nix: flake: build package with vanilla 'nixpkgs'

Switching to Rocket's master branch (soon to be 0.5.0) allows building
with a stable Rust compiler, yay!

.github/workflows/ci.yaml

@@ -10,11 +10,11 @@ jobs:
       - name: Checkout sources
         uses: actions/checkout@v2
 
-      - name: Install nightly toolchain
+      - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: nightly
+          toolchain: stable
           override: true
 
       - name: Run cargo check
@@ -29,11 +29,11 @@ jobs:
       - name: Checkout sources
         uses: actions/checkout@v2
 
-      - name: Install nightly toolchain
+      - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: nightly
+          toolchain: stable
           override: true
 
       - name: Run cargo test
@@ -48,11 +48,11 @@ jobs:
       - name: Checkout sources
         uses: actions/checkout@v2
 
-      - name: Install nightly toolchain
+      - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:
           profile: minimal
-          toolchain: nightly
+          toolchain: stable
           override: true
           components: rustfmt, clippy
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "lohr"
-version = "0.3.0"
+version = "0.3.1"
 authors = ["Antoine Martin <antoine@alarsyo.net>"]
 edition = "2018"
 license = "Apache-2.0 OR MIT"
@@ -16,10 +16,21 @@ hex = "0.4.3"
 hmac = "0.10.1"
 log = "0.4.14"
 regex = "1"
-rocket = "0.4.7"
-rocket_contrib = { version = "0.4.7", features = [ "json" ] }
 serde = { version = "1.0.125", features = [ "derive" ] }
 serde_json = "1.0.64"
 serde_regex = "1.1.0"
 serde_yaml = "0.8.17"
 sha2 = "0.9.3"
+
+[dependencies.rocket]
+version = "0.5.0-dev"
+# don't need private-cookies
+default-features = false
+
+[dependencies.clap]
+version = "2.33.3"
+# no need for suggestions or color with only one argument
+default-features = false
+
+[patch.crates-io]
+rocket = { git = "https://github.com/SergioBenitez/Rocket", rev = "2893ce754d6535e0a752586e60d7e292343016c0" }

README.org

@@ -21,6 +21,14 @@ file at the repo root.
 This is a very destructive process: anything removed from the single source of
 truth is effectively removed from any mirror as well.
 
+** Installing
+
+=lohr= is [[https://crates.io/crates/lohr][published on crates.io]], so you can install it with ~cargo install~:
+
+#+begin_src sh
+$ cargo install lohr
+#+end_src
+
 ** Setup
 
 *** Quickstart
@@ -73,8 +81,12 @@ variable.
 
 **** Extra remote configuration
 
-=lohr= looks for a =lohr-config.yaml= file in its =LOHR_HOME= directory. The
-=LOHR_CONFIG= variable takes precedence over looking into the state directory.
+You can provide =lohr= with a YAML file containing additional configuration. You
+can pass its path to the =--config= flag when launching =lohr=. If no
+configuration is provided via a CLI flag, =lohr= will check the =LOHR_CONFIG=
+environment variable. If the environment variable isn't set either, it will
+check in =LOHR_HOME= is a =lohr-config.yaml= file exists, and try to load it.
+
 This file takes the following format:
 
 #+begin_src yaml

flake.lock

@@ -31,43 +31,6 @@
         "type": "github"
       }
     },
-    "mozillapkgs": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1603906276,
-        "narHash": "sha256-RsNPnEKd7BcogwkqhaV5kI/HuNC4flH/OQCC/4W5y/8=",
-        "owner": "mozilla",
-        "repo": "nixpkgs-mozilla",
-        "rev": "8c007b60731c07dd7a052cce508de3bb1ae849b4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "mozilla",
-        "repo": "nixpkgs-mozilla",
-        "type": "github"
-      }
-    },
-    "naersk": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1614785451,
-        "narHash": "sha256-TPw8kQvr2UNCuvndtY+EjyXp6Q5GEW2l9UafXXh1XmI=",
-        "owner": "nmattia",
-        "repo": "naersk",
-        "rev": "e0fe990b478a66178a58c69cf53daec0478ca6f9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nmattia",
-        "ref": "master",
-        "repo": "naersk",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1616670887,
@@ -88,8 +51,6 @@
       "inputs": {
         "flake-compat": "flake-compat",
         "flake-utils": "flake-utils",
-        "mozillapkgs": "mozillapkgs",
-        "naersk": "naersk",
         "nixpkgs": "nixpkgs"
       }
     }

flake.nix

@@ -1,13 +1,5 @@
 {
   inputs = {
-    naersk = {
-      url = "github:nmattia/naersk/master";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    mozillapkgs = {
-      url = "github:mozilla/nixpkgs-mozilla";
-      flake = false;
-    };
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     flake-utils.url = "github:numtide/flake-utils";
     flake-compat = {
@@ -16,27 +8,19 @@
     };
   };
 
-  outputs = { self, naersk, mozillapkgs, nixpkgs, flake-utils, ... }:
+  outputs = { self, nixpkgs, flake-utils, ... }:
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = import nixpkgs { inherit system; };
-
-        mozilla = pkgs.callPackage (mozillapkgs + "/package-set.nix") { };
-        rustNightly = (mozilla.rustChannelOf {
-          date = "2021-03-29";
-          channel = "nightly";
-          sha256 = "sha256-Y94CnslybZgiZlNVV6Cg0TUPV2OeDXakPev1kqdt9Kk=";
-        }).rust;
-
-        naersk-lib = pkgs.callPackage naersk {
-          cargo = rustNightly;
-          rustc = rustNightly;
-        };
       in
       {
-        defaultPackage = naersk-lib.buildPackage {
-          src = ./.;
+        defaultPackage = pkgs.rustPlatform.buildRustPackage {
           pname = "lohr";
+          version = "0.3.1";
+
+          src = ./.;
+
+          cargoSha256 = "sha256-XnBvb13Pv7bNTLCL3WV+bxRK0/uMEKA1/Bk0Tfua3Rs=";
 
           meta = with pkgs.lib; {
             description = "A Git mirroring tool";
@@ -52,10 +36,12 @@
 
         devShell = pkgs.mkShell {
           buildInputs = with pkgs; [
+            cargo
+            clippy
             nixpkgs-fmt
             pre-commit
             rustPackages.clippy
-            rustNightly
+            rustc
             rustfmt
           ];
 

rust-toolchain

@@ -1 +1 @@
-nightly
+stable

src/job.rs

@@ -190,13 +190,6 @@ impl Job {
     }
 
     pub(crate) fn run(&mut self, homedir: &Path, config: &GlobalSettings) -> anyhow::Result<()> {
-        if config
-            .blacklist
-            .iter()
-            .any(|re| re.is_match(&self.repo.full_name))
-        {
-            return Ok(());
-        }
         let local_path = homedir.join(&self.repo.full_name);
         assert!(local_path.is_absolute());
         self.local_path = Some(local_path);

src/main.rs

@@ -1,18 +1,17 @@
-#![feature(proc_macro_hygiene, decl_macro)]
-
 use std::env;
 use std::fs::File;
-use std::path::PathBuf;
+use std::path::{Path, PathBuf};
 use std::sync::{
     mpsc::{channel, Receiver, Sender},
     Mutex,
 };
 use std::thread;
 
+use anyhow::Context;
+use clap::{App, Arg};
+use log::{error, info};
 use rocket::{http::Status, post, routes, State};
 
-use log::error;
-
 mod gitea;
 use gitea::GiteaWebHook;
 
@@ -29,7 +28,23 @@ struct JobSender(Mutex<Sender<Job>>);
 struct Secret(String);
 
 #[post("/", data = "<payload>")]
-fn gitea_webhook(payload: SignedJson<GiteaWebHook>, sender: State<JobSender>) -> Status {
+fn gitea_webhook(
+    payload: SignedJson<GiteaWebHook>,
+    sender: State<JobSender>,
+    config: State<GlobalSettings>,
+) -> Status {
+    if config
+        .blacklist
+        .iter()
+        .any(|re| re.is_match(&payload.repository.full_name))
+    {
+        info!(
+            "Ignoring webhook for repo {} which is blacklisted",
+            payload.repository.full_name
+        );
+        return Status::Ok;
+    }
+
     {
         let sender = sender.0.lock().unwrap();
         let repo = &payload.repository;
@@ -49,21 +64,47 @@ fn repo_updater(rx: Receiver<Job>, homedir: PathBuf, config: GlobalSettings) {
     }
 }
 
-fn parse_config(mut path: PathBuf) -> anyhow::Result<GlobalSettings> {
-    path.push("lohr-config");
-    path.set_extension("yaml");
-    let path = env::var("LOHR_CONFIG")
-        .map(Into::into)
-        .unwrap_or_else(|_| path);
-    let config = if let Ok(file) = File::open(path.as_path()) {
-        serde_yaml::from_reader(file)?
-    } else {
-        Default::default()
+fn parse_config(home: &Path, flags: &clap::ArgMatches) -> anyhow::Result<GlobalSettings> {
+    // prioritize CLI flag, then env var
+    let config_path = flags.value_of("config").map(PathBuf::from);
+    let config_path = config_path.or_else(|| env::var("LOHR_CONFIG").map(PathBuf::from).ok());
+
+    let file = match config_path {
+        Some(config_path) => File::open(&config_path).with_context(|| {
+            format!(
+                "could not open provided configuration file at {}",
+                config_path.display()
+            )
+        })?,
+        None => {
+            // check if file exists in lohr home
+            let config_path = home.join("lohr-config.yaml");
+            if !config_path.is_file() {
+                return Ok(Default::default());
+            }
+
+            File::open(config_path).context("failed to open configuration file in LOHR_HOME")?
+        }
     };
-    Ok(config)
+
+    serde_yaml::from_reader(file).context("could not parse configuration file")
 }
 
-fn main() -> anyhow::Result<()> {
+#[rocket::main]
+async fn main() -> anyhow::Result<()> {
+    let matches = App::new("lohr")
+        .version("0.3.1")
+        .about("Git mirroring daemon")
+        .arg(
+            Arg::with_name("config")
+                .short("c")
+                .long("config")
+                .value_name("FILE")
+                .help("Use a custom config file")
+                .takes_value(true),
+        )
+        .get_matches();
+
     let (sender, receiver) = channel();
 
     let homedir = env::var("LOHR_HOME").unwrap_or_else(|_| "./".to_string());
@@ -73,7 +114,8 @@ fn main() -> anyhow::Result<()> {
     let secret = env::var("LOHR_SECRET")
         .expect("please provide a secret, otherwise anyone can send you a malicious webhook");
 
-    let config = parse_config(homedir.clone())?;
+    let config = parse_config(&homedir, &matches)?;
+    let config_state = config.clone();
 
     thread::spawn(move || {
         repo_updater(receiver, homedir, config);
@@ -83,7 +125,9 @@ fn main() -> anyhow::Result<()> {
         .mount("/", routes![gitea_webhook])
         .manage(JobSender(Mutex::new(sender)))
         .manage(Secret(secret))
-        .launch();
+        .manage(config_state)
+        .launch()
+        .await?;
 
     Ok(())
 }

src/settings.rs

@@ -2,7 +2,7 @@ use serde::Deserialize;
 
 pub(crate) type RepoUrl = String; // FIXME: probably needs a better type than this
 
-#[derive(Default, Deserialize)]
+#[derive(Clone, Default, Deserialize)]
 pub(crate) struct GlobalSettings {
     /// List of remote stems to use when no `.lohr` file is found
     #[serde(default)]

src/signature.rs

@@ -1,20 +1,17 @@
 use std::{
-    io::Read,
+    io,
     ops::{Deref, DerefMut},
 };
 
 use rocket::{
-    data::{FromData, Outcome},
+    data::{ByteUnit, FromData, Outcome},
     http::ContentType,
     State,
 };
-use rocket::{
-    data::{Transform, Transformed},
-    http::Status,
-};
+use rocket::{http::Status, local_cache};
 use rocket::{Data, Request};
 
-use anyhow::anyhow;
+use anyhow::{anyhow, Context};
 use serde::Deserialize;
 
 use crate::Secret;
@@ -53,37 +50,29 @@ impl<T> DerefMut for SignedJson<T> {
     }
 }
 
-const LIMIT: u64 = 1 << 20;
+const LIMIT: ByteUnit = ByteUnit::Mebibyte(1);
+
+impl<'r, T: Deserialize<'r>> SignedJson<T> {
+    fn from_str(s: &'r str) -> anyhow::Result<Self> {
+        serde_json::from_str(s)
+            .map(SignedJson)
+            .context("could not parse json")
+    }
+}
 
 // This is a one to one implementation of request_contrib::Json's FromData, but with HMAC
 // validation.
 //
 // Tracking issue for chaining Data guards to avoid this:
 // https://github.com/SergioBenitez/Rocket/issues/775
-impl<'a, T> FromData<'a> for SignedJson<T>
+#[rocket::async_trait]
+impl<'r, T> FromData<'r> for SignedJson<T>
 where
-    T: Deserialize<'a>,
+    T: Deserialize<'r>,
 {
     type Error = anyhow::Error;
-    type Owned = String;
-    type Borrowed = str;
 
-    fn transform(
-        request: &Request,
-        data: Data,
-    ) -> rocket::data::Transform<Outcome<Self::Owned, Self::Error>> {
-        let size_limit = request.limits().get("json").unwrap_or(LIMIT);
-        let mut s = String::with_capacity(512);
-        match data.open().take(size_limit).read_to_string(&mut s) {
-            Ok(_) => Transform::Borrowed(Outcome::Success(s)),
-            Err(e) => Transform::Borrowed(Outcome::Failure((
-                Status::BadRequest,
-                anyhow!("couldn't read json: {}", e),
-            ))),
-        }
-    }
-
-    fn from_data(request: &Request, o: Transformed<'a, Self>) -> Outcome<Self, Self::Error> {
+    async fn from_data(request: &'r Request<'_>, data: Data) -> Outcome<Self, Self::Error> {
         let json_ct = ContentType::new("application", "json");
         if request.content_type() != Some(&json_ct) {
             return Outcome::Failure((Status::BadRequest, anyhow!("wrong content type")));
@@ -97,26 +86,31 @@ where
             ));
         }
 
+        let size_limit = request.limits().get("json").unwrap_or(LIMIT);
+        let content = match data.open(size_limit).into_string().await {
+            Ok(s) if s.is_complete() => s.into_inner(),
+            Ok(_) => {
+                let eof = io::ErrorKind::UnexpectedEof;
+                return Outcome::Failure((
+                    Status::PayloadTooLarge,
+                    io::Error::new(eof, "data limit exceeded").into(),
+                ));
+            }
+            Err(e) => return Outcome::Failure((Status::BadRequest, e.into())),
+        };
+
         let signature = signatures[0];
+        let secret = request.guard::<State<Secret>>().await.unwrap();
 
-        let content = o.borrowed()?;
-
-        let secret = request.guard::<State<Secret>>().unwrap();
-
-        if !validate_signature(&secret.0, &signature, content) {
+        if !validate_signature(&secret.0, &signature, &content) {
             return Outcome::Failure((Status::BadRequest, anyhow!("couldn't verify signature")));
         }
 
-        let content = match serde_json::from_str(content) {
-            Ok(content) => content,
-            Err(e) => {
-                return Outcome::Failure((
-                    Status::BadRequest,
-                    anyhow!("couldn't parse json: {}", e),
-                ))
-            }
+        let content = match Self::from_str(local_cache!(request, content)) {
+            Ok(content) => Outcome::Success(content),
+            Err(e) => Outcome::Failure((Status::BadRequest, e)),
         };
 
-        Outcome::Success(SignedJson(content))
+        content
     }
 }