aboutsummaryrefslogtreecommitdiffstats
path: root/storage-backend/index.php
blob: eae06ef448890931ce4cceb6cc2d4efee324f888 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
<?php
/*
 * This script serves as storing backend for the xmpp extension
 * XEP-0363 Http Upload and for the extension to delete a file previously uploaded via HTTP upload
 *
 * The following return codes are used for requesting an upload slot (parameter 'slot_type' = 'upload' or empty):
 * 200: Success - response body contains PUT URL, GET URL formatted in Json
 * 400: In case a mandatory parameter is not set.  (error code: 4, parameters: missing_parameter). Mandatory parameters are:
 *   xmpp_server_key
 *   filename
 *   size
 *   content_type
 *   user_jid
 * 403: In case the XMPP Server Key is not valid
 * 406:
 *   File is empty (error code: 1)
 *   File too large (error code: 2, parameters: max_file_size)
 *   Invalid character found in filename (error code: 3, parameters: invalid_character)
 * 500: Any other server error
 *   Upload directory for slot cannot be created
 *   Slot registry file cannot be created
 * 
 * The following return codes are used for requesting an delete slot (parameter 'slot_type' = 'delete'):
 * 200: Success - response body contains delete_token formatted in Json
 * 400: In case a mandatory parameter is not set.  (error code: 4, parameters: missing_parameter). Mandatory parameters are:
 *   xmpp_server_key
 *   file_url
 *   user_jid
 * 403: In case the XMPP Server Key is not valid
 * 500: Any other server error
 *   Slot registry file cannot be updated with delete token and token validity time
 
 * The following return codes are used for uploading a file:
 * 201: Success - File Created
 * 403: If a slot is already used or file upload contains other data than in the request slot.
 *   The slot was used before (file already exists)
 *   The slot does not exist
 *   File size differs from slot request
 *   Mime Type differs from slot request
 * 
 * The following return codes are used for deleting a file:
 * 204: Success - No Content
 * 403: If a slot does not exist or a slot is not marked for deletion.
 *   The slot does not exist
 *   The slot does not contain a delete token
 *   The slot's delete token does not match the header field "X-FILETRANSFER-HTTP-DELETE-TOKEN"
 *   The slot's delete token is not valid any more
 */
 
$method = $_SERVER['REQUEST_METHOD'];

// Load configuration
$config = require(__DIR__.'/config/config.inc.php');
// Initialize directory config
$config['storage_base_path'] = __DIR__.'/files/';
$config['slot_registry_dir'] = __DIR__.'/slots/';
$config['base_url_put'] = getServerProtocol()."://".getRequestHostname().getRequestUriWithoutFilename().'files/';
$config['base_url_get'] = $config['base_url_put'];

switch ($method) {
  case 'POST':
    // parse post parameters
    // check if all parameters are present - return 400 (bad request) if a parameter is missing / empty
	$xmppServerKey = getMandatoryPostParameter('xmpp_server_key');
	$userJid = getMandatoryPostParameter('user_jid');
	$slotType = getOptionalPostParameter('slot_type', 'upload');
    
    // Check if xmppServerKey is allowed to request slots
    if (false === checkXmppServerKey($config['valid_xmpp_server_keys'], $xmppServerKey)) {
      sendHttpReturnCodeAndJson(403, 'Server is not allowed to request an upload slot');
    }
    
    switch ($slotType) {
      case 'delete':
        // Check if all parameters needed for an delete are present - return 400 (bad request) if a parameter is missing / empty
        $fileURL = getMandatoryPostParameter('file_url');
        
        $slotUUID = getUUIDFromUri($fileURL);
        $filename = getFilenameFromUri($fileURL);
        if (!slotExists($slotUUID, $config)) {
          sendHttpReturnCodeAndJson(403, "The slot does not exist.");
        }
        
        if ($config['delete_only_by_creator']) {
          $slotParameters = loadSlotParameters($slotUUID, $config);
          if ($slotParameters['user_jid'] != $userJid) {
            sendHttpReturnCodeAndJson(403, "Deletion of that file is only allowed by the user created it.");
          }
        }
        
        // generate delete token, register delete token
        $deleteToken = generate_uuid();
        registerDeleteToken($slotUUID, $filename, $deleteToken, $config);
        
        // return 200 for success and delete url Json formatted ( ['delete'=>url] )
        $result = ['deletetoken' => $deleteToken];
      break;
      case 'upload':
      default:
        // Check if all parameters needed for an upload are present - return 400 (bad request) if a parameter is missing / empty
        $filename = rawurlencode(getMandatoryPostParameter('filename'));
        $filesize = getMandatoryPostParameter('size');
        $mimeType = getOptionalPostParameter('content_type');
        
        // check file name - return 406 (not acceptable) if file contains invalid characters
        foreach ($config['invalid_characters_in_filename'] as $invalidCharacter) {
          if (stripos($filename, $invalidCharacter) !== false) {
            sendHttpReturnCodeAndJson(406, ['msg' => 'Invalid character found in filename.', 'err_code' => 3, 'parameters' => ['invalid_character' => $invalidCharacter]]);
          }
        }
        // check file size - return 406 (not acceptable) if file too small
        if ($filesize <= 0) {
          sendHttpReturnCodeAndJson(406, ['msg' => 'File is empty.', 'err_code' => 1]);
        }
        // check file size - return 406 (not acceptable) if file too large
        if ($filesize > $config['max_upload_file_size']) {
          sendHttpReturnCodeAndJson(406, ['msg' => 'File too large.', 'err_code' => 2, 'parameters' => ['max_file_size' => $config['max_upload_file_size']]]);
        }
        // generate slot uuid, register slot uuid and expected file size and expected mime type
        $slotUUID = generate_uuid();
        registerSlot($slotUUID, $filename, $filesize, $mimeType, $userJid, $config);
        if (!mkdir(getUploadFilePath($slotUUID, $config))) {
          sendHttpReturnCodeAndJson(500, "Could not create directory for upload.");
        }
        // return 200 for success and get / put url Json formatted ( ['get'=>url, 'put'=>url] )
        $result = ['put' => $config['base_url_put'].$slotUUID.'/'.$filename,
                   'get' => $config['base_url_get'].$slotUUID.'/'.$filename];
    }
    
    echo json_encode($result);
    break;
  case 'PUT':
    // check slot uuid - return 403 if not existing
    $uri = $_SERVER["REQUEST_URI"];
    $slotUUID = getUUIDFromUri($uri);
    $filename = getFilenameFromUri($uri);
    if (!slotExists($slotUUID, $config)) {
      sendHttpReturnCodeAndJson(403, "The slot does not exist.");
    }
    $slotParameters = loadSlotParameters($slotUUID, $config);
    if (!checkFilenameParameter($filename, $slotParameters)) {
      sendHttpReturnCodeAndJson(403, "Uploaded filename differs from requested slot filename.");
    }
    $uploadFilePath = rawurldecode(getUploadFilePath($slotUUID, $config, $slotParameters['filename']));
    if (file_exists($uploadFilePath)) {
      sendHttpReturnCodeAndJson(403, "The slot was already used.");
    }
    // save file
    $incomingFileStream = fopen("php://input", "r");
    $targetFileStream = fopen($uploadFilePath, "w");
    $uploadedFilesize = stream_copy_to_stream($incomingFileStream, $targetFileStream, $slotParameters['filesize'] + 1); // max. 1 byte more than expected to avoid spamming
    fclose($targetFileStream);
    // check actual file size with registered file size - return 413
    if ($uploadedFilesize != $slotParameters['filesize']) {
      unlink($uploadFilePath);
      sendHttpReturnCodeAndJson(403, "Uploaded file size differs from requested slot size.");
    }
    // check actual mime type with registered mime type
    if (!is_null($slotParameters['content_type']) && !empty($slotParameters['content_type']) && mime_content_type($uploadFilePath) != $slotParameters['content_type']) {
      unlink($uploadFilePath);
      sendHttpReturnCodeAndJson(403, "Uploaded file content type differs from requested slot content type.");
    }
    // return 500 in case of any error
    // return 201 for success
    sendHttpReturnCodeAndMessage(201);
    break;
  case 'DELETE':
    // check slot uuid - return 403 if not existing
    $uri = $_SERVER["REQUEST_URI"];
    $slotUUID = getUUIDFromUri($uri);
    $filename = getFilenameFromUri($uri);
    $deleteToken = $_SERVER["HTTP_X_FILETRANSFER_HTTP_DELETE_TOKEN"];
    if (!slotExists($slotUUID, $config)) {
      sendHttpReturnCodeAndJson(403, "The slot does not exist.");
    }
    $slotParameters = loadSlotParameters($slotUUID, $config);
    if ($deleteToken != $slotParameters['delete_token']) {
      sendHttpReturnCodeAndJson(403, "The delete token is not valid.");
    }
    if (time() > $slotParameters['delete_token_valid_till']) {
      sendHttpReturnCodeAndJson(403, "The delete token is not valid anymore.");
    }
    if (!checkFilenameParameter($filename, $slotParameters)) {
      sendHttpReturnCodeAndJson(403, "Filename to delete differs from requested slot filename.");
    }
    $uploadFilePath = rawurldecode(getUploadFilePath($slotUUID, $config, $slotParameters['filename']));
    if (!file_exists($uploadFilePath)) {
      sendHttpReturnCodeAndJson(404, "The file does not exist.");
    }
    
    // Delete file
    if (unlink($uploadFilePath)) {
      // Clean up the server - ignore errors
      @rmdir(getUploadFilePath($slotUUID, $config));
      // return 204 for success
      sendHttpReturnCodeAndMessage(204);
    } else {
      sendHttpReturnCodeAndJson(500, "Could not delete file.");
    }
    break;
  default:
    sendHttpReturnCodeAndJson(403, "Access not allowed.");
    break;
}

function checkXmppServerKey($validXmppServerKeys, $xmppServerKey) {
  foreach ($validXmppServerKeys as $validXmppServerKey) {
    if ($validXmppServerKey == $xmppServerKey) {
      return true;
    }
  }
  return false;
}

function checkFilenameParameter($filename, $slotParameters) {
  $filename = $filename; // the filename is a http get parameter and therefore encoded
  return $slotParameters['filename'] == $filename;
}

function loadSlotParameters($slotUUID, $config) {
  $slotParameters = require(getSlotFilePath($slotUUID, $config));
  $slotParameters['filename'] = $slotParameters['filename'];
  
  return $slotParameters;
}

function getMandatoryPostParameter($parameterName) {
  $parameter = $_POST[$parameterName];
  if (!isset($parameter) || is_null($parameter) || empty($parameter)) {
    sendHttpReturnCodeAndJson(400, ['msg' => 'Missing parameter.', 'err_code' => 4, 'parameters' => ['missing_parameter' => $parameterName]]);
  }
  return $parameter;
}

function getOptionalPostParameter($parameterName, $default = NULL) {
  $parameter = $_POST[$parameterName];
  if (!isset($parameter) || is_null($parameter) || empty($parameter)) {
    $parameter = $default;
  }
  return $parameter;
}

function sendHttpReturnCodeAndJson($code, $data) {
  if (!is_array($data)) {
    $data = ['msg' => $data];
  }
  sendHttpReturnCodeAndMessage($code, json_encode($data));
}

function sendHttpReturnCodeAndMessage($code, $text = '') {
  http_response_code($code);
  exit($text);
}

function getUUIDFromUri($uri) {
  $pattern = "/[a-f0-9]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/";
  preg_match($pattern, $uri, $matches);
  return $matches[0];
}

function getFilenameFromUri($uri) {
  $lastSlash = strrpos($uri, '/') + 1;
  return substr($uri, $lastSlash);
}

function registerSlot($slotUUID, $filename, $filesize, $contentType, $userJid, $config) {
  $contents = "<?php\n/*\n * This is an autogenerated file - do not edit\n */\n\n";
  $contents .= 'return [\'filename\' => \''.$filename.'\', \'filesize\' => \''.$filesize.'\', ';
  $contents .= '\'content_type\' => \''.$contentType.'\', \'user_jid\' => \''.$userJid.'\'];\n?>';
  if (!file_put_contents(getSlotFilePath($slotUUID, $config), $contents)) {
    sendHttpReturnCodeAndMessage(500, "Could not create slot registry entry.");
  }
}

function registerDeleteToken($slotUUID, $filename, $deleteToken, $config) {
  $slotFilePath = getSlotFilePath($slotUUID, $config);
  $contents = file_get_contents($slotFilePath);
  $validTo = time() + $config['delete_token_validity'];
  $newContents = str_replace("]", ", 'delete_token' => '".$deleteToken."', 'delete_token_valid_till' => '".$validTo."']", $contents);
  if (!file_put_contents($slotFilePath, $newContents)) {
    sendHttpReturnCodeAndMessage(500, "Could not update slot registry entry.");
  }
}

function slotExists($slotUUID, $config) {
  return file_exists(getSlotFilePath($slotUUID, $config));
}

function getSlotFilePath($slotUUID, $config) {
  return $config['slot_registry_dir'].$slotUUID;
}

function getUploadFilePath($slotUUID, $config, $filename = NULL) {
  $path = $config['storage_base_path'].$slotUUID;
  if (!is_null($filename)) {
    $path .= '/'.$filename;
  }
  return $path;
}

/**
 * Inspired by https://github.com/owncloud/core/blob/master/lib/private/appframework/http/request.php#L523
 */
function getServerProtocol() {
  if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])) {
      if (strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], ',') !== false) {
          $parts = explode(',', $_SERVER['HTTP_X_FORWARDED_PROTO']);
          $proto = strtolower(trim($parts[0]));
      } else {
          $proto = strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']);
      }
      // Verify that the protocol is always HTTP or HTTPS
      // default to http if an invalid value is provided
      return $proto === 'https' ? 'https' : 'http';
  }
  if (isset($_SERVER['HTTPS'])
      && $_SERVER['HTTPS'] !== null
      && $_SERVER['HTTPS'] !== 'off'
      && $_SERVER['HTTPS'] !== '') {
      return 'https';
  }
  return 'http';
}

function getRequestHostname() {
  if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    return strtolower($_SERVER['HTTP_X_FORWARDED_HOST']);
  }
  return strtolower($_SERVER['HTTP_HOST']);
}

function getRequestUriWithoutFilename() {
  return strtolower(substr($_SERVER['REQUEST_URI'], 0, strrpos($_SERVER['REQUEST_URI'], '/') + 1));
}

/**
 * Copied from http://rogerstringer.com/2013/11/15/generate-uuids-php/
 */ 
function generate_uuid() {
  return sprintf( '%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
    mt_rand( 0, 0xffff ),
    mt_rand( 0, 0x0fff ) | 0x4000,
    mt_rand( 0, 0x3fff ) | 0x8000,
    mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff )
  );
}
?>