add gosec

wip 0.0.5
2025-09-07 00:31:37 +02:00 · 2025-09-02 22:32:07 +02:00
16 changed files with 296 additions and 14 deletions
--- a/build.sh
+++ b/build.sh
@@ -35,7 +35,7 @@ fi

 ## SERVER

-platforms=("linux/amd64" "linux/arm64" "linux/riscv64" "linux/ppc64le")
+platforms=("linux/amd64" "linux/arm64" "linux/riscv64" "linux/ppc64le", "windows/amd64")

 for platform in "${platforms[@]}"; do
    echo "* Compiling server for $platform..."
--- a/cmd/cli/commands/list/list.go
+++ b/cmd/cli/commands/list/list.go
@@ -43,7 +43,7 @@ func (p *ListCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{})
 			return subcommands.ExitUsageError
 		}

-		username, password, err := credentials.Read()
+		username, password, err := credentials.Read(f.Arg(0))
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: failed to read std output: %s", err)
 			return subcommands.ExitFailure
--- a/cmd/cli/commands/login/login.go
+++ b/cmd/cli/commands/login/login.go
@@ -0,0 +1,60 @@
+package login
+
+import (
+	"cloudsave/cmd/cli/tools/prompt/credentials"
+	"cloudsave/pkg/remote/client"
+	"context"
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/google/subcommands"
+)
+
+type (
+	LoginCmd struct {
+	}
+)
+
+func (*LoginCmd) Name() string     { return "login" }
+func (*LoginCmd) Synopsis() string { return "save IN PLAIN TEXT your credentials" }
+func (*LoginCmd) Usage() string {
+	return `Usage: cloudsave login <SERVER_HOSTNAME>
+
+Warning: this command saves the login into a plain text json file
+
+Options:
+`
+}
+
+func (p *LoginCmd) SetFlags(f *flag.FlagSet) {
+}
+
+func (p *LoginCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
+	if f.NArg() != 1 {
+		fmt.Fprintf(os.Stderr, "error: this command take 1 argument")
+		return subcommands.ExitUsageError
+	}
+
+	server := f.Arg(0)
+
+	username, password, err := credentials.Read(server)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to read std output: %s", err)
+		return subcommands.ExitFailure
+	}
+
+	cli := client.New(server, username, password)
+	if _, err := cli.Version(); err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to login: %s", err)
+		return subcommands.ExitFailure
+	}
+
+	if err := credentials.Login(username, password, server); err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to save login: %s", err)
+		return subcommands.ExitFailure
+	}
+
+	fmt.Println("login information saved!")
+	return subcommands.ExitSuccess
+}
--- a/cmd/cli/commands/logout/logout.go
+++ b/cmd/cli/commands/logout/logout.go
@@ -0,0 +1,43 @@
+package logout
+
+import (
+	"cloudsave/cmd/cli/tools/prompt/credentials"
+	"context"
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/google/subcommands"
+)
+
+type (
+	LogoutCmd struct {
+	}
+)
+
+func (*LogoutCmd) Name() string     { return "logout" }
+func (*LogoutCmd) Synopsis() string { return "logout from a server" }
+func (*LogoutCmd) Usage() string {
+	return `Usage: cloudsave logout <SERVER_HOSTNAME>
+
+Options:
+`
+}
+
+func (p *LogoutCmd) SetFlags(f *flag.FlagSet) {
+}
+
+func (p *LogoutCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{}) subcommands.ExitStatus {
+	if f.NArg() != 1 {
+		fmt.Fprintf(os.Stderr, "error: this command take 1 argument")
+		return subcommands.ExitUsageError
+	}
+
+	if err := credentials.Logout(f.Arg(0)); err != nil {
+		fmt.Fprintf(os.Stderr, "error: failed to logout: %s", err)
+		return subcommands.ExitFailure
+	}
+
+	fmt.Println("bye!")
+	return subcommands.ExitSuccess
+}
--- a/cmd/cli/commands/pull/pull.go
+++ b/cmd/cli/commands/pull/pull.go
@@ -41,7 +41,7 @@ func (p *PullCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{})
 	gameID := f.Arg(1)
 	path := f.Arg(2)

-	username, password, err := credentials.Read()
+	username, password, err := credentials.Read(url)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error: failed to read std output: %s", err)
 		return subcommands.ExitFailure
--- a/cmd/cli/commands/sync/sync.go
+++ b/cmd/cli/commands/sync/sync.go
@@ -284,7 +284,7 @@ func connect(remoteCred map[string]map[string]string, r remote.Remote) (*client.
 	fmt.Println()
 	fmt.Println("Connexion to", r.URL)
 	fmt.Println("============")
-	username, password, err := credentials.Read()
+	username, password, err := credentials.Read(r.URL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read std output: %w", err)
 	}
--- a/cmd/cli/commands/version/version.go
+++ b/cmd/cli/commands/version/version.go
@@ -42,7 +42,7 @@ func (p *VersionCmd) Execute(_ context.Context, f *flag.FlagSet, _ ...interface{
 			return subcommands.ExitUsageError
 		}

-		username, password, err := credentials.Read()
+		username, password, err := credentials.Read(f.Arg(0))
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "failed to read std output: %s", err)
 			return subcommands.ExitFailure
--- a/cmd/cli/main.go
+++ b/cmd/cli/main.go
@@ -4,6 +4,8 @@ import (
 	"cloudsave/cmd/cli/commands/add"
 	"cloudsave/cmd/cli/commands/apply"
 	"cloudsave/cmd/cli/commands/list"
+	"cloudsave/cmd/cli/commands/login"
+	"cloudsave/cmd/cli/commands/logout"
 	"cloudsave/cmd/cli/commands/pull"
 	"cloudsave/cmd/cli/commands/remote"
 	"cloudsave/cmd/cli/commands/remove"
@@ -56,6 +58,8 @@ func main() {
 	subcommands.Register(&remote.RemoteCmd{Service: s}, "remote")
 	subcommands.Register(&sync.SyncCmd{Service: s}, "remote")
 	subcommands.Register(&pull.PullCmd{Service: s}, "remote")
+	subcommands.Register(&login.LoginCmd{}, "remote")
+	subcommands.Register(&logout.LogoutCmd{}, "remote")

 	flag.Parse()
 	ctx := context.Background()
--- a/cmd/cli/tools/prompt/credentials/credentials.go
+++ b/cmd/cli/tools/prompt/credentials/credentials.go
@@ -2,14 +2,48 @@ package credentials

 import (
 	"bufio"
+	"encoding/json"
+	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"

 	"golang.org/x/term"
 )

-func Read() (string, string, error) {
+type (
+	credential struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}
+
+	credentialsStore struct {
+		Store map[string]credential `json:"store"`
+	}
+)
+
+var (
+	datastorePath string
+)
+
+func init() {
+	roaming, err := os.UserConfigDir()
+	if err != nil {
+		panic("failed to get user config path: " + err.Error())
+	}
+	datastorePath = filepath.Join(roaming, "cloudsave")
+}
+
+func Read(server string) (string, string, error) {
+	var err error
+	store, err := load()
+	if err == nil {
+		if c, ok := store[server]; ok {
+			return c.Username, c.Password, nil
+		}
+	}
+
 	fmt.Print("Enter username: ")
 	reader := bufio.NewReader(os.Stdin)
 	username, _ := reader.ReadString('\n')
@@ -24,3 +58,66 @@ func Read() (string, string, error) {

 	return username, string(password), nil
 }
+
+func Login(username, password, server string) error {
+	store, err := load()
+	if err != nil {
+		return err
+	}
+
+	store[server] = credential{
+		Username: username,
+		Password: password,
+	}
+
+	return save(store)
+}
+
+func Logout(server string) error {
+	store, err := load()
+	if err != nil {
+		return err
+	}
+
+	delete(store, server)
+
+	return save(store)
+}
+
+func save(store map[string]credential) error {
+	c := credentialsStore{
+		Store: store,
+	}
+
+	f, err := os.OpenFile(filepath.Join(datastorePath, "credential.json"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0740)
+	if err != nil {
+		return fmt.Errorf("failed to open datastore: %w", err)
+	}
+	defer f.Close()
+
+	e := json.NewEncoder(f)
+	if err := e.Encode(c); err != nil {
+		return fmt.Errorf("failed to encode data: %w", err)
+	}
+
+	return nil
+}
+
+func load() (map[string]credential, error) {
+	f, err := os.OpenFile(filepath.Join(datastorePath, "credential.json"), os.O_RDONLY, 0)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return make(map[string]credential), nil
+		}
+		return nil, fmt.Errorf("failed to open datastore: %w", err)
+	}
+	defer f.Close()
+
+	var c credentialsStore
+	d := json.NewDecoder(f)
+	if err := d.Decode(&c); err != nil {
+		return nil, fmt.Errorf("failed to decode data: %w", err)
+	}
+
+	return c.Store, nil
+}
--- a/cmd/server/api/api.go
+++ b/cmd/server/api/api.go
@@ -21,6 +21,7 @@ type (
 		Server       *http.Server
 		Service      *data.Service
 		documentRoot string
+		creds        map[string]string
 	}
 )

@@ -32,6 +33,7 @@ func NewServer(documentRoot string, srv *data.Service, creds map[string]string,
 	s := &HTTPServer{
 		Service:      srv,
 		documentRoot: documentRoot,
+		creds:        creds,
 	}
 	router := chi.NewRouter()
 	router.NotFound(func(writer http.ResponseWriter, request *http.Request) {
@@ -46,7 +48,7 @@ func NewServer(documentRoot string, srv *data.Service, creds map[string]string,
 	router.Use(middleware.Compress(5, "application/gzip"))
 	router.Use(middleware.Heartbeat("/heartbeat"))
 	router.Route("/api", func(routerAPI chi.Router) {
-		routerAPI.Use(BasicAuth("cloudsave", creds))
+		routerAPI.Use(s.BasicAuth("cloudsave"))
 		routerAPI.Route("/v1", func(r chi.Router) {
 			// Get information about the server
 			r.Get("/version", s.Information)
@@ -78,6 +80,10 @@ func NewServer(documentRoot string, srv *data.Service, creds map[string]string,
 	return s
 }

+func (s *HTTPServer) SetCredentials(creds map[string]string) {
+	s.creds = creds
+}
+
 func (s HTTPServer) all(w http.ResponseWriter, r *http.Request) {
 	datastore, err := s.Service.AllGames()
 	if err != nil {
--- a/cmd/server/api/middlewares.go
+++ b/cmd/server/api/middlewares.go
@@ -20,7 +20,7 @@ func recoverMiddleware(next http.Handler) http.Handler {
 }

 // BasicAuth implements a simple middleware handler for adding basic http auth to a route.
-func BasicAuth(realm string, creds map[string]string) func(next http.Handler) http.Handler {
+func (s *HTTPServer) BasicAuth(realm string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			user, pass, ok := r.BasicAuth()
@@ -29,7 +29,7 @@ func BasicAuth(realm string, creds map[string]string) func(next http.Handler) ht
 				return
 			}

-			credPass := creds[user]
+			credPass := s.creds[user]
 			if err := bcrypt.CompareHashAndPassword([]byte(credPass), []byte(pass)); err != nil {
 				basicAuthFailed(w, r, realm)
 				return
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -5,12 +5,30 @@ package main
 import (
 	"fmt"
 	"os"
+	"os/signal"
+	"syscall"
 )

 const defaultDocumentRoot string = "/var/lib/cloudsave"

+var (
+	updateChan chan struct{}
+)
+
 func main() {
-	run()
+	updateChan = make(chan struct{})
+
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc, syscall.SIGHUP)
+
+	go func() {
+		for {
+			<-sigc
+			updateChan <- struct{}{}
+		}
+	}()
+
+	run(updateChan)
 }

 func fatal(message string, exitCode int) {
--- a/cmd/server/main_windows.go
+++ b/cmd/server/main_windows.go
@@ -13,9 +13,15 @@ const defaultDocumentRoot string = "C:\\ProgramData\\CloudSave"
 //go:embed res/icon.ico
 var icon []byte

+var (
+	updateChan chan struct{}
+)
+
 func main() {
+	updateChan = make(chan struct{})
 	go systray.Run(onReady, onExit)
-	run()
+
+	run(updateChan)
 }

 func fatal(message string, exitCode int) {
@@ -28,12 +34,20 @@ func onReady() {
 	systray.SetTooltip("CloudSave")
 	systray.SetIcon(icon)

-	mQuit := systray.AddMenuItem("Quit", "Quit")
+	mReload := systray.AddMenuItem("Reload", "Reload the server data")
+	mQuit := systray.AddMenuItem("Quit", "Quit the server")

 	go func() {
 		<-mQuit.ClickedCh
 		os.Exit(0)
 	}()
+
+	go func() {
+		for {
+			<-mReload.ClickedCh
+			updateChan <- struct{}{}
+		}
+	}()
 }

 func onExit() {
--- a/cmd/server/runner.go
+++ b/cmd/server/runner.go
@@ -14,7 +14,7 @@ import (
 	"strconv"
 )

-func run() {
+func run(updateChan <-chan struct{}) {
 	fmt.Printf("CloudSave server -- v%s.%s.%s\n\n", constants.Version, runtime.GOOS, runtime.GOARCH)

 	var documentRoot string
@@ -47,6 +47,7 @@ func run() {
 		if err := r.Preload(); err != nil {
 			fatal("failed to load datastore: "+err.Error(), 1)
 		}
+
 		repo = r
 	} else {
 		slog.Info("loading lazy repository...")
@@ -61,6 +62,21 @@ func run() {

 	server := api.NewServer(documentRoot, s, h.Content(), port)

+	go func() {
+		for {
+			<-updateChan
+			if r, ok := repo.(*repository.EagerRepository); ok {
+				r.Reload()
+			}
+			h, err := htpasswd.Open(filepath.Join(documentRoot, ".htpasswd"))
+			if err != nil {
+				fatal("failed to load .htpasswd: "+err.Error(), 1)
+			}
+			slog.Info("users loaded: " + strconv.Itoa(len(h.Content())) + " user(s) loaded")
+			server.SetCredentials(h.Content())
+		}
+	}()
+
 	fmt.Println("server started at :" + strconv.Itoa(port))
 	if err := server.Server.ListenAndServe(); err != nil {
 		fatal("failed to start server: "+err.Error(), 1)
--- a/8
+++ b/8
@@ -2,6 +2,14 @@ pipeline {
    agent any

    stages {
+        stage('Audit') {
+            steps {
+                sh '''
+                go install github.com/securego/gosec/v2/cmd/gosec@v2.22.8
+                /var/lib/jenkins/go/bin/gosec ./...
+                '''
+            }
+        }
        stage('Build') {
            steps {
                sh './build.sh'
--- a/pkg/repository/repository.go
+++ b/pkg/repository/repository.go
@@ -73,7 +73,7 @@ type (
 		AllHist(gameID GameIdentifier) ([]string, error)

 		WriteBlob(ID Identifier) (io.Writer, error)
-		      WriteMetadata(gameID GameIdentifier, m Metadata) error
+		WriteMetadata(gameID GameIdentifier, m Metadata) error

 		Metadata(gameID GameIdentifier) (Metadata, error)
 		LastScan(gameID GameIdentifier) (time.Time, error)
@@ -401,6 +401,7 @@ func (r *EagerRepository) Preload() error {
 	r.mu.Lock()
 	defer r.mu.Unlock()

+	slog.Info("loading data from datastore to memory...")
 	games, err := r.Repository.All()
 	if err != nil {
 		return fmt.Errorf("failed to load all data: %w", err)
@@ -443,6 +444,21 @@ func (r *EagerRepository) Preload() error {
 	return nil
 }

+func (r *EagerRepository) ClearCache() {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+
+	slog.Info("clearing cache...")
+	for k := range r.data {
+		delete(r.data, k)
+	}
+}
+
+func (r *EagerRepository) Reload() error {
+	r.ClearCache()
+	return r.Preload()
+}
+
 func (r *EagerRepository) All() ([]string, error) {
 	r.mu.RLock()
 	defer r.mu.RUnlock()
Author	SHA1	Message	Date
Aurélie DELHAIE	b3232e79d5	add gosec Some checks failed CloudSave/pipeline/head There was a failure building this commit Details	2025-09-07 00:31:37 +02:00
Aurélie DELHAIE	0a33d1b68d	wip 0.0.5 All checks were successful CloudSave/pipeline/head This commit looks good Details	2025-09-02 22:32:07 +02:00