S.O.N.G/OrbitalBeat
S.O.N.G/OrbitalBeat
3
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
OrbitalBeat/OrbitalBeat.go

649 lines
16 KiB
Go
Raw Blame History

package main
import (
"bytes"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/elliptic"
"crypto/rand"
"crypto/tls"
"crypto/x509"
"crypto/x509/pkix"
"database/sql"
"encoding/base32"
"encoding/binary"
"encoding/hex"
"encoding/pem"
"flag"
"fmt"
"github.com/ipfs/go-cid"
_ "github.com/lib/pq"
"github.com/multiformats/go-multihash"
"log"
"math/big"
"net/http"
"net/url"
"os"
"path"
"strconv"
"strings"
"sync"
"sync/atomic"
"time"
"unicode"
)
type ContentCacheEntry struct {
Entry ContentEntry
File *os.File
RefCount int64
AccessTime time.Time
}
func (e *ContentCacheEntry) valid() bool {
return atomic.LoadInt64(&e.RefCount) > 0
}
func (e *ContentCacheEntry) borrow() *ContentCacheEntry {
if e.valid() {
if atomic.AddInt64(&e.RefCount, 1) > 1 {
return e
} else { //Has already been deallocated or is in the process
atomic.AddInt64(&e.RefCount, -1)
}
}
return nil
}
func (e *ContentCacheEntry) release() {
objectCacheMutex.Lock()
if atomic.AddInt64(&e.RefCount, -1) == 0 {
defer e.File.Close()
delete(objectCache, e.Entry.Identifier)
}
objectCacheMutex.Unlock()
}
var base32Encoding = base32.NewEncoding("qpzry9x8gf2tvdw0s3jn54khce6mua7l").WithPadding(base32.NoPadding)
var dbHandle *sql.DB
var sniAddress string
var sha256Statement *sql.Stmt
var md5Statement *sql.Stmt
var fdlimit int
var objectCacheMutex sync.RWMutex
var objectCache = make(map[cid.Cid]*ContentCacheEntry)
var messageCacheLimit int
var messageCacheMutex sync.RWMutex
var messageCache = make(map[string]*ContentMessage)
var trustedPublicKeys []ed25519.PublicKey
func isSNIAllowed(sni string) bool {
return len(sniAddress) == 0 || sni == sniAddress
}
func getFirstValidContentEntry(entries *[]ContentEntry) *ContentEntry {
for _, entry := range *entries {
stat, err := os.Stat(entry.Path)
if err == nil /*&& uint64(stat.Size()) == entry.Size*/ { //TODO: update Size if not found
copiedEntry := entry
copiedEntry.Size = uint64(stat.Size())
return &copiedEntry
}
}
return nil
}
func handleQueryRequest(w http.ResponseWriter, r *http.Request, identifier cid.Cid, extraArguments []string) {
var cacheEntry = tryGetCacheEntryForIdentifier(identifier)
if cacheEntry == nil {
result := getEntriesForCID(identifier)
entry := getFirstValidContentEntry(&result)
if entry != nil {
cacheEntry = getCacheEntryForContentEntry(entry)
}
}
if cacheEntry == nil {
var origin string
if r.Header.Get("Referer") != "" {
origin = r.Header.Get("Referer")
} else if r.Header.Get("Origin") != "" {
origin = r.Header.Get("Origin")
}
//Try to redirect back to origin
if len(extraArguments) > 0 && origin != "" {
mh, _ := multihash.Decode(identifier.Hash())
var kind string
if mh.Code == multihash.SHA2_256 {
kind = "sha256"
} else if mh.Code == multihash.MD5 {
kind = "md5"
}
if kind != "" {
http.Redirect(w, r, fmt.Sprintf("%s/%s/%s/%s", origin, kind, hex.EncodeToString(mh.Digest), strings.Join(extraArguments, "/")), http.StatusFound)
return
}
}
w.WriteHeader(http.StatusNotFound)
return
}
defer cacheEntry.release()
w.Header().Set("Accept-Ranges", "bytes")
w.Header().Set("ETag", cacheEntry.Entry.Identifier.String())
w.Header().Set("Content-Length", strconv.FormatUint(cacheEntry.Entry.Size, 10))
w.Header().Set("Cache-Control", "public, max-age=2592000, immutable")
filename := path.Base(cacheEntry.Entry.Path)
//TODO: setting to hide filename
w.Header().Set("Content-Disposition", fmt.Sprintf("inline; filename*=utf-8''%s", url.PathEscape(filename)))
http.ServeContent(w, r, filename, time.Date(1970, 0, 0, 0, 0, 0, 0, time.UTC), cacheEntry.File)
}
func isASCII(s string) bool {
for _, c := range s {
if c > unicode.MaxASCII {
return false
}
}
return true
}
func setOtherHeaders(w http.ResponseWriter) {
w.Header().Set("Server", "OrbitalBeat")
w.Header().Set("Vary", "Content-Encoding")
w.Header().Set("X-Content-Type-Options", "nosniff")
}
func setCORSHeaders(w http.ResponseWriter) {
w.Header().Set("Access-Control-Allow-Credentials", "true")
w.Header().Set("Access-Control-Max-Age", "7200") //Firefox caps this to 86400, Chrome to 7200. Default is 5 seconds (!!!)
w.Header().Set("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "DNT,ETag,Origin,Accept,Accept-Language,X-Requested-With,Range")
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Expose-Headers", "*")
//CORP, COEP, COOP
w.Header().Set("Cross-Origin-Embedder-Policy", "require-corp")
w.Header().Set("Cross-Origin-Resource-Policy", "cross-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "unsafe-none")
}
func getCacheEntryForContentEntry(entry *ContentEntry) *ContentCacheEntry {
cacheEntry := tryGetCacheEntryForIdentifier(entry.Identifier)
if cacheEntry != nil {
return cacheEntry
}
objectCacheMutex.Lock()
defer objectCacheMutex.Unlock()
if len(objectCache) >= fdlimit {
//Find oldest value, remove it
var item *ContentCacheEntry
for _, e := range objectCache {
if item == nil || e.AccessTime.Before(item.AccessTime) {
item = e
}
}
if item != nil {
delete(objectCache, item.Entry.Identifier)
item.release()
}
}
f, err := os.Open(entry.Path)
if err != nil {
return nil
}
objectCache[entry.Identifier] = &ContentCacheEntry{
Entry: *entry,
File: f,
RefCount: 1,
AccessTime: time.Now(),
}
return objectCache[entry.Identifier].borrow()
}
func tryGetCacheEntryForIdentifier(identifier cid.Cid) *ContentCacheEntry {
objectCacheMutex.RLock()
defer objectCacheMutex.RUnlock()
cacheEntry, ok := objectCache[identifier]
if ok {
cacheEntry := cacheEntry.borrow()
cacheEntry.AccessTime = time.Now().UTC()
return cacheEntry
}
return nil
}
func IsTrustedPublicKey(key ed25519.PublicKey) bool {
for _, k := range trustedPublicKeys {
if bytes.Compare(k, key) == 0 {
return true
}
}
return false
}
func handle(w http.ResponseWriter, r *http.Request) {
if len(r.Host) > 0 && r.Host == r.TLS.ServerName { //Prevents rebinding / DNS stuff
w.WriteHeader(http.StatusNotFound)
return
}
if r.Method == "GET" || r.Method == "HEAD" {
log.Printf("Serve %s", r.URL.Path)
setOtherHeaders(w)
setCORSHeaders(w)
pathElements := strings.Split(r.URL.Path, "/")
if len(pathElements) < 2 {
w.WriteHeader(http.StatusBadRequest)
return
}
messageBytes, err := base32Encoding.DecodeString(pathElements[1])
if err != nil {
w.WriteHeader(http.StatusBadRequest)
return
}
message := DecodeContentMessage(messageBytes)
if message == nil {
w.WriteHeader(http.StatusBadRequest)
return
}
if !IsTrustedPublicKey(message.PublicKey) {
w.WriteHeader(http.StatusForbidden)
return
}
if !message.verify() {
w.WriteHeader(http.StatusForbidden)
return
}
log.Printf("Valid %s %s", r.URL.Path, message.Identifier.String())
handleQueryRequest(w, r, message.Identifier, pathElements[2:])
} else if r.Method == "OPTIONS" {
setOtherHeaders(w)
setCORSHeaders(w)
w.WriteHeader(http.StatusNoContent)
} else {
w.WriteHeader(http.StatusNotImplemented)
}
}
//TODO: move this to a library
type ContentMessage struct {
Version uint64
PublicKey ed25519.PublicKey
IssueTime int64
Identifier cid.Cid
VerificationResult *bool
Signature []byte
}
func (s *ContentMessage) sign(privateKey ed25519.PrivateKey) {
s.PublicKey = make([]byte, ed25519.PublicKeySize)
copy(s.PublicKey, privateKey[32:])
s.Signature = ed25519.Sign(privateKey, s.encodeMessage())
s.VerificationResult = nil
}
func (s *ContentMessage) verify() bool {
currentTime := time.Now()
notBefore := currentTime.Add(-time.Hour) //Only one hour before time
notAfter := currentTime.Add(time.Hour * 24) //Only 24 hours after time
issueTime := time.Unix(s.IssueTime, 0)
if issueTime.Before(notBefore) {
return false
}
if issueTime.After(notAfter) {
return false
}
messageCacheMutex.RLock()
k := string(s.encode())
cachedMessage, ok := messageCache[k]
messageCacheMutex.RUnlock()
if ok {
return *cachedMessage.VerificationResult
}
messageCacheMutex.Lock()
defer messageCacheMutex.Unlock()
if s.VerificationResult == nil {
makeBool := func(v bool) *bool { return &v }
s.VerificationResult = makeBool(ed25519.Verify(s.PublicKey, s.encodeMessage(), s.Signature))
}
if len(messageCache) >= messageCacheLimit {
//Find oldest value, remove it
var item *ContentMessage
for _, e := range messageCache {
if item == nil || e.IssueTime < item.IssueTime {
item = e
}
}
if item != nil {
delete(messageCache, string(item.encode()))
}
}
messageCache[k] = s
return *s.VerificationResult
}
func (s *ContentMessage) encodeMessage() []byte {
message := &bytes.Buffer{}
buf := make([]byte, binary.MaxVarintLen64)
n := binary.PutUvarint(buf, s.Version) //signature version
_, _ = message.Write(buf[:n])
if s.Version == 0 {
_, _ = message.Write(s.PublicKey)
n = binary.PutVarint(buf, s.IssueTime) //time
_, _ = message.Write(buf[:n])
_, _ = s.Identifier.WriteBytes(message)
return message.Bytes()
}
return nil
}
func (s *ContentMessage) encode() []byte {
message := s.encodeMessage()
if message == nil || len(s.Signature) != ed25519.SignatureSize {
return nil
}
return append(message, s.Signature...)
}
func (s ContentMessage) String() string {
return fmt.Sprintf("%d %x %d %s %x", s.Version, s.PublicKey, s.IssueTime, s.Identifier.String(), s.Signature)
}
func DecodeContentMessage(signatureBytes []byte) *ContentMessage {
message := ContentMessage{}
buffer := bytes.NewBuffer(signatureBytes)
var err error
message.Version, err = binary.ReadUvarint(buffer)
if err != nil {
log.Print(err)
return nil
}
if message.Version == 0 {
message.PublicKey = make([]byte, ed25519.PublicKeySize)
_, err := buffer.Read(message.PublicKey)
if err != nil {
log.Print(message.String())
log.Print(err)
return nil
}
message.IssueTime, err = binary.ReadVarint(buffer)
if err != nil {
log.Print(message.String())
log.Print(err)
return nil
}
_, message.Identifier, err = cid.CidFromReader(buffer)
if err != nil {
log.Print(message.String())
log.Print(err)
return nil
}
message.Signature = make([]byte, ed25519.SignatureSize)
_, err = buffer.Read(message.Signature)
if err != nil {
log.Print(message.String())
log.Print(err)
return nil
}
if buffer.Len() != 0 { //Unknown extra data
log.Print(message.String())
log.Printf("%x", buffer.Bytes())
return nil
}
return &message
}
return nil
}
type ContentEntry struct {
Identifier cid.Cid
Path string
Size uint64
}
func handleQuery(rows *sql.Rows, err error) []ContentEntry {
if err != nil {
log.Print(err)
return []ContentEntry{}
}
defer rows.Close()
var result []ContentEntry
for rows.Next() {
var entry ContentEntry
var sha256 multihash.Multihash
var size sql.NullInt64
err := rows.Scan(&entry.Path, &size, &sha256)
if err != nil {
log.Print(err)
break
}
if size.Valid {
entry.Size = uint64(size.Int64)
}
mh, _ := multihash.Encode(sha256, multihash.SHA2_256)
entry.Identifier = cid.NewCidV1(cid.Raw, mh)
result = append(result, entry)
}
return result
}
func getEntriesForCID(identifier cid.Cid) []ContentEntry {
mh, _ := multihash.Decode(identifier.Hash())
if mh.Code == multihash.SHA2_256 {
return handleQuery(sha256Statement.Query(mh.Digest))
} else if mh.Code == multihash.MD5 {
return handleQuery(md5Statement.Query(mh.Digest))
}
return []ContentEntry{}
}
func createSelfSignedCertificate() ([]byte, []byte) {
x509Template := x509.Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{},
NotBefore: time.Unix(0, 0).UTC(),
NotAfter: time.Date(time.Now().UTC().Year()+10, 0, 0, 0, 0, 0, 0, time.UTC),
KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
MaxPathLen: 1,
}
privateBogusKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
if err != nil {
log.Fatal(err)
}
certBytes, err := x509.CreateCertificate(rand.Reader, &x509Template, &x509Template, privateBogusKey.Public(), privateBogusKey)
if err != nil {
log.Fatal(err)
}
keyBytes, err := x509.MarshalPKCS8PrivateKey(privateBogusKey)
if err != nil {
log.Fatal(err)
}
return pem.EncodeToMemory(&pem.Block{
Type: "CERTIFICATE",
Bytes: certBytes,
}),
pem.EncodeToMemory(&pem.Block{
Type: "PRIVATE KEY",
Bytes: keyBytes,
})
}
func main() {
//TODO: OCSP
certificatePath := flag.String("certificate", "ssl.crt", "Path to SSL certificate file.")
keypairPath := flag.String("keypair", "ssl.key", "Path to SSL key file.")
pgConnStr := flag.String("connstr", "", "Postgres connection string for postgres database")
listenAddress := flag.String("listen", ":7777", "Path to SSL key file.")
trustedKeys := flag.String("trusted_keys", "", "Trusted list of public keys, comma separated.")
sniAddressOption := flag.String("sni", "", "Define SNI address if desired. Empty will serve any requests regardless.")
fdLimitOption := flag.Int("fdlimit", 128, "Maximum number of lingering cached open files.")
signatureCacheLimitOption := flag.Int("siglimit", 4096, "Maximum number of lingering valid signature cache results.")
flag.Parse()
fdlimit = *fdLimitOption
messageCacheLimit = *signatureCacheLimitOption
var err error
for _, k := range strings.Split(*trustedKeys, ",") {
var publicKey ed25519.PublicKey
publicKey, err = base32Encoding.DecodeString(strings.Trim(k, " "))
if err != nil {
log.Fatal(err)
}
if len(publicKey) != ed25519.PublicKeySize {
continue
}
trustedPublicKeys = append(trustedPublicKeys, publicKey)
log.Printf("Added public key %x", publicKey)
}
dbHandle, err = sql.Open("postgres", *pgConnStr)
if err != nil {
log.Fatal(err)
}
defer dbHandle.Close()
sha256Statement, err = dbHandle.Prepare("SELECT path, size, sha256 FROM entries WHERE sha256 = $1;")
if err != nil {
log.Fatal(err)
}
defer sha256Statement.Close()
md5Statement, err = dbHandle.Prepare("SELECT path, size, sha256 FROM entries WHERE md5 = $1;")
if err != nil {
log.Fatal(err)
}
defer md5Statement.Close()
//TODO: create postgres tables
sniAddress = strings.ToLower(*sniAddressOption)
bogusCertificatePEM, bogusKeyPairPEM := createSelfSignedCertificate()
bogusCertificate, err := tls.X509KeyPair(bogusCertificatePEM, bogusKeyPairPEM)
if err != nil {
log.Fatal(err)
}
serverCertificate, err := tls.LoadX509KeyPair(*certificatePath, *keypairPath)
if err != nil {
log.Fatal(err)
}
server := &http.Server{
Addr: *listenAddress,
Handler: http.HandlerFunc(handle),
TLSConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
MaxVersion: 0, //max supported, currently TLS 1.3
CurvePreferences: []tls.CurveID{
tls.X25519,
tls.CurveP256,
tls.CurveP384,
},
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
PreferServerCipherSuites: false,
SessionTicketsDisabled: false,
Renegotiation: tls.RenegotiateFreelyAsClient,
NextProtos: []string{
"h2",
"http/1.1",
},
GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
if isSNIAllowed(info.ServerName) {
return &serverCertificate, nil
}
return &bogusCertificate, nil
},
},
}
log.Printf("Serving on %s", *listenAddress)
log.Fatal(server.ListenAndServeTLS(*certificatePath, *keypairPath))
}
Reference in a new issue View git blame Copy permalink