add PUT handler

Author: davidnewhall

pkg/api/api.go

@@ -1,4 +1,4 @@
-// Package api provides an HTTP API for listing, fetching, and deleting files
+// Package api provides an HTTP API for listing, fetching, uploading, and deleting files
 // written by the UDP ingest path. All operations are scoped to output_path.
 package api
 
@@ -24,18 +24,19 @@ func New(outputPath, password string) *API {
 	}
 }
 
-// Register mounts all API routes onto smuthe server muxx and is intended to be passed as the
+// Register mounts all API routes onto the server mux and is intended to be passed as the
 // register callback to httpserver.New.
 func (a *API) Register(smx *http.ServeMux) {
 	router := mux.NewRouter()
-	apiRouter := router.PathPrefix("/api").Subrouter()
+	apiRouter := router.PathPrefix("/api/").Subrouter()
 	apiRouter.Use(a.authenticate)
 
-	apiRouter.HandleFunc("/list/{path:.+}", a.listHandler).Methods(http.MethodGet)
-	apiRouter.HandleFunc("/file/{path:.+}", a.fileHandler).Methods(http.MethodGet)
-	apiRouter.HandleFunc("/all", a.deleteAllHandler).Methods(http.MethodDelete)
-	apiRouter.HandleFunc("/{path:.+}", a.deleteHandler).Methods(http.MethodDelete)
+	apiRouter.HandleFunc("/list/{path:.+}", a.listHandler).Methods(http.MethodGet)      // /api/list/some/path
+	apiRouter.HandleFunc("/file/{path:.+}", a.fileHandler).Methods(http.MethodGet)      // /api/file/some/path
+	apiRouter.HandleFunc("/file/{path:.+}", a.putFileHandler).Methods(http.MethodPut)   // /api/file/some/path
+	apiRouter.HandleFunc("/all", a.deleteAllHandler).Methods(http.MethodDelete)         // /api/all
+	apiRouter.HandleFunc("/glob/{path:.+}", a.deleteHandler).Methods(http.MethodDelete) // /api/glob/some/path
 
 	smx.Handle("/api/", router)
-	smx.Handle("/api", router)
+	smx.Handle("/api", router) // this 404s.
 }

pkg/api/handlers.go

@@ -111,7 +111,7 @@ func (a *API) fileHandler(resp http.ResponseWriter, req *http.Request) {
 	http.ServeContent(resp, req, info.Name(), info.ModTime(), fileHandle)
 }
 
-// deleteHandler handles DELETE /api/{path} and removes all files or directories
+// deleteHandler handles DELETE /api/glob/{path} and removes all files or directories
 // matching the path. The path may contain * wildcards in any segment.
 func (a *API) deleteHandler(resp http.ResponseWriter, r *http.Request) {
 	rawPath := mux.Vars(r)["path"]

pkg/api/uploads.go

@@ -0,0 +1,141 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/gorilla/mux"
+)
+
+const (
+	// FileMode is the mode for the file.
+	FileMode = 0o640
+	// DirMode is the mode for the directory.
+	DirMode = 0o750
+)
+
+// statusError carries an HTTP status for errors returned to clients as JSON.
+type statusError struct {
+	Code int
+	Msg  string
+}
+
+func (e *statusError) Error() string {
+	return e.Msg
+}
+
+// putFileHandler handles PUT /api/file/{path} and writes the request body to that path.
+// Parent directories are created as needed. Wildcards are not permitted.
+func (a *API) putFileHandler(resp http.ResponseWriter, req *http.Request) {
+	var se *statusError
+	switch relPath, created, err := a.writeUploadedFile(mux.Vars(req)["path"], req.Body); {
+	case errors.As(err, &se):
+		writeError(resp, se.Code, se.Msg)
+	case err != nil:
+		writeError(resp, http.StatusInternalServerError, err.Error())
+	case created:
+		writeJSON(resp, http.StatusCreated, map[string]string{"path": relPath})
+	default:
+		writeJSON(resp, http.StatusOK, map[string]string{"path": relPath})
+	}
+}
+
+func (a *API) validatePutFilePath(rawPath string) (string, bool, error) {
+	path, err := a.safePath(rawPath)
+	if err != nil {
+		return "", false, &statusError{Code: http.StatusBadRequest, Msg: err.Error()}
+	}
+
+	if strings.ContainsRune(path, '*') {
+		return "", false, &statusError{
+			Code: http.StatusBadRequest,
+			Msg:  "wildcards not allowed for file upload",
+		}
+	}
+
+	info, statErr := os.Stat(path)
+	if statErr == nil && info.IsDir() {
+		return "", false, &statusError{Code: http.StatusBadRequest, Msg: "path is a directory; use /api/list/"}
+	}
+
+	created := errors.Is(statErr, os.ErrNotExist)
+	if statErr != nil && !created {
+		return "", false, fmt.Errorf("stat: %w", statErr)
+	}
+
+	return path, created, nil
+}
+
+func commitUploadedFile(tmpPath, destPath string, created bool) error {
+	err := os.Chmod(tmpPath, FileMode) //nolint:gosec // temp path from CreateTemp under validated directory
+	if err != nil {
+		return fmt.Errorf("chmod: %w", err)
+	}
+
+	if !created {
+		err = os.Remove(destPath) //nolint:gosec // destPath returned from safePath under outputPath
+		if err != nil {
+			return fmt.Errorf("removing existing file: %w", err)
+		}
+	}
+
+	err = os.Rename(tmpPath, destPath) //nolint:gosec // paths validated; atomic replace after write
+	if err != nil {
+		return fmt.Errorf("renaming file: %w", err)
+	}
+
+	return nil
+}
+
+func (a *API) writeUploadedFile(rawPath string, body io.Reader) (string, bool, error) {
+	filePath, created, err := a.validatePutFilePath(rawPath)
+	if err != nil {
+		return "", false, err
+	}
+
+	dir := filepath.Dir(filePath)
+
+	err = os.MkdirAll(dir, DirMode) //nolint:gosec // dir is filepath.Dir of a path from safePath under outputPath
+	if err != nil {
+		return "", false, fmt.Errorf("creating parent directories: %w", err)
+	}
+
+	tmpFile, err := os.CreateTemp(dir, ".fogwillow-upload-*")
+	if err != nil {
+		return "", false, fmt.Errorf("temp file: %w", err)
+	}
+
+	tmpPath := tmpFile.Name()
+	cleanupTmp := true
+
+	defer func() {
+		if cleanupTmp {
+			_ = os.Remove(tmpPath) //nolint:gosec // temp file created in this function under validated dir
+		}
+	}()
+
+	_, err = io.Copy(tmpFile, body)
+	if err != nil {
+		_ = tmpFile.Close()
+		return "", false, fmt.Errorf("writing body: %w", err)
+	}
+
+	err = tmpFile.Close()
+	if err != nil {
+		return "", false, fmt.Errorf("closing temp file: %w", err)
+	}
+
+	err = commitUploadedFile(tmpPath, filePath, created)
+	if err != nil {
+		return "", false, err
+	}
+
+	cleanupTmp = false
+
+	return strings.TrimPrefix(filePath, a.outputPath+string(filepath.Separator)), created, nil
+}

pkg/fog/start.go

@@ -115,7 +115,7 @@ func (c *Config) Start() error {
 }
 
 // setup makes sure configurations are sound and sane.
-func (c *Config) setup() {
+func (c *Config) setup() { //nolint:cyclop
 	// Protect uint->int64 conversions.
 	if c.LogFileMB > httpserver.MaxStupidValue {
 		c.LogFileMB = httpserver.MaxStupidValue

pkg/httpserver/accesslog.go

@@ -10,11 +10,12 @@ import (
 )
 
 const (
-	// Access log file mode.
+	// LogFileMode is the mode for the access log file.
 	LogFileMode = 0o644
-	// Apache Combined Log Format: host ident user time "request" status bytes "referer" "user-agent".
+	// CombinedLogFormat is from Apache: host ident user time "request" status bytes "referer" "user-agent".
 	CombinedLogFormat = `%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"`
-	MaxStupidValue    = uint(9999999) // for comparing with config.
+	// MaxStupidValue is a stupid big value for minimizing config inputs.
+	MaxStupidValue = uint(9999999) // for comparing with config.
 )
 
 // newAccessLog creates a rotating access log writer from config.