
repoguard: resolve handle to did and compare that to parent directory

+32 -17
+29 -14
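--- a/cmd/repoguard/main.go
+++ b/cmd/repoguard/main.go
@@ -1,14 +1,18 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/icyphox/bild/routes/auth"
 )
 
 var (
@@ -58,7 +62,10 @@
 	}
 
 	gitCommand := cmdParts[0]
-	repoName := strings.Trim(cmdParts[1], "'")
+
+	// example.com/repo
+	handlePath := strings.Trim(cmdParts[1], "'")
+	repoName := handleToDID(handlePath)
 
 	validCommands := map[string]bool{
 		"git-receive-pack": true,
@@ -69,8 +76,11 @@
 		exitWithLog("access denied: invalid git command")
 	}
 
-	if !isAllowedUser(*allowedUser, repoName) {
-		exitWithLog("access denied: user not allowed")
+	did := path.Dir(repoName)
+	if gitCommand != "git-upload-pack" {
+		if !isAllowedUser(*allowedUser, did) {
+			exitWithLog("access denied: user not allowed")
+		}
 	}
 
 	fullPath := filepath.Join(*baseDirFlag, repoName)
@@ -101,6 +111,20 @@
 	})
 }
 
+func handleToDID(handlePath string) string {
+	handle := path.Dir(handlePath)
+
+	ident, err := auth.ResolveIdent(context.Background(), handle)
+	if err != nil {
+		exitWithLog(fmt.Sprintf("error resolving handle: %v", err))
+	}
+
+	// did:plc:foobarbaz/repo
+	didPath := filepath.Join(ident.DID.String(), path.Base(handlePath))
+
+	return didPath
+}
+
 func initLogger() {
 	var err error
 	logFile, err = os.OpenFile(*logPathFlag, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
@@ -142,15 +166,6 @@
 	}
 }
 
-func isAllowedUser(user, repoPath string) bool {
-	fullPath := filepath.Join(*baseDirFlag, repoPath)
-	didPath := filepath.Join(fullPath, "did")
-
-	didBytes, err := os.ReadFile(didPath)
-	if err != nil {
-		return false
-	}
-
-	allowedUser := strings.TrimSpace(string(didBytes))
-	return allowedUser == user
+func isAllowedUser(user, did string) bool {
+	return user == did
 }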
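Review bot: handleToDID (fourth hunk) resolves the handle with context.Background(), so the lookup inside auth.ResolveIdent has no deadline and a slow or unreachable resolver holds the SSH forced command open indefinitely; a context.WithTimeout (time is already imported) bounds it. The same function takes path.Dir and path.Base of the client-supplied cmdParts[1] without checking their shape: a base of "." or ".." (or a handle segment that itself contains a slash) yields a didPath that filepath.Join cleans to the DID directory or to baseDir itself rather than to a repository, so the shape should be rejected before anything is resolved, as sketched below (the exact handle rule depends on what the deployment accepts). Separately, the third hunk now skips isAllowedUser for git-upload-pack, which makes every repository under baseDir readable by any client that reaches repoguard. If that is intended, a comment such as `// reads are public; only pushes require the caller's DID to match the repo owner` above the check would save the next reader from guessing; the function enclosing that hunk starts and ends outside it.
```go
func handleToDID(handlePath string) string {
	handle, repo := path.Dir(handlePath), path.Base(handlePath)
	// reject anything that is not exactly <handle>/<repo>
	if handle == "." || strings.Contains(handle, "/") || repo == "." || repo == ".." || repo == "/" {
		exitWithLog("access denied: invalid repository path")
	}

	// bound the network lookup so a slow resolver cannot hold the session open
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	ident, err := auth.ResolveIdent(ctx, handle)
	// … unchanged: error handling and exitWithLog …

	// did:plc:foobarbaz/repo
	return filepath.Join(ident.DID.String(), repo)
}
```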
+3 -3
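--- a/routes/auth/auth.go
+++ b/routes/auth/auth.go
@@ -21,7 +21,7 @@
 	return &Auth{store}
 }
 
-func resolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
+func ResolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
 	id, err := syntax.ParseAtIdentifier(arg)
 	if err != nil {
 		return nil, err
@@ -57,7 +57,7 @@
 
 func (a *Auth) CreateInitialSession(w http.ResponseWriter, r *http.Request, username, appPassword string) (AtSessionCreate, error) {
 	ctx := r.Context()
-	resolved, err := resolveIdent(ctx, username)
+	resolved, err := ResolveIdent(ctx, username)
 	if err != nil {
 		return AtSessionCreate{}, fmt.Errorf("invalid handle: %s", err)
 	}
@@ -118,5 +118,5 @@
 		return nil, fmt.Errorf("user is not authenticated")
 	}
 
-	return resolveIdent(r.Context(), did)
+	return ResolveIdent(r.Context(), did)
 }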