 	}
 
-	if file.Type == "" || strings.Contains(file.Type, "flash") {
+	if file.Type == "" || strings.Contains(file.Type, "flash") || strings.Contains(file.Type, "pdf") {
 		file.Type = "application/octet-stream"
 	}
 
@@ -175,6 +133,7 @@ func GetFile(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request) {
 		} else {
 			backend = dataBackend.GetDataBackend()
 		}
+
 		fileReader, err := backend.GetFile(ctx, upload, file.ID)
 		if err != nil {
 			log.Warningf("Failed to get file %s in upload %s : %s", file.Name, upload.ID, err)

server/handlers/misc.go

@@ -120,7 +120,7 @@ func GetQrCode(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request)
 }
 
 // RemoveUploadIfNoFileAvailable iterates on upload files and remove upload files
-// and metadata if all the files have been downloaded (usefull for OneShot uploads)
+// and metadata if all the files have been downloaded (useful for OneShot uploads)
 func RemoveUploadIfNoFileAvailable(ctx *juliet.Context, upload *common.Upload) {
 	log := common.GetLogger(ctx)