···

       
1
       
 
       
package main

     

       
2
       
 
       


     

       
3
       
 
       
import (

     

       
0
       
 
       

     

       
4
       
 
       
	"flag"

     

       
5
       
 
       
	"fmt"

     

       
6
       
 
       
	"log"

     

       
7
       
 
       
	"os"

     

       
8
       
 
       
	"os/exec"

     

       
0
       
 
       

     

       
9
       
 
       
	"path/filepath"

     

       
10
       
 
       
	"strings"

     

       
11
       
 
       
	"time"

     

       
0
       
 
       

     

       
0
       
 
       

     

       
12
       
 
       
)

     

       
13
       
 
       


     

       
14
       
 
       
var (

     
···

       
58
       
 
       
	}

     

       
59
       
 
       


     

       
60
       
 
       
	gitCommand := cmdParts[0]

     

       
61
       
-
       
	repoName := strings.Trim(cmdParts[1], "'")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
62
       
 
       


     

       
63
       
 
       
	validCommands := map[string]bool{

     

       
64
       
 
       
		"git-receive-pack":   true,

     
···

       
69
       
 
       
		exitWithLog("access denied: invalid git command")

     

       
70
       
 
       
	}

     

       
71
       
 
       


     

       
72
       
-
       
	if !isAllowedUser(*allowedUser, repoName) {

     

       
73
       
-
       
		exitWithLog("access denied: user not allowed")

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
74
       
 
       
	}

     

       
75
       
 
       


     

       
76
       
 
       
	fullPath := filepath.Join(*baseDirFlag, repoName)

     
···

       
101
       
 
       
	})

     

       
102
       
 
       
}

     

       
103
       
 
       


     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
104
       
 
       
func initLogger() {

     

       
105
       
 
       
	var err error

     

       
106
       
 
       
	logFile, err = os.OpenFile(*logPathFlag, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)

     
···

       
142
       
 
       
	}

     

       
143
       
 
       
}

     

       
144
       
 
       


     

       
145
       
-
       
func isAllowedUser(user, repoPath string) bool {

     

       
146
       
-
       
	fullPath := filepath.Join(*baseDirFlag, repoPath)

     

       
147
       
-
       
	didPath := filepath.Join(fullPath, "did")

     

       
148
       
-
       


     

       
149
       
-
       
	didBytes, err := os.ReadFile(didPath)

     

       
150
       
-
       
	if err != nil {

     

       
151
       
-
       
		return false

     

       
152
       
-
       
	}

     

       
153
       
-
       


     

       
154
       
-
       
	allowedUser := strings.TrimSpace(string(didBytes))

     

       
155
       
-
       
	return allowedUser == user

     

       
156
       
 
       
}

     

···

       
1
       
 
       
package main

     

       
2
       
 
       


     

       
3
       
 
       
import (

     

       
4
       
+
       
	"context"

     

       
5
       
 
       
	"flag"

     

       
6
       
 
       
	"fmt"

     

       
7
       
 
       
	"log"

     

       
8
       
 
       
	"os"

     

       
9
       
 
       
	"os/exec"

     

       
10
       
+
       
	"path"

     

       
11
       
 
       
	"path/filepath"

     

       
12
       
 
       
	"strings"

     

       
13
       
 
       
	"time"

     

       
14
       
+
       


     

       
15
       
+
       
	"github.com/icyphox/bild/routes/auth"

     

       
16
       
 
       
)

     

       
17
       
 
       


     

       
18
       
 
       
var (

     
···

       
62
       
 
       
	}

     

       
63
       
 
       


     

       
64
       
 
       
	gitCommand := cmdParts[0]

     

       
65
       
+
       


     

       
66
       
+
       
	// example.com/repo

     

       
67
       
+
       
	handlePath := strings.Trim(cmdParts[1], "'")

     

       
68
       
+
       
	repoName := handleToDID(handlePath)

     

       
69
       
 
       


     

       
70
       
 
       
	validCommands := map[string]bool{

     

       
71
       
 
       
		"git-receive-pack":   true,

     
···

       
76
       
 
       
		exitWithLog("access denied: invalid git command")

     

       
77
       
 
       
	}

     

       
78
       
 
       


     

       
79
       
+
       
	did := path.Dir(repoName)

     

       
80
       
+
       
	if gitCommand != "git-upload-pack" {

     

       
81
       
+
       
		if !isAllowedUser(*allowedUser, did) {

     

       
82
       
+
       
			exitWithLog("access denied: user not allowed")

     

       
83
       
+
       
		}

     

       
84
       
 
       
	}

     

       
85
       
 
       


     

       
86
       
 
       
	fullPath := filepath.Join(*baseDirFlag, repoName)

     
···

       
111
       
 
       
	})

     

       
112
       
 
       
}

     

       
113
       
 
       


     

       
114
       
+
       
func handleToDID(handlePath string) string {

     

       
115
       
+
       
	handle := path.Dir(handlePath)

     

       
116
       
+
       


     

       
117
       
+
       
	ident, err := auth.ResolveIdent(context.Background(), handle)

     

       
118
       
+
       
	if err != nil {

     

       
119
       
+
       
		exitWithLog(fmt.Sprintf("error resolving handle: %v", err))

     

       
120
       
+
       
	}

     

       
121
       
+
       


     

       
122
       
+
       
	// did:plc:foobarbaz/repo

     

       
123
       
+
       
	didPath := filepath.Join(ident.DID.String(), path.Base(handlePath))

     

       
124
       
+
       


     

       
125
       
+
       
	return didPath

     

       
126
       
+
       
}

     

       
127
       
+
       


     

       
128
       
 
       
func initLogger() {

     

       
129
       
 
       
	var err error

     

       
130
       
 
       
	logFile, err = os.OpenFile(*logPathFlag, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)

     
···

       
166
       
 
       
	}

     

       
167
       
 
       
}

     

       
168
       
 
       


     

       
169
       
+
       
func isAllowedUser(user, did string) bool {

     

       
170
       
+
       
	return user == did

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
171
       
 
       
}

     

···

       
21
       
 
       
	return &Auth{store}

     

       
22
       
 
       
}

     

       
23
       
 
       


     

       
24
       
-
       
func resolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {

     

       
25
       
 
       
	id, err := syntax.ParseAtIdentifier(arg)

     

       
26
       
 
       
	if err != nil {

     

       
27
       
 
       
		return nil, err

     
···

       
57
       
 
       


     

       
58
       
 
       
func (a *Auth) CreateInitialSession(w http.ResponseWriter, r *http.Request, username, appPassword string) (AtSessionCreate, error) {

     

       
59
       
 
       
	ctx := r.Context()

     

       
60
       
-
       
	resolved, err := resolveIdent(ctx, username)

     

       
61
       
 
       
	if err != nil {

     

       
62
       
 
       
		return AtSessionCreate{}, fmt.Errorf("invalid handle: %s", err)

     

       
63
       
 
       
	}

     
···

       
118
       
 
       
		return nil, fmt.Errorf("user is not authenticated")

     

       
119
       
 
       
	}

     

       
120
       
 
       


     

       
121
       
-
       
	return resolveIdent(r.Context(), did)

     

       
122
       
 
       
}

     

···

       
21
       
 
       
	return &Auth{store}

     

       
22
       
 
       
}

     

       
23
       
 
       


     

       
24
       
+
       
func ResolveIdent(ctx context.Context, arg string) (*identity.Identity, error) {

     

       
25
       
 
       
	id, err := syntax.ParseAtIdentifier(arg)

     

       
26
       
 
       
	if err != nil {

     

       
27
       
 
       
		return nil, err

     
···

       
57
       
 
       


     

       
58
       
 
       
func (a *Auth) CreateInitialSession(w http.ResponseWriter, r *http.Request, username, appPassword string) (AtSessionCreate, error) {

     

       
59
       
 
       
	ctx := r.Context()

     

       
60
       
+
       
	resolved, err := ResolveIdent(ctx, username)

     

       
61
       
 
       
	if err != nil {

     

       
62
       
 
       
		return AtSessionCreate{}, fmt.Errorf("invalid handle: %s", err)

     

       
63
       
 
       
	}

     
···

       
118
       
 
       
		return nil, fmt.Errorf("user is not authenticated")

     

       
119
       
 
       
	}

     

       
120
       
 
       


     

       
121
       
+
       
	return ResolveIdent(r.Context(), did)

     

       
122
       
 
       
}