
repoguard: resolve handle to did and compare that to parent directory

+32 -17
+29 -14
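--- a/cmd/repoguard/main.go
+++ b/cmd/repoguard/main.go
@@ -1,14 +1,18 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"fmt"
 	"log"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"strings"
 	"time"
+
+	"github.com/icyphox/bild/routes/auth"
 )
 
 var (
@@ -58,7 +62,10 @@
 	}
 
 	gitCommand := cmdParts[0]
-	repoName := strings.Trim(cmdParts[1], "'")
+
+	// example.com/repo
+	handlePath := strings.Trim(cmdParts[1], "'")
+	repoName := handleToDID(handlePath)
 
 	validCommands := map[string]bool{
 		"git-receive-pack": true,
@@ -69,8 +76,11 @@
 		exitWithLog("access denied: invalid git command")
 	}
 
-	if !isAllowedUser(*allowedUser, repoName) {
-		exitWithLog("access denied: user not allowed")
+	did := path.Dir(repoName)
+	if gitCommand != "git-upload-pack" {
+		if !isAllowedUser(*allowedUser, did) {
+			exitWithLog("access denied: user not allowed")
+		}
 	}
 
 	fullPath := filepath.Join(*baseDirFlag, repoName)
@@ -101,6 +111,19 @@
 	})
 }
 
+func handleToDID(handlePath string) string {
+	handle := path.Dir(handlePath)
+
+	ident, err := auth.ResolveIdent(context.Background(), handle)
+	if err != nil {
+		exitWithLog(fmt.Sprintf("error resolving handle: %v", err))
+	}
+
+	// did:plc:foobarbaz/repo
+	didPath := filepath.Join(ident.DID.String(), path.Base(handlePath))
+
+	return didPath
+}
+
 func initLogger() {
 	var err error
 	logFile, err = os.OpenFile(*logPathFlag, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
@@ -142,15 +166,6 @@
 	}
 }
 
-func isAllowedUser(user, repoPath string) bool {
-	fullPath := filepath.Join(*baseDirFlag, repoPath)
-	didPath := filepath.Join(fullPath, "did")
-
-	didBytes, err := os.ReadFile(didPath)
-	if err != nil {
-		return false
-	}
-
-	allowedUser := strings.TrimSpace(string(didBytes))
-	return allowedUser == user
+func isAllowedUser(user, did string) bool {
+	return user == did
 }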
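Review bot: `handleToDID` (new lines 114–126) does a network identity lookup on the client-supplied `handlePath` with `context.Background()` and before the `validCommands` check on lines 70–77, so a slow or hostile resolver can hang this forced command indefinitely and an invalid command still triggers the lookup; validate the command first and bound the resolution with `context.WithTimeout` (`time` is already imported). Separately, `path.Base(handlePath)` yields `..` for an input like `example.com/..`, which `filepath.Join` on line 123 folds away so `fullPath` on line 86 becomes `*baseDirFlag` itself — reject a `.`/`..` component before doing any work. The read path on lines 80–84 now skips `isAllowedUser` entirely for `git-upload-pack`; that looks intentional (public clone) but deserves a comment such as `// reads are public; only pushes must come from the namespace owner`. The enclosing `main` begins and ends outside this hunk.

```go
func handleToDID(handlePath string) string {
	handle := path.Dir(handlePath)
	repo := path.Base(handlePath)
	// reject empty/traversal components before any network work
	if handle == "." || handle == "/" || repo == "." || repo == ".." {
		exitWithLog("access denied: invalid repo path")
	}

	// bound the resolver so a hostile or slow directory cannot hang the forced command
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	ident, err := auth.ResolveIdent(ctx, handle)
	// … unchanged: error handling and DID path construction …
}
```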
+3 -3
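--- a/routes/auth/auth.go
+++ b/routes/auth/auth.go
@@ -21,7 +21,7 @@
 	return &Auth{store}
 }
 
-func resolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
+func ResolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {
 	id, err := syntax.ParseAtIdentifier(arg)
 	if err != nil {
 		return nil, err
@@ -57,7 +57,7 @@
 
 func (a *Auth) CreateInitialSession(w http.ResponseWriter, r *http.Request, username, appPassword string) (AtSessionCreate, error) {
 	ctx := r.Context()
-	resolved, err := resolveIdent(ctx, username)
+	resolved, err := ResolveIdent(ctx, username)
 	if err != nil {
 		return AtSessionCreate{}, fmt.Errorf("invalid handle: %s", err)
 	}
@@ -118,5 +118,5 @@
 		return nil, fmt.Errorf("user is not authenticated")
 	}
 
-	return resolveIdent(r.Context(), did)
+	return ResolveIdent(r.Context(), did)
 }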